# T1498 Network Denial of Service

-----------------------------------------------------------------------

## Technique Description

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and the use of botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).

## Technique Detection

Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness, or services provided by an upstream network service provider. Typical network throughput monitoring tools such as NetFlow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative analysis of the network traffic that identifies a sudden surge in one type of protocol can be used to detect a Network DoS event as it starts. Often the lead time is small, and the first indicator of an event is that the availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.

-----------------------------------------------------------------------

### Tactics:

  *   Impact

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

  * Containers

### Data Sources:

  * **Sensor Health:** Host Status

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT28 | In 2016, [APT28](https://attack.mitre.org/groups/G0007) conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.(Citation: US District Court Indictment GRU Oct 2018) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1498)

  * [FireEye OpPoisonedHandover February 2016](https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html), Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement. Retrieved April 18, 2019.

  * [FSISAC FraudNetDoS September 2012](https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf), FS-ISAC. (2012, September 17). Fraud Alert: Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.

  * [Symantec DDoS October 2014](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf), Wueest, C. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.

  * [Cisco DoSdetectNetflow](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf), Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 15 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

* **APT28**
    - APT28 has conducted distributed denial of service (DDoS) attacks, most recently against the World Anti-Doping Agency (tied to the 2016 Olympics)

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | X | 1 |

## Detection Blindspots

- Encrypted traffic may not allow for analysis of payload

- Incorrect sensor placement will make identifying this TTP difficult

- Huge amounts of ingested data will make hunting this TTP difficult. Suggest querying smaller timeframes

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- The SpiGraph view in Arkime and Kibana dashboards will assist in hunting for this TTP by showing how much data is being sent from each source host

- When using SpiGraph view in Arkime, pay attention to the intervals of the graphs.

- Very difficult to hunt for, but very easily detectable if occurring, as you will notice a huge chunk of data coming from a single source followed by an abrupt stop of data transfer

#### Analytic 1

  * **Information:** 'Identify internal source hosts sending surplus amounts of data compared to normal day-to-day traffic'

  * **Source:** 'PCAP, session*'

  * **Tool:** 'Arkime, Kibana'

  * **Notes:** 'Filtering on source IP as well as sorting the databytes is a good starting point.'

  * **Arkime Query:** `ip.src == [10/8, 192.168/16, 172.16/12]`
    - Use SpiGraph and set the SpiGraph field to ip.src instead of the default Arkime Node. Change the data type being shown from sessions to databytes

  * **Kibana Query:** `srcIp: 10.0.0.0/8 OR srcIp: 192.168.0.0/16 OR srcIp: 172.16.0.0/12`
    - Creating a visualization or dashboard to track databytes from source IPs might be easier
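The surge detection described under Technique Detection and in Network Analytic 1 (per-source databytes from internal hosts compared to their normal traffic), as an added example that is not part of the playbook or of Arkime/Kibana. The session records, field names, bucket interval and the 10x-over-median threshold are all constructed assumptions; on a real deployment the records would come from an Arkime session export and the threshold from observed baselines.

```python
# Added example: flag internal source hosts whose outbound databytes in a time bucket
# far exceed that host's own earlier buckets (a script-level version of sorting a
# SpiGraph on ip.src by databytes). All sample data and thresholds are constructed.
import ipaddress
from collections import defaultdict
from statistics import median

# Same RFC 1918 ranges as the Arkime/Kibana queries above.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed sample resembling Arkime session fields: (firstPacket epoch, srcIp, databytes)
SESSIONS = [
    (1655942400, "10.1.1.5", 120_000), (1655942410, "10.1.1.7", 90_000),
    (1655942420, "8.8.8.8", 500_000),   # external source, ignored by the filter
    (1655943000, "10.1.1.5", 130_000), (1655943010, "10.1.1.7", 95_000),
    (1655943600, "10.1.1.5", 110_000), (1655943620, "10.1.1.7", 88_000),
    (1655944200, "10.1.1.5", 125_000), (1655944230, "10.1.1.7", 4_800_000_000),  # surge
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def bucket_bytes(sessions, interval=600):
    """Sum databytes per internal source per fixed-width time bucket (seconds)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, nbytes in sessions:
        if is_internal(src):
            totals[src][ts - ts % interval] += nbytes
    return totals


def find_surges(sessions, interval=600, factor=10, min_history=3):
    """Return (src, bucket_start, databytes) where a bucket exceeds factor x the
    median of that host's earlier buckets; needs min_history buckets as a baseline."""
    alerts = []
    for src, buckets in bucket_bytes(sessions, interval).items():
        history = []
        for start in sorted(buckets):
            if len(history) >= min_history and buckets[start] > factor * median(history):
                alerts.append((src, start, buckets[start]))
            history.append(buckets[start])
    return alerts


if __name__ == "__main__":
    for src, start, nbytes in find_surges(SESSIONS):
        print(f"surge: {src} sent {nbytes} databytes in bucket starting {start}")
```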