AN0490: Analytic 0490
Excessive inbound HTTP or TLS connections to services such as Apache or Nginx, causing worker thread exhaustion or segmentation faults.
Analyst context for executives and security teams
AN0490 is a Linux-focused detection analytic for spotting excessive inbound HTTP or TLS connections to web services such as Apache or Nginx. For leaders, the practical issue is service availability: if web worker threads are exhausted or services fault, customer-facing applications and internal portals can become unreliable even without confirmed data theft or malware.
Executive priority
Treat this as an operational resilience and incident readiness question: do teams have enough web, network, and host telemetry to recognize abnormal inbound connection pressure before it becomes an outage? This analytic supports prioritization of monitoring for Linux web tiers, availability runbooks, and evidence needed to explain a disruption to executives, auditors, and business owners.
Technical view
SOC and IR teams should validate visibility for Linux-hosted Apache or Nginx services receiving high volumes of inbound HTTP or TLS connections. Because ATT&CK provides no official detection logic for this analytic, teams should define local baselines for connection rates, worker/thread utilization, service errors, and abnormal termination events, then correlate network-facing spikes with web server and operating system symptoms such as exhaustion or segmentation faults.
Likely telemetry
- Network flow or load balancer records showing inbound HTTP/TLS connection volume to Linux web services
- Web server logs from Apache, Nginx, or equivalent services
- Linux host metrics for process health, worker/thread utilization, resource exhaustion, and service restarts
- System logs or crash indicators related to segmentation faults or abnormal web service termination
- TLS termination or reverse proxy logs where applicable
Detection direction
- Establish normal inbound connection baselines per service, site, and time period before alerting on excess volume.
- Correlate connection spikes with web service degradation indicators to reduce false positives from legitimate traffic surges.
- Confirm whether TLS termination occurs before traffic reaches the Linux host, because host-level web logs may not show the full inbound connection picture.
- Tune alerting separately for public-facing services, internal portals, and maintenance windows.
- Account for sparse ATT&CK guidance: there is no supplied detection pseudocode, threshold, tactic mapping, or relationship context for this analytic.
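Because ATT&CK supplies no detection pseudocode for AN0490, the following is an added example (not ATT&CK's, Glexia's, or any project's code) of how the baseline-and-correlate approach in the list above can be expressed. It buckets Nginx-style access log lines into one-minute windows, derives a baseline from the median of the preceding windows, flags windows that exceed a tunable multiple of that baseline, and marks a spike as confirmed only when a degradation indicator (an Nginx worker_connections alert, an Apache MaxRequestWorkers message, or a kernel segfault line) lands in the same or the following window. All log lines are constructed samples that imitate the real formats; the threshold factor, lag and minimum history are assumptions to be replaced by local tuning.

```python
"""Baseline-and-correlate detection for excessive inbound HTTP/TLS connections.

Added example for AN0490. Sample log lines are constructed; the factor, lag
and history parameters are placeholders for locally tuned values.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Nginx "combined" access line; only the source and timestamp are needed here.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Degradation indicators: Nginx error log, Apache error log, kernel segfault line.
DEGRADATION_RE = re.compile(
    r"worker_connections are not enough|MaxRequestWorkers|segfault at")
ERROR_TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")          # nginx error log
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")  # classic syslog, no year


def parse_access_ts(ts):
    """Parse '12/Mar/2026:10:03:17 +0000' into an aware UTC datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def parse_indicator_ts(line, year):
    """Parse the timestamp of an Nginx error-log or syslog line (None if absent)."""
    m = ERROR_TS_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    m = SYSLOG_TS_RE.match(line)
    if m:  # syslog carries no year, so the caller supplies it
        return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return None


def window_sources(access_lines):
    """Map each one-minute window to a Counter of source addresses seen in it."""
    windows = defaultdict(Counter)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            window = parse_access_ts(m.group("ts")).replace(second=0, microsecond=0)
            windows[window][m.group("src")] += 1
    return windows


def indicator_windows(indicator_lines, year):
    """Map each one-minute window to the degradation indicator lines it contains."""
    found = defaultdict(list)
    for line in indicator_lines:
        if DEGRADATION_RE.search(line):
            ts = parse_indicator_ts(line, year)
            if ts:
                found[ts.replace(second=0, microsecond=0)].append(line.strip())
    return found


def detect(access_lines, indicator_lines, year=2026, factor=5.0, min_history=3, lag_minutes=1):
    """Return one finding per window whose request count exceeds factor x the median
    of all preceding windows. A finding is 'confirmed' only if a degradation
    indicator occurs in the same window or within lag_minutes after it."""
    windows = window_sources(access_lines)
    indicators = indicator_windows(indicator_lines, year)
    findings, history = [], []
    for window in sorted(windows):
        n = sum(windows[window].values())
        if len(history) >= min_history:
            baseline = statistics.median(history)  # median resists inflation by earlier spikes
            if n > factor * baseline:
                correlated = []
                for lag in range(lag_minutes + 1):
                    correlated += indicators.get(window + timedelta(minutes=lag), [])
                findings.append({
                    "window": window.isoformat(),
                    "requests": n,
                    "baseline": baseline,
                    "top_sources": windows[window].most_common(3),
                    "indicators": correlated,
                    "confirmed": bool(correlated),
                })
        history.append(n)
    return findings


# ---- constructed sample data -------------------------------------------------
def make_access_lines(minute, n, src_pool):
    base = datetime(2026, 3, 12, 10, minute, tzinfo=timezone.utc)
    return [
        f'{src_pool[i % len(src_pool)]} - - [{(base + timedelta(seconds=i % 60)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
        f'"GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"'
        for i in range(n)
    ]


LEGIT_POOL = [f"198.51.100.{i}" for i in range(1, 41)]  # documentation range, constructed
SAMPLE_ACCESS = (
    make_access_lines(0, 10, LEGIT_POOL) + make_access_lines(1, 10, LEGIT_POOL)
    + make_access_lines(2, 10, LEGIT_POOL)
    + make_access_lines(3, 80, LEGIT_POOL)          # legitimate surge: many sources, service healthy
    + make_access_lines(4, 10, LEGIT_POOL)
    + make_access_lines(5, 120, ["203.0.113.7"])   # spike from one source, service then degrades
    + make_access_lines(6, 2, LEGIT_POOL)
)
SAMPLE_INDICATORS = [  # constructed lines imitating real Nginx and kernel message formats
    "2026/03/12 10:05:40 [alert] 1234#0: *9876 1024 worker_connections are not enough",
    "Mar 12 10:06:02 web01 kernel: nginx[1240]: segfault at 0 ip 00005581f2a3c1b0 sp 00007ffd2c3e5e40 error 4 in nginx[5581f2a00000+1c0000]",
    "2026/03/12 09:55:10 [notice] 1234#0: signal process started",  # unrelated, ignored
]

if __name__ == "__main__":
    for f in detect(SAMPLE_ACCESS, SAMPLE_INDICATORS):
        print("CONFIRMED" if f["confirmed"] else "spike only", f["window"], f["requests"], f["top_sources"])
```

On the sample data the 10:03 surge is reported as a spike only (many sources, no service symptoms), while the 10:05 spike from a single source is confirmed by the worker_connections alert and the segfault one minute later. The per-window top sources are kept on the finding for triage, and the separate confirmed/unconfirmed states are what let public-facing, internal and maintenance-window alerting be tuned independently.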
Mitigation priorities
- Prioritize availability monitoring for Linux web services exposed to HTTP or TLS traffic.
- Ensure incident runbooks cover triage of web worker exhaustion, service crashes, and abnormal inbound connection pressure.
- Validate that web server, network, load balancer, and host telemetry are retained long enough for incident reconstruction.
- Review capacity, rate-limiting, and traffic-management controls using local architecture requirements rather than assuming a universal threshold.
- Document monitoring and response evidence for resilience and compliance discussions where service availability is in scope.
Analyst notes and limits
This assessment is based only on the supplied ATT&CK analytic fields. The object identifies Linux and services such as Apache or Nginx, with excessive inbound HTTP or TLS connections causing worker thread exhaustion or segmentation faults. No tactics, technique relationships, or official detection logic were supplied.
Local baselines, application architecture, TLS termination points, traffic sources, and service criticality are required to turn this analytic into reliable detection. The supplied data does not support claims about adversary attribution, active exploitation, impact severity, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be expanded to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a3a7af258f6a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0490 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.