AN0970: Analytic 0970
Kernel or userland processes generating high-rate network traffic (ICMP, UDP, TCP SYN) beyond expected interface throughput or user behavior norms.
Analyst context for executives and security teams
This analytic describes a Linux host behavior where kernel or userland processes generate unusually high-rate network traffic such as ICMP, UDP, or TCP SYN traffic beyond normal interface throughput or user behavior. For leaders, the practical value is resilience: this kind of signal can indicate a host creating abnormal network load that may affect service availability, network capacity, or incident triage priorities. Because ATT&CK provides no detection logic or relationship context here, organizations should treat it as a validation prompt rather than a ready-to-deploy rule.
Executive priority
Prioritize this as a coverage and readiness question for Linux environments: can the SOC identify when a host is producing network traffic volumes that are inconsistent with baseline behavior? The business decision is whether network and endpoint telemetry are sufficient to support incident response, availability protection, and compliance evidence around monitoring. This is especially relevant where Linux systems support critical services, internet-facing infrastructure, or operational dependencies sensitive to traffic spikes.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Linux process activity and network throughput at the host and network layers. The supplied analytic focuses on high-rate ICMP, UDP, and TCP SYN traffic from kernel or userland processes, but provides no official detection query, thresholds, tactics, or linked techniques. Teams should therefore define environment-specific baselines for interface throughput and user/process behavior, then test whether existing telemetry can associate abnormal traffic rates with the responsible host and, where possible, process context.
Likely telemetry
- Linux host network interface throughput and packet counters
- Network flow records showing ICMP, UDP, and TCP SYN volume by source host
- Endpoint process telemetry capable of linking network activity to userland processes
- Host logs or EDR data showing process execution and network connections
- Firewall, IDS, or network sensor telemetry summarizing packet rates and protocol mix
Detection direction
- Establish Linux host and interface baselines before setting high-rate thresholds; static thresholds may create false positives on backup, monitoring, scanning, or high-throughput service systems.
- Correlate network-volume anomalies with host identity, interface, protocol, destination pattern, and process context where available.
- Tune separately for ICMP, UDP, and TCP SYN behavior because normal rates and operational use cases differ by protocol.
- Validate whether telemetry can distinguish expected service traffic from abnormal user or process-driven traffic.
- Document blind spots where network flow exists but process attribution is unavailable, or where endpoint telemetry exists but packet-rate context is missing.
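As a starting point for the baseline-driven, per-protocol thresholding described in the list above (an added illustration, not part of the ATT&CK object or the Glexia analysis), the following Python groups constructed flow records by source host and protocol class, compares the observed packet rate with a per-host baseline scaled by a protocol-specific multiplier, and records how much of the alerting traffic lacks process attribution. Host names, baselines, multipliers and records are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # every constructed record below falls in one 60 s window

# Constructed sample flow/endpoint records: (source host, protocol class,
# packets, attributed process or None when flow data lacks process context).
SAMPLE_RECORDS = [
    ("web01", "icmp", 120, None),
    ("web01", "tcp_syn", 9000, None),
    ("web01", "tcp_syn", 9000, "nginx"),
    ("backup02", "udp", 900000, "rsync"),
    ("dev03", "udp", 500000, "python3"),
]

# Constructed per-host, per-protocol baselines in packets/second (e.g. a 30-day
# p99 of each host's own counters); hosts with no learned baseline use defaults.
BASELINES = {
    ("web01", "icmp"): 5.0,
    ("web01", "tcp_syn"): 40.0,
    ("backup02", "udp"): 20000.0,  # backup host legitimately pushes UDP at volume
}
DEFAULT_BASELINE = {"icmp": 10.0, "udp": 500.0, "tcp_syn": 50.0}
# Tuned separately per protocol: ICMP and SYN rates are normally low and flat,
# so a smaller relative jump is more suspicious than for bulk UDP.
MULTIPLIER = {"icmp": 5.0, "udp": 3.0, "tcp_syn": 4.0}


def evaluate(records, baselines=BASELINES, window=WINDOW_SECONDS):
    """One alert per (host, protocol) whose rate exceeds baseline * multiplier."""
    packets = defaultdict(int)
    procs = defaultdict(set)
    unattributed = defaultdict(int)
    for host, proto, pkts, proc in records:
        packets[(host, proto)] += pkts
        if proc is None:
            unattributed[(host, proto)] += pkts
        else:
            procs[(host, proto)].add(proc)
    alerts = []
    for (host, proto), pkts in sorted(packets.items()):
        rate = pkts / window
        threshold = baselines.get((host, proto), DEFAULT_BASELINE[proto]) * MULTIPLIER[proto]
        if rate > threshold:
            alerts.append({
                "host": host, "protocol": proto, "rate_pps": round(rate, 1),
                "threshold_pps": threshold, "processes": sorted(procs[(host, proto)]),
                # share of packets with no process attribution: a blind spot to record
                "unattributed_share": round(unattributed[(host, proto)] / pkts, 2),
            })
    return alerts
```

The backup host's 15,000 pps of UDP stays below its own learned threshold, while the same volume from an unbaselined host would alert; the `unattributed_share` field is what you would carry into the blind-spot documentation the last item above calls for.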
Mitigation priorities
- Inventory Linux systems where abnormal outbound or lateral network load would create business or operational risk.
- Ensure host and network monitoring collect enough throughput, protocol, and source-host detail to support triage.
- Apply least-privilege and change-control practices for services and users that can generate high-volume network traffic.
- Use network segmentation, rate controls, or egress policy where appropriate to limit the blast radius of abnormal traffic from Linux hosts.
- Create incident response playbooks for investigating Linux hosts producing excessive ICMP, UDP, or TCP SYN traffic, including ownership, containment criteria, and evidence preservation.
Analyst notes and limits
ATT&CK identifies this as detection analytic AN0970 for Linux, describing high-rate network traffic from kernel or userland processes. No tactics, official detection text, aliases, labels, or relationship context were supplied. The strongest use is as a defensive engineering checklist item for telemetry validation and baseline-driven anomaly detection.
This take is limited to the supplied official STIX fields, external reference, and absence of relationships. It does not infer attacker intent, active exploitation, specific malware, attribution, impact, or guaranteed detection coverage. Local baselines and architecture are required to decide thresholds, severity, and response actions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 097baefbaa39… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0970
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.