MITRE ATT&CK® Analytic

AN1013: Analytic 1013

Flood of spoofed SYN or ACK packets causing exhaustion of OS TCP state table, potentially via user-space utilities or kernel-level DoS agents.

Enterprise | AN1013 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Linux-focused denial-of-service pattern: large volumes of spoofed SYN or ACK packets can exhaust the operating system’s TCP state handling and disrupt availability. For leaders, the practical issue is not attribution; it is whether critical Linux-hosted services have enough network telemetry, capacity controls, and incident runbooks to distinguish abnormal packet floods from legitimate traffic surges before business services degrade.

Executive priority

Prioritize this as an availability and resilience question for internet-facing or business-critical Linux services. Executives should ask which services would be materially affected by TCP state exhaustion, whether network and host teams can prove visibility into packet-rate anomalies, and whether incident responders have predefined escalation paths with infrastructure, cloud, ISP, or DDoS protection providers. Because the supplied ATT&CK object provides no detection logic for this analytic, organizations should treat local validation and evidence collection as the basis for control assurance and audit readiness.

Technical view

SOC, network, and IR teams should validate monitoring for Linux systems and upstream network devices that can reveal abnormal SYN or ACK volume, spoofed-source characteristics, connection-state pressure, and service degradation. On Linux the state that is actually exhausted is usually the per-listener SYN backlog (net.ipv4.tcp_max_syn_backlog), the accept queue (the listen backlog, capped by net.core.somaxconn), or, where stateful filtering sits in front of the service, the netfilter connection-tracking table (net.netfilter.nf_conntrack_max); net.ipv4.tcp_syncookies is the kernel's standard SYN-flood mitigation, and the SyncookiesSent counter records when it engages. The supplied object does not define tactics, relationships, or detection criteria, so detection engineering should focus on environment-specific baselines for packet rates, TCP state table pressure, connection failures, and correlated service health signals rather than relying on a MITRE-provided rule.

Likely telemetry

  • Network flow records showing packet rates, protocol, TCP flags, source/destination distribution, and traffic direction
  • Packet capture or sampled packet telemetry for SYN and ACK flag analysis when available
  • Linux host metrics for TCP connection state and backlog pressure: TcpExt counters from /proc/net/netstat (as shown by nstat) such as ListenDrops, ListenOverflows, SyncookiesSent and TCPReqQFullDrop; socket-state counts from ss -s; kernel log lines reporting possible SYN flooding on a port; and nf_conntrack "table full, dropping packet" messages where connection tracking is in use
  • Firewall, load balancer, reverse proxy, or DDoS protection logs showing dropped, challenged, or rate-limited traffic
  • Service availability telemetry, synthetic checks, application error rates, and latency metrics

Detection direction

  • Baseline normal SYN and ACK rates for critical Linux-hosted services and alert on sustained deviations tied to service health degradation.
  • Correlate network flag anomalies with Linux host TCP state pressure and application availability; packet volume alone can create false positives during legitimate demand spikes.
  • Validate visibility at multiple points: edge network, load balancer or firewall, and affected Linux hosts, since spoofed floods may be filtered before reaching endpoint logs.
  • Tune detections to consider source distribution, impossible or unusual source patterns, destination concentration, and abrupt changes in connection success or reset behavior.
  • Document that the mirrored AN1013 object carries no official detection text; local analytic logic, thresholds, and test evidence are required.
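The correlation the bullets above call for, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it summarizes a window of per-packet flow records for one protected server (SYN rate against a baseline, handshake completion ratio, source dispersion, stray ACKs), reads deltas of real /proc/net/netstat TcpExt counters for host pressure, and alerts only when both sides agree. The flow records, addresses, counter values and the record layout (src, dst, service port, TCP flags) are constructed sample data and assumptions; only the counter names are real kernel names.

```python
"""Correlate SYN/ACK-flood indicators in flow telemetry with Linux TCP state pressure.

Added example for this page, not part of the ATT&CK object or Glexia's text.
Flow records and counter values are constructed; the record layout is an
assumption modelled on per-packet or sampled flow exports. Counter names are
real /proc/net/netstat TcpExt fields (as printed by nstat).
"""
from collections import Counter
from ipaddress import IPv4Address

SERVER = "203.0.113.10"           # constructed service address (TEST-NET-3)
PORT = 443
SYN, RST, ACK = 0x02, 0x04, 0x10  # standard TCP flag bits

# Real TcpExt counters that move when the SYN queue / accept queue is under pressure.
PRESSURE_COUNTERS = ("TcpExtListenDrops", "TcpExtListenOverflows",
                     "TcpExtSyncookiesSent", "TcpExtTCPReqQFullDrop")
HOST_QUIET = {name: 0 for name in PRESSURE_COUNTERS}        # constructed baseline deltas
HOST_FLOOD = {**HOST_QUIET, "TcpExtSyncookiesSent": 480}     # constructed: cookies engaged


def _client(n: int) -> str:
    return str(IPv4Address("198.51.100.0") + n)                       # constructed client


def _spoofed(n: int) -> str:
    return str(IPv4Address("100.64.0.0") + (n * 7919) % (1 << 22))    # scattered spoofed source


def handshake(src: str) -> list:
    """SYN, SYN-ACK, ACK: a legitimate client that completes the handshake."""
    return [(src, SERVER, PORT, SYN), (SERVER, src, PORT, SYN | ACK), (src, SERVER, PORT, ACK)]


def spoofed_syn(src: str) -> list:
    """Spoofed SYN: the server's SYN-ACK goes to an address that never answers."""
    return [(src, SERVER, PORT, SYN), (SERVER, src, PORT, SYN | ACK)]


def build_window(legit: int, spoofed: int = 0) -> list:
    """Constructed one-minute window of (src, dst, service_port, flags) records."""
    pkts = []
    for i in range(legit):
        pkts += handshake(_client(i))
    for i in range(spoofed):
        pkts += spoofed_syn(_spoofed(i))
    return pkts


def summarize(pkts: list, server: str = SERVER) -> dict:
    """Per-window SYN/ACK metrics for one protected server."""
    syn_by_src = Counter()
    synack = 0
    ack_srcs = set()
    for src, dst, _port, flags in pkts:
        if dst == server and flags & SYN and not flags & ACK:
            syn_by_src[src] += 1
        elif src == server and flags & SYN and flags & ACK:
            synack += 1
        elif dst == server and flags == ACK:
            ack_srcs.add(src)
    syn = sum(syn_by_src.values())
    completing = len(ack_srcs & set(syn_by_src))
    return {
        "syn": syn,
        "synack": synack,
        "unique_syn_sources": len(syn_by_src),
        # share of SYNs whose source also sent a pure ACK (third handshake step)
        "completion_ratio": completing / syn if syn else 1.0,
        # 1.0 = single-source flood; near 0 = dispersed (spoofed or botnet) sources
        "top_source_share": max(syn_by_src.values()) / syn if syn else 0.0,
        # pure ACKs from sources with no SYN in the window: ACK-flood candidate, but
        # connections that predate the window land here too, so use it for triage only
        "ack_without_syn_sources": len(ack_srcs - set(syn_by_src)),
    }


def evaluate(window, baseline, host, host_baseline,
             syn_multiplier=5.0, completion_floor=0.5) -> dict:
    """Alert only when the network anomaly and host TCP pressure coincide."""
    net, base = summarize(window), summarize(baseline)
    syn_surge = net["syn"] >= syn_multiplier * max(base["syn"], 1)
    # a legitimate demand spike still completes handshakes; a spoofed flood does not
    network_anomaly = syn_surge and net["completion_ratio"] < completion_floor
    deltas = {k: host.get(k, 0) - host_baseline.get(k, 0) for k in PRESSURE_COUNTERS}
    host_pressure = any(v > 0 for v in deltas.values())
    return {"syn_surge": syn_surge, "network_anomaly": network_anomaly,
            "host_pressure": host_pressure, "alert": network_anomaly and host_pressure,
            "metrics": net, "counter_deltas": deltas}


if __name__ == "__main__":
    baseline = build_window(legit=20)
    cases = {"spoofed SYN flood": (build_window(20, spoofed=500), HOST_FLOOD),
             "legitimate surge": (build_window(300), HOST_QUIET)}
    for name, (window, host) in cases.items():
        v = evaluate(window, baseline, host, HOST_QUIET)
        m = v["metrics"]
        print(f"{name}: alert={v['alert']} syn={m['syn']} "
              f"completion={m['completion_ratio']:.2f} top_share={m['top_source_share']:.3f}")
```

The legitimate-surge case is there deliberately: it trips the volume threshold (15x baseline SYNs) but every source completes its handshake and no kernel counter moves, so it produces no alert. Thresholds (5x baseline, 0.5 completion floor) are placeholders to be replaced by the local baselines the bullets describe.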

Mitigation priorities

  • Identify business-critical Linux services where TCP state exhaustion would affect operations and ensure ownership for resilience decisions.
  • Confirm upstream filtering, rate limiting, load balancing, and DDoS response options are available where appropriate for exposed services.
  • Harden operational readiness with runbooks covering triage, escalation, traffic evidence collection, and coordination with network or service providers.
  • Use capacity and resilience testing in controlled conditions to validate monitoring, alert thresholds, and response workflows without disrupting production.
  • Maintain evidence of telemetry coverage and response procedures for compliance and risk review, especially for services with availability obligations.

Analyst notes and limits

AN1013 is a detection analytic object for Linux describing spoofed SYN or ACK packet floods that may exhaust the OS TCP state table. No tactics, relationships, aliases, labels, or official detection text were supplied, so the defensible value is in mapping the behavior to availability monitoring, network/host telemetry validation, and incident readiness rather than asserting a specific rule or adversary pattern.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, affected products, cloud relevance, or guaranteed detection coverage. Local architecture, exposure, traffic baselines, and control evidence are required to determine material risk and detection quality.

Official MITRE ATT&CK definition

Analytic 1013

Flood of spoofed SYN or ACK packets causing exhaustion of OS TCP state table, potentially via user-space utilities or kernel-level DoS agents.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d54a5faaa97c1c1b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d54a5faaa97c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1013 (MITRE ATT&CK source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.