MITRE ATT&CK® Detection Strategy

DET0343: Direct Network Flood Detection across IaaS, Linux, Windows, and macOS


Enterprise | DET0343 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0343 is a detection strategy tied to Direct Network Flood behavior: high-volume traffic aimed at degrading or denying access to a service. For leaders, the practical issue is service availability. Even without detailed MITRE detection text, the relationship to T1498.001 makes this relevant to continuity planning, cloud and network resilience, SOC escalation, and incident response decision-making for Windows, Linux, macOS, and IaaS environments referenced by the related ATT&CK technique.

Executive priority

Treat this as an availability-risk validation item: can the organization quickly recognize abnormal traffic floods, determine which business service is affected, and coordinate network, cloud, SOC, and incident response actions before outage impact expands? Priority should be driven by business-critical internet-facing services, IaaS exposure, recovery objectives, and the quality of evidence available for audit, post-incident review, and resilience testing.

Technical view

Because the official detection field is not provided, defenders should map this strategy to telemetry that can reveal high-volume inbound or service-directed traffic associated with Direct Network Flood. SOC and detection engineering teams should validate visibility across network perimeter, cloud/IaaS networking, host network counters where available, and service availability monitoring. Detection logic should focus on material deviations in traffic volume, packet rate, connection attempts, protocol mix, and service degradation, while accounting for legitimate spikes such as product launches, backups, monitoring, vulnerability scanning, or load testing.

Likely telemetry

  • Network flow records and packet/traffic summaries
  • Firewall, load balancer, router, and gateway logs
  • Cloud/IaaS network telemetry such as flow logs and DDoS or traffic metrics where available
  • Host network interface counters and operating system logs for Windows, Linux, and macOS where relevant
  • Application and service availability metrics, latency, error rates, and saturation indicators

Detection direction

  • Validate that monitoring distinguishes normal traffic surges from flood-like anomalies against critical services.
  • Correlate traffic-volume alerts with application health, latency, error rates, and resource saturation to reduce false positives.
  • Confirm coverage for IaaS-hosted assets and not only on-premises network devices, since the related technique includes IaaS.
  • Tune thresholds by service criticality, expected seasonality, and known operational events such as load tests or marketing campaigns.
  • Ensure alerts identify the targeted service, destination asset, protocol, and time window so responders can make containment and escalation decisions quickly.
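As an added illustration (not Glexia or MITRE content), the following Python sketch applies the technical view and detection direction above to constructed per-minute flow summaries and service-health metrics: a per-service packet-rate baseline, suppression of known operational windows such as load tests, a protocol-shift indicator, and promotion to a flood alert only when service degradation coincides with the volume deviation. All names, thresholds and data values are assumptions.

```python
from collections import namedtuple
from statistics import mean, pstdev

# One row per minute per destination service, as a flow-log or load-balancer summary
# would provide; HealthMinute carries the service's availability metrics for the same minute.
FlowMinute = namedtuple("FlowMinute", "minute service proto pkts unique_src")
HealthMinute = namedtuple("HealthMinute", "minute service p95_ms err_rate")

# Constructed sample data (hypothetical values, not real telemetry): minutes 0-9 are a quiet
# baseline, minute 10 is an announced load test, minute 11 is a flood that degrades the service.
FLOWS = [FlowMinute(m, "web", "tcp/443", 20_000 + 500 * (m % 3), 400) for m in range(10)]
FLOWS += [FlowMinute(10, "web", "tcp/443", 180_000, 12),     # load test: few sources, healthy
          FlowMinute(11, "web", "udp/53", 900_000, 35_000)]  # flood: many sources, new protocol
HEALTH = [HealthMinute(m, "web", 120.0, 0.002) for m in range(11)]
HEALTH += [HealthMinute(11, "web", 4_800.0, 0.31)]           # saturated: latency and errors up
KNOWN_EVENTS = {("web", 10)}   # (service, minute) windows excluded as operational spikes

def baseline(flows, service, upto, known_events, min_points=5):
    """Mean/stddev of packet rate and the protocol set seen before minute `upto`."""
    prior = [f for f in flows if f.service == service and f.minute < upto
             and (f.service, f.minute) not in known_events]
    if len(prior) < min_points:
        return None                                   # not enough history to judge
    rates = [f.pkts for f in prior]
    return mean(rates), (pstdev(rates) or 1.0), {f.proto for f in prior}

def detect_floods(flows, health, known_events, z_min=6.0, lat_ms=1_000.0, err_max=0.05):
    """Flag volume deviations; rate them 'flood' only when the service is also degraded."""
    health_by = {(h.service, h.minute): h for h in health}
    alerts = []
    for f in flows:
        if (f.service, f.minute) in known_events:
            continue                                  # announced event, not a flood
        base = baseline(flows, f.service, f.minute, known_events)
        if base is None:
            continue
        mu, sigma, protos = base
        z = (f.pkts - mu) / sigma
        if z < z_min:
            continue                                  # within normal variation
        h = health_by.get((f.service, f.minute))
        degraded = h is not None and (h.p95_ms > lat_ms or h.err_rate > err_max)
        evidence = [f"pkts_z={z:.1f}", f"unique_src={f.unique_src}"]
        if f.proto not in protos:
            evidence.append(f"proto_shift={f.proto}")  # protocol never seen in baseline
        alerts.append({"service": f.service, "minute": f.minute, "proto": f.proto,
                       "severity": "flood" if degraded else "candidate",
                       "evidence": evidence})
    return alerts
```

Each alert names the targeted service, protocol and time window so responders can escalate; the same spike with a healthy service is reported as a "candidate" rather than a flood.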

Mitigation priorities

  • Prioritize inventory of business-critical externally reachable services and their network dependencies.
  • Ensure network, cloud, SOC, and incident response teams have documented escalation paths for suspected availability attacks.
  • Enable and retain the telemetry needed to prove traffic volume, affected assets, and business impact during an incident.
  • Use resilience controls appropriate to the environment, such as traffic filtering, rate limiting, load distribution, upstream provider coordination, and cloud/network DDoS protections where available.
  • Test detection and response through controlled availability scenarios without assuming that a single telemetry source will provide sufficient evidence.

Analyst notes and limits

This take is based on the DET0343 detection-strategy object and its relationship indicating it detects ATT&CK technique T1498.001, Direct Network Flood, under the impact tactic. The supplied object has no official description, no official detection text, and no direct platform list; platform context comes from the related technique and the detection strategy name.

MITRE did not supply detection logic, data sources, thresholds, procedures, or mitigations in the provided fields. Local architecture, cloud provider controls, baseline traffic patterns, and service criticality are required to turn this into deployable detection content. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Direct Network Flood Detection across IaaS, Linux, Windows, and macOS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1498.001
Name: Direct Network Flood (sub-technique)
Relationship / procedure: This object detects Direct Network Flood.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 7d33451a4a3fd42f...
Imported snapshots across ATT&CK releases (1)
Release: 19.1; Object version: 1.0; Status: Current bundle; Raw hash: 7d33451a4a3f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0343 (source URL on attack.mitre.org)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.