MITRE ATT&CK® Detection Strategy

DET0518: Behavioral Detection of T1498 – Network Denial of Service Across Platforms


Enterprise | DET0518 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0518 is a MITRE detection strategy for identifying behavior associated with T1498, Network Denial of Service. Its business relevance is availability: attacks that exhaust network bandwidth can disrupt websites, email, DNS, and web applications. For leaders, the key decision is whether the organization can recognize and respond to availability-impacting traffic patterns quickly enough to protect customer access, operations, and incident communications.

Executive priority

Treat this as an operational resilience and incident-readiness issue, not only a SOC alerting problem. Executives should ask whether critical internet-facing services have defined ownership, traffic baselines, escalation paths, and evidence that network and cloud teams can distinguish malicious volume-based disruption from legitimate demand spikes or outages. Because the ATT&CK detection object has no official detection text, priority should be on validating local telemetry and response procedures rather than assuming a prebuilt analytic provides coverage.

Technical view

This detection strategy is linked to T1498 under the Impact tactic and to Windows, Linux, macOS, and IaaS environments through the related technique. SOC and IR teams should validate whether they can observe abnormal traffic volume, connection patterns, protocol distribution, and service degradation affecting websites, email, DNS, or web applications. Detection engineering should focus on environment-specific baselines for critical services and correlation between network telemetry, infrastructure health, application availability, and cloud/IaaS metrics.

Likely telemetry

  • Network flow records and traffic volume metrics
  • Firewall, load balancer, proxy, and edge gateway logs
  • DNS service logs and query/response volume metrics
  • Web server and application access logs
  • Cloud/IaaS network, load balancing, and availability metrics where applicable

Detection direction

  • Confirm that telemetry covers the organization’s critical externally reachable services, including websites, email, DNS, and web-based applications.
  • Build or validate baselines for normal bandwidth, connection counts, request rates, geographic/source distribution, and protocol mix.
  • Correlate traffic anomalies with service degradation to avoid treating every volume spike as malicious.
  • Tune for known business events, marketing campaigns, backups, software updates, and other legitimate demand surges that may create false positives.
  • Validate visibility across IaaS and on-premises network paths; blind spots at CDN, ISP, cloud edge, or third-party managed infrastructure can materially reduce detection value.
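The technical view and detection direction above describe a procedure: build a baseline for a critical service, flag volume anomalies, correlate them with service degradation, and tune out known demand events. The script below is an added worked example of that triage logic and is not code from the page, from Glexia, or from MITRE. It runs over a constructed one-hour series of per-minute edge metrics (request count, distinct sources, p95 latency, error rate) for a hypothetical service; the field names, thresholds (z-score of 3, 2x baseline latency, 5 percent errors) and the campaign window are assumptions chosen for illustration.

```python
"""Baseline-and-correlate triage for availability telemetry (T1498 context).

Added example: all data below is constructed, and the thresholds are
illustrative choices, not values from MITRE or the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    ts: datetime            # one-minute bucket
    requests: int           # requests (or flows) seen at the edge in this minute
    unique_sources: int     # distinct client addresses in this minute
    p95_latency_ms: float   # service health signal from the load balancer
    error_rate: float       # fraction of 5xx/timeouts in this minute


def make_samples():
    """Constructed series: quiet traffic, a legitimate campaign spike (min 40-44),
    then a flood from few sources that degrades the service (min 52-59)."""
    t0 = datetime(2026, 1, 15, 12, 0)
    out = []
    for i in range(60):
        ts = t0 + timedelta(minutes=i)
        if 40 <= i < 45:    # campaign: more traffic, many sources, service healthy
            out.append(Sample(ts, 3000 + 50 * i, 2400, 180.0, 0.004))
        elif i >= 52:       # flood: huge volume, few sources, latency and errors up
            out.append(Sample(ts, 45000, 90, 2900.0, 0.31))
        else:               # normal minute with small jitter
            out.append(Sample(ts, 1000 + (i % 7) * 20, 800 + (i % 5) * 10, 120.0, 0.002))
    return out


@dataclass(frozen=True)
class Baseline:
    req_mean: float
    req_sd: float
    per_source_mean: float   # requests per distinct source in a normal minute
    latency_mean: float


def build_baseline(samples):
    """Summarise a known-quiet window into the numbers later minutes are judged against."""
    reqs = [s.requests for s in samples]
    per_src = [s.requests / max(s.unique_sources, 1) for s in samples]
    mu = mean(reqs)
    # Floor the deviation at 5% of the mean so a very flat baseline does not over-alert.
    sd = max(pstdev(reqs), 0.05 * mu)
    return Baseline(mu, sd, mean(per_src), mean([s.p95_latency_ms for s in samples]))


def in_known_event(ts, known_events):
    """known_events: iterable of (start, end, label) windows for scheduled demand surges."""
    return any(start <= ts < end for start, end, _ in known_events)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    verdict: str
    z_score: float
    concentration: float   # requests-per-source relative to baseline (high = few sources)
    degraded: bool


def triage(samples, baseline_minutes=30, known_events=(), z_threshold=3.0):
    """Classify each post-baseline minute. Only the combination of a volume anomaly
    and measured degradation is escalated; volume alone is treated as demand."""
    base = build_baseline(samples[:baseline_minutes])
    findings = []
    for s in samples[baseline_minutes:]:
        z = (s.requests - base.req_mean) / base.req_sd
        conc = (s.requests / max(s.unique_sources, 1)) / base.per_source_mean
        degraded = s.p95_latency_ms > 2 * base.latency_mean or s.error_rate > 0.05
        if z < z_threshold and not degraded:
            continue                                  # normal minute
        if degraded and z >= z_threshold:
            verdict = "escalate"                      # volume plus impact: availability incident
        elif degraded:
            verdict = "degraded_without_volume"       # outage or upstream fault, not a flood
        elif in_known_event(s.ts, known_events):
            verdict = "suppressed_known_event"        # scheduled surge, logged but not paged
        else:
            verdict = "demand_spike"                  # volume without impact: watch, do not page
        findings.append(Finding(s.ts, verdict, round(z, 1), round(conc, 1), degraded))
    return findings


if __name__ == "__main__":
    campaign = (datetime(2026, 1, 15, 12, 40), datetime(2026, 1, 15, 12, 45), "campaign")
    for f in triage(make_samples(), known_events=[campaign]):
        print(f.ts.strftime("%H:%M"), f.verdict, "z=%.1f" % f.z_score,
              "concentration=%.1fx" % f.concentration, "degraded=%s" % f.degraded)
```

Two design points follow the page's guidance. First, a known event window suppresses only volume-without-impact findings; degradation during a campaign is still escalated, because a capacity problem during legitimate demand is still an availability incident. Second, the source-concentration ratio is reported rather than used as a hard rule, since edge visibility gaps (CDN, ISP, cloud edge) can distort source counts; an analyst sees it as context next to the verdict.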

Mitigation priorities

  • Identify and rank critical services whose availability would create business, customer, or operational impact if disrupted.
  • Confirm monitoring and escalation procedures between SOC, network operations, cloud operations, and incident response teams.
  • Maintain documented response playbooks for availability-impacting network events, including communications and evidence preservation.
  • Review resilience controls for internet-facing services, such as traffic filtering, capacity planning, redundancy, and provider escalation paths, without assuming any single control guarantees protection.
  • Use tabletop or simulation exercises to validate decision-making, ownership, and audit evidence for availability incidents.

Analyst notes and limits

The supplied object is a detection strategy with no official description or official detection content. The strongest supported context comes from its relationship to T1498 Network Denial of Service, which is an Impact technique involving degradation or blocking of resource availability by exhausting network bandwidth. This take therefore emphasizes validation of telemetry, baselines, and response readiness rather than a specific MITRE-provided analytic.

Platforms and tactics are not specified on DET0518 itself; platform and tactic references are derived only from the related T1498 technique. No claims are made about active exploitation, attribution, prevalence, or guaranteed detection. Local architecture, service exposure, telemetry retention, and third-party provider visibility are required to determine actual coverage.

Official MITRE ATT&CK definition

Behavioral Detection of T1498 – Network Denial of Service Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                       Relationship / procedure
Enterprise  T1498  Network Denial of Service  This object detects Network Denial of Service.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 22dffe1f2041f18f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  22dffe1f2041…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0518

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.