T1498: Network Denial of Service
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.
Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
Analyst context for executives and security teams
Network Denial of Service is an availability attack: adversaries try to consume the network capacity that websites, email, DNS, web applications, cloud-hosted services, containers, and other systems depend on. For leaders, the key issue is not just “traffic volume,” but whether critical services can stay reachable, whether incident teams can distinguish outage from distraction, and whether network providers and internal teams have enough evidence to respond quickly.
Executive priority
Treat T1498 as a business continuity and resilience priority for externally reachable services and critical network dependencies. It can affect Windows, Linux, macOS, IaaS, and container environments, and ATT&CK notes use cases including political purposes, distraction, hacktivism, and extortion. Executives should ask which customer-facing or operational services have bandwidth, DNS, email, and web-application dependencies; who can authorize traffic filtering during an event; and what evidence is retained for audit, insurance, provider escalation, and post-incident review.
Technical view
This is an Impact technique focused on exhausting network bandwidth or dependent network devices. SOC, detection, and IR teams should validate behavioral detection for abnormal traffic volume, protocol mix, source distribution, and service unavailability across the supported platforms and hosting models. Relationship context points to Direct Network Flood and Reflection Amplification as sub-techniques, so defenders should distinguish direct high-volume floods from spoofed/reflected traffic where source-address filtering may be less effective. The related mitigation is Filter Network Traffic, emphasizing ingress/egress/lateral filtering and firewall rules, but local architecture and provider capabilities will determine practical response options.
Likely telemetry
- Network flow records such as NetFlow or equivalent traffic summaries
- Firewall, router, load balancer, and network appliance logs
- Cloud or IaaS network traffic metrics and security logs where applicable
- DNS, email, website, and web-application availability and access logs
- Bandwidth utilization, packet rate, protocol, port, and source distribution metrics
Detection direction
- Validate coverage against behavior rather than fixed source IP lists, because ATT&CK notes source spoofing and reflection can reduce the value of simple source-address filtering.
- Baseline normal bandwidth, packet rate, protocol, and geographic/source diversity for critical services so alerts can distinguish flash crowds or business events from suspicious floods.
- Tune detections separately for direct floods and reflection/amplification patterns, using the T1498.001 and T1498.002 relationship context.
- Correlate network-volume anomalies with application, DNS, email, and web availability telemetry to avoid treating a network DoS as only an infrastructure alert.
- Review DET0518 as the related detection strategy, but verify the actual data sources, thresholds, retention, and escalation workflow in the local environment because the ATT&CK object provides no official detection text.
Mitigation priorities
- Prioritize documented traffic-filtering procedures for public-facing services, aligned to M1037 Filter Network Traffic.
- Predefine ingress filtering, firewall, and network-appliance rule changes that can be safely applied during an availability incident.
- Confirm escalation paths with hosting, IaaS, network, DNS, and traffic-mitigation providers before an event occurs.
- Identify business-critical services whose bandwidth dependencies or upstream network devices represent single points of failure.
- Exercise IR decision-making for DoS scenarios, including when to preserve evidence, when to filter traffic, and when to communicate service-impact status to stakeholders.
Analyst notes and limits
The supplied ATT&CK relationships show known use by APT28 and software entries Lucifer and NKAbuse, and sub-techniques for Direct Network Flood and Reflection Amplification. These relationships are useful for threat-informed planning, but they do not by themselves prove activity in any specific environment. The practical defensive question is whether the organization can see traffic exhaustion early, coordinate filtering quickly, and maintain evidence during a service-availability incident.
MITRE provides no official detection text for this object in the supplied fields. The relationship to DET0518 indicates a detection strategy exists, but no detailed detection logic, data-source requirements, or thresholds are included here. Local network architecture, provider logging, service criticality, and normal traffic baselines are required to assess real coverage.
Network Denial of Service
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.
Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1498.002 | Reflection Amplification Sub-technique | Reflection Amplification subtechnique of this object. |
| Enterprise | T1498.001 | Direct Network Flood Sub-technique | Direct Network Flood subtechnique of this object. |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
S1107: NKAbuse
S0532: Lucifer
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | c23bd605460a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
FireEye OpPoisonedHandover February 2016
Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved November 17, 2024.
Open source URL -
[2]
FSISAC FraudNetDoS September 2012
FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved September 23, 2024.
Open source URL -
[3]
Symantec DDoS October 2014
Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.
Open source URL -
[4]
Cisco DoSdetectNetflow
Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.
Open source URL -
[5]
mitre-attack T1498Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.