Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1499.003: Application Exhaustion Flood

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.[1]

EnterpriseT1499.003Sub-techniqueObject v1.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Application Exhaustion Flood is a denial-of-service behavior where an adversary repeatedly drives expensive application functions until the application or host cannot serve legitimate users. For leaders, the issue is not just network volume; a relatively focused stream of requests against resource-heavy features can threaten availability of business-facing applications across Windows, Linux, macOS, and IaaS-hosted environments.

Executive priority

Prioritize this where application availability is tied to revenue, customer access, operational continuity, or compliance obligations. Executives should ask whether critical applications have identified resource-intensive functions, whether teams can distinguish abusive request patterns from legitimate demand spikes, and whether filtering decisions can be made quickly during an incident without blocking normal users.

Technical view

ATT&CK provides no official detection text for T1499.003, but relationship context identifies DET0415, Application Exhaustion Flood Detection Across Platforms, as a detection strategy. SOC and IR teams should validate monitoring around application request patterns, network flow behavior, and host or application resource exhaustion for public-facing and business-critical services on the listed platforms. Detection should focus on repeated access to expensive application features correlated with degraded availability, rather than only high aggregate bandwidth.

Likely telemetry

  • Application and web server access logs showing request paths, frequency, response codes, and client/source patterns
  • Network flow records such as NetFlow-style summaries for traffic volume, connection rates, and source distribution
  • Host and application performance metrics for CPU, memory, process/thread exhaustion, queue depth, and service responsiveness
  • IaaS network and instance metrics for exposed workloads where applicable
  • Firewall, load balancer, reverse proxy, or traffic filtering logs showing allowed, denied, or rate-limited requests

Detection direction

  • Validate whether DET0415-aligned analytics exist for application-layer exhaustion, not only volumetric network DoS.
  • Baseline normal request rates for resource-intensive application functions so alerting can separate abuse from legitimate seasonal or campaign-driven traffic.
  • Correlate request concentration against expensive features with resource saturation and user-facing availability degradation.
  • Tune for false positives from crawlers, integrations, monitoring tools, performance tests, and legitimate traffic surges.
  • Check blind spots where encrypted traffic, incomplete application logging, missing IaaS flow data, or unmanaged public-facing services prevent attribution of resource exhaustion to request behavior.

Mitigation priorities

  • Apply M1037 Filter Network Traffic where appropriate: use network appliances, endpoint software, firewall rules, and ingress filtering to restrict or block traffic matching predefined abusive conditions.
  • For public-facing servers, confirm firewall and filtering policies can limit traffic to authorized or expected sources where the business model allows it.
  • Prepare operational runbooks for rapid filtering or restriction decisions during availability incidents, including escalation paths and rollback criteria.
  • Use application and infrastructure telemetry to identify the specific features or services creating resource pressure before applying broad blocks that may harm legitimate users.
Analyst notes and limits

This is a sub-technique of T1499 Endpoint Denial of Service under the impact tactic. The supplied description specifically emphasizes resource-intensive application features and repeated requests that exhaust system resources. The strongest defensive value is validating application-aware visibility and response authority, because pure network-volume monitoring may miss targeted application exhaustion.

MITRE does not provide official detection content for this object in the supplied fields. The take is limited to the ATT&CK description, the listed platforms, the DET0415 detection-strategy relationship, M1037 mitigation relationship, and cited external references. Local application architecture, traffic baselines, and logging coverage are required to determine actual exposure or detection effectiveness.

Official MITRE ATT&CK definition

Application Exhaustion Flood

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1499 Endpoint Denial of Service This object subtechnique of Endpoint Denial of Service.
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1037: Filter Network Traffic Enterprise subtechnique of · Technique T1499: Endpoint Denial of Service Enterprise detects · Detection Strategy DET0415: Application Exhaustion Flood Detection Across Platforms Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1037: Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
e66b82e2d67797e9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle e66b82e2d677…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Arbor AnnualDoSreport Jan 2018

    Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.

    Open source URL
  2. [2]
    Cisco DoSdetectNetflow

    Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.

    Open source URL
  3. [3]
    mitre-attack T1499.003
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use