Direct Network Flood - T1498.001
(ATT&CK® Technique)
Definition
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. In a Direct Network Flood, one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well.
D3FEND Inferred Relationships
Direct Network Flood (T1498.001) creates the artifact Inbound Internet Network Traffic (d3f:InboundInternetNetworkTraffic).

Defensive techniques that analyze Inbound Internet Network Traffic and may detect Direct Network Flood:
- Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection)
- Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection)
- Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis)
- Client-server Payload Profiling (d3f:Client-serverPayloadProfiling)
- Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis)
- User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis)
- Inbound Session Volume Analysis (d3f:InboundSessionVolumeAnalysis)
- Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation)

Defensive techniques that filter Inbound Internet Network Traffic and may isolate Direct Network Flood:
- Network Traffic Filtering (d3f:NetworkTrafficFiltering)
- Inbound Traffic Filtering (d3f:InboundTrafficFiltering)