Detection coverage in DCV across AWS, Azure and GCP for Network Denial of Service, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and botnets.
Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
Platforms: Windows, IaaS, Linux, macOS, Containers.
DCV maps 18 detections across 3 cloud providers to T1498. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 8 | 0.63 |
| AWS GuardDuty | AWS | 5 | 0.95 |
| AWS Security Hub | AWS | 2 | 0.75 |
| Azure Policy | Azure | 1 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.85 |
| Microsoft Defender for Cloud | Azure | 1 | 0.90 |
CloudSigma ships 3 production-ready Sigma rules that detect T1498 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.
This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.
```yaml
title: AWS Network Denial of Service via ACL Modification
id: 3b68cb09-4e72-4afa-ab25-4f6c6d25e121
status: experimental
description: Detects modifications to network interface attributes and creation of network ACLs with deny-all rules that may indicate a network denial of service attack. Adversaries may disrupt network connectivity to cause impact.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1498/
  - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
tags:
  - attack.impact
  - attack.t1498
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: ec2.amazonaws.com
    # CloudTrail logs the ACL's creation under CreateNetworkAcl; the deny
    # entries themselves are written by a separate CreateNetworkAclEntry call,
    # which this selection does not include.
    eventName:
      - ModifyNetworkInterfaceAttribute
      - CreateNetworkAcl
  condition: selection
falsepositives:
  - Legitimate network configuration changes
  - Authorized network ACL creation for security zoning
level: medium
```
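As an added example (not CloudSigma's code), the rule's selection applied in Python to constructed CloudTrail records, with the allowlist-style suppression the tuning note above describes; the ARN, CIDR and sample records are assumed placeholders, not values from the page.

```python
import ipaddress
import json

# Selection from the Sigma rule on this page: eventSource must match and
# eventName must be one of the listed values (a Sigma list is an OR).
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": ["ModifyNetworkInterfaceAttribute", "CreateNetworkAcl"],
}

# Constructed tuning data (assumed values, not from the page): automation
# principals and source CIDRs that legitimately change network configuration.
KNOWN_AUTOMATION = {"arn:aws:iam::123456789012:role/terraform-apply"}
IP_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field matches the event (AND across fields)."""
    for field, expected in selection.items():
        allowed = expected if isinstance(expected, list) else [expected]
        if event.get(field) not in allowed:
            return False
    return True

def is_allowlisted(event: dict) -> bool:
    """Suppress known automation principals and allowlisted source addresses."""
    if event.get("userIdentity", {}).get("arn") in KNOWN_AUTOMATION:
        return True
    try:
        src = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return False  # AWS service principals log a DNS name, not an IP
    return any(src in net for net in IP_ALLOWLIST)

def triage(events: list) -> list:
    """Alerts are selection matches that the allowlist does not suppress."""
    return [e for e in events if matches_selection(e) and not is_allowlisted(e)]

# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAcl",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyNetworkInterfaceAttribute",
     "sourceIPAddress": "203.0.113.15", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform-apply"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```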