T1498 is denial-of-service against cloud-hosted services, ranging from volumetric flooding to application-layer attacks. DCV's gold-standard signal is GuardDuty's Backdoor:EC2/DenialOfService family: protocol-level detections for TCP, UDP, and DNS floods, with minimal false positives. The remediation template wires AWS Shield (Standard/Advanced) and ELB cross-zone failover; Azure DDoS Protection Standard is the equivalent preventive control. T1498 detection complements your edge mitigation; both layers are needed for cloud-native services.
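To show how the GuardDuty signal named above is consumed on the detection side, here is an added triage example (not DCV's or CloudSigma's code). It filters a batch of GuardDuty findings down to the Backdoor:EC2/DenialOfService family, drops anything below a severity floor, and groups the rest by affected instance. The sample findings are constructed and carry only the fields the code reads; the function names and the default severity floor are this example's own choices.

```python
import json

# Prefix shared by the GuardDuty finding family this page treats as the
# gold-standard T1498 signal (Backdoor:EC2/DenialOfService.Tcp, .Udp, .Dns, ...).
DOS_FAMILY_PREFIX = "Backdoor:EC2/DenialOfService."

# Constructed sample findings in the shape of GuardDuty's JSON export.
# Only the fields this triage step reads are present; all values are made up.
SAMPLE_FINDINGS = [
    {"type": "Backdoor:EC2/DenialOfService.Udp", "severity": 8.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example01"}},
     "service": {"count": 12}},
    {"type": "Backdoor:EC2/DenialOfService.Dns", "severity": 8.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example01"}},
     "service": {"count": 3}},
    # A different Backdoor finding: same prefix family, but not T1498.
    {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example02"}},
     "service": {"count": 1}},
    {"type": "Backdoor:EC2/DenialOfService.Tcp", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example03"}},
     "service": {"count": 40}},
]


def is_t1498_finding(finding):
    """True when the finding type belongs to the DenialOfService family."""
    return finding.get("type", "").startswith(DOS_FAMILY_PREFIX)


def dos_protocol(finding):
    """Variant suffix after the family prefix, e.g. '...DenialOfService.Udp' -> 'udp'."""
    return finding["type"][len(DOS_FAMILY_PREFIX):].lower()


def triage_t1498(findings, min_severity=4.0):
    """Group DoS-family findings by affected instance.

    Returns {instance_id: {"protocols": [...], "max_severity": float,
                           "occurrences": int}}; findings below min_severity
    and findings outside the family are ignored.
    """
    summary = {}
    for f in findings:
        if not is_t1498_finding(f) or f.get("severity", 0.0) < min_severity:
            continue
        instance = f["resource"]["instanceDetails"]["instanceId"]
        entry = summary.setdefault(
            instance, {"protocols": set(), "max_severity": 0.0, "occurrences": 0})
        entry["protocols"].add(dos_protocol(f))
        entry["max_severity"] = max(entry["max_severity"], f["severity"])
        # service.count is GuardDuty's per-finding occurrence counter
        entry["occurrences"] += f.get("service", {}).get("count", 1)
    for entry in summary.values():
        entry["protocols"] = sorted(entry["protocols"])
    return summary


def load_findings(ndjson_text):
    """Parse newline-delimited JSON findings, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for instance_id, info in triage_t1498(SAMPLE_FINDINGS).items():
        print(instance_id, info)
```

The prefix match is deliberate: a substring search for "DenialOfService" would also catch unrelated families, while an exact-type allowlist would miss new variants GuardDuty adds to the family. The per-instance grouping is what you hand to the remediation step (Shield, cross-zone failover) rather than the raw finding stream.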
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).
Several aspects of Network DoS attacks apply across multiple methods, including IP address spoofing and botnets.
Adversaries may use the real IP address of an attacking system, or spoof the source IP address to make the attack traffic harder to trace back to the attacking system or to enable reflection. Spoofing makes the attack harder to defend against because it reduces or eliminates the effectiveness of source-address filtering on network defense devices.
For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.
Platforms: Windows, IaaS, Linux, macOS, Containers.
DCV maps 18 detections across 3 cloud providers to T1498. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 8 | 0.63 |
| AWS GuardDuty | AWS | 5 | 0.95 |
| AWS Security Hub | AWS | 2 | 0.75 |
| Azure Policy | Azure | 1 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.85 |
| Microsoft Defender for Cloud | Azure | 1 | 0.90 |
CloudSigma has coverage metadata for 18 T1498 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the public embed bar. Until then, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 18 cloud-native detections to T1498 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, Azure Policy, GCP Chronicle and Microsoft Defender for Cloud.
T1498 belongs to the MITRE ATT&CK tactic TA0040 Impact, which covers how adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1498 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.