T1498.001 is volumetric denial of service: raw packet floods aimed at saturating bandwidth, the classic botnet barrage. Cloud accounts also become unwitting sources when their instances are hijacked into a flood. DCV covers both directions on AWS: GuardDuty's Backdoor:EC2/DenialOfService finding family catches workloads emitting UDP and TCP floods, while Config rules verifying Shield Advanced auto-renewal and Firewall Manager Shield policies confirm the absorption layer stays on. Source-side findings deserve incident response, not just an abuse-desk ticket.
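The two directions described above, as an added triage example that is not part of DCV or CloudSigma: sample events are constructed and simplified, and the only real identifiers used are the GuardDuty `Backdoor:EC2/DenialOfService.*` finding types and the AWS managed Config rules `shield-advanced-enabled-autorenew` and `fms-shield-resource-policy-check`.

```python
# Constructed sample events (not real findings); field layout is reduced to
# what the routing needs, not the full GuardDuty / Config schemas.
SAMPLE_EVENTS = [
    {"source": "guardduty", "type": "Backdoor:EC2/DenialOfService.Udp",
     "severity": 8.0, "instanceId": "i-0123456789abcdef0"},
    {"source": "guardduty", "type": "Backdoor:EC2/DenialOfService.Tcp",
     "severity": 8.0, "instanceId": "i-0aaaaaaaaaaaaaaaa"},
    {"source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "severity": 2.0, "instanceId": "i-0fedcba9876543210"},
    {"source": "config", "configRuleName": "shield-advanced-enabled-autorenew",
     "complianceType": "NON_COMPLIANT", "resourceId": "123456789012"},
    {"source": "config", "configRuleName": "fms-shield-resource-policy-check",
     "complianceType": "COMPLIANT", "resourceId": "fms-policy-example"},
]

# Config rules that attest the DDoS absorption layer is still in place.
SHIELD_RULES = {"shield-advanced-enabled-autorenew",
                "fms-shield-resource-policy-check"}

DOS_PREFIX = "Backdoor:EC2/DenialOfService."


def triage(event):
    """Return (direction, action) for a T1498.001-relevant event, else None.

    'source' means one of our instances is emitting a flood: open an incident,
    not an abuse ticket. 'target' means a protection control has lapsed.
    """
    if event["source"] == "guardduty":
        if not event["type"].startswith(DOS_PREFIX):
            return None  # other finding families are out of scope here
        protocol = event["type"][len(DOS_PREFIX):]  # e.g. "Udp", "Tcp"
        return ("source",
                f"open IR case: {event['instanceId']} emitting {protocol} "
                f"flood (isolate instance, snapshot for forensics, rotate creds)")
    if event["source"] == "config":
        if (event["configRuleName"] in SHIELD_RULES
                and event["complianceType"] == "NON_COMPLIANT"):
            return ("target",
                    f"absorption gap: {event['configRuleName']} NON_COMPLIANT "
                    f"on {event['resourceId']}")
        return None
    return None


def triage_all(events):
    """Route a batch of events, dropping those that need no action."""
    return [r for r in (triage(e) for e in events) if r is not None]
```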
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well.
Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.
Platforms: Windows, IaaS, Linux, macOS.
DCV maps 8 detections across 1 cloud provider to T1498.001. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 5 | 0.90 |
| AWS Config Rules | AWS | 3 | 0.85 |
CloudSigma has coverage metadata for 8 T1498.001 rules across 3 platforms. The linked platform page remains the canonical rule surface; no public example rule clears the embed bar for this page yet, so none is embedded here. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 8 cloud-native detections to T1498.001 across 1 cloud provider, drawn from AWS Config Rules and AWS GuardDuty.
T1498.001 is part of MITRE ATT&CK TA0040 Impact, the tactic covering how adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1498.001 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.