MITRE ATT&CK Technique
Description
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-20T15:31:43.613Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may target the different network services '
'provided by systems to conduct a denial of service (DoS). '
'Adversaries often target the availability of DNS and web '
'services, however others have been targeted as '
'well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server '
'software can be attacked through a variety of means, some of '
'which apply generally while others are specific to the '
'software being used to provide the service.\n'
'\n'
'One example of this type of attack is known as a simple HTTP '
'flood, where an adversary sends a large number of HTTP '
'requests to a web server to overwhelm it and/or an '
'application that runs on top of it. This flood relies on raw '
'volume to accomplish the objective, exhausting any of the '
'various resources required by the victim software to provide '
'the service.(Citation: Cloudflare HTTPflood)\n'
'\n'
'Another variation, known as a SSL renegotiation attack, takes '
'advantage of a protocol feature in SSL/TLS. The SSL/TLS '
'protocol suite includes mechanisms for the client and server '
'to agree on an encryption algorithm to use for subsequent '
'secure connections. If SSL renegotiation is enabled, a '
'request can be made for renegotiation of the crypto '
'algorithm. In a renegotiation attack, the adversary '
'establishes a SSL/TLS connection and then proceeds to make a '
'series of renegotiation requests. Because the cryptographic '
'renegotiation has a meaningful cost in computation cycles, '
'this can cause an impact to the availability of the service '
'when done in volume.(Citation: Arbor SSLDoS April 2012)',
'external_references': [{'external_id': 'T1499.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1499/002'},
{'description': 'ASERT Team, Netscout Arbor. (2012, '
'April 24). DDoS Attacks on SSL: '
'Something Old, Something New. '
'Retrieved April 22, 2019.',
'source_name': 'Arbor SSLDoS April 2012',
'url': 'https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new'},
{'description': 'Cisco. (n.d.). Detecting and '
'Analyzing Network Threats With '
'NetFlow. Retrieved April 25, 2019.',
'source_name': 'Cisco DoSdetectNetflow',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'},
{'description': 'Cloudflare. (n.d.). What is an HTTP '
'flood DDoS attack?. Retrieved April '
'22, 2019.',
'source_name': 'Cloudflare HTTPflood',
'url': 'https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/'},
{'description': 'Philippe Alcoy, Steinthor Bjarnason, '
'Paul Bowen, C.F. Chui, Kirill '
'Kasavchnko, and Gary Sockrider of '
'Netscout Arbor. (2018, January). '
'Insight into the Global Threat '
"Landscape - Netscout Arbor's 13th "
'Annual Worldwide Infrastructure '
'Security Report. Retrieved April 22, '
'2019.',
'source_name': 'Arbor AnnualDoSreport Jan 2018',
'url': 'https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf'}],
'id': 'attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:48:39.609Z',
'name': 'Service Exhaustion Flood',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'IaaS', 'Linux', 'macOS'],
'x_mitre_version': '1.4'}