MITRE ATT&CK Technique
Description
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-20T15:27:18.581Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may launch a denial of service (DoS) attack '
"targeting an endpoint's operating system (OS). A system's OS "
'is responsible for managing the finite resources as well as '
'preventing the entire system from being overwhelmed by '
'excessive demands on its capacity. These attacks do not need '
'to exhaust the actual resources on a system; the attacks may '
'simply exhaust the limits and available resources that an OS '
'self-imposes.\n'
'\n'
'Different ways to achieve this exist, including TCP '
'state-exhaustion attacks such as SYN floods and ACK '
'floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN '
'floods, excessive amounts of SYN packets are sent, but the '
'3-way TCP handshake is never completed. Because each OS has a '
'maximum number of concurrent TCP connections that it will '
'allow, this can quickly exhaust the ability of the system to '
'receive new requests for TCP connections, thus preventing '
'access to any TCP service provided by the server.(Citation: '
'Cloudflare SynFlood)\n'
'\n'
'ACK floods leverage the stateful nature of the TCP protocol. '
'A flood of ACK packets are sent to the target. This forces '
'the OS to search its state table for a related TCP connection '
'that has already been established. Because the ACK packets '
'are for connections that do not exist, the OS will have to '
'search the entire state table to confirm that no match '
'exists. When it is necessary to do this for a large flood of '
'packets, the computational requirements can cause the server '
'to become sluggish and/or unresponsive, due to the work it '
'must do to eliminate the rogue ACK packets. This greatly '
'reduces the resources available for providing the targeted '
'service.(Citation: Corero SYN-ACKflood)',
'external_references': [{'external_id': 'T1499.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1499/001'},
{'description': 'Cisco. (n.d.). Detecting and '
'Analyzing Network Threats With '
'NetFlow. Retrieved April 25, 2019.',
'source_name': 'Cisco DoSdetectNetflow',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'},
{'description': 'Cloudflare. (n.d.). What is a SYN '
'flood attack?. Retrieved April 22, '
'2019.',
'source_name': 'Cloudflare SynFlood',
'url': 'https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/'},
{'description': 'Corero. (n.d.). What is a SYN-ACK '
'Flood Attack?. Retrieved November '
'17, 2024.',
'source_name': 'Corero SYN-ACKflood',
'url': 'https://web.archive.org/web/20220119104451/https://www.corero.com/resource-hub/syn-ack-flood-attack/'},
{'description': 'Philippe Alcoy, Steinthor Bjarnason, '
'Paul Bowen, C.F. Chui, Kirill '
'Kasavchnko, and Gary Sockrider of '
'Netscout Arbor. (2018, January). '
'Insight into the Global Threat '
"Landscape - Netscout Arbor's 13th "
'Annual Worldwide Infrastructure '
'Security Report. Retrieved April 22, '
'2019.',
'source_name': 'Arbor AnnualDoSreport Jan 2018',
'url': 'https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf'}],
'id': 'attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:48:23.935Z',
'name': 'OS Exhaustion Flood',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}