MITRE ATT&CK Technique
Description
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-04-17T20:23:15.105Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may perform Network Denial of Service (DoS) '
'attacks to degrade or block the availability of targeted '
'resources to users. Network DoS can be performed by '
'exhausting the network bandwidth services rely on. Example '
'resources include specific websites, email services, DNS, and '
'web-based applications. Adversaries have been observed '
'conducting network DoS attacks for political '
'purposes(Citation: FireEye OpPoisonedHandover February 2016) '
'and to support other malicious activities, including '
'distraction(Citation: FSISAC FraudNetDoS September 2012), '
'hacktivism, and extortion.(Citation: Symantec DDoS October '
'2014)\n'
'\n'
'A Network DoS will occur when the bandwidth capacity of the '
'network connection to a system is exhausted due to the volume '
'of malicious traffic directed at the resource or the network '
'connections and network devices the resource relies on. For '
'example, an adversary may send 10Gbps of traffic to a server '
'that is hosted by a network with a 1Gbps connection to the '
'internet. This traffic can be generated by a single system or '
'multiple systems spread across the internet, which is '
'commonly referred to as a distributed DoS (DDoS).\n'
'\n'
'To perform Network DoS attacks several aspects apply to '
'multiple methods, including IP address spoofing, and '
'botnets.\n'
'\n'
'Adversaries may use the original IP address of an attacking '
'system, or spoof the source IP address to make the attack '
'traffic more difficult to trace back to the attacking system '
'or to enable reflection. This can increase the difficulty '
'defenders have in defending against the attack by reducing or '
'eliminating the effectiveness of filtering by the source '
'address on network defense devices.\n'
'\n'
'For DoS attacks targeting the hosting system directly, see '
'[Endpoint Denial of '
'Service](https://attack.mitre.org/techniques/T1499).',
'external_references': [{'external_id': 'T1498',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1498'},
{'description': 'Cisco. (n.d.). Detecting and '
'Analyzing Network Threats With '
'NetFlow. Retrieved April 25, 2019.',
'source_name': 'Cisco DoSdetectNetflow',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'},
{'description': 'FS-ISAC. (2012, September 17). Fraud '
'Alert – Cyber Criminals Targeting '
'Financial Institution Employee '
'Credentials to Conduct Wire Transfer '
'Fraud. Retrieved September 23, 2024.',
'source_name': 'FSISAC FraudNetDoS September 2012',
'url': 'https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf'},
{'description': 'Ned Moran, Mike Scott, Mike '
'Oppenheim of FireEye. (2014, '
'November 3). Operation Poisoned '
'Handover: Unveiling Ties Between APT '
'Activity in Hong Kong’s '
'Pro-Democracy Movement. Retrieved '
'November 17, 2024.',
'source_name': 'FireEye OpPoisonedHandover February '
'2016',
'url': 'https://web.archive.org/web/20201127180357/https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html'},
{'description': 'Wueest, C.. (2014, October 21). The '
'continued rise of DDoS attacks. '
'Retrieved April 24, 2019.',
'source_name': 'Symantec DDoS October 2014',
'url': 'https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf'}],
'id': 'attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:49:28.162Z',
'name': 'Network Denial of Service',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Yossi Weizman, Azure Defender Research Team',
'Vishwas Manral, McAfee'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers'],
'x_mitre_version': '1.2'}