Detect Direct Network Flood in Splunk
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Direct Network Floods use one or more systems to send high-volume network packets toward the targeted service or network. Any network protocol may be used — stateless protocols such as UDP and ICMP are common due to their low overhead, but TCP SYN floods are also prevalent. Botnets are frequently leveraged to amplify attack volume, with compromised endpoints acting as unwitting flood sources. Organizations may detect this technique either as a victim observing inbound traffic spikes, or by identifying compromised endpoints in their environment participating in an outbound DDoS campaign as botnet nodes.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1498 Network Denial of Service
- Sub-technique
- T1498.001 Direct Network Flood
- Canonical reference
- https://attack.mitre.org/techniques/T1498/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval image_lower=lower(Image)
| eval cmdline_lower=lower(CommandLine)
| eval FloodToolMatch=if(
match(image_lower, "(hping|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|t50)") OR
match(cmdline_lower, "(hping|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood)"), 1, 0)
| eval FloodArgMatch=if(
match(cmdline_lower, "(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|-c\s+[0-9]{6,}|--count\s+[0-9]{6,}|--faster|--turbo|--rate\s+[0-9]{5,})"), 1, 0)
| eval SuspicionScore=FloodToolMatch + FloodArgMatch
| where SuspicionScore > 0
| eval SuspicionLevel=case(
FloodToolMatch=1 AND FloodArgMatch=1, "Critical",
FloodToolMatch=1, "High",
FloodArgMatch=1, "Medium",
true(), "Low")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, FloodToolMatch, FloodArgMatch, SuspicionScore, SuspicionLevel
| sort - _timeDetects Direct Network Flood tool execution using Sysmon Event ID 1 (Process Creation). Evaluates both the process image path and command line against known DDoS tool names and flood-specific arguments. Assigns a cumulative SuspicionScore: 1 for tool name match only, 1 for flood arguments only, 2 for both (Critical). A SuspicionScore of 2 with known tool name plus flood arguments is a high-confidence indicator of malicious flood activity with no common legitimate explanation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Load testing tools (Apache Bench, wrk, hey, vegeta, k6) run by QA engineers or DevOps against authorized test targets
- Network performance benchmarking tools (iperf, iperf3, netperf) used by infrastructure teams to validate bandwidth
- Security scanners using aggressive timing (nmap -T5, masscan) run by authorized vulnerability management programs
- Authorized penetration testers or red team operators conducting DDoS simulation exercises with documented change tickets
- Academic or research environments where flood tools are used for legitimate network research or coursework
Other platforms for T1498.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1UDP Flood with hping3 to Localhost
Expected signal: Linux auditd: syscall execve for hping3 with argv containing '--udp', '--flood', '-p 53', '127.0.0.1'. Sysmon for Linux (if deployed): Process execution event with Image=hping3 and full CommandLine. Network metrics: High-volume UDP packet rate on loopback interface visible in netstat -s and /proc/net/udp. The -c 10000 flag limits total packets to prevent resource exhaustion.
- Test 2PowerShell UDP Packet Burst to Localhost
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'UdpClient', 'Send', 'Loopback'. Sysmon Event ID 3: High-frequency network connection events to 127.0.0.1:53 — this will generate thousands of Event ID 3 records in the Sysmon log. PowerShell ScriptBlock Log Event ID 4104 with full script content if ScriptBlock logging is enabled.
- Test 3ICMP Flood with ping -f to Localhost
Expected signal: Linux auditd: syscall execve for ping with argv '-f', '-c', '10000', '127.0.0.1'. Process execution in syslog or Sysmon for Linux. Output shows packet statistics: '10000 packets transmitted, 10000 received, 0% packet loss'. Network metrics show ICMP packet rate spike on loopback interface visible via /proc/net/snmp ICMP counters.
- Test 4LOIC Flood Tool Binary Staging and Execution Simulation
Expected signal: Sysmon Event ID 11: File Create event for %TEMP%\loic.exe — triggers the file-staging hunting query on flood tool binary name. Sysmon Event ID 1: Process Create for loic.exe with CommandLine '--method udp --target 127.0.0.1 --port 80 --threads 10'. Security Event ID 4688 (if command-line auditing enabled) with same process details. Sysmon Event ID 7: Image Load events showing DLLs loaded by the loic.exe process.
References (8)
- https://attack.mitre.org/techniques/T1498/001/
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1498.001/T1498.001.md
- https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1498.001 including response playbook, investigation guide, and atomic red team tests.