T1499.001 IBM QRadar · QRadar

Detect OS Exhaustion Flood in IBM QRadar

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.001 OS Exhaustion Flood
Canonical reference
https://attack.mitre.org/techniques/T1499/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
// OS Exhaustion Flood — SYN/ACK floods, TCP state exhaustion via IBM QRadar AQL
// Branch 1: Syslog kernel flood indicators and conntrack exhaustion
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(endtime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SourceIP,
  destinationip AS TargetIP,
  destinationport AS TargetPort,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER(UTF8(payload)) MATCHES '.*syn flood.*|.*syn attack.*|.*synflood.*|.*request_sock_tcp.*|.*sending cookies.*' THEN 'SYN Flood'
    WHEN LOWER(UTF8(payload)) MATCHES '.*ack flood.*|.*ack attack.*|.*ackflood.*' THEN 'ACK Flood'
    WHEN LOWER(UTF8(payload)) MATCHES '.*nf_conntrack.*table full.*|.*ip_conntrack.*table full.*|.*connection table full.*' THEN 'ConnTrack Table Full'
    WHEN LOWER(UTF8(payload)) MATCHES '.*half.open.*exceed.*|.*tcp.*exhaust.*' THEN 'TCP State Exhaustion'
    WHEN LOWER(UTF8(payload)) MATCHES '.*tcp.*orphaned.*' THEN 'TCP Orphaned Socket Exhaustion'
    ELSE 'OS Exhaustion Flood'
  END AS AttackType,
  COUNT(*) AS AlertCount
FROM events
WHERE
  starttime > NOW() - 3600000
  AND (
    (
      devicetype IN (SELECT id FROM device_type_definition WHERE name LIKE '%Syslog%')
      AND (
        LOWER(UTF8(payload)) MATCHES '.*possible syn flooding.*'
        OR LOWER(UTF8(payload)) MATCHES '.*tcp: request_sock_tcp.*'
        OR LOWER(UTF8(payload)) MATCHES '.*sending cookies.*'
        OR LOWER(UTF8(payload)) MATCHES '.*nf_conntrack.*table full.*'
        OR LOWER(UTF8(payload)) MATCHES '.*ip_conntrack.*table full.*'
        OR LOWER(UTF8(payload)) MATCHES '.*tcp.*orphaned.*'
        OR LOWER(UTF8(payload)) MATCHES '.*possible syn attack.*'
      )
    )
    OR
    (
      category IN (
        SELECT id FROM categories WHERE name LIKE '%Denial of Service%'
          OR name LIKE '%Flood%'
          OR name LIKE '%SYN%'
      )
      OR QIDNAME(qid) ILIKE '%syn flood%'
      OR QIDNAME(qid) ILIKE '%ack flood%'
      OR QIDNAME(qid) ILIKE '%tcp flood%'
      OR QIDNAME(qid) ILIKE '%tcp exhaustion%'
      OR QIDNAME(qid) ILIKE '%connection table%'
      OR LOWER(UTF8(payload)) MATCHES '.*(syn.flood|ack.flood|tcp.flood|tcp.exhaust|half.open|synflood|dos.*tcp|ddos.*tcp).*'
    )
  )
GROUP BY
  sourceip, destinationip, destinationport, logsourceid, category, qid
HAVING AlertCount >= 3
ORDER BY AlertCount DESC
high severity medium confidence

Detects OS exhaustion flood attacks (SYN floods, ACK floods, TCP conntrack table exhaustion) by querying QRadar events for Linux kernel syslog flood messages and network device DoS/flood category events. Correlates across source IP, target IP, and port with a minimum alert threshold to suppress noise.

Data Sources

Linux syslog (kern facility) via QRadar Syslog DSMCisco ASA DSMPalo Alto Networks DSMJuniper Networks DSMFortinet FortiGate DSMCheck Point FireWall-1 DSMGeneric Firewall / IDS / IPS DSMs

Required Tables

events

False Positives & Tuning

  • Security scanners and vulnerability assessment tools (Nessus, Qualys) performing TCP port scans against internal assets may generate half-open connection log entries resembling SYN flood indicators
  • Cloud load balancers performing health checks at high frequency against backend servers can trigger connection table threshold alerts on under-provisioned hosts
  • Legitimate traffic spikes during marketing events or product launches may cause transient conntrack table exhaustion on VMs with default nf_conntrack limits
Download portable Sigma rule (.yml)

Other platforms for T1499.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1hping3 SYN Flood Against Local Test Port

    Expected signal: Linux kernel ring buffer (dmesg): 'TCP: Possible SYN flooding on port 9999. Sending cookies.' if tcp_syncookies=1. Syslog facility=kern messages with same content routed to /var/log/kern.log and forwarded to SIEM. 'ss -tan state syn-recv' shows multiple SYN_RECV entries for the test port. /proc/net/netstat field TcpExtTCPReqQFullDoCookies increments for each SYN cookie issued.

  2. Test 2Python Scapy SYN Flood Simulation

    Expected signal: Linux kernel: 'TCP: Possible SYN flooding on port 80. Sending cookies.' in dmesg and kern.log. /proc/net/netstat TcpExtTCPReqQFullDoCookies increments. If Sysmon for Linux is deployed: network events for the scapy process with multiple outbound connections. Packet capture shows SYN packets with randomized source IPs and no corresponding ACK completions.

  3. Test 3PowerShell TCP Half-Open Connection Flood (Windows)

    Expected signal: Windows System Event Log Event ID 4227 ('TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts') if connection limit is hit. Sysmon Event ID 3 (Network Connection) showing many connections from powershell.exe to 127.0.0.1:445. Windows Performance counter TCPv4\Connection Failures increases. netstat output shows many ESTABLISHED or SYN_SENT connections from powershell.exe.

  4. Test 4nf_conntrack Table Exhaustion Simulation (Linux)

    Expected signal: Linux kernel ring buffer (dmesg): 'nf_conntrack: table full, dropping packet' — the exact message generated during real TCP flood attacks that exhaust the connection tracking table. This message is forwarded to syslog as facility=kern and typically appears in /var/log/kern.log. SIEM receives it via syslog forwarding. /proc/sys/net/netfilter/nf_conntrack_count shows the table is full.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1499.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.002Service Exhaustion FloodT1499.003Application Exhaustion FloodT1499.004Application or System Exploitation

Related Techniques

T1499Endpoint Denial of ServiceT1499.002Service Exhaustion FloodT1499.003Application Exhaustion FloodT1498.001Direct Network FloodT1498.002Reflection AmplificationT1489Service StopT1562.004Disable or Modify System FirewallT1046Network Service DiscoveryT1583.005Botnet

Same Tactic: Impact

Popular Detections