T1499.001 Microsoft Sentinel · KQL

Detect OS Exhaustion Flood in Microsoft Sentinel

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.001 OS Exhaustion Flood
Canonical reference
https://attack.mitre.org/techniques/T1499/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect OS Exhaustion Flood — SYN floods, ACK floods, TCP state exhaustion
// Branch 1: Network security device alerts via CommonSecurityLog (Firewall, IDS, IPS)
let FloodSignatures = dynamic([
    "syn flood", "ack flood", "tcp flood", "tcp state exhaustion",
    "half-open", "connection table full", "syn attack", "synflood",
    "tcp exhaustion", "possible syn flooding", "syn cookie",
    "incomplete handshake", "dos tcp", "ddos tcp"
]);
let NWSAlerts = CommonSecurityLog
| where TimeGenerated > ago(1h)
| where Activity has_any (FloodSignatures)
    or Message has_any (FloodSignatures)
    or DeviceEventClassID has_any ("DOS", "DDOS", "FLOOD", "SYN_ATTACK", "TCP_EXHAUST")
| extend AttackType = case(
    Activity has_any ("syn flood", "syn attack", "synflood") or Message has_any ("syn flood", "syn attack"),
        "SYN Flood",
    Activity has_any ("ack flood") or Message has_any ("ack flood"),
        "ACK Flood",
    Activity has_any ("tcp flood", "tcp exhaustion") or Message has_any ("tcp exhaustion", "tcp flood"),
        "TCP State Exhaustion",
    Message has_any ("half-open", "connection table full"),
        "Half-Open Queue Exhaustion",
    "OS Exhaustion Flood"
)
| extend TargetAsset = coalesce(DestinationHostName, DestinationIP, "Unknown")
| extend SourceLabel = "network-device"
| summarize
    AlertCount = count(),
    UniqueSourceIPs = dcount(SourceIP),
    SourceIPSample = make_set(SourceIP, 10),
    TargetPorts = make_set(DestinationPort, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AttackTypes = make_set(AttackType, 5)
  by TargetAsset, DeviceVendor, DeviceProduct, SourceLabel
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend IsDDoS = iff(UniqueSourceIPs > 10, true, false)
| project FirstSeen, LastSeen, DurationMinutes, TargetAsset, AttackTypes,
    AlertCount, UniqueSourceIPs, SourceIPSample, TargetPorts,
    IsDDoS, DeviceVendor, DeviceProduct, SourceLabel;
// Branch 2: Linux kernel TCP SYN flood and conntrack table exhaustion via Syslog
let KernelAlerts = Syslog
| where TimeGenerated > ago(1h)
| where Facility == "kern"
| where SyslogMessage has_any (
    "TCP: request_sock_TCP:",
    "Possible SYN flooding on port",
    "sending cookies",
    "TCP: drop open request from",
    "nf_conntrack: table full, dropping packet",
    "ip_conntrack: table full, dropping packet",
    "possible SYN attack",
    "TCP: too many of orphaned sockets"
)
| extend AttackType = case(
    SyslogMessage has_any ("SYN flooding", "SYN attack", "sending cookies", "request_sock_TCP"),
        "SYN Flood - Linux Kernel Alert",
    SyslogMessage has_any ("nf_conntrack", "ip_conntrack"),
        "Connection Tracking Table Full",
    SyslogMessage has "orphaned sockets",
        "TCP Orphaned Socket Exhaustion",
    "TCP State Exhaustion - Linux Kernel"
)
| summarize
    AlertCount = count(),
    UniqueSourceIPs = int(0),
    SourceIPSample = dynamic([]),
    TargetPorts = dynamic([]),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AttackTypes = make_set(AttackType, 5)
  by TargetAsset = Computer, DeviceVendor = "Linux", DeviceProduct = "Kernel TCP Stack",
     SourceLabel = "linux-kernel"
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend IsDDoS = false
| project FirstSeen, LastSeen, DurationMinutes, TargetAsset, AttackTypes,
    AlertCount, UniqueSourceIPs, SourceIPSample, TargetPorts,
    IsDDoS, DeviceVendor, DeviceProduct, SourceLabel;
NWSAlerts
| union KernelAlerts
| where AlertCount >= 3
| sort by AlertCount desc
high severity medium confidence

Detects OS Exhaustion Flood attacks using two complementary branches unified into a single result set. Branch 1 queries CommonSecurityLog for alerts from network security devices (firewalls, IDS/IPS) reporting SYN floods, ACK floods, TCP state exhaustion, and related DoS signatures — covering vendors including Cisco, Palo Alto, Fortinet, CheckPoint, and Juniper. Branch 2 queries Linux kernel Syslog messages for TCP SYN flood kernel warnings including SYN cookie activation ('sending cookies'), kernel-level SYN attack detection, nf_conntrack/ip_conntrack table overflow, and TCP orphaned socket exhaustion. Results are aggregated by target asset and attack type. Requires 3+ alerts to reduce noise from transient spikes.

Data Sources

Network Traffic: Network Traffic FlowNetwork Traffic: Network Traffic ContentSensor Health: Host StatusCommonSecurityLog from network devices (Firewall, IDS, IPS)Syslog from Linux kernel

Required Tables

CommonSecurityLogSyslog

False Positives & Tuning

  • Legitimate high-traffic web servers receiving organic traffic spikes from CDN edge nodes, load testing campaigns, or major product launches can trigger connection count thresholds in IPS/IDS signatures
  • Network security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7, nmap) performing broad TCP port scans may generate SYN flood-like signatures on IPS/IDS devices when run at high rates
  • Cloud auto-scaling events and health check storms from load balancers (AWS ELB, Azure Application Gateway) can produce connection bursts that resemble early-stage floods from the perspective of perimeter devices
  • Misconfigured network monitoring tools performing high-frequency TCP keepalive probes may trigger half-open connection alerts on target systems
  • Software bugs causing TCP connection leaks or aggressive retry storms in microservices can mimic flood patterns, especially triggering Linux kernel nf_conntrack table full warnings in high-throughput environments
Download portable Sigma rule (.yml)

Other platforms for T1499.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1hping3 SYN Flood Against Local Test Port

    Expected signal: Linux kernel ring buffer (dmesg): 'TCP: Possible SYN flooding on port 9999. Sending cookies.' if tcp_syncookies=1. Syslog facility=kern messages with same content routed to /var/log/kern.log and forwarded to SIEM. 'ss -tan state syn-recv' shows multiple SYN_RECV entries for the test port. /proc/net/netstat field TcpExtTCPReqQFullDoCookies increments for each SYN cookie issued.

  2. Test 2Python Scapy SYN Flood Simulation

    Expected signal: Linux kernel: 'TCP: Possible SYN flooding on port 80. Sending cookies.' in dmesg and kern.log. /proc/net/netstat TcpExtTCPReqQFullDoCookies increments. If Sysmon for Linux is deployed: network events for the scapy process with multiple outbound connections. Packet capture shows SYN packets with randomized source IPs and no corresponding ACK completions.

  3. Test 3PowerShell TCP Half-Open Connection Flood (Windows)

    Expected signal: Windows System Event Log Event ID 4227 ('TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts') if connection limit is hit. Sysmon Event ID 3 (Network Connection) showing many connections from powershell.exe to 127.0.0.1:445. Windows Performance counter TCPv4\Connection Failures increases. netstat output shows many ESTABLISHED or SYN_SENT connections from powershell.exe.

  4. Test 4nf_conntrack Table Exhaustion Simulation (Linux)

    Expected signal: Linux kernel ring buffer (dmesg): 'nf_conntrack: table full, dropping packet' — the exact message generated during real TCP flood attacks that exhaust the connection tracking table. This message is forwarded to syslog as facility=kern and typically appears in /var/log/kern.log. SIEM receives it via syslog forwarding. /proc/sys/net/netfilter/nf_conntrack_count shows the table is full.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1499.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.002Service Exhaustion FloodT1499.003Application Exhaustion FloodT1499.004Application or System Exploitation

Related Techniques

T1499Endpoint Denial of ServiceT1499.002Service Exhaustion FloodT1499.003Application Exhaustion FloodT1498.001Direct Network FloodT1498.002Reflection AmplificationT1489Service StopT1562.004Disable or Modify System FirewallT1046Network Service DiscoveryT1583.005Botnet

Same Tactic: Impact

Popular Detections