T1499.001 Splunk · SPL

Detect OS Exhaustion Flood in Splunk

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.

MITRE ATT&CK

Tactic: Impact
Technique: T1499 Endpoint Denial of Service
Sub-technique: T1499.001 OS Exhaustion Flood
Canonical reference: https://attack.mitre.org/techniques/T1499/001/

SPL Detection Query

Splunk (SPL)
``` Detect OS Exhaustion Flood via syslog kernel messages and network device alerts ```
``` Branch 1: Linux kernel SYN flood and connection tracking exhaustion ```
(index=linux_logs OR index=syslog OR index=os) sourcetype=syslog facility=kern
| eval message=lower(_raw)
| eval SYNFloodKernel=if(match(message, "(possible syn flooding|tcp: request_sock_tcp|sending cookies|tcp: drop open request|possible syn attack|syn attack)"), 1, 0)
| eval ConnTrackFull=if(match(message, "(nf_conntrack.*table full|ip_conntrack.*table full|connection tracking.*full)"), 1, 0)
| eval OrphanedSockets=if(match(message, "(tcp.*orphaned|orphaned sockets.*exceeded)"), 1, 0)
| eval SuspicionScore=SYNFloodKernel + ConnTrackFull + OrphanedSockets
| where SuspicionScore > 0
| eval AttackType=case(
    SYNFloodKernel=1, "SYN Flood - Linux Kernel Alert",
    ConnTrackFull=1, "Connection Tracking Table Full",
    OrphanedSockets=1, "TCP Orphaned Socket Exhaustion",
    true(), "OS TCP Exhaustion"
  )
| eval DataSource="linux-kernel"
| table _time, host, AttackType, DataSource, _raw, SYNFloodKernel, ConnTrackFull, OrphanedSockets, SuspicionScore
``` Branch 2 runs as an append subsearch, so the default subsearch limits (10,000 results, 60 seconds) apply to it ```
| append [
    ``` Branch 2: Network device flood detection (Cisco ASA, Palo Alto, Juniper, CheckPoint, Fortinet) ```
    search (index=network OR index=firewall OR index=ids OR index=ips)
        (sourcetype=cisco:asa OR sourcetype="pan:threat" OR sourcetype="pan:traffic"
         OR sourcetype=juniper:junos OR sourcetype=checkpoint:syslog
         OR sourcetype=fortigate_traffic OR sourcetype=syslog)
    | eval message=lower(_raw)
    | eval SYNFloodNW=if(match(message, "(syn flood|syn attack|synflood|syn-flood|half-open.*exceed)"), 1, 0)
    | eval ACKFloodNW=if(match(message, "(ack flood|ack attack|ackflood|ack-flood)"), 1, 0)
    | eval TCPExhaustionNW=if(match(message, "(tcp.*exhaust|tcp.*state.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp|tcp.*half.open)"), 1, 0)
    | eval SuspicionScore=SYNFloodNW + ACKFloodNW + TCPExhaustionNW
    | where SuspicionScore > 0
    | eval AttackType=case(
        SYNFloodNW=1 AND ACKFloodNW=0, "SYN Flood - Network Device Alert",
        ACKFloodNW=1 AND SYNFloodNW=0, "ACK Flood - Network Device Alert",
        SYNFloodNW=1 AND ACKFloodNW=1, "Combined SYN/ACK Flood",
        TCPExhaustionNW=1, "TCP State Exhaustion - Network Device Alert",
        true(), "OS Exhaustion Flood"
      )
    | eval DataSource="network-device"
    | table _time, host, AttackType, DataSource, _raw, SYNFloodNW, ACKFloodNW, TCPExhaustionNW, SuspicionScore
]
``` Aggregate both branches per host; the AlertCount threshold suppresses single transient events ```
| stats count as AlertCount, values(AttackType) as AttackTypes, max(SuspicionScore) as MaxScore,
    earliest(_time) as FirstSeen, latest(_time) as LastSeen
  by host, DataSource
| where AlertCount >= 3
| eval DurationSeconds=LastSeen - FirstSeen
| table FirstSeen, LastSeen, DurationSeconds, host, AttackTypes, AlertCount, MaxScore, DataSource
| sort - AlertCount
Severity: high · Confidence: medium

Detects OS Exhaustion Flood attacks via two appended branches aggregated by host. Branch 1 searches Linux kernel syslog messages for TCP SYN flood warnings including SYN cookie activation ('sending cookies'), kernel-level SYN attack detection, nf_conntrack/ip_conntrack connection tracking table overflow messages, and TCP orphaned socket exhaustion. Branch 2 queries network device logs across common sourcetypes (Cisco ASA, Palo Alto Networks threat/traffic, Juniper, CheckPoint, Fortinet) for SYN flood, ACK flood, combined flood, and TCP state exhaustion keywords. Results are aggregated per host with a minimum of 3 alerts to suppress single transient events. The SuspicionScore field enables prioritization of events with multiple confirming indicators.

Data Sources

  • Network Traffic: Network Traffic Flow
  • Network Traffic: Network Traffic Content
  • Linux syslog kernel messages
  • Network device logs (firewall, IPS, IDS)

Required Sourcetypes

  • syslog
  • cisco:asa
  • pan:threat
  • juniper:junos
  • checkpoint:syslog
  • fortigate_traffic

False Positives & Tuning

  • Legitimate high-traffic web servers receiving organic traffic spikes from CDN edge nodes, load testing campaigns, or major product launches can trigger connection count thresholds in IPS/IDS signatures
  • Network security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7, nmap) performing broad TCP port scans at high rates generate SYN flood-like signatures on perimeter network devices
  • Cloud auto-scaling events and health check storms from load balancers can produce connection bursts that resemble early-stage floods, especially triggering Linux kernel nf_conntrack table full warnings
  • Misconfigured network monitoring tools performing high-frequency TCP keepalive probes may trigger half-open connection alerts and SYN flood signatures on IDS/IPS devices
  • Software-level TCP connection leaks or aggressive retry loops in microservices can mimic OS-level flood conditions, generating identical kernel log messages without an external attacker

Testing Methodology

Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: hping3 SYN Flood Against Local Test Port

    Expected signal: Linux kernel ring buffer (dmesg): 'TCP: Possible SYN flooding on port 9999. Sending cookies.' if tcp_syncookies=1. Syslog facility=kern messages with same content routed to /var/log/kern.log and forwarded to SIEM. 'ss -tan state syn-recv' shows multiple SYN_RECV entries for the test port. /proc/net/netstat field TcpExtTCPReqQFullDoCookies increments for each SYN cookie issued.

  2. Test 2: Python Scapy SYN Flood Simulation

    Expected signal: Linux kernel: 'TCP: Possible SYN flooding on port 80. Sending cookies.' in dmesg and kern.log. /proc/net/netstat TcpExtTCPReqQFullDoCookies increments. If Sysmon for Linux is deployed: network events for the scapy process with multiple outbound connections. Packet capture shows SYN packets with randomized source IPs and no corresponding ACK completions.

  3. Test 3: PowerShell TCP Half-Open Connection Flood (Windows)

    Expected signal: Windows System Event Log Event ID 4227 ('TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts') if connection limit is hit. Sysmon Event ID 3 (Network Connection) showing many connections from powershell.exe to 127.0.0.1:445. Windows Performance counter TCPv4\Connection Failures increases. netstat output shows many ESTABLISHED or SYN_SENT connections from powershell.exe.

  4. Test 4: nf_conntrack Table Exhaustion Simulation (Linux)

    Expected signal: Linux kernel ring buffer (dmesg): 'nf_conntrack: table full, dropping packet' — the exact message generated during real TCP flood attacks that exhaust the connection tracking table. This message is forwarded to syslog as facility=kern and typically appears in /var/log/kern.log. SIEM receives it via syslog forwarding. /proc/sys/net/netfilter/nf_conntrack_count shows the table is full.
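To check the SPL query's scoring, labelling and per-host threshold offline against the kernel messages Tests 1 and 4 expect, the following Python re-implements both branches and the stats tail over constructed log lines. It is an added example, not code from this page or its detection package; the hosts, timestamps and firewall messages are constructed sample data, and the regexes are copied from the query's eval statements.

```python
import re
from collections import defaultdict
KERNEL_PATTERNS = {  # regexes copied from the SPL evals; raw text is lowercased first, as lower(_raw) does
    "SYN Flood - Linux Kernel Alert": r"possible syn flooding|tcp: request_sock_tcp|sending cookies|tcp: drop open request|possible syn attack|syn attack",
    "Connection Tracking Table Full": r"nf_conntrack.*table full|ip_conntrack.*table full|connection tracking.*full",
    "TCP Orphaned Socket Exhaustion": r"tcp.*orphaned|orphaned sockets.*exceeded",
}
NETWORK_PATTERNS = {
    "SYN Flood - Network Device Alert": r"syn flood|syn attack|synflood|syn-flood|half-open.*exceed",
    "ACK Flood - Network Device Alert": r"ack flood|ack attack|ackflood|ack-flood",
    "TCP State Exhaustion - Network Device Alert": r"tcp.*exhaust|tcp.*state.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp|tcp.*half.open",
}

def score_event(raw, data_source):
    """Return (SuspicionScore, AttackType) for one raw line, mirroring the per-branch eval/case logic."""
    patterns = KERNEL_PATTERNS if data_source == "linux-kernel" else NETWORK_PATTERNS
    hits = [label for label, rx in patterns.items() if re.search(rx, raw.lower())]
    if not hits:
        return 0, None
    if {"SYN Flood - Network Device Alert", "ACK Flood - Network Device Alert"} <= set(hits):
        return len(hits), "Combined SYN/ACK Flood"  # branch 2: SYNFloodNW=1 AND ACKFloodNW=1
    return len(hits), hits[0]  # case() yields the first matching label

def aggregate(events, min_alerts=3):  # events are (epoch_seconds, host, data_source, raw)
    groups = defaultdict(list)
    for ts, host, src, raw in events:
        score, attack_type = score_event(raw, src)
        if score > 0:  # where SuspicionScore > 0
            groups[(host, src)].append((ts, score, attack_type))
    rows = []
    for (host, src), hits in groups.items():
        if len(hits) < min_alerts:  # where AlertCount >= 3 drops single transient events
            continue
        first, last = min(h[0] for h in hits), max(h[0] for h in hits)
        rows.append({"host": host, "DataSource": src, "AlertCount": len(hits),
                     "AttackTypes": sorted({h[2] for h in hits}), "MaxScore": max(h[1] for h in hits),
                     "FirstSeen": first, "LastSeen": last, "DurationSeconds": last - first})
    return sorted(rows, key=lambda r: r["AlertCount"], reverse=True)  # sort - AlertCount

# Constructed sample telemetry, not real captures; the kernel lines are the expected signals of Tests 1 and 4.
SAMPLE_EVENTS = [
    (1000, "web01", "linux-kernel", "kernel: TCP: Possible SYN flooding on port 9999. Sending cookies."),
    (1020, "web01", "linux-kernel", "kernel: nf_conntrack: table full, dropping packet"),
    (1030, "web01", "linux-kernel", "kernel: TCP: too many orphaned sockets"),
    (1100, "db01", "linux-kernel", "kernel: nf_conntrack: table full, dropping packet"),  # lone event, suppressed
    (1200, "fw01", "network-device", "threat: SYN flood detected from 198.51.100.7 to 192.0.2.10:443"),
    (1210, "fw01", "network-device", "threat: TCP SYN flood and ACK flood against 192.0.2.10:443"),
    (1215, "fw01", "network-device", "threat: tcp state table exhaustion, dropping new sessions"),
    (1220, "fw01", "network-device", "traffic: session allowed tcp 198.51.100.8:51022 -> 192.0.2.10:443"),
]
```

Feeding it lines from a scanner run or a load test (see False Positives & Tuning) is a quick way to see which regexes a benign burst trips before adjusting the threshold.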
