Detect OS Exhaustion Flood in Sumo Logic CSE
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1499 Endpoint Denial of Service
- Sub-technique: T1499.001 OS Exhaustion Flood
- Canonical reference: https://attack.mitre.org/techniques/T1499/001/
Sumo Detection Query
// OS Exhaustion Flood — SYN/ACK floods, TCP state exhaustion via Sumo Logic
// Sumo Logic has no union operator, so both branches share one scope and are told apart by DataSource
((_sourceCategory=linux/syslog OR _sourceCategory=os/linux OR _sourceCategory=syslog) AND facility=kern)
OR (_sourceCategory=network/firewall OR _sourceCategory=network/ids OR _sourceCategory=network/ips OR _sourceCategory=network/cisco OR _sourceCategory=network/paloalto)
| if(_sourceCategory matches "network/*", "network-device", "linux-kernel") as DataSource
// Branch 1: Linux kernel syslog flood and conntrack messages (nodrop keeps rows with no kernel match)
| parse regex "(?<kernel_msg>(?:TCP: request_sock_TCP|Possible SYN flooding|sending cookies|TCP: drop open request|nf_conntrack.*table full|ip_conntrack.*table full|possible SYN attack|TCP.*orphaned).*)" nodrop
// Branch 2: Network device flood alerts (firewall, IDS, IPS)
| toLowerCase(_raw) as msg_lower
| if(msg_lower matches /syn.flood|syn.attack|synflood|half.open.*exceed/, 1, 0) as SYNFlood
| if(msg_lower matches /ack.flood|ack.attack|ackflood/, 1, 0) as ACKFlood
| if(msg_lower matches /tcp.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp/, 1, 0) as TCPExhaust
| where (DataSource = "linux-kernel" and !isNull(kernel_msg)) or (DataSource = "network-device" and SYNFlood + ACKFlood + TCPExhaust > 0)
| if(DataSource = "linux-kernel",
    if(kernel_msg matches /(?i)syn.flood|syn.attack|request_sock_tcp|sending cookies/, "SYN Flood - Linux Kernel",
    if(kernel_msg matches /(?i)nf_conntrack.*table full|ip_conntrack.*table full/, "ConnTrack Table Full",
    if(kernel_msg matches /(?i)orphaned/, "TCP Orphaned Socket Exhaustion", "TCP State Exhaustion - Linux"))),
    if(SYNFlood=1 and ACKFlood=0, "SYN Flood - Network Device",
    if(ACKFlood=1 and SYNFlood=0, "ACK Flood - Network Device",
    if(SYNFlood=1 and ACKFlood=1, "Combined SYN/ACK Flood",
    if(TCPExhaust=1, "TCP State Exhaustion - Network Device", "OS Exhaustion Flood"))))) as AttackType
// Aggregate both branches together
| count as AlertCount, values(AttackType) as AttackTypes by _sourceHost, DataSource
| where AlertCount >= 3
| sort by AlertCount desc

Detects OS exhaustion flood attacks by parsing Linux kernel syslog messages indicating SYN cookie activation, conntrack table exhaustion, and orphaned socket overflow, combined with network device alerts for SYN/ACK/TCP flood signatures. Results are grouped by host and data source with a minimum alert count threshold.
False Positives & Tuning
- Containerized applications using host networking on low-memory nodes may intermittently exhaust nf_conntrack tables during normal high-concurrency workloads, producing kernel log entries without an active attack
- Internal red team or penetration testing exercises using hping3 or nmap SYN scan modes against authorized targets will match SYN flood signatures
- Network monitoring systems (SNMP pollers, Zabbix agents) performing frequent TCP checks against many hosts simultaneously can generate half-open connection patterns on intermediate firewalls
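To reason about the query's classification and threshold offline, the following Python reproduces its two branches and the per-host AlertCount >= 3 aggregation over constructed sample log lines; this is an added example, not the page's or Sumo Logic's code, and the allowlist parameter is an assumed tuning knob for the authorized-scanner and monitoring-host false positives listed above.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (host, DataSource, message); not real logs.
SAMPLE_LOGS = [
    ("web01", "linux-kernel", "TCP: request_sock_TCP: Possible SYN flooding on port 443. Sending cookies."),
    ("web01", "linux-kernel", "TCP: request_sock_TCP: Possible SYN flooding on port 443. Sending cookies."),
    ("web01", "linux-kernel", "nf_conntrack: table full, dropping packet"),
    ("k8s-node3", "linux-kernel", "nf_conntrack: table full, dropping packet"),  # one hit: stays below threshold
    ("fw-edge", "network-device", "THREAT: SYN flood protection triggered on zone untrust"),
    ("fw-edge", "network-device", "THREAT: ACK flood protection triggered on zone untrust"),
    ("fw-edge", "network-device", "TCP connection table full, new sessions dropped"),
]

# Branch 1 patterns, taken from the query's parse regex and its AttackType cases.
KERNEL_RE = re.compile(r"TCP: request_sock_TCP|Possible SYN flooding|sending cookies|TCP: drop open request|nf_conntrack.*table full|ip_conntrack.*table full|possible SYN attack|TCP.*orphaned")
KERNEL_TYPES = [
    (r"syn.flood|syn.attack|request_sock_tcp|sending cookies", "SYN Flood - Linux Kernel"),
    (r"nf_conntrack.*table full|ip_conntrack.*table full", "ConnTrack Table Full"),
    (r"orphaned", "TCP Orphaned Socket Exhaustion"),
]

def classify_kernel(msg):
    """Return the AttackType for a kernel syslog line, or None when it is not a flood indicator."""
    if not KERNEL_RE.search(msg):
        return None
    return next((label for pat, label in KERNEL_TYPES if re.search(pat, msg, re.I)), "TCP State Exhaustion - Linux")

def classify_network(msg):
    """Branch 2: flag SYN/ACK/TCP-exhaustion keywords in a lower-cased firewall or IDS alert."""
    low = msg.lower()
    syn = re.search(r"syn.flood|syn.attack|synflood|half.open.*exceed", low) is not None
    ack = re.search(r"ack.flood|ack.attack|ackflood", low) is not None
    tcp = re.search(r"tcp.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp", low) is not None
    if syn and ack:
        return "Combined SYN/ACK Flood"
    if syn or ack:
        return "SYN Flood - Network Device" if syn else "ACK Flood - Network Device"
    return "TCP State Exhaustion - Network Device" if tcp else None

def aggregate(records, min_alerts=3, allowlist=frozenset()):  # allowlist: assumed tuning knob for known benign hosts
    """Group by host and DataSource like the query's count/values step and apply the AlertCount threshold."""
    groups = defaultdict(list)
    for host, source, msg in records:
        attack = classify_kernel(msg) if source == "linux-kernel" else classify_network(msg)
        if host not in allowlist and attack is not None:
            groups[(host, source)].append(attack)
    alerts = [(h, s, len(a), sorted(set(a))) for (h, s), a in groups.items() if len(a) >= min_alerts]
    return sorted(alerts, key=lambda a: -a[2])  # AlertCount desc, like the query's sort
```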
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: hping3 SYN Flood Against Local Test Port
Expected signal: Linux kernel ring buffer (dmesg): 'TCP: Possible SYN flooding on port 9999. Sending cookies.' if tcp_syncookies=1. Syslog facility=kern messages with same content routed to /var/log/kern.log and forwarded to SIEM. 'ss -tan state syn-recv' shows multiple SYN_RECV entries for the test port. /proc/net/netstat field TcpExtTCPReqQFullDoCookies increments for each SYN cookie issued.
- Test 2: Python Scapy SYN Flood Simulation
Expected signal: Linux kernel: 'TCP: Possible SYN flooding on port 80. Sending cookies.' in dmesg and kern.log. /proc/net/netstat TcpExtTCPReqQFullDoCookies increments. If Sysmon for Linux is deployed: network events for the scapy process with multiple outbound connections. Packet capture shows SYN packets with randomized source IPs and no corresponding ACK completions.
- Test 3: PowerShell TCP Half-Open Connection Flood (Windows)
Expected signal: Windows System Event Log Event ID 4227 ('TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts') if connection limit is hit. Sysmon Event ID 3 (Network Connection) showing many connections from powershell.exe to 127.0.0.1:445. Windows Performance counter TCPv4\Connection Failures increases. netstat output shows many ESTABLISHED or SYN_SENT connections from powershell.exe.
- Test 4: nf_conntrack Table Exhaustion Simulation (Linux)
Expected signal: Linux kernel ring buffer (dmesg): 'nf_conntrack: table full, dropping packet' — the exact message generated during real TCP flood attacks that exhaust the connection tracking table. This message is forwarded to syslog as facility=kern and typically appears in /var/log/kern.log. SIEM receives it via syslog forwarding. /proc/sys/net/netfilter/nf_conntrack_count shows the table is full.
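Tests 1, 2 and 4 expect kernel counters to move (TcpExtTCPReqQFullDoCookies, nf_conntrack_count); this added Python helper, not part of the page or of Atomic Red Team, diffs two /proc/net/netstat snapshots taken before and after a test so the expected signal can be confirmed on the host. The snapshots below are constructed and trimmed to a few columns.

```python
# Constructed before/after snapshots in /proc/net/netstat's paired header/value layout
# (the real file has many more columns; these are trimmed samples, not captured output).
NETSTAT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 0 0 0 0 0 0
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 48213
"""
NETSTAT_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 812 3 1 0 0 812 0
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 51990
"""

def parse_proc_netstat(text):
    """Return {section: {counter: value}} from /proc/net/netstat (or /proc/net/snmp) text.
    Each section is a header line followed by a value line carrying the same 'Name:' prefix."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    result = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        if header[0] != values[0]:
            raise ValueError(f"header/value mismatch: {header[0]} vs {values[0]}")
        result[header[0].rstrip(":")] = dict(zip(header[1:], map(int, values[1:])))
    return result

def counter_delta(before_text, after_text, section="TcpExt"):
    """Counters in `section` that changed between two snapshots (e.g. before and after a test run)."""
    before = parse_proc_netstat(before_text)[section]
    after = parse_proc_netstat(after_text)[section]
    return {k: after[k] - before.get(k, 0) for k in after if after[k] != before.get(k, 0)}

def syncookies_triggered(before_text, after_text):
    """True when the backlog overflowed and the kernel answered with SYN cookies (Test 1/2 signal)."""
    return counter_delta(before_text, after_text).get("TCPReqQFullDoCookies", 0) > 0

def conntrack_utilization(count_text, max_text):
    """Fraction of the conntrack table in use, from the contents of nf_conntrack_count and
    nf_conntrack_max; 1.0 is the 'nf_conntrack: table full, dropping packet' condition (Test 4)."""
    maximum = int(max_text.strip())
    if maximum <= 0:
        raise ValueError("nf_conntrack_max must be positive")
    return int(count_text.strip()) / maximum
```

On a Linux host the same functions accept `open("/proc/net/netstat").read()` and the contents of the two sysctl files under /proc/sys/net/netfilter/.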
References (8)
- https://attack.mitre.org/techniques/T1499/001/
- https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
- https://web.archive.org/web/20220119104451/https://www.corero.com/resource-hub/syn-ack-flood-attack/
- https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
- https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.001/T1499.001.md