Detect Service Exhaustion Flood in Google Chronicle
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting the resources (worker threads, connection slots, backend CPU and database capacity) required to provide the service. An SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS up to TLS 1.2 (TLS 1.3 removed renegotiation) where the adversary establishes a connection and then proceeds to make a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation, which falls disproportionately on the server's private-key operations, to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1499 Endpoint Denial of Service
- Sub-technique: T1499.002 Service Exhaustion Flood
- Canonical reference: https://attack.mitre.org/techniques/T1499/002/
YARA-L Detection Query
rule t1499_002_service_exhaustion_flood_http {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1499.002 Service Exhaustion Flood: HTTP flood attacks characterized by high request volume from a single source IP against a web server over a 5-minute window. Covers single-resource floods, simple floods, and service degradation patterns."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-19"
    platforms = "Windows, Linux, GCP, AWS"

  events:
    // Web access log events — HTTP requests
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
    $e.target.hostname != ""

    // Capture fields for aggregation
    $src_ip = $e.principal.ip
    $target_host = $e.target.hostname
    $status_code = $e.network.http.response_code
    $uri = $e.target.url

  match:
    $src_ip, $target_host over 5m

  outcome:
    $total_requests = count($e.metadata.id)
    $unique_uris = count_distinct($uri)
    $status_5xx_count = sum(if($status_code >= 500, 1, 0))
    $status_429_count = sum(if($status_code = 429, 1, 0))
    $requests_per_second = math.round(count($e.metadata.id) / 300.0, 2)
    $flood_type = if(
      count_distinct($uri) = 1 and count($e.metadata.id) > 500,
      "Single-Resource HTTP Flood",
      if(
        count($e.metadata.id) > 1000 and sum(if($status_code >= 500, 1, 0)) > 100,
        "Service Degradation via HTTP Flood",
        "HTTP Request Flood"
      )
    )
    $risk_score = if(
      count($e.metadata.id) > 2000 or sum(if($status_code >= 500, 1, 0)) > 500, 95,
      if(
        count($e.metadata.id) > 1000 or sum(if($status_code >= 500, 1, 0)) > 200, 75,
        55
      )
    )

  condition:
    #e > 500 or $status_5xx_count > 100
}
rule t1499_002_service_exhaustion_flood_network_alerts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1499.002 Service Exhaustion Flood via network security alerts (firewall, IDS/IPS) reporting flood, DoS, SSL renegotiation, or connection exhaustion events from a single source."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-19"

  events:
    // Network security device alerts (parenthesised so the "or" does not bleed into the
    // implicitly and-ed predicates that follow)
    (
      $alert.metadata.event_type = "NETWORK_CONNECTION" or
      $alert.metadata.event_type = "GENERIC_EVENT"
    )
    $alert.metadata.product_event_type != ""

    // Match flood/DoS related signatures. These are unanchored substring matches
    // ("dos" also hits "Kudos", "Windows"-style product names are safe); tighten with
    // word boundaries if a vendor's alert names collide.
    (
      re.regex($alert.metadata.description, `(?i)(flood|denial.of.service|ssl.renegotiation|connection.limit|http.flood|dos.attack|rate.limit)`) or
      re.regex($alert.metadata.product_event_type, `(?i)(flood|dos|renegotiation|conn.limit|syn.flood)`) or
      re.regex($alert.security_result.summary, `(?i)(flood|denial|dos|renegotiation|exhaustion)`)
    )

    // High or critical severity network alerts only
    (
      $alert.security_result.severity = "HIGH" or
      $alert.security_result.severity = "CRITICAL"
    )

    $src_ip = $alert.principal.ip
    $dst_ip = $alert.target.ip
    $alert_name = $alert.security_result.summary

  match:
    $src_ip, $dst_ip over 5m

  outcome:
    $alert_count = count($alert.metadata.id)
    $unique_ports = count_distinct($alert.target.port)
    $flood_type = concat("Network_Alert: ", array_first(array_distinct($alert_name)))
    $risk_score = 85

  condition:
    #alert > 5
}

Two Chronicle YARA-L 2.0 rules detecting T1499.002 Service Exhaustion Flood. Rule 1 (t1499_002_service_exhaustion_flood_http) aggregates NETWORK_HTTP events over 5-minute match windows and fires when a single source IP generates more than 500 requests, or more than 100 5xx responses, against a single host. It labels each hit as a Single-Resource HTTP Flood, a Service Degradation via HTTP Flood, or a generic HTTP Request Flood and assigns a risk score of 55, 75 or 95 from request and 5xx volume. Note that $uri is target.url, which includes the query string as ingested, so a flood of one endpoint with varying query parameters (as in Test 4 below) is labelled a generic HTTP Request Flood rather than Single-Resource; strip the query string in the parser or compare on the path if that distinction matters. Rule 2 (t1499_002_service_exhaustion_flood_network_alerts) catches firewall/IDS/IPS alerts with flood/DoS/SSL-renegotiation signatures at HIGH or CRITICAL severity, grouping by source-destination pair over 5 minutes and firing after more than 5 such alerts. Rule 1 only sees traffic whose access logs are parsed into NETWORK_HTTP; SSL renegotiation floods never produce HTTP requests and are covered only by rule 2.
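The following is an added example, not part of the original page or of Chronicle: it re-implements the outcome and condition logic of both rules in plain Python so that the thresholds, the classification ladder and a tuning exclusion can be replayed against exported access logs or IDS alerts before the rules go live. The HttpEvent fields are the UDM fields the rules read; the user-agent allowlist is an assumed tuning knob that the original rule does not have; fixed 5-minute buckets approximate Chronicle's hopping match window; and every sample event at the bottom is constructed.

```python
"""Offline emulation of the two YARA-L rules above (added example, not Chronicle code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300  # the rules' "over 5m" match window


@dataclass(frozen=True)
class HttpEvent:
    ts: int               # event timestamp, epoch seconds
    src_ip: str           # principal.ip
    target_host: str      # target.hostname
    url: str              # target.url as ingested (path plus query string)
    status: int           # network.http.response_code
    user_agent: str = ""  # network.http.user_agent, read only by the assumed allowlist


def evaluate_http_flood(events, allowlist_ua_prefixes=()):
    """Mirror of rule 1: group by (principal.ip, target.hostname) per fixed
    5-minute bucket (an approximation of Chronicle's hopping window) and
    return the rule's outcome variables for every group that meets its condition."""
    buckets = defaultdict(list)
    for e in events:
        if not e.src_ip or not e.target_host:  # the two != "" event filters
            continue
        if any(e.user_agent.startswith(p) for p in allowlist_ua_prefixes):
            continue  # assumed tuning exclusion for health-check probes
        buckets[(e.src_ip, e.target_host, e.ts // WINDOW_SECONDS)].append(e)

    detections = {}
    for (src, host, _bucket), evs in buckets.items():
        total = len(evs)
        unique_uris = len({e.url for e in evs})  # target.url, so query strings count
        c5xx = sum(1 for e in evs if e.status >= 500)
        c429 = sum(1 for e in evs if e.status == 429)
        if not (total > 500 or c5xx > 100):      # condition: #e > 500 or $status_5xx_count > 100
            continue
        if unique_uris == 1 and total > 500:
            flood_type = "Single-Resource HTTP Flood"
        elif total > 1000 and c5xx > 100:
            flood_type = "Service Degradation via HTTP Flood"
        else:
            flood_type = "HTTP Request Flood"
        if total > 2000 or c5xx > 500:
            risk = 95
        elif total > 1000 or c5xx > 200:
            risk = 75
        else:
            risk = 55
        detections[(src, host)] = {
            "total_requests": total, "unique_uris": unique_uris,
            "status_5xx_count": c5xx, "status_429_count": c429,
            "requests_per_second": round(total / 300.0, 2),
            "flood_type": flood_type, "risk_score": risk,
        }
    return detections


# Rule 2's three signature regexes, copied verbatim; this RE2 subset is also valid Python.
ALERT_PATTERNS = (
    ("description", re.compile(r"(?i)(flood|denial.of.service|ssl.renegotiation|connection.limit|http.flood|dos.attack|rate.limit)")),
    ("product_event_type", re.compile(r"(?i)(flood|dos|renegotiation|conn.limit|syn.flood)")),
    ("summary", re.compile(r"(?i)(flood|denial|dos|renegotiation|exhaustion)")),
)


def alert_matches_rule2(alert: dict) -> bool:
    """Mirror of rule 2's per-event filter; the `#alert > 5` count over 5 minutes is left to the caller."""
    if not alert.get("product_event_type"):
        return False
    if alert.get("severity") not in ("HIGH", "CRITICAL"):
        return False
    return any(p.search(alert.get(field, "")) for field, p in ALERT_PATTERNS)


# Constructed sample traffic. BASE is a multiple of 300 so BASE + (i % 300) stays in one bucket.
BASE = 1_700_000_400
SAMPLE_EVENTS = (
    [HttpEvent(BASE + i % 300, "203.0.113.10", "www.example.com", "/", 200, "curl/8.0")
     for i in range(600)]                                      # single-resource flood
    + [HttpEvent(BASE + i % 300, "198.51.100.7", "www.example.com", f"/search?q={i}",
                 503 if i % 5 == 0 else 200, "python-requests/2.31")
       for i in range(1500)]                                   # one endpoint, distinct query strings, 300 x 503
    + [HttpEvent(BASE + i % 300, "10.0.0.5", "www.example.com", "/healthz", 200,
                 "ELB-HealthChecker/2.0")
       for i in range(700)]                                    # load-balancer probes (false positive)
)

if __name__ == "__main__":
    for label, allow in (("untuned", ()), ("tuned", ("ELB-HealthChecker/",))):
        print(label)
        for key, out in sorted(evaluate_http_flood(SAMPLE_EVENTS, allow).items()):
            print("  ", key, out["flood_type"], out["risk_score"])
```

Untuned, the health-check source fires as a Single-Resource HTTP Flood alongside the two real floods; with the allowlist it drops out. The /search flood is labelled Service Degradation rather than Single-Resource because each query string is a distinct target.url value, which is the caveat noted above. The rule 2 mirror shows that the unanchored `dos` alternative also matches a summary such as "Kudos: backup completed" once it carries HIGH severity, so the regexes should be tightened if a vendor's alert vocabulary overlaps.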
False Positives & Tuning
- Cloud provider health checks and load balancer probes from shared IP pools (AWS ELB health checker, GCP health check probes) that issue hundreds of requests per minute against application endpoints from a small set of internal IPs.
- Content delivery network (CDN) origin pull requests where the CDN consolidates traffic from thousands of end users and forwards them as a burst from a small number of CDN PoP IPs, making legitimate traffic appear as a flood.
- Automated regression testing pipelines (GitHub Actions, CircleCI) that execute load or stress tests against staging environments which share Chronicle log ingestion with production, causing alert fatigue during nightly test runs.
- SaaS application webhooks with retry logic that attempt to deliver failed notifications repeatedly from a single IP within a short window if the destination is temporarily unavailable.
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for T1499.002 listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Two caveats apply to all four: rule 1 only fires if the target web server's access log is ingested and parsed into NETWORK_HTTP events, and the tests target 127.0.0.1, so the traffic never leaves the host and will not appear in switch or router flow data, IDS sensors, or a WAF; host-based sensors and the web server's own logs are the only sources.
- Test 1: HTTP Flood via Apache Bench (ab)
Expected signal: IIS/Apache access logs: 5000 GET requests from 127.0.0.1 to / within ~30-60 seconds, generating ~83-166 req/sec. Linux syslog: ab process creation if auditd is enabled. Web server error logs: 500/503 responses if the server is overloaded; if nothing is listening on port 80, ab reports connection refused and no access-log entries are produced at all. Host-based flow data: single-flow burst pattern from source 127.0.0.1 to destination 127.0.0.1:80.
- Test 2: HTTP Flood via Python requests (cross-platform)
Expected signal: IIS W3C logs: 5000 GET requests from source IP 127.0.0.1 with the python-requests User-Agent string within ~10-30 seconds. Windows Security Event 4688 (process create) for python3.exe with the command line visible if command line auditing is enabled. Sysmon Event 1: python3.exe process creation. Sysmon Event 3: multiple concurrent TCP connections from python3.exe to 127.0.0.1:80.
- Test 3: SSL Renegotiation Exhaustion via openssl s_client
Expected signal: Linux syslog/auditd: 20 concurrent openssl s_client process creations. TLS server logs (nginx ssl_error.log or Apache ssl_error.log): TLS renegotiation events or errors. Windows equivalent via Schannel: EventID 36874 or 36888 in the System Event Log when the server rejects or fails renegotiation. Network packet capture: multiple TLS ClientHello and Handshake records on port 443 followed by TLS Handshake (type 22) renegotiation records within existing sessions. Client-initiated renegotiation exists only in TLS 1.2 and earlier and most current servers reject it by default, so expect rejection or alert records rather than a sustained renegotiation loop unless the server explicitly allows it. This test generates no HTTP requests, so it cannot trigger rule 1; it exercises rule 2 only if an in-path IDS/WAF emits a renegotiation or DoS alert into Chronicle.
- Test 4: Single-Resource HTTP Flood targeting application endpoint
Expected signal: IIS/Apache access logs: 2000 GET requests to /search from 127.0.0.1 with distinct query strings, all within a 2-3 minute window. Sysmon Event 1 (if enabled): multiple curl process creation events. Sysmon Event 3: TCP connections from curl to 127.0.0.1:80. Web server logs: potential 404 or 500 responses if the /search endpoint does not exist. Because the query strings differ, rule 1 sees 2000 distinct target.url values and labels this a generic HTTP Request Flood, not Single-Resource.
References (9)
- https://attack.mitre.org/techniques/T1499/002/
- https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
- https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new
- https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- https://learn.microsoft.com/en-us/iis/extensions/dynamic-ip-restrictions/using-dynamic-ip-restrictions
- https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-renegotiation
- https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.002/T1499.002.md