Detect Service Exhaustion Flood in IBM QRadar

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting the resources required to provide the service. An SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS: the adversary establishes a connection and then makes a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability.

MITRE ATT&CK

Tactic: Impact
Technique: T1499 Endpoint Denial of Service
Sub-technique: T1499.002 Service Exhaustion Flood
Canonical reference: https://attack.mitre.org/techniques/T1499/002/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
// Branch 1: HTTP flood detection from web access logs
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS time_bucket,
    sourceip AS source_ip,
    destinationip AS destination_ip,
    'HTTP_Access_Log' AS detection_source,
    COUNT(*) AS total_requests,
    COUNT(DISTINCT "URL") AS unique_uris,
    SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) AS status_5xx,
    SUM(CASE WHEN LONG("HTTP Response Code") = 429 THEN 1 ELSE 0 END) AS status_429,
    COUNT(DISTINCT "User Agent") AS distinct_user_agents,
    ROUND(COUNT(*) / 60.0, 2) AS requests_per_second,
    CASE
        WHEN COUNT(DISTINCT "URL") = 1 AND COUNT(*) > 500 THEN 'Single-Resource HTTP Flood'
        WHEN COUNT(DISTINCT "User Agent") = 1 AND COUNT(*) > 1000 THEN 'Simple HTTP Flood'
        WHEN SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 100 THEN 'Service Degradation via HTTP Flood'
        ELSE 'HTTP Request Flood'
    END AS flood_type,
    CASE
        WHEN COUNT(*) > 2000 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 500 THEN 'High'
        WHEN COUNT(*) > 1000 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 200 THEN 'Medium'
        ELSE 'Low'
    END AS severity
FROM events
WHERE
    starttime > NOW() - 3600000
    AND LOGSOURCETYPEID IN (
        SELECT id FROM SYS_LOGSOURCETYPE
        WHERE name IN ('Apache HTTP Server', 'Microsoft IIS', 'nginx', 'AWS Application Load Balancer')
    )
GROUP BY
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
    sourceip,
    destinationip
HAVING
    COUNT(*) > 500 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 100

UNION ALL

// Branch 2: Network/firewall flood alerts from Palo Alto, Fortinet, Check Point and Cisco ASA
// Column positions and types are padded to line up with branch 1 for the UNION
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS time_bucket,
    sourceip AS source_ip,
    destinationip AS destination_ip,
    LOGSOURCENAME(logsourceid) AS detection_source,
    COUNT(*) AS total_requests,
    COUNT(DISTINCT destinationport) AS unique_uris,
    COUNT(*) AS status_5xx,
    0 AS status_429,
    0 AS distinct_user_agents,
    0.0 AS requests_per_second,
    CONCAT('Network_Alert: ', QIDNAME(qid)) AS flood_type,
    'High' AS severity
FROM events
WHERE
    starttime > NOW() - 3600000
    AND (
        LOWER(QIDNAME(qid)) LIKE '%flood%'
        OR LOWER(QIDNAME(qid)) LIKE '%denial%'
        OR LOWER(QIDNAME(qid)) LIKE '%dos%'
        OR LOWER(QIDNAME(qid)) LIKE '%renegotiation%'
        OR LOWER(QIDNAME(qid)) LIKE '%ssl%flood%'
        OR LOWER(QIDNAME(qid)) LIKE '%connection%limit%'
        OR LOWER(QIDNAME(qid)) LIKE '%rate%limit%'
    )
    AND severity >= 7
    AND LOGSOURCETYPEID IN (
        SELECT id FROM SYS_LOGSOURCETYPE
        WHERE name IN ('Palo Alto PA Series', 'Fortinet FortiGate', 'Check Point FireWall-1', 'Cisco ASA')
    )
GROUP BY
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
    sourceip,
    destinationip,
    logsourceid,
    qid
HAVING COUNT(*) > 5
ORDER BY total_requests DESC
```

Severity: High · Confidence: Medium

Detects T1499.002 Service Exhaustion Flood using QRadar AQL across two correlated branches. Branch 1 aggregates web access log events over 1-minute buckets to identify source IPs generating HTTP floods (>500 requests/window or >100 5xx errors), classifying flood subtype and severity. Branch 2 queries firewall and IDS log sources for high-severity events matching flood/DoS/SSL-renegotiation signatures from Palo Alto, Fortinet, Check Point, and Cisco ASA. Results are unioned and ranked by request volume for analyst triage.
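To check the branch-1 thresholds against sample data before deploying the rule, the following is an added Python re-implementation of that branch's aggregation over Apache/nginx combined-format access log lines; it is example code written for this page, not the query above or any QRadar API, and the `aggregate`, `classify`, `severity` and `make_line` functions and the log lines are constructed. It groups by 1-minute bucket and source IP, divides by the 60-second bucket for the rate, and deliberately counts the request path without its query string, which goes beyond the AQL (that counts the full URL) so that Test 4's distinct query strings still register as a single resource.

```python
import re
from collections import defaultdict
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(total, unique_uris, unique_uas, status_5xx):
    # Same order of conditions as the flood_type CASE expression in branch 1
    if unique_uris == 1 and total > 500:
        return "Single-Resource HTTP Flood"
    if unique_uas == 1 and total > 1000:
        return "Simple HTTP Flood"
    if status_5xx > 100:
        return "Service Degradation via HTTP Flood"
    return "HTTP Request Flood"

def severity(total, status_5xx):
    if total > 2000 or status_5xx > 500:
        return "High"
    if total > 1000 or status_5xx > 200:
        return "Medium"
    return "Low"

def aggregate(lines):
    """Group by (1-minute bucket, source IP); keep groups passing the HAVING thresholds."""
    groups = defaultdict(lambda: {"total": 0, "urls": set(), "uas": set(), "s5xx": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # unparsable line contributes nothing
        g = groups[(m["ts"][:17], m["ip"])]       # "10/Oct/2024:13:55" is the minute bucket
        g["total"] += 1
        g["urls"].add(m["url"].split("?", 1)[0])  # path only: the AQL counts the full URL, so
        g["uas"].add(m["ua"])                     # distinct query strings would not look single-resource
        g["s5xx"] += int(int(m["status"]) >= 500)
    hits = []
    for (bucket, ip), g in groups.items():
        if g["total"] > 500 or g["s5xx"] > 100:
            hits.append({"time_bucket": bucket, "source_ip": ip, "total_requests": g["total"],
                         "unique_uris": len(g["urls"]), "distinct_user_agents": len(g["uas"]),
                         "status_5xx": g["s5xx"], "requests_per_second": round(g["total"] / 60.0, 2),
                         "flood_type": classify(g["total"], len(g["urls"]), len(g["uas"]), g["s5xx"]),
                         "severity": severity(g["total"], g["s5xx"])})
    return sorted(hits, key=lambda h: h["total_requests"], reverse=True)

def make_line(ip, sec, url, status, ua):
    # Constructed Apache combined-format line (sample data, RFC 5737 addresses), not real traffic
    return f'{ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] "GET {url} HTTP/1.1" {status} 512 "-" "{ua}"'
# 600 hits on /search with distinct query strings from one client, plus light browsing from another
SAMPLE = [make_line("203.0.113.5", i % 60, f"/search?q={i}", 200, "curl/8.4.0") for i in range(600)]
SAMPLE += [make_line("198.51.100.7", i % 60, f"/page/{i}", 200, "Mozilla/5.0") for i in range(40)]
```

Running `aggregate(SAMPLE)` returns one hit for 203.0.113.5 classified as a Single-Resource HTTP Flood at Low severity (600 requests, no 5xx), while the 40-request client stays below the HAVING threshold.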

Data Sources

  • Apache HTTP Server log source (LOGSOURCETYPEID: Apache HTTP Server)
  • Microsoft IIS log source (LOGSOURCETYPEID: Microsoft IIS)
  • AWS Application Load Balancer log source
  • Palo Alto PA Series firewall (LOGSOURCETYPEID: Palo Alto PA Series)
  • Fortinet FortiGate (LOGSOURCETYPEID: Fortinet FortiGate)
  • Check Point FireWall-1 (LOGSOURCETYPEID: Check Point FireWall-1)
  • Cisco ASA (LOGSOURCETYPEID: Cisco ASA)

Required Tables

events

False Positives & Tuning

  • High-traffic e-commerce or media sites during flash sales, product launches, or viral content events where a CDN edge node or reverse proxy IP appears as a single source IP generating floods of legitimate user traffic.
  • Security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7 InsightVM) executing web application scans that generate many requests across short intervals to test for vulnerabilities; correlate with scheduled scan windows.
  • Firewall or IDS rules that are overly broad and trigger on any high-volume connection, including legitimate internal services such as log shippers, metrics collectors, or backup systems that open many connections to a single destination.
  • CDN health checks and anycast routing probes from providers like Akamai, Cloudflare, or Fastly that send regular high-frequency probes from a small set of monitoring IPs to verify origin availability.
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: HTTP Flood via Apache Bench (ab)

     Expected signal: IIS/Apache access logs: 5000 GET requests from 127.0.0.1 to / within ~30-60 seconds, generating ~83-166 req/sec. Linux syslog: ab process creation if auditd enabled. Web server error logs: likely 500/503 responses if no service is running on port 80. Network flow data: single-flow burst pattern from source 127.0.0.1 to destination 127.0.0.1:80.

  2. Test 2: HTTP Flood via Python requests (cross-platform)

     Expected signal: IIS W3C logs: 5000 GET requests from source IP 127.0.0.1 with Python requests User-Agent string within ~10-30 seconds. Windows Security Event 4688 (process create) for python3.exe with command line visible if command line auditing enabled. Sysmon Event 1: python3.exe process creation. Sysmon Event 3: multiple concurrent TCP connections from python3.exe to 127.0.0.1:80.

  3. Test 3: SSL Renegotiation Exhaustion via openssl s_client

     Expected signal: Linux syslog/auditd: 20 concurrent openssl s_client process creations. TLS server logs (nginx ssl_error.log or Apache ssl_error.log): TLS renegotiation events or errors. Windows equivalent via Schannel: EventID 36874 or 36888 in System Event Log when server rejects or fails renegotiation. Network packet capture: multiple TLS ClientHello and Handshake records on port 443 followed by TLS Handshake (type 22) renegotiation records within existing sessions.

  4. Test 4: Single-Resource HTTP Flood targeting application endpoint

     Expected signal: IIS/Apache access logs: 2000 GET requests to /search from 127.0.0.1 with distinct query strings, all within 2-3 minute window. Sysmon Event 1 (if enabled): multiple curl process creation events. Sysmon Event 3: TCP connections from curl to 127.0.0.1:80. Web server logs: potential 404 or 500 responses if /search endpoint does not exist.
