Detect Service Exhaustion Flood in Sumo Logic CSE
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting various resources required to provide the service. A SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS where the adversary establishes a connection and then proceeds to make a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1499 Endpoint Denial of Service
- Sub-technique
- T1499.002 Service Exhaustion Flood
- Canonical reference
- https://attack.mitre.org/techniques/T1499/002/
Sumo Detection Query
// Branch 1: HTTP access log flood detection
_sourceCategory=*/web/access OR _sourceCategory=*/iis OR _sourceCategory=*/apache OR _sourceCategory=*/nginx
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, authuser, datetime, method, uri, protocol, status, bytes nodrop
| parse "* * [*] \"* * *\" * * * \"*\"" as src_ip, host, datetime, method, uri, protocol, status, bytes, referrer, useragent nodrop
| where isNum(status)
| timeslice 5m
| stats
count as TotalRequests,
count_distinct(uri) as UniqueURIs,
count(if(tonumber(status) >= 500, 1, null)) as Status5xx,
count(if(tonumber(status) == 429, 1, null)) as Status429,
count_distinct(useragent) as DistinctUserAgents,
sum(tonumber(bytes)) as TotalBytesSent
by _timeslice, src_ip, host
| where TotalRequests > 500 or Status5xx > 100
| eval RequestsPerSecond = round(TotalRequests / 300, 2)
| eval FloodType = if(UniqueURIs == 1 and TotalRequests > 500, "Single-Resource HTTP Flood",
if(DistinctUserAgents == 1 and TotalRequests > 1000, "Simple HTTP Flood",
if(Status5xx > 100, "Service Degradation via HTTP Flood", "HTTP Request Flood")))
| eval Severity = if(TotalRequests > 2000 or Status5xx > 500, "Critical",
if(TotalRequests > 1000 or Status5xx > 200, "High", "Medium"))
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = "HTTP_Access_Log"
| fields _timeslice, src_ip, host, TotalRequests, RequestsPerSecond, UniqueURIs, Status5xx, Status429, DistinctUserAgents, FloodType, Severity, MITRETechnique, DetectionSource
| sort by TotalRequests desc
// Branch 2: Network/firewall flood alert detection
// Run separately and correlate results
_sourceCategory=*/firewall OR _sourceCategory=*/paloalto OR _sourceCategory=*/fortinet OR _sourceCategory=*/cisco/asa
| where severity = "high" or severity = "critical"
| where (%"msg" matches /(?i)(flood|dos|denial.of.service|renegotiation|connection.limit|http.flood|ssl.renegotiation|rate.limit)/
or %"signature" matches /(?i)(flood|dos|denial|renegotiation|conn.limit)/)
| timeslice 5m
| stats
count as AlertCount,
count_distinct(dest_port) as UniquePorts,
count_distinct(dest_ip) as AffectedTargets
by _timeslice, src_ip, dest_ip, signature, _sourceCategory
| where AlertCount > 5
| eval FloodType = concat("Network_Alert: ", signature)
| eval Severity = "High"
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = _sourceCategory
| fields _timeslice, src_ip, dest_ip, AlertCount, UniquePorts, AffectedTargets, FloodType, Severity, MITRETechnique, DetectionSource
| sort by AlertCount descDetects T1499.002 Service Exhaustion Flood via two complementary Sumo Logic searches. Branch 1 parses web server access logs (Apache, Nginx, IIS) and aggregates by source IP over 5-minute buckets, flagging IPs exceeding 500 requests/window or 100 server errors. Classifies flood subtype (single-resource, simple, service degradation) and assigns severity tiers. Branch 2 queries firewall and network device logs for high-severity events matching flood/DoS/SSL-renegotiation keyword patterns, aggregating alert counts per source-destination pair.
Data Sources
Required Tables
False Positives & Tuning
- Large-scale SEO crawlers or web archival bots (Archive.org, Common Crawl) that issue thousands of HTTP requests from a single IP or small IP range in a short period against a public-facing site.
- Application performance monitoring tools or real-user monitoring agents deployed on the web server itself that forward synthetic transaction data in batches, creating burst traffic patterns.
- Internal network address translation (NAT) gateways masking thousands of real users behind a single egress IP — especially common in enterprise environments — causing threshold breaches despite representing legitimate distributed user activity.
- SSL certificate transparency log monitors and ACME challenge responders that initiate repeated TLS handshakes for certificate validation purposes, potentially matching SSL renegotiation signatures.
Other platforms for T1499.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1HTTP Flood via Apache Bench (ab)
Expected signal: IIS/Apache access logs: 5000 GET requests from 127.0.0.1 to / within ~30-60 seconds, generating ~83-166 req/sec. Linux syslog: ab process creation if auditd enabled. Web server error logs: likely 500/503 responses if no service is running on port 80. Network flow data: single-flow burst pattern from source 127.0.0.1 to destination 127.0.0.1:80.
- Test 2HTTP Flood via Python requests (cross-platform)
Expected signal: IIS W3C logs: 5000 GET requests from source IP 127.0.0.1 with Python requests User-Agent string within ~10-30 seconds. Windows Security Event 4688 (process create) for python3.exe with command line visible if command line auditing enabled. Sysmon Event 1: python3.exe process creation. Sysmon Event 3: multiple concurrent TCP connections from python3.exe to 127.0.0.1:80.
- Test 3SSL Renegotiation Exhaustion via openssl s_client
Expected signal: Linux syslog/auditd: 20 concurrent openssl s_client process creations. TLS server logs (nginx ssl_error.log or Apache ssl_error.log): TLS renegotiation events or errors. Windows equivalent via Schannel: EventID 36874 or 36888 in System Event Log when server rejects or fails renegotiation. Network packet capture: multiple TLS ClientHello and Handshake records on port 443 followed by TLS Handshake (type 22) renegotiation records within existing sessions.
- Test 4Single-Resource HTTP Flood targeting application endpoint
Expected signal: IIS/Apache access logs: 2000 GET requests to /search from 127.0.0.1 with distinct query strings, all within 2-3 minute window. Sysmon Event 1 (if enabled): multiple curl process creation events. Sysmon Event 3: TCP connections from curl to 127.0.0.1:80. Web server logs: potential 404 or 500 responses if /search endpoint does not exist.
References (9)
- https://attack.mitre.org/techniques/T1499/002/
- https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
- https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new
- https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- https://learn.microsoft.com/en-us/iis/extensions/dynamic-ip-restrictions/using-dynamic-ip-restrictions
- https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-renegotiation
- https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.002/T1499.002.md
Unlock Pro Content
Get the full detection package for T1499.002 including response playbook, investigation guide, and atomic red team tests.