T1499.003 Splunk · SPL

Detect Application Exhaustion Flood in Splunk

Adversaries may target resource-intensive features of web applications to cause a denial of service (DoS), denying availability to those applications. Unlike volumetric network-layer floods, application exhaustion attacks focus on Layer 7 features that consume disproportionate server resources per request — such as search functions, complex database queries, authentication endpoints, report generation, GraphQL resolvers, XML/SOAP processing, or file conversion operations. By repeatedly invoking these expensive operations, adversaries can exhaust CPU cycles, memory, database connection pools, or thread pools with relatively low request volumes, making the attack harder to distinguish from legitimate traffic spikes and more difficult to block at the network layer without application-aware controls.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.003 Application Exhaustion Flood
Canonical reference
https://attack.mitre.org/techniques/T1499/003/

SPL Detection Query

Splunk (SPL)
spl 
index=web (sourcetype="ms:iis:auto" OR sourcetype="iis" OR sourcetype="access_combined" OR sourcetype="apache:access")
| eval uri=coalesce(cs_uri_stem, uri_path, uri, request)
| eval time_taken_ms=coalesce(time_taken, timetaken, response_time, 0)
| eval status=coalesce(sc_status, status, 200)
| eval src_ip=coalesce(c_ip, src_ip, clientip, remote_host)
| where match(uri, "(?i)/(search|query|find|report|export|download|generate|convert|login|authenticate|auth|oauth|signin|graphql|wp-login\.php|xmlrpc\.php|wp-admin|rest/api|odata|api/)")
    OR time_taken_ms > 5000
| bin _time span=5m
| eval is_server_error=if(status>=500, 1, 0)
| eval is_rate_limited=if(status=429, 1, 0)
| stats
    count as RequestCount,
    avg(time_taken_ms) as AvgResponseMs,
    max(time_taken_ms) as MaxResponseMs,
    dc(uri) as UniqueEndpoints,
    values(uri) as Endpoints,
    values(status) as StatusCodes,
    sum(is_server_error) as ServerErrorCount,
    sum(is_rate_limited) as RateLimitedCount
    by _time, src_ip, host
| eval ErrorRate=round(ServerErrorCount / RequestCount, 2)
| eval ThreatScore=case(
    RequestCount > 1000 AND AvgResponseMs > 10000, 3,
    RequestCount > 500 OR AvgResponseMs > 8000, 2,
    1)
| where RequestCount > 300 OR (AvgResponseMs > 5000 AND RequestCount > 50) OR RateLimitedCount > 10
| sort - ThreatScore, - RequestCount
| table _time, src_ip, host, RequestCount, AvgResponseMs, MaxResponseMs, UniqueEndpoints, Endpoints, StatusCodes, ServerErrorCount, RateLimitedCount, ErrorRate, ThreatScore
high severity medium confidence

Detects application exhaustion flood attacks using IIS, Apache, or other web access logs indexed in Splunk. Normalizes field names across common web log sourcetypes using coalesce(). Aggregates requests per source IP in 5-minute windows, filtering for requests targeting resource-intensive URI patterns or exhibiting high response times. Computes ThreatScore 1-3 based on request volume and server response time degradation. Covers both high-rate single-IP floods and slow exhaustion attacks where response times degrade before request count thresholds are reached.

Data Sources

Network Traffic: Network Traffic FlowApplication Log: Application Log ContentWeb Server Access Logs (IIS, Apache, Nginx)

Required Sourcetypes

ms:iis:autoiisaccess_combinedapache:access

False Positives & Tuning

  • Legitimate high-traffic events such as product launches, marketing campaigns, or viral content causing genuine user spikes
  • Authorized security scanning tools (Qualys, Tenable, OWASP ZAP) running application vulnerability assessments
  • Load testing tools (JMeter, Gatling, Locust, k6) executing authorized performance tests in production or staging environments
  • Legitimate API clients or integration partners with high-frequency polling or batch processing workloads
  • Search engine crawlers (Googlebot, Bingbot, Slurp) aggressively indexing resource-intensive dynamic pages
Download portable Sigma rule (.yml)

Other platforms for T1499.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Apache Bench Single-Source Application Endpoint Flood

    Expected signal: W3CIISLog or Apache access.log: 5000 requests from 127.0.0.1 to /search endpoint within 30-60 seconds. User-Agent will show ApacheBench/2.X despite the override only applying to one header in some ab versions — check actual logs. TimeTaken values will show progressive degradation as server load increases. High RequestCount in 5-minute window from single source IP.

  2. Test 2Python Multi-threaded Concurrent Request Flood

    Expected signal: Web access logs: 2000 requests from 127.0.0.1 to /api/search endpoint within 10-30 seconds with User-Agent 'python-requests/X.X.X'. High concurrency visible from overlapping request timestamps. If server load causes stress, HTTP 503 or 429 responses will appear in logs alongside 200s. ServerErrorCount or RateLimitedCount fields will be non-zero.

  3. Test 3curl Loop Targeting Authentication Endpoint with POST Bodies

    Expected signal: Web access logs: 500 POST requests to /login from 127.0.0.1 with Content-Type: application/json. Average response time measurably higher than GET requests due to bcrypt cost. Application logs may show repeated authentication failure warnings. HTTP status codes will be 401 for invalid credentials or 429 if rate limiting activates.

  4. Test 4GraphQL Complexity Attack via Deeply Nested Query Flood

    Expected signal: Web access logs: 200 POST requests to /graphql endpoint with deeply nested query payload. Response times significantly elevated (potentially >10s per request) due to N+1 resolver execution and recursive database queries. CPU utilization on application server and database server both spike. Database slow query logs will show high-volume repetitive queries triggered by the resolver chain.

Last updated: 2026-04-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1499.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion FloodT1499.002Service Exhaustion FloodT1499.004Application or System Exploitation

Related Techniques

T1499Endpoint Denial of ServiceT1499.001OS Exhaustion FloodT1499.004Application or System ExploitationT1498.001Direct Network FloodT1498.002Reflection AmplificationT1489Service StopT1110.003Password SprayingT1583.008MalvertisingT1584Compromise Infrastructure

Same Tactic: Impact

Popular Detections