T1499.003 Sumo Logic CSE · Sumo

Detect Application Exhaustion Flood in Sumo Logic CSE

Adversaries may target resource-intensive features of web applications to cause a denial of service (DoS), denying availability to those applications. Unlike volumetric network-layer floods, application exhaustion attacks focus on Layer 7 features that consume disproportionate server resources per request — such as search functions, complex database queries, authentication endpoints, report generation, GraphQL resolvers, XML/SOAP processing, or file conversion operations. By repeatedly invoking these expensive operations, adversaries can exhaust CPU cycles, memory, database connection pools, or thread pools with relatively low request volumes, making the attack harder to distinguish from legitimate traffic spikes and more difficult to block at the network layer without application-aware controls.

MITRE ATT&CK

Tactic: Impact
Technique: T1499 Endpoint Denial of Service
Sub-technique: T1499.003 Application Exhaustion Flood
Canonical reference: https://attack.mitre.org/techniques/T1499/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Scope web/* rather than web/access alone so the web/apache and web/nginx categories listed under Data Sources are covered
_sourceCategory=web/* OR _sourceCategory=iis OR _sourceCategory=apache OR _sourceCategory=nginx
| parse regex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex field=_raw "\"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?<uri_path>[^\s]+)"
| parse regex field=_raw "\" (?<status_code>\d{3}) "
// Response time is only present when the log format appends it as the last field; nodrop keeps lines without it
| parse regex field=_raw "(?<response_time_ms>\d+)$" nodrop
| where (
    uri_path matches "*search*" or
    uri_path matches "*query*" or
    uri_path matches "*find*" or
    uri_path matches "*report*" or
    uri_path matches "*export*" or
    uri_path matches "*download*" or
    uri_path matches "*generate*" or
    uri_path matches "*convert*" or
    uri_path matches "*login*" or
    uri_path matches "*authenticate*" or
    uri_path matches "*/auth*" or
    uri_path matches "*oauth*" or
    uri_path matches "*signin*" or
    uri_path matches "*graphql*" or
    uri_path matches "*wp-login.php*" or
    uri_path matches "*xmlrpc.php*" or
    uri_path matches "*wp-admin*" or
    uri_path matches "*rest/api*" or
    uri_path matches "*odata*" or
    uri_path matches "*/api/*"
  ) or num(response_time_ms) > 5000
| timeslice 5m
| num(status_code) as status_int
| if(status_int >= 500, 1, 0) as is_server_error
| if(status_int = 429, 1, 0) as is_rate_limited
| num(response_time_ms) as response_ms
| count as RequestCount,
  avg(response_ms) as AvgResponseMs,
  max(response_ms) as MaxResponseMs,
  count_distinct(uri_path) as UniqueEndpoints,
  sum(is_server_error) as ServerErrorCount,
  sum(is_rate_limited) as RateLimitedCount
  by _timeslice, src_ip, _sourceHost
| where RequestCount > 300
    or (AvgResponseMs > 5000 and RequestCount > 50)
    or RateLimitedCount > 10
| round(ServerErrorCount / RequestCount, 2) as ErrorRate
| if(RequestCount > 1000 and AvgResponseMs > 10000, 3,
    if(RequestCount > 500 or AvgResponseMs > 8000, 2, 1)) as ThreatScore
| if(RequestCount > 300, "true", "false") as IsHighRateFlood
| if(AvgResponseMs > 5000, "true", "false") as IsSlowExhaustion
| sort by ThreatScore desc, RequestCount desc
| fields _timeslice, src_ip, _sourceHost, RequestCount, AvgResponseMs, MaxResponseMs, UniqueEndpoints, ServerErrorCount, RateLimitedCount, ErrorRate, IsHighRateFlood, IsSlowExhaustion, ThreatScore
Severity: high. Confidence: medium.

Detects T1499.003 Application Exhaustion Flood in Sumo Logic by parsing web access logs from IIS, Apache, and Nginx sources. Regex extractions pull the source IP, URI path, HTTP status code, and response time from each line. The response-time regex reads a trailing numeric field, which Apache combined format and the default Nginx access log do not emit, so lines without it are kept (nodrop) and qualify on path match alone. The src_ip regex takes the first IPv4 address in the line; behind a load balancer that is the proxy address unless the log format writes the X-Forwarded-For client address first, so confirm which address you are grouping on before trusting per-IP counts. The query aggregates into 5-minute timeslices per source IP and host, then flags high-volume requests to resource-intensive endpoints, slow average server response indicating CPU/memory exhaustion, or repeated HTTP 429 rate limiting, and outputs a ThreatScore plus categorical flags for analyst triage.

Data Sources

  • IIS W3C access logs (Sumo Logic IIS collector or _sourceCategory=iis)
  • Apache Combined Log Format (_sourceCategory=apache or _sourceCategory=web/apache)
  • Nginx access logs (_sourceCategory=nginx or _sourceCategory=web/nginx)
  • Sumo Logic Cloud SIEM normalized web log schema
  • F5 / load balancer access logs forwarded to Sumo Logic

Required Tables

  • Web access log index (IIS, Apache, Nginx)
  • Sumo Logic Cloud SIEM signal index

False Positives & Tuning

  • Large-scale legitimate user events such as product launches, marketing campaigns, or viral content that generate authentic traffic spikes against /search or /api endpoints from diverse IPs — look for corresponding geographic and ASN diversity before escalating
  • Search engine indexing bots (Googlebot, Bingbot, Applebot) that aggressively crawl /search or sitemap-linked endpoints; filter by User-Agent string where available in log fields
  • Legitimate bulk data export jobs initiated by enterprise users or scheduled ETL pipelines hitting /export or /download endpoints — cross-reference with scheduled job windows and user identity
  • Internal DevOps pipelines running integration or performance tests against staging environments where the same log sources are used across environments
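The following Python script is an added example, not code from this page or from Sumo Logic: it replays the detection query's logic (field extraction, 5-minute timeslicing per source IP, the volume/latency/429 thresholds and the ThreatScore) over constructed log lines, and adds the User-Agent crawler exclusion from the tuning list above. It assumes an Nginx combined-format line with the request time in milliseconds appended as the last field, which is where the query's trailing regex reads it. The sample traffic is fabricated for the demonstration: a single-source flood of /search from 127.0.0.1 in the shape of Test 1 below, a Googlebot crawl from an assumed address 66.249.66.1, and a few ordinary logins from 10.0.0.x; the function names are mine.

```python
"""Replay of the T1499.003 Sumo Logic query logic in plain Python (added example,
not Sumo Logic code). Assumed log format: Nginx "combined" plus request time in
milliseconds as the last field; thresholds and output field names mirror the query."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?P<uri_path>\S+) [^"]*" '
    r'(?P<status_code>\d{3}) \d+ "[^"]*" "(?P<user_agent>[^"]*)"'
    r'(?: (?P<response_time_ms>\d+))?$'
)

# Substrings the query treats as resource-intensive endpoints (its "matches" list).
EXPENSIVE = ("search", "query", "find", "report", "export", "download", "generate",
             "convert", "login", "authenticate", "/auth", "oauth", "signin", "graphql",
             "wp-login.php", "xmlrpc.php", "wp-admin", "rest/api", "odata", "/api/")

# Tuning: crawlers named in the false-positive list, matched on User-Agent.
KNOWN_BOTS = ("Googlebot", "Bingbot", "Applebot")


def parse_line(line):
    """Extract the fields the query parses; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status_code"] = int(rec["status_code"])
    rt = rec["response_time_ms"]
    rec["response_time_ms"] = int(rt) if rt is not None else None  # nodrop behaviour
    return rec


def timeslice(ts, minutes=5):
    """Floor a timestamp to the start of its bucket (| timeslice 5m)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % (minutes * 60), tz=timezone.utc)


def is_candidate(rec):
    """The query's where clause: expensive path OR response slower than 5 s."""
    slow = (rec["response_time_ms"] or 0) > 5000
    return slow or any(k in rec["uri_path"] for k in EXPENSIVE)


def detect(lines, exclude_bots=True):
    """Aggregate per (timeslice, src_ip) and apply the query's thresholds and scoring."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_candidate(rec):
            continue
        if exclude_bots and any(b in rec["user_agent"] for b in KNOWN_BOTS):
            continue  # tuning: drop known crawlers before counting
        buckets[(timeslice(rec["ts"]), rec["src_ip"])].append(rec)

    alerts = []
    for (slice_start, src_ip), recs in buckets.items():
        n = len(recs)
        times = [r["response_time_ms"] for r in recs if r["response_time_ms"] is not None]
        avg_ms = sum(times) / len(times) if times else 0.0
        errors = sum(1 for r in recs if r["status_code"] >= 500)
        limited = sum(1 for r in recs if r["status_code"] == 429)
        if not (n > 300 or (avg_ms > 5000 and n > 50) or limited > 10):
            continue
        score = 3 if (n > 1000 and avg_ms > 10000) else 2 if (n > 500 or avg_ms > 8000) else 1
        alerts.append({
            "_timeslice": slice_start, "src_ip": src_ip, "RequestCount": n,
            "AvgResponseMs": round(avg_ms, 1), "MaxResponseMs": max(times, default=0),
            "UniqueEndpoints": len({r["uri_path"] for r in recs}),
            "ServerErrorCount": errors, "RateLimitedCount": limited,
            "ErrorRate": round(errors / n, 2),
            "IsHighRateFlood": n > 300, "IsSlowExhaustion": avg_ms > 5000,
            "ThreatScore": score,
        })
    alerts.sort(key=lambda a: (a["ThreatScore"], a["RequestCount"]), reverse=True)
    return alerts


def _line(ip, ts, method, path, status, ua, ms):
    """Build one constructed access-log line in the assumed format."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}" {ms}')


def sample_log():
    """Constructed lines (not real traffic): a Test-1-style ab flood of /search from
    127.0.0.1 whose response time degrades under load, a Googlebot crawl of the same
    endpoint from an assumed address, and a few ordinary logins from distinct clients."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    lines = [_line("127.0.0.1", base + timedelta(milliseconds=100 * i), "GET", "/search?q=a",
                   503 if i > 550 else 200, "ApacheBench/2.3", 200 + 20 * i)
             for i in range(600)]
    lines += [_line("66.249.66.1", base + timedelta(milliseconds=500 * i), "GET",
                    f"/search?q=page{i}", 200, "Mozilla/5.0 (compatible; Googlebot/2.1)", 300)
              for i in range(350)]
    lines += [_line(f"10.0.0.{i + 1}", base + timedelta(seconds=10 * i), "POST", "/login",
                    200, "Mozilla/5.0", 400) for i in range(20)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Run as a script it prints one alert for 127.0.0.1 (600 requests, average response above 5 s, ThreatScore 2, 49 server errors); the Googlebot source would also cross the 300-request threshold but is removed by the crawler exclusion, and calling detect(lines, exclude_bots=False) shows it come back at ThreatScore 1, which is the false positive the tuning bullet describes.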

Testing Methodology

Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Apache Bench Single-Source Application Endpoint Flood

    Expected signal: W3CIISLog or Apache access.log shows roughly 5000 requests from 127.0.0.1 to the /search endpoint within 30-60 seconds. The User-Agent may still read ApacheBench/2.X even when the test overrides it, because some ab versions send their own User-Agent alongside the supplied header, so check the logged value rather than assuming. TimeTaken values degrade progressively as server load rises, and RequestCount for the single source IP is high within one 5-minute window.

  2. Test 2: Python Multi-threaded Concurrent Request Flood

    Expected signal: Web access logs show about 2000 requests from 127.0.0.1 to /api/search within 10-30 seconds with User-Agent 'python-requests/X.X.X'. Concurrency is visible as overlapping request timestamps. If the server is under enough load, HTTP 503 or 429 responses appear alongside 200s, so ServerErrorCount or RateLimitedCount will be non-zero.

  3. Test 3: curl Loop Targeting Authentication Endpoint with POST Bodies

    Expected signal: Web access logs show 500 POST requests to /login from 127.0.0.1 with Content-Type: application/json. Average response time is measurably higher than for GET requests because each attempt pays the password-hashing (bcrypt) cost. Application logs may show repeated authentication-failure warnings. Status codes are 401 for invalid credentials, or 429 once rate limiting activates.

  4. Test 4: GraphQL Complexity Attack via Deeply Nested Query Flood

    Expected signal: Web access logs show 200 POST requests to /graphql carrying a deeply nested query payload. Response times are significantly elevated (potentially >10 s per request) because nested resolvers trigger N+1 and recursive database queries. CPU utilization spikes on both the application server and the database server, and database slow-query logs show high volumes of repetitive queries issued by the resolver chain.

Related Detections