title: Direct Network Flood (T1498.001)
id: df00tech-t1498-001
status: experimental
description: "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Direct Network Floods use one or more systems to send high-volume network packets toward the targeted service or network. Any network protocol may be used — stateless protocols such as UDP and ICMP are common due to their low overhead, but TCP SYN floods are also prevalent. Botnets are frequently leveraged to amplify attack volume, with compromised endpoints acting as unwitting flood sources. Organizations may detect this technique either as a victim observing inbound traffic spikes, or by identifying compromised endpoints in their environment participating in an outbound DDoS campaign as botnet nodes."
references:
  - https://attack.mitre.org/techniques/T1498/001/
  - https://df00tech.com/detections/T1498.001
author: df00tech
date: 2026/04/14
tags:
  - attack.t1498.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Load testing tools (Apache Bench, wrk, hey, vegeta, k6) run legitimately by QA engineers or DevOps teams against internal staging environments or authorized external endpoints"
  - "Network performance benchmarking tools (iperf, iperf3, netperf, iperf) used by infrastructure teams to validate bandwidth capacity on new circuits or after changes"
  - "Security scanners using aggressive timing profiles (nmap -T5, masscan) operated by internal vulnerability management or red team programs with authorized change tickets"
  - Authorized DDoS simulation exercises where security vendors run flood tools against hardened DMZ systems to validate WAF or DDoS protection efficacy
  - "Academic, research, or sandbox environments where flood tools are used for network research, coursework, or tool development without malicious intent"
level: high