title: Network Denial of Service (T1498)
id: df00tech-t1498
status: experimental
description: "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. This includes direct network floods and reflection amplification attacks targeting websites, DNS, email services, and web-based applications. Attackers may use botnets, IP spoofing, and distributed systems to amplify attack volume and obscure the origin. Real-world usage includes APT28 DDoS attacks against WADA, NKAbuse malware with multi-protocol DoS capabilities, and Lucifer malware executing TCP/UDP/HTTP floods."
references:
  - https://attack.mitre.org/techniques/T1498/
  - https://df00tech.com/detections/T1498
author: df00tech
date: 2026/03/15
tags:
  - attack.t1498
# NOTE: logsource is auto-derived. MITRE lists Network Traffic Flow and Sensor Health
# as the data sources for T1498; Windows process creation only sees a flood tool being
# launched, not the flood itself. Adjust category/product to the telemetry you have.
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the original logic could not be auto-translated; see the KQL/SPL
  # query on df00tech. `EventID: '*'` matches every process_creation event, so
  # enabling this rule unchanged alerts on all of them at level high. Replace the
  # selection before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems"
  - "Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms"
  - "High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections"
  - "Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis"
  - "Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks"
level: high
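The following is an added example, not code from the df00tech rule or from the Sigma project. It implements a small subset of Sigma matching (map selections with AND-ed fields and OR-ed list values, the `contains`/`startswith`/`endswith` modifiers, `*`/`?` wildcards in plain values, and `X and not Y` conditions) and runs two rules over constructed process_creation events: the placeholder selection above, and a hypothetical tuned selection keyed on the executables of the tools named under `falsepositives`, with an exclusion for an assumed load-test host and QA service account. The host names, user names, paths and command lines are invented for the example.

```python
"""Evaluate Sigma-style detection logic over constructed process_creation events.

Added example; not code from the df00tech rule or the Sigma project. Only a subset
of Sigma semantics is implemented, enough to compare the rule's placeholder
selection with a tuned one on the same sample events.
"""
import fnmatch

# Constructed sample events in a Sysmon EventID 1 / Windows process_creation shape.
# Hosts, users, paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Computer": "LOADTEST01", "User": "CORP\\qa.svc",
     "Image": r"C:\Tools\wrk\wrk.exe",
     "CommandLine": "wrk.exe -t12 -c400 -d30s https://staging.example.test/"},
    {"EventID": 1, "Computer": "LOADTEST01", "User": "CORP\\qa.svc",
     "Image": r"C:\Program Files\k6\k6.exe",
     "CommandLine": "k6.exe run --vus 500 --duration 10m script.js"},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\masscan.exe",
     "CommandLine": "masscan.exe 203.0.113.0/24 -p80,443 --rate 100000"},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\ab.exe",
     "CommandLine": "ab.exe -n 1000000 -c 1000 http://203.0.113.10/"},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe"},
]

# The rule as published: EventID '*' matches any event that carries an EventID.
PLACEHOLDER_RULE = {
    "selection": {"EventID": "*"},
    "condition": "selection",
}

# Hypothetical tuned rule: fire on the executables behind the tools listed under
# falsepositives, except when run from the assumed authorized load-test host/account.
TUNED_RULE = {
    "selection": {
        "Image|endswith": ["\\ab.exe", "\\siege.exe", "\\wrk.exe", "\\k6.exe",
                           "\\nmap.exe", "\\masscan.exe"],
    },
    "filter_authorized": {
        "Computer": ["LOADTEST01"],   # assumed dedicated load-test host
        "User": ["CORP\\qa.svc"],     # assumed QA service account
    },
    "condition": "selection and not filter_authorized",
}


def _field_matches(value, pattern, modifier):
    """Compare one event field against one pattern; Sigma matching is case-insensitive."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)  # plain values: '*' and '?' wildcards


def selection_matches(event, selection):
    """Every field in a map selection must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_field_matches(event.get(field), p, modifier) for p in patterns):
            return False
    return True


def rule_matches(event, rule):
    """Support conditions of the form 'A' or 'A and not B [and not C ...]'."""
    names = [n.strip() for n in rule["condition"].split(" and not ")]
    if not selection_matches(event, rule[names[0]]):
        return False
    return not any(selection_matches(event, rule[n]) for n in names[1:])


def evaluate(rule, events):
    """Return the events a rule would alert on."""
    return [e for e in events if rule_matches(e, rule)]


def hit_images(rule, events):
    """Basename of the Image field of each event the rule fires on."""
    return [e["Image"].rsplit("\\", 1)[-1].lower() for e in evaluate(rule, events)]


if __name__ == "__main__":
    for name, rule in (("placeholder", PLACEHOLDER_RULE), ("tuned", TUNED_RULE)):
        hits = evaluate(rule, SAMPLE_EVENTS)
        print(f"{name}: {len(hits)}/{len(SAMPLE_EVENTS)} events alerted")
        for e in hits:
            print("   ", e["Computer"], e["User"], e["CommandLine"])
```

Run as a script, the placeholder rule alerts on all six sample events, including svchost.exe and firefox.exe, while the tuned rule alerts only on the masscan and ab launches from the unexpected workstation and account. The tuned selection is still host-side evidence of a flood tool, not of a flood; pair it with network flow telemetry to see whether the traffic actually left the host.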
