title: OS Exhaustion Flood (T1499.001)
id: df00tech-t1499-001
status: experimental
description: "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint."
references:
  - https://attack.mitre.org/techniques/T1499/001/
  - https://df00tech.com/detections/T1499.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1499.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated, and the
  # selection below (EventID: '*') matches every event in this logsource.
  # Replace it with the KQL/SPL query on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate high-traffic web servers receiving organic traffic spikes from CDN edge nodes, load testing campaigns, or major product launches can trigger connection count thresholds in IPS/IDS signatures"
  - "Network security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7, nmap) performing broad TCP port scans may generate SYN flood-like signatures on IPS/IDS devices when run at high rates"
  - "Cloud auto-scaling events and health check storms from load balancers (AWS ELB, Azure Application Gateway) can produce connection bursts that resemble early-stage floods from the perspective of perimeter devices"
  - "Misconfigured network monitoring tools performing high-frequency TCP keepalive probes may trigger half-open connection alerts on target systems"
  - "Software bugs causing TCP connection leaks or aggressive retry storms in microservices can mimic flood patterns, especially triggering Linux kernel nf_conntrack table full warnings in high-throughput environments"
level: high
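As an added illustration of the half-open backlog behaviour the description refers to, the following Python heuristic (written for this page; it is not the df00tech rule and not the KQL/SPL query referenced above) counts SYN_RECV entries per destination service per time window and alerts only when the half-open backlog grows past a threshold while few of those handshakes ever complete. The event tuple format, the thresholds, and the sample IP addresses are assumptions; the sample also includes a single-source port scan, one of the listed false positives, to show that per-service counting does not flag it.

```python
from collections import defaultdict

# Constructed sample (not a real capture): (t_seconds, src_ip, dst_ip, dst_port, state).
# "SYN_RECV" = a SYN was queued but the handshake has not completed (half-open);
# "ESTABLISHED" = a connection from the same client completed the handshake.
def build_sample():
    events = []
    for i in range(30):                      # legitimate clients: every SYN completes
        src = f"192.0.2.{i + 1}"
        events.append((i % 9, src, "10.0.0.5", 443, "SYN_RECV"))
        events.append((i % 9 + 1, src, "10.0.0.5", 443, "ESTABLISHED"))
    for i in range(150):                     # flood: half-open entries that never complete
        events.append((i % 10, f"198.51.100.{i + 1}", "10.0.0.5", 443, "SYN_RECV"))
    for port in range(1, 121):               # port scan of another host: one SYN per port
        events.append((port % 10, "203.0.113.9", "10.0.0.6", port, "SYN_RECV"))
    return events


def detect_syn_flood(events, window_s=10, threshold=100, max_completion=0.5):
    """Alert on a (dst_ip, dst_port) whose half-open backlog growth in one time window
    reaches `threshold` while at most `max_completion` of its SYNs ever complete."""
    windows = defaultdict(lambda: {"syn": 0, "est": 0, "sources": set()})
    for t, src, dst, dport, state in events:
        slot = windows[(dst, dport, t // window_s)]
        slot["syn" if state == "SYN_RECV" else "est"] += 1
        slot["sources"].add(src)
    alerts = []
    for (dst, dport, w), slot in sorted(windows.items()):
        if slot["syn"] == 0:
            continue
        half_open = slot["syn"] - slot["est"]      # SYNs still waiting in the backlog
        completion = slot["est"] / slot["syn"]     # low ratio = handshakes not finishing
        if half_open >= threshold and completion <= max_completion:
            alerts.append({"dst": (dst, dport), "window": w, "half_open": half_open,
                           "completion": round(completion, 3),
                           "sources": len(slot["sources"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample()):
        print(alert)
```

The distinct-source count in each alert is there for triage: many sources against one service points at a flood, while one source against many ports on a host is the scanner case the rule lists as a false positive.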
