title: Service Exhaustion Flood (T1499.002)
id: df00tech-t1499-002
status: experimental
description: "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting the various resources required to provide the service. An SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS where the adversary establishes a connection and then makes a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability."
references:
  - https://attack.mitre.org/techniques/T1499/002/
  - https://df00tech.com/detections/T1499.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1499.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: the selection below (EventID '*') matches every network_connection event, so replace it before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate high-traffic events such as product launches, viral marketing campaigns, or news coverage driving genuine traffic spikes from many distributed users"
  - "Web scraping bots, SEO crawlers, and content aggregators that rapidly enumerate site content and generate high request volumes from single IP ranges"
  - "Load testing tools (Apache Bench, k6, Locust, JMeter, Gatling) used by development and QA teams against production or staging environments without prior notification"
  - "CDN edge nodes, reverse proxies, or shared NAT gateways that aggregate traffic from many legitimate users behind a single source IP, inflating per-IP counts"
  - "Automated monitoring, synthetic transaction tools, and health check agents that poll endpoints at high frequency"
level: high
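As an added example (not part of the df00tech rule or its KQL/SPL logic), the following Python applies the rule's idea to web-server access logs: it counts requests per source IP in a sliding window, skips allowlisted sources to cover the CDN/NAT and synthetic-monitoring false positives listed above, and reports path diversity so a crawler can be told apart from a flood. The log format, thresholds and sample lines are my own constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format (Apache/nginx) line parser; the group names are my own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def _epoch(ts: str) -> int:
    """'19/Apr/2026:10:00:05 +0000' -> seconds since the Unix epoch."""
    return int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())

def detect_http_flood(lines, threshold=50, window=10, allowlist=frozenset()):
    """Return {ip: (peak_requests_in_window, distinct_paths)} for each source that
    reaches `threshold` requests inside any `window`-second span (lines assumed
    chronological per source). Allowlisted sources (CDN edges, reverse proxies,
    synthetic monitors) are skipped; few distinct paths suggests a flood, many a crawler."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the current window
    paths = defaultdict(set)      # ip -> distinct paths requested
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in allowlist:
            continue                  # unparsable line or known-benign source
        ip, t = m["ip"], _epoch(m["ts"])
        q = recent[ip]
        q.append(t)
        while t - q[0] >= window:     # drop timestamps that fell out of the window
            q.popleft()
        paths[ip].add(m["path"])
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, len(paths[ip])) for ip, n in peak.items()}

def _line(ip, sec, path, ua="Mozilla/5.0"):
    """Constructed combined-log line (sample data, not from any real server)."""
    return (f'{ip} - - [19/Apr/2026:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s // 12, "/login", "python-requests/2.31") for s in range(60)]  # 60 hits in 5 s
    + [_line("198.51.100.9", s, f"/page/{s}") for s in range(8)]                          # one browsing user
    + [_line("192.0.2.1", s // 12, "/healthz", "synthetic-monitor") for s in range(60)]   # noisy known monitor
)

if __name__ == "__main__":
    for ip, (n, npaths) in detect_http_flood(SAMPLE_LOG, allowlist={"192.0.2.1"}).items():
        print(f"{ip}: peak {n} requests in 10 s over {npaths} distinct path(s)")
```

Tune `threshold` and `window` to the site's normal per-client rate, and feed the allowlist from the proxy/CDN and monitoring inventory rather than hard-coding it.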
