title: Application Exhaustion Flood (T1499.003)
id: df00tech-t1499-003
status: experimental
description: "Adversaries may target resource-intensive features of web applications to cause a denial of service (DoS), denying availability to those applications. Unlike volumetric network-layer floods, application exhaustion attacks focus on Layer 7 features that consume disproportionate server resources per request — such as search functions, complex database queries, authentication endpoints, report generation, GraphQL resolvers, XML/SOAP processing, or file conversion operations. By repeatedly invoking these expensive operations, adversaries can exhaust CPU cycles, memory, database connection pools, or thread pools with relatively low request volumes, making the attack harder to distinguish from legitimate traffic spikes and more difficult to block at the network layer without application-aware controls."
references:
  - https://attack.mitre.org/techniques/T1499/003/
  - https://df00tech.com/detections/T1499.003
author: df00tech
date: 2026/04/19
tags:
  - attack.t1499.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate high-traffic events such as product launches, marketing campaigns, or viral content causing genuine user spikes to search or landing pages"
  - "Authorized security scanning tools (Qualys, Tenable Nessus, OWASP ZAP) running web application vulnerability assessments that hammer form and API endpoints"
  - "Load testing tools (Apache JMeter, Gatling, Locust, k6) executing authorized performance tests against production or staging environments"
  - "Legitimate API clients or integration partners with high-frequency polling or batch processing workloads making hundreds of requests per minute"
  - "Search engine crawlers (Googlebot, Bingbot, Slurp) aggressively indexing resource-intensive dynamic pages or paginated search results"
level: high
