A Network Denial of Service attack degrades or destroys the availability of a target by overwhelming its network infrastructure with more traffic than it can process. Unlike techniques that steal data or establish persistence, T1498 is about disruption — making websites unreachable, APIs unresponsive, and critical services unavailable to the people who depend on them. The technique falls under the Impact tactic in the MITRE ATT&CK framework because its purpose is to cause visible, immediate harm to operations.
The threat landscape for DDoS has changed fundamentally in recent years. What was once primarily a tool for extortion and petty vandalism has become a weapon of geopolitical conflict. Hacktivist groups now coordinate sustained, high-volume campaigns against government institutions, financial systems, and critical infrastructure as acts of ideological warfare. DDoS-for-hire services have lowered the barrier to entry so far that unskilled actors can launch multi-vector attacks via simple prompts, and AI-driven tools are accelerating botnet growth and attack sophistication. NETSCOUT recorded over 8 million DDoS attacks globally in the second half of 2025 alone, with peak attack demonstrations reaching 30 Tbps.
The distinction between T1498 (Network Denial of Service) and T1499 (Endpoint Denial of Service) is important. T1498 targets the network layer — flooding bandwidth, exhausting connection state tables on firewalls and load balancers, and consuming the capacity of the link itself. T1499 targets the application layer — sending crafted requests that exhaust CPU, memory, or application logic on the server. In practice, sophisticated attackers combine both in multi-vector campaigns that attack every layer simultaneously.
How Network Denial of Service Works
The attack chain begins with infrastructure. The attacker needs a source of traffic volume that exceeds the target's capacity to absorb it. This is achieved through one of three methods: botnets composed of compromised devices that generate traffic directly, reflection and amplification services that multiply a small volume of requests into a massive volume of responses directed at the victim, or DDoS-for-hire platforms that provide both capabilities as a service.
Botnets remain the primary engine for volumetric DDoS. The Aisuru/Kimwolf botnet, responsible for the 31.4 Tbps record in late 2025, consists of over 2 million compromised Android devices — primarily off-brand Android TVs infiltrated through residential proxy networks. The Eleven11 (RapperBot) botnet has powered over 3,600 high-volume attacks since 2021, demonstrating that compromised IoT devices and customer-premise equipment can generate outbound floods exceeding 1 Tbps from a single network's worth of infected devices.
Once the attack infrastructure is in place, the attacker directs traffic at the target. The traffic may consist of raw UDP or ICMP packets that consume bandwidth (volumetric floods), TCP SYN packets that exhaust connection state tables on stateful devices (protocol attacks), or amplified responses from legitimate third-party services like DNS resolvers or NTP servers that are reflected toward the victim (reflection amplification). The most damaging campaigns deploy all three simultaneously, overwhelming different layers of the target's defenses at once.
Sub-Techniques
T1498.001 — Direct Network Flood
A direct flood is the conceptually simplest form of DDoS: the attacker commands a botnet to send as much traffic as possible directly to the target's IP address or network range. The traffic is generated by the compromised devices themselves and does not rely on third-party amplification. Common flood types include UDP floods (random or targeted UDP packets that consume bandwidth and force the target to process and discard each one), ICMP floods (ping floods that consume bandwidth and processing), SYN floods (TCP connection requests that exhaust the state tables of firewalls, load balancers, and servers), and ACK floods (TCP acknowledgment packets that bypass simple SYN-based filtering).
Direct floods have the advantage of being difficult to filter because the traffic originates from geographically distributed, real IP addresses. Unlike amplification attacks where the source can be traced to known reflector services, a botnet flood comes from millions of unique source IPs across residential networks worldwide, making IP-based blocking impractical.
T1498.002 — Reflection Amplification
Reflection amplification is the most bandwidth-efficient form of DDoS. The attacker sends requests to legitimate, publicly accessible services — DNS resolvers, NTP servers, memcached instances, CLDAP servers — with the source IP address spoofed to be the victim's IP. These services process the request and send the response to the victim. Because the response is significantly larger than the request, the attacker achieves amplification: a small amount of outgoing traffic generates a massive volume of incoming traffic at the target.
| Protocol | Port | Amplification Factor | Notes |
|---|---|---|---|
| DNS | 53/UDP | 28x – 54x | Open resolvers respond to ANY queries with large zone records; DNSSEC-signed responses are even larger |
| NTP | 123/UDP | Up to 556x | The monlist command on misconfigured servers returns the last 600 client addresses — a massive response from a tiny request |
| Memcached | 11211/UDP | Up to 51,000x | Misconfigured memcached servers exposed to the internet can return cached data in response to spoofed requests; produced the first 1 Tbps+ attacks |
| CLDAP | 389/UDP | 56x – 70x | Connection-less LDAP on Windows domain controllers; common in enterprise environments that inadvertently expose DC services |
| SSDP | 1900/UDP | 30x | Simple Service Discovery Protocol on consumer IoT devices and home routers |
| SNMP | 161/UDP | 6x | GetBulk requests against publicly accessible SNMP agents |
Reflection amplification attacks require the attacker to spoof the source IP address in outgoing packets. Networks that implement BCP38/BCP84 (ingress filtering) prevent their hosts from sending packets with spoofed source addresses, cutting off the attack at the source. Widespread adoption of these standards would eliminate reflection amplification entirely — but adoption remains incomplete across global networks.
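The two conditions above (spoofed source addresses leaving a network, and exposed UDP services that answer with far more bytes than they receive) can both be audited from a site's own flow records. The following is an added example, not code from the original article; the prefixes, ports and flow records are constructed for illustration.

```python
# Added example (not part of the original article): audits a site's own flow
# records for two ways its network can be abused in reflection attacks, using
# constructed prefixes, ports and flow records.
#   1. outbound packets whose source address is not one of the site's own
#      prefixes (spoofed sources that BCP38/BCP84 filtering should drop), and
#   2. UDP services that answer external clients with far more bytes than they
#      received (the site is acting as an amplifier).
import ipaddress
from collections import defaultdict

# Constructed: the prefixes this site legitimately originates traffic from.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# UDP service ports that are well-known reflection vectors (from the table above).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, direction)
FLOWS = [
    # Ordinary outbound HTTPS from an inside host.
    ("203.0.113.10", 51000, "198.51.100.5", 443, "tcp", 1200, "out"),
    # An infected inside host emitting requests with a spoofed (foreign) source address.
    ("192.0.2.77", 40000, "198.51.100.20", 123, "udp", 50, "out"),
    ("192.0.2.77", 40001, "198.51.100.21", 53, "udp", 60, "out"),
    # An exposed memcached server: tiny inbound request, huge outbound reply.
    ("198.51.100.9", 7000, "203.0.113.40", 11211, "udp", 40, "in"),
    ("203.0.113.40", 11211, "198.51.100.9", 7000, "udp", 400000, "out"),
    # A DNS resolver answering a small query with a normally sized response.
    ("198.51.100.3", 33000, "203.0.113.53", 53, "udp", 60, "in"),
    ("203.0.113.53", 53, "198.51.100.3", 33000, "udp", 180, "out"),
]

def is_own_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_PREFIXES)

def spoofed_egress(flows):
    """Source addresses of outbound flows that this site is not entitled to originate."""
    return sorted({f[0] for f in flows if f[6] == "out" and not is_own_address(f[0])})

def reflector_ratios(flows):
    """Per local UDP service (ip, port): bytes sent out divided by bytes received."""
    received, sent = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes, direction in flows:
        if proto != "udp":
            continue
        if direction == "in" and dport in REFLECTOR_PORTS:
            received[(dst, dport)] += nbytes
        elif direction == "out" and sport in REFLECTOR_PORTS:
            sent[(src, sport)] += nbytes
    return {svc: sent[svc] / received[svc] for svc in sent if received.get(svc)}

def exposed_reflectors(flows, max_ratio=10.0):
    """Services whose reply bytes exceed max_ratio times the request bytes they received."""
    return {f"{ip}:{port} ({REFLECTOR_PORTS[port]})": round(ratio, 1)
            for (ip, port), ratio in reflector_ratios(flows).items() if ratio > max_ratio}

if __name__ == "__main__":
    print("spoofed egress sources:", spoofed_egress(FLOWS))
    print("exposed reflectors:", exposed_reflectors(FLOWS))
```

A ratio threshold of 10 is deliberately conservative; a healthy resolver or NTP server sits well below it, while the memcached and NTP monlist cases in the table sit orders of magnitude above.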
Real-World Case Studies
Aisuru/Kimwolf Botnet — The 31.4 Tbps Record
In November 2025, the Aisuru/Kimwolf botnet launched the largest publicly disclosed DDoS attack in history, peaking at 31.4 Tbps. The attack lasted only 35 seconds but demonstrated a volume that would overwhelm virtually any on-premises mitigation equipment. Cloudflare, which detected and mitigated the attack automatically, reported that it did not trigger any internal alerts — the mitigation was entirely automated. Weeks later, the same botnet launched a sustained campaign dubbed "The Night Before Christmas," targeting Cloudflare customers and infrastructure with HTTP DDoS attacks exceeding 200 million requests per second alongside network-layer attacks peaking at 24 Tbps.
The Aisuru botnet's infrastructure consists of more than 2 million compromised Android devices, predominantly off-brand Android TVs that were infiltrated through residential proxy networks. The attack sources in the Christmas campaign were almost entirely Android TV devices, demonstrating how consumer IoT devices that receive no security updates become weaponized infrastructure at scale. Cloudflare reported that over 71.5% of all HTTP DDoS attacks in Q4 2025 originated from known, documented botnets.
NoName057(16) — Hacktivist DDoS at Industrial Scale
The pro-Russian hacktivist group NoName057(16) claimed 4,693 DDoS attacks in 2025, making it the single most active hacktivist entity ever documented. The group systematically targets government institutions, financial systems, transportation infrastructure, and media organizations in NATO countries, with particular focus on Poland, the Czech Republic, the Baltic states, and other nations that have expressed support for Ukraine. Their campaigns are coordinated through Telegram channels and sustained over weeks or months, designed to erode public confidence in digital government services.
NoName057(16) is not alone. Radware's 2026 Global Threat Analysis Report documents that 61% of hacktivist DDoS attacks in 2025 were perpetrated by pro-Russian groups. The ecosystem is increasingly collaborative: groups like Keymous+ have demonstrated how partnerships between threat actors can amplify attack bandwidth by nearly 4x. This coordination represents a shift from opportunistic disruption to sustained, strategic campaigns that function as instruments of hybrid warfare.
Middle East Conflict — 149 Attacks Across 16 Countries in 3 Days
In late February and early March 2026, following escalation in the Middle East conflict, 12 hacktivist groups launched 149 DDoS attacks against 110 organizations across 16 countries in a span of three days. The campaign involved groups including Keymous+, DieNet, NoName057(16), and Hider Nex (Tunisian Maskers Cyber Force), which collectively accounted for 74.6% of all attack activity. Targets included government institutions, financial services, telecommunications providers, and critical infrastructure organizations across the region and in countries perceived as aligned with opposing sides of the conflict.
This case demonstrates how DDoS has become the default first-response weapon in geopolitical conflict. The attacks required minimal coordination time, leveraged existing botnet and DDoS-for-hire infrastructure, and achieved immediate visibility in affected countries. While individual attacks may have been mitigated by cloud-based DDoS protection, the sustained, multi-target nature of the campaign strained resources and forced security teams across the region into continuous response mode.
DDoS-for-hire services now leverage conversational AI and illicit large language model tools to let unskilled attackers launch sophisticated multi-vector attacks through simple prompts. Underground forums have recorded a 219% increase in discussions related to malicious AI tools, signaling that the barrier to entry for launching damaging DDoS campaigns will continue to drop.
New Zealand Stock Exchange — Multi-Day Trading Disruption
In August 2020, the New Zealand Stock Exchange (NZX) was forced to halt trading multiple times over several days due to sustained DDoS attacks targeting its connectivity. The attacks overwhelmed the exchange's internet links, preventing traders from accessing the NZX website and trading systems. The incident demonstrated that even critical financial infrastructure in developed nations can be rendered inoperable by well-targeted DDoS campaigns, and it triggered a national-level review of New Zealand's cybersecurity preparedness for critical market infrastructure.
DDoS as Ransomware Smokescreen
A growing operational pattern pairs DDoS attacks with concurrent intrusion operations. The DDoS serves as a distraction: while the security team and network operations center are consumed with responding to the flood of traffic and restoring availability, the attacker conducts their primary mission — data exfiltration, ransomware deployment, or espionage — with reduced likelihood of detection. This pairing is documented across both state-sponsored and financially motivated operations and represents an evolution where DDoS is not the end goal but a tactical enabler for other MITRE techniques.
Detection Strategies
Detecting DDoS is fundamentally different from detecting other MITRE techniques because the attack is volumetric — the signal is the traffic itself, not a subtle behavioral anomaly. Detection focuses on identifying abnormal traffic patterns before they exhaust available resources, distinguishing attack traffic from legitimate traffic spikes, and identifying the attack vector to apply appropriate filtering.
Key Indicators and Data Sources
| Data Source | What to Monitor | Detection Value |
|---|---|---|
| NetFlow / sFlow | Traffic volume per destination IP, protocol distribution, packets per second, top talkers | Primary detection source; establishes baselines and alerts on volumetric anomalies before link saturation |
| Firewall/IDS logs | SYN flood detection, connection state table utilization, dropped packet rates | Protocol-level attacks (SYN floods, ACK floods) are visible in stateful device logs before they are visible in bandwidth metrics |
| DNS query logs | Query volume spikes, response size anomalies, queries for non-existent domains | DNS amplification attacks generate distinctive query patterns; DNS-based DDoS targets the DNS infrastructure itself |
| BGP monitoring | Route announcements, prefix hijacking, upstream provider notifications | Large-scale DDoS can trigger upstream BGP changes; monitoring for unexpected route changes provides early warning |
| Application performance | Response time degradation, error rate increases, connection timeout rates | Application-layer impact is often the first thing users and monitoring systems notice; correlate with network metrics to distinguish DDoS from application bugs |
Detection Queries
The following Splunk searches illustrate each detection approach. The first flags any 5-minute bin in which inbound bytes to a destination exceed that destination's average by more than three standard deviations, with the baseline computed over the preceding 7 days:

```spl
index=netflow earliest=-7d
| bin _time span=5m
| stats sum(bytes_in) as total_bytes by _time, dest_ip
| eventstats avg(total_bytes) as avg_bytes, stdev(total_bytes) as stdev_bytes by dest_ip
| where total_bytes > (avg_bytes + (3 * stdev_bytes))
| table _time, dest_ip, total_bytes, avg_bytes
| sort -total_bytes
```

The second flags DNS reflection amplification: large UDP responses from external resolvers arriving at internal hosts. A reflected response answers a query the victim never sent, so the resolver's port 53 appears as the source port, not the destination port. The search does not itself verify that no matching outbound query exists; correlate the flagged pairs with outbound DNS logs before treating them as confirmed reflection:

```spl
index=network sourcetype="firewall"
| where src_port=53 AND direction="inbound" AND protocol="udp"
| where bytes_in > 1000
| stats count, sum(bytes_in) as total_bytes by src_ip, dest_ip
| where count > 100 AND total_bytes > 1000000
| table src_ip, dest_ip, count, total_bytes
| sort -total_bytes
```

The third detects SYN floods from connection-state records, alerting when half-open connections to a single destination exceed a threshold:

```spl
index=firewall sourcetype="firewall:connections"
| where state="SYN_SENT" OR state="SYN_RECEIVED"
| stats count as half_open by dest_ip
| where half_open > 10000
| table dest_ip, half_open
| sort -half_open
```
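The same three detections, rewritten as plain Python over constructed records so the logic can be read and tested without a SIEM. This is an added example, not code from the original article; the thresholds mirror the searches above, and the record layouts and sample data are constructed.

```python
# Added example (not part of the original article): the three searches above
# expressed as plain Python over constructed flow and connection-state records,
# so the detection logic can be read and tested without a SIEM. The reflection
# check goes one step further than the search: it counts only inbound responses
# that match no outbound query from the receiving host, which is the signature
# of a reflected (spoofed-source) request.
import statistics
from collections import defaultdict

BIN_SECONDS = 300                                   # 5-minute bins ("bin _time span=5m")
REFLECTOR_PORTS = {53, 123, 161, 389, 1900, 11211}  # UDP services from the amplification table

def volumetric_anomalies(flows, sigmas=3.0):
    """flows: (epoch_seconds, dest_ip, bytes_in). Returns (dest_ip, bin_start, bytes)
    for each 5-minute bin that exceeds the destination's mean + sigmas * stdev."""
    bins = defaultdict(lambda: defaultdict(int))
    for ts, dest, nbytes in flows:
        bins[dest][ts - ts % BIN_SECONDS] += nbytes
    hits = []
    for dest, per_bin in bins.items():
        vals = list(per_bin.values())
        if len(vals) < 2:
            continue                                # no baseline to compare against yet
        avg, sd = statistics.mean(vals), statistics.stdev(vals)
        hits += [(dest, t, v) for t, v in per_bin.items() if v > avg + sigmas * sd]
    return sorted(hits, key=lambda h: -h[2])

def reflection_victims(packets, min_count=100, min_bytes=1_000_000):
    """packets: UDP records (src_ip, src_port, dest_ip, dest_port, direction, nbytes).
    Returns {(reflector_ip, victim_ip): (count, bytes)} for unsolicited response floods."""
    asked = {(s, sp, d) for s, sp, d, dp, dirn, _ in packets
             if dirn == "out" and dp in REFLECTOR_PORTS}
    count, total = defaultdict(int), defaultdict(int)
    for s, sp, d, dp, dirn, nbytes in packets:
        if dirn == "in" and sp in REFLECTOR_PORTS and (d, dp, s) not in asked:
            count[(s, d)] += 1
            total[(s, d)] += nbytes
    return {k: (count[k], total[k]) for k in count
            if count[k] > min_count and total[k] > min_bytes}

def syn_flood_targets(conns, threshold=10_000):
    """conns: (dest_ip, state). Returns destinations with more half-open connections than threshold."""
    half_open = defaultdict(int)
    for dest, state in conns:
        if state in ("SYN_SENT", "SYN_RECEIVED"):
            half_open[dest] += 1
    return {d: n for d, n in half_open.items() if n > threshold}

# Constructed sample data: 24 quiet 5-minute bins, then one bin with a 40x spike.
FLOWS = [(t, "203.0.113.80", 5_000_000) for t in range(0, 24 * 300, 300)]
FLOWS += [(24 * 300, "203.0.113.80", 200_000_000)]
# 400 large DNS "responses" to a host that never asked, plus one legitimate query/answer pair.
PACKETS = [("198.51.100.3", 53, "203.0.113.80", 40000 + i, "in", 3000) for i in range(400)]
PACKETS += [("203.0.113.10", 55555, "198.51.100.3", 53, "out", 60),
            ("198.51.100.3", 53, "203.0.113.10", 55555, "in", 3000)]
# 12,000 half-open connections to one server, a handful to another.
CONNS = [("203.0.113.80", "SYN_RECEIVED")] * 12_000 + [("203.0.113.81", "SYN_RECEIVED")] * 5

if __name__ == "__main__":
    print(volumetric_anomalies(FLOWS))
    print(reflection_victims(PACKETS))
    print(syn_flood_targets(CONNS))
```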
Known Threat Actors
- NoName057(16) (Russia-aligned hacktivist) — 4,693 claimed attacks in 2025; targets NATO government and financial institutions; operates the DDoSia crowdsourced attack tool that recruits volunteer participants
- Keymous+ (hacktivist) — Drove approximately 70% of DDoS activity during the February-March 2026 Middle East conflict escalation alongside DieNet; demonstrated 4x bandwidth amplification through threat actor collaboration
- Killnet (Russia-aligned hacktivist) — Targeted U.S. and European government, healthcare, and aviation sectors; provided the organizational model that newer hacktivist groups have replicated
- APT28 / Fancy Bear (Russia) — Conducted DDoS attacks against the World Anti-Doping Agency as part of politically motivated operations; combines DDoS with espionage techniques
- Hider Nex / Tunisian Maskers (hacktivist) — Pro-Palestinian hacktivist group combining DDoS with data breach and leak operations; emerged in mid-2025
- Handala Hack Team (Iran-aligned hacktivist) — DDoS attacks, website defacements, and infrastructure disruption claims against Israeli targets
- Aisuru/Kimwolf Botnet (criminal infrastructure) — 2+ million compromised Android devices; responsible for the 31.4 Tbps record and the "Night Before Christmas" campaign
- Eleven11 / RapperBot (criminal infrastructure) — IoT-based botnet powering 3,600+ high-volume attacks since 2021; demonstrates that compromised CPE can generate 1 Tbps+ floods
- Lucifer Malware — Supports TCP, UDP, and HTTP flood attacks; turns compromised hosts into DDoS nodes alongside its primary cryptomining and vulnerability exploitation capabilities
Defensive Recommendations
- Deploy upstream DDoS mitigation through CDN or scrubbing services: When attack traffic exceeds on-premises link capacity, upstream mitigation is the only viable defense. Services like Cloudflare, Akamai Prolexic, AWS Shield Advanced, and Azure DDoS Protection absorb and filter volumetric floods before they reach the target network. For critical services, always-on protection is preferable to on-demand scrubbing, which introduces activation delays during which traffic may already be impacting availability.
- Implement Anycast routing for internet-facing services: Anycast distributes incoming traffic across multiple geographically dispersed points of presence, preventing any single location from bearing the full weight of an attack. This is particularly important for DNS infrastructure and web properties that must remain available under attack conditions.
- Configure rate limiting and connection thresholds on all edge devices: Firewalls, load balancers, and web application firewalls should enforce per-source rate limits for connection requests, UDP traffic, and DNS queries. SYN cookies should be enabled on all TCP listeners to protect state tables from SYN flood exhaustion without dropping legitimate connections.
- Eliminate your network as an amplification source: Implement BCP38/BCP84 ingress filtering to prevent packets with spoofed source addresses from leaving your network. Ensure that DNS resolvers, NTP servers, memcached instances, and LDAP services are not accessible from the public internet. Close UDP ports 11211, 1900, and 389 at the network perimeter if external access is not required.
- Maintain network and DNS redundancy: Use multiple upstream ISPs with diverse paths. Deploy DNS infrastructure across multiple providers and use secondary DNS zones so that a DDoS against one DNS provider does not take all domains offline. Ensure that critical applications have fallback connectivity paths that do not share the same physical links or transit providers as the primary path.
- Develop and regularly test a DDoS response plan: Document escalation procedures, upstream provider contact information, and playbooks for different attack types (volumetric, protocol, application-layer). Include procedures for engaging ISP-level mitigation (BGP Flowspec, remotely triggered blackhole routing) when attack volume exceeds CDN capacity. Test the plan through tabletop exercises and simulated attacks at least annually.
- Monitor for DDoS as a distraction technique: When a DDoS attack is underway, increase monitoring sensitivity for other attack indicators — lateral movement, authentication anomalies, data exfiltration, and unauthorized configuration changes. DDoS is increasingly used as cover for concurrent intrusion operations, and the response team must avoid tunnel vision on the availability incident while ignoring other attacks in progress.
- Harden IoT devices and consumer-premise equipment: Change default credentials, disable unnecessary services (particularly UPnP/SSDP), apply firmware updates, and segment IoT devices from critical network infrastructure. Every unpatched device is a potential botnet node. Organizations that operate large fleets of IoT devices have a responsibility to prevent their infrastructure from being weaponized against others.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1498 |
| Technique Name | Network Denial of Service |
| Tactic | Impact |
| Impact Type | Availability |
| Platforms | Windows, Linux, macOS, Containers, IaaS |
| Sub-Techniques | T1498.001 (Direct Network Flood), T1498.002 (Reflection Amplification) |
| Data Sources | Network Traffic (Content, Flow), Sensor Health (Host Status) |
| Mitigations | Filter Network Traffic, Network Segmentation (upstream), Egress Filtering (BCP38) |
| Related | T1499 (Endpoint Denial of Service), T1489 (Service Stop), T1486 (Data Encrypted for Impact) |
| MITRE Reference | attack.mitre.org/techniques/T1498 |
Sources and References
- MITRE ATT&CK — T1498 Network Denial of Service: attack.mitre.org
- Cloudflare — 2025 Q4 DDoS Threat Report (31.4 Tbps record, 121% surge, Aisuru/Kimwolf): blog.cloudflare.com
- Radware — 2026 Global Threat Analysis Report (NoName057 record, hacktivist trends): radware.com
- NETSCOUT — DDoS Threat Intelligence Report H2 2025 (8M+ attacks, 30 Tbps peaks, AI-driven DDoS): netscout.com
- The Hacker News — 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries (March 2026): thehackernews.com
- MITRE ATT&CK — DET0518 Behavioral Detection of T1498 (October 2025): attack.mitre.org
- Cloudflare — Famous DDoS Attacks: cloudflare.com