Service Disruption
Info
ID: AT-IM006
Tactic: Impact
Sub-techniques: Denial of Service (DoS) Attacks, Resource Starvation, System Shutdown and Reboot, Traffic Flooding
Service Disruption
Adversaries may degrade or deny legitimate user access by overwhelming application resources, forcibly shutting down services, or exhausting compute capacity. This can be carried out by traffic floods, intentional resource starvation, or orchestrated restarts of critical components. In a cloud context, attackers might scale malicious workloads to consume entire cluster budgets, significantly impacting availability and SLA commitments.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Flow | Detect sustained traffic spikes or burst rates exceeding baseline across multiple sources, indicating potential flood or resource exhaustion. |
| DS0030 | Cloud Service Metadata | Alert on sudden, large-scale auto-scaling events or quota exhaustion triggered by workloads not linked to scheduled deployments. |
| DS0015 | Application Log | Monitor service-restart or crash-loop events occurring in rapid succession across clustered components. |
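The DS0015 detection above (restart or crash events in rapid succession across clustered components), worked as an added example that is not part of this page: a sliding-window detector run over constructed application log lines. The log line format, the component names and the thresholds (three events per component within 60 seconds, two such components overlapping) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, component, event.
# api-gw-1 and api-gw-2 restart/crash repeatedly; worker-7 restarts twice, 44 min apart.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z api-gw-1 restart reason=oom
2024-05-01T10:00:12Z api-gw-1 restart reason=oom
2024-05-01T10:00:25Z api-gw-2 crash signal=SIGKILL
2024-05-01T10:00:31Z api-gw-1 restart reason=oom
2024-05-01T10:00:40Z api-gw-2 restart reason=probe-failed
2024-05-01T10:00:55Z api-gw-2 restart reason=probe-failed
2024-05-01T10:01:02Z worker-7 restart reason=deploy
2024-05-01T10:45:00Z worker-7 restart reason=deploy
"""

# Assumed line shape: "<ISO-8601 UTC timestamp> <component> <restart|crash> ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (restart|crash)\b")

def parse_events(text):
    """Yield (timestamp, component) for each restart/crash line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2)

def detect_crash_loops(text, window_seconds=60, per_component=3, min_components=2):
    """Return ({component: time it first tripped}, cluster_alert_time_or_None).

    A component trips when per_component events fall inside one sliding window.
    A cluster alert fires the first time min_components components have tripped
    within one window of each other, i.e. the loop is spread across the cluster."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # component -> event times inside the current window
    looping = {}                  # component -> timestamp at which it first tripped
    cluster_alert = None
    for ts, comp in sorted(parse_events(text)):
        q = recent[comp]
        q.append(ts)
        while ts - q[0] > window:  # drop events that aged out of the window
            q.popleft()
        if len(q) >= per_component and comp not in looping:
            looping[comp] = ts
        active = [c for c, t in looping.items() if ts - t <= window]
        if cluster_alert is None and len(active) >= min_components:
            cluster_alert = ts
    return looping, cluster_alert
```

Scheduled deployment restarts like worker-7's are far enough apart that they never trip the per-component threshold, which is what keeps the rule from alerting on routine rollouts.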
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1030 | Network Segmentation | Employ rate-limiting, WAF rules, and auto-scaling safeguards to absorb or block excess traffic. |
| M1040 | Behavior Prevention on Endpoint | Configure health-checks and circuit-breakers to shed load when critical thresholds are reached. |
| M1053 | Data Backup | Maintain redundant infrastructure and fail-over plans to minimize downtime. |