CAPEC-482 TCP Flood – Attack Pattern Analysis

CAPEC-482 Metadata

Likelihood of Attack

Medium

Typical Severity

High

Overview

Summary

An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.

Prerequisites

This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server.

Potential Solutions / Mitigations

To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.

Related Weaknesses (CWE)

CWE ID	Description
CWE-770	Allocation of Resources Without Limits or Throttling

Related CAPECs

CAPEC ID	Description
CAPEC-125	An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.

CAPEC ID

Description

CAPEC-125

An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1498.001	Network Denial of Service: Direct Network Flood
1499.001	Endpoint Denial of Service: OS Exhaustion Flood
1499.002	Endpoint Denial of Service: Service Exhaustion Flood

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.