Skip to content

DET0408 Detection Strategy for Reflection Amplification DoS (T1498.002)

Item Value
ID DET0408
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1498.002 (Reflection Amplification)

Analytics

Windows

AN1140

Outbound spoofed traffic to known amplification protocols (e.g., DNS, NTP, Memcached) combined with abnormal network traffic volume targeting remote reflectors, resulting in disproportionate traffic returned to a victim

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Host Status (DC0018) Windows:perfmon Sudden spike in outbound throughput without corresponding inbound traffic
Mutable Elements
Field Description
TimeWindow Interval for measuring sudden outbound spike or volume pattern
AmplificationProtocolPorts List of known ports used for reflection amplification (e.g., 53/DNS, 123/NTP, 11211/Memcached)
PacketToByteRatio Heuristic threshold where the response volume far outweighs the request volume

Linux

AN1141

Spoofed outbound packets sent to amplification services from command-line tools or scripts, combined with abnormal outbound packet volume on known reflector ports

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports
Network Traffic Flow (DC0078) NSM:Flow Outbound UDP floods targeting common reflection services with spoofed IP headers
Host Status (DC0018) sar:network Outbound network saturation with minimal process activity
Mutable Elements
Field Description
TimeWindow Sliding interval for detecting volumetric anomalies
AmplificationProtocolList Which protocols to watch (e.g., DNS, NTP, SSDP, Memcached)
ExecutionToolList Set of binaries and scripts commonly abused for spoofing/reflection

macOS

AN1142

Command-line initiated UDP traffic bursts to external reflection amplification ports using built-in scripting or binaries with network anomalies

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Execution of ping, nping, or crafted network packets via bash or python to reflection services
Network Traffic Flow (DC0078) macos:unifiedlog Outbound UDP spikes to external reflector IPs
Mutable Elements
Field Description
ReflectionPorts Ports known for reflection abuse — DNS, NTP, SSDP, Memcached
TrafficSpikeThreshold How much deviation in outbound traffic constitutes a suspicious spike

IaaS

AN1143

Cloud-hosted VM or container generates spoofed UDP requests to third-party services on known amplifier ports, with high outbound-to-inbound traffic ratios in VPC Flow Logs

Log Sources
Data Component Name Channel
Firewall Rule Modification (DC0051) AWS:CloudTrail Create egress rule allowing UDP to port 53, 123, 11211
Network Traffic Flow (DC0078) AWS:VPCFlowLogs Large outbound UDP traffic to multiple public reflector IPs
Host Status (DC0018) AWS:CloudWatch Sudden spike in network output without a corresponding inbound request ratio
Mutable Elements
Field Description
EgressRulePorts Cloud security group rules permitting UDP to reflector protocols
OutboundToInboundRatio Ratio threshold to flag traffic as potential reflection behavior
VMInstanceTagContext Cloud metadata that can help scope anomalous behavior to development, testing, or external-facing services