Detect Reflection Amplification in Elastic Security
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target using third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct large responses at the victim. This technique exploits protocols whose responses are significantly larger than requests — known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP allows source IP spoofing without a three-way handshake, attackers can direct enormous response volumes at a victim with minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1498 Network Denial of Service
- Sub-technique: T1498.002 Reflection Amplification
- Canonical reference: https://attack.mitre.org/techniques/T1498/002/
Elastic Detection Query
```esql
FROM logs-network*, logs-endpoint.events.network*
| WHERE @timestamp > NOW() - 1 hour
| WHERE network.transport == "udp"
// Reflectors answer from their well-known service port, so at the victim the
// service port appears as source.port and the victim is destination.ip.
| WHERE source.port IN (53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520)
| EVAL attack_type = CASE(
    source.port == 53, "DNS Amplification",
    source.port == 123, "NTP Amplification",
    source.port == 11211, "Memcached Amplification",
    source.port == 1900, "SSDP Amplification",
    source.port == 389, "CLDAP Amplification",
    source.port == 5353, "mDNS Amplification",
    source.port == 161, "SNMP Amplification",
    source.port == 17, "QOTD Amplification",
    source.port == 19, "CharGen Amplification",
    source.port == 5683, "CoAP Amplification",
    source.port == 1434, "MSSQL Amplification",
    source.port == 520, "RIP Amplification",
    "Generic Reflection Amplification"
  )
| STATS
    connection_count = COUNT(*),
    unique_source_ips = COUNT_DISTINCT(source.ip),
    // ECS: source.bytes counts bytes sent from source to destination, i.e. the
    // reflected responses arriving at the victim (destination.bytes is the reverse direction).
    total_bytes_in = SUM(source.bytes),
    attack_types = VALUES(attack_type),
    sample_source_ips = VALUES(source.ip)
  BY destination.ip, window = BUCKET(@timestamp, 5 minutes)
| WHERE connection_count > 500 OR unique_source_ips > 25
| EVAL gb_received = ROUND(total_bytes_in / 1073741824.0, 3)
| EVAL risk_score = CASE(
    connection_count > 10000 OR unique_source_ips > 500, "Critical",
    connection_count > 2000 OR unique_source_ips > 100, "High",
    connection_count > 500 OR unique_source_ips > 25, "Medium",
    "Low"
  )
| KEEP destination.ip, window, attack_types, risk_score, connection_count, unique_source_ips, gb_received, sample_source_ips
| SORT connection_count DESC
```

Detects UDP reflection amplification DDoS attacks (T1498.002) using ES|QL aggregation on network flow and endpoint telemetry indices. Identifies victim IPs receiving high-volume UDP traffic sourced from known amplification service ports (DNS/53, NTP/123, Memcached/11211, SSDP/1900, CLDAP/389, mDNS/5353, SNMP/161, QOTD/17, CharGen/19, CoAP/5683, MSSQL/1434, RIP/520) within 5-minute windows. Alerts when a single destination IP receives more than 500 UDP connections or traffic from more than 25 unique source IPs in one window. Note: This is an ES|QL aggregation query — deploy via Kibana Alerting using an Aggregation threshold rule pointing at the same index pattern for automated alerting.
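The same grouping, threshold and risk ladder as the rule above, replayed in Python over constructed ECS-style UDP flow records so the thresholds can be sanity-checked offline before the rule is deployed. This is an added example, not Elastic's code or part of the original page; the flow dict keys, the epoch timestamps and the sample IPs are constructed assumptions.

```python
from collections import defaultdict

# Ports the rule keys on, mapped to the attack_type label the rule's CASE() assigns.
AMP_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 389: "CLDAP",
             5353: "mDNS", 161: "SNMP", 17: "QOTD", 19: "CharGen", 5683: "CoAP",
             1434: "MSSQL", 520: "RIP"}
BUCKET = 300  # seconds; mirrors BUCKET(@timestamp, 5 minutes)

def risk_score(conns, uniq):
    # Same ladder as the rule; "Low" is unreachable once the > 500 / > 25 filter has applied.
    for max_c, max_u, label in ((10000, 500, "Critical"), (2000, 100, "High"), (500, 25, "Medium")):
        if conns > max_c or uniq > max_u:
            return label
    return "Low"

def aggregate(flows):
    """Replay the STATS ... BY destination.ip, 5-minute bucket step over ECS-like flow dicts
    (keys: ts epoch seconds, transport, source_ip, source_port, destination_ip, source_bytes)."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "bytes": 0, "types": set()})
    for f in flows:
        if f["transport"] != "udp" or f["source_port"] not in AMP_PORTS:
            continue
        g = groups[(f["destination_ip"], f["ts"] // BUCKET * BUCKET)]
        g["count"] += 1
        g["sources"].add(f["source_ip"])
        g["bytes"] += f["source_bytes"]  # ECS: bytes from source to destination = bytes into the victim
        g["types"].add(AMP_PORTS[f["source_port"]] + " Amplification")
    hits = []
    for (dst, start), g in groups.items():
        n, u = g["count"], len(g["sources"])
        if n > 500 or u > 25:  # the rule's alert threshold
            hits.append({"destination_ip": dst, "bucket_start": start, "connection_count": n,
                         "unique_source_ips": u, "attack_types": sorted(g["types"]),
                         "risk_score": risk_score(n, u),
                         "gb_received": round(g["bytes"] / 1073741824.0, 3)})
    return sorted(hits, key=lambda h: -h["connection_count"])

def constructed_flows():
    """Constructed telemetry (not a real capture): 40 open resolvers each return ten 4000-byte
    DNS replies to one victim inside a single window; three benign NTP replies go to another host."""
    t0 = 1_700_000_100  # constructed epoch timestamp; t0 + 0..9 all fall in one 5-minute bucket
    flows = [{"ts": t0 + j, "transport": "udp", "source_ip": f"198.51.100.{i + 1}",
              "source_port": 53, "destination_ip": "203.0.113.10", "source_bytes": 4000}
             for i in range(40) for j in range(10)]
    flows += [{"ts": t0 + j, "transport": "udp", "source_ip": "192.0.2.1", "source_port": 123,
               "destination_ip": "203.0.113.20", "source_bytes": 48} for j in range(3)]
    return flows
```

Calling `aggregate(constructed_flows())` yields a single Medium hit for 203.0.113.10 (400 connections from 40 sources); the NTP host stays below both thresholds, which is the behaviour to expect from the ES|QL rule on equivalent data.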
Data Sources
Required Tables
False Positives & Tuning
- Public-facing DNS authoritative servers or high-throughput recursive resolvers — organizations hosting DNS infrastructure will see high volumes of UDP/53 responses directed at their server IPs that match the inbound flood pattern and will regularly exceed the connection count threshold
- NTP stratum servers or synchronization bursts — time servers serving large fleets of clients, or mass clock-sync events following network outages or large-scale VM provisioning, can generate NTP response spikes (UDP/123) that exceed thresholds without indicating an attack
- Authorized DDoS simulation exercises or red team operations — penetration testing engagements that include volumetric attack testing should be baselined and suppressed using Kibana exception containers scoped to known test windows and IP ranges
- Anycast CDN or DNS provider PoPs — environments with routing that aggregates traffic from multiple CDN or DNS provider points of presence behind a single observed destination IP may exceed the unique source IP threshold for legitimate traffic
- Large-scale SNMP polling infrastructure — environments with dense SNMP monitoring (UDP/161) from multiple managed network devices responding to a central collector will generate high connection counts matching this rule
Other platforms for T1498.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DNS ANY Query Amplification Probe
Expected signal: Sysmon Event ID 22 (DNS Query) if Sysmon is configured. Zeek/Bro dns.log entry showing qtype=ANY. Network flow logs showing UDP packet to dst_port=53. The response packet will be significantly larger than the query packet.
- Test 2: NTP Monlist Request — Amplification Vector Validation
Expected signal: Network flow log showing outbound UDP to dst_port=123. If ntpdc is used, expect a UDP packet of ~48 bytes sent and potentially a large multi-packet response if the server is vulnerable. Zeek/Bro will log this as a bro:ntp or zeek:ntp event.
- Test 3: Memcached UDP Statistics Request
Expected signal: Network flow log showing UDP connection to dst_port=11211. If memcached responds, the response bytes will be significantly larger than the 16-byte request. Sysmon Event ID 3 (Network Connection) if running on Windows with a memcached instance. Zeek/Bro conn.log entry with orig_bytes vs resp_bytes showing amplification ratio.
- Test 4: SSDP M-SEARCH Amplification Discovery
Expected signal: Network flow log showing outbound UDP to dst_ip=239.255.255.250 (multicast) dst_port=1900. Inbound UDP responses from local SSDP-capable devices to src_port=1900. Sysmon Event ID 3 (Network Connection) on Windows. Zeek/Bro conn.log showing the multicast connection.
- Test 5: High-Volume UDP Flood Simulation to Amplification Ports (hping3)
Expected signal: NetFlow/IPFIX records showing 1000+ UDP packets to dst_port=53 and 123 from src_ip=127.0.0.1. Sysmon Event ID 3 (Network Connection) may not capture loopback traffic — use external lab IP for Sysmon telemetry. Firewall logs or Zeek/Bro conn.log showing packet counts exceeding 1000 per minute on amplification ports.
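Several of the expected signals above come down to comparing Zeek conn.log `orig_bytes` with `resp_bytes` for the probe flows. The following added example (not from the page, Zeek or Atomic Red Team) evaluates that ratio over constructed conn.log lines in Zeek's JSON output format; the field names follow Zeek's conn.log schema, while the service map, the 10x flag threshold and the sample addresses are assumptions.

```python
import json

# Probe/response services the Atomic tests exercise, keyed by the responder's port (assumption).
TEST_SERVICES = {53: "DNS ANY", 123: "NTP monlist", 11211: "Memcached stats", 1900: "SSDP M-SEARCH"}

# Constructed Zeek conn.log lines in JSON output format (not real captures); field names
# follow Zeek's conn.log schema. Two responders answer far larger than they were asked.
CONSTRUCTED_CONN_LOG = """\
{"ts":1700000000.1,"id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"198.51.100.7","id.resp_p":53,"proto":"udp","orig_bytes":64,"resp_bytes":3200}
{"ts":1700000001.2,"id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"198.51.100.8","id.resp_p":123,"proto":"udp","orig_bytes":48,"resp_bytes":48}
{"ts":1700000002.3,"id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"198.51.100.9","id.resp_p":11211,"proto":"udp","orig_bytes":16,"resp_bytes":1400}
{"ts":1700000003.4,"id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"198.51.100.9","id.resp_p":11211,"proto":"tcp","orig_bytes":16,"resp_bytes":1400}
{"ts":1700000004.5,"id.orig_h":"10.0.0.5","id.orig_p":51004,"id.resp_h":"239.255.255.250","id.resp_p":1900,"proto":"udp","orig_bytes":120,"resp_bytes":0}
"""

def amplification_ratios(conn_log_text, min_ratio=10.0):
    """One record per UDP flow to a tested service, with resp_bytes / orig_bytes.
    ratio >= min_ratio means the responder amplified the probe (byte fields may be unset)."""
    out = []
    for line in conn_log_text.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        port = c["id.resp_p"]
        if c["proto"] != "udp" or port not in TEST_SERVICES:
            continue  # the TCP memcached flow and any non-test service are ignored
        orig, resp = c.get("orig_bytes") or 0, c.get("resp_bytes") or 0
        ratio = resp / orig if orig else 0.0
        out.append({"responder": c["id.resp_h"], "service": TEST_SERVICES[port],
                    "orig_bytes": orig, "resp_bytes": resp, "ratio": round(ratio, 1),
                    "amplified": ratio >= min_ratio})
    return out

def flagged_responders(conn_log_text, min_ratio=10.0):
    """Distinct responder IPs that amplified at least one probe: the hosts to harden or
    rate-limit (e.g. refuse ANY, disable monlist, keep memcached off UDP and off the internet)."""
    return sorted({r["responder"] for r in amplification_ratios(conn_log_text, min_ratio)
                   if r["amplified"]})
```

The multicast SSDP probe shows up with zero response bytes because Zeek records the M-SEARCH as a one-sided flow; the replies from individual devices arrive as separate conn.log entries with the device as originator, which is why Test 4 lists inbound responses with `src_port=1900` as a separate signal.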
References (13)
- https://attack.mitre.org/techniques/T1498/002/
- https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
- https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
- https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- https://blog.cloudflare.com/reflections-on-reflections/
- https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf
- https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
- https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview
- https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkStream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1498.002/T1498.002.md
- https://www.rfc-editor.org/rfc/rfc2827
- https://nvd.nist.gov/vuln/detail/CVE-2013-5211