Detect Reflection Amplification in CrowdStrike LogScale
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic at a target through third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct large responses at the victim. This technique exploits protocols whose responses are significantly larger than their requests, a property known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP allows source IP spoofing without a three-way handshake, attackers can direct enormous response volumes at a victim with minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1498 Network Denial of Service
- Sub-technique: T1498.002 Reflection Amplification
- Canonical reference: https://attack.mitre.org/techniques/T1498/002/
LogScale Detection Query
// Bot/attacker-side detection: endpoint sending high-volume UDP to amplification-port reflectors
// CrowdStrike Falcon endpoint telemetry is best suited for identifying compromised hosts
// participating in DDoS botnets; victim-side flood detection requires network sensor data
#event_simpleName=NetworkConnectIP4
| in(field="RemotePort", values=["53", "123", "11211", "1900", "389", "5353", "161", "17", "19", "5683", "1434", "520"])
| Protocol="UDP"
| groupBy(
    [ComputerName, LocalAddressIP4, FileName, UserName],
    function=[
      count(as=ConnectionCount),
      count(field=RemoteAddressIP4, distinct=true, as=UniqueDestinations),
      collect([RemotePort], limit=15)
    ]
  )
| ConnectionCount > 1000 OR UniqueDestinations > 50
| rename(field=RemotePort, as=PortsTargeted)
| case {
    PortsTargeted = /\b53\b/   | AttackType := "DNS Amplification Sender";
    PortsTargeted = /\b123\b/  | AttackType := "NTP Amplification Sender";
    PortsTargeted = /11211/    | AttackType := "Memcached Amplification Sender";
    PortsTargeted = /1900/     | AttackType := "SSDP Amplification Sender";
    PortsTargeted = /\b389\b/  | AttackType := "CLDAP Amplification Sender";
    PortsTargeted = /\b161\b/  | AttackType := "SNMP Amplification Sender";
    PortsTargeted = /\b19\b/   | AttackType := "CharGen Amplification Sender";
    PortsTargeted = /\b17\b/   | AttackType := "QOTD Amplification Sender";
    PortsTargeted = /5683/     | AttackType := "CoAP Amplification Sender";
    *                          | AttackType := "Generic Amplification Sender";
  }
| sort(ConnectionCount, order=desc)
| table(
    [ComputerName, LocalAddressIP4, UserName, FileName, AttackType,
     ConnectionCount, UniqueDestinations, PortsTargeted]
  )

Detects endpoints participating as bots in UDP reflection amplification DDoS attacks (T1498.002, attacker side). The query reads CrowdStrike Falcon NetworkConnectIP4 telemetry to identify hosts making high-volume outbound UDP connections to known amplification service ports across many distinct reflector IPs. It triggers when a host makes more than 1000 UDP connections to amplification ports or contacts more than 50 unique destination IPs on those ports within the query window. This covers the botnet-participant scenario in which compromised endpoints send spoofed-source UDP packets to publicly accessible reflectors. Victim-side flood detection (inbound amplification traffic) requires CrowdStrike Falcon for Network or an external network sensor. Verify that the Protocol field value matches your Falcon sensor version: some environments require Protocol=17 (the IP protocol number) instead of Protocol="UDP".
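As an added example (not part of the original detection package), the same grouping, thresholds and case{} precedence re-implemented in Python over constructed NetworkConnectIP4-style events, so the logic can be validated offline before the query is deployed; host names, IPs and process names are made up.

```python
# Offline re-implementation of the LogScale query above over constructed Falcon
# NetworkConnectIP4-style events; ports, thresholds and group keys mirror the query.
from collections import defaultdict

AMP_PORTS = {53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520}
UDP = {"UDP", 17, "17"}  # some sensor versions emit the IP protocol number, not a name
PORT_LABELS = [(53, "DNS"), (123, "NTP"), (11211, "Memcached"), (1900, "SSDP"),
               (389, "CLDAP"), (161, "SNMP"), (19, "CharGen"), (17, "QOTD"), (5683, "CoAP")]
GROUP_KEYS = ("ComputerName", "LocalAddressIP4", "FileName", "UserName")

def classify(ports):
    """First matching branch wins, as in the query's case{} block."""
    for port, name in PORT_LABELS:
        if port in ports:
            return f"{name} Amplification Sender"
    return "Generic Amplification Sender"

def detect(events, min_connections=1000, min_destinations=50):
    """One finding per group exceeding either threshold, highest ConnectionCount first."""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "ports": set()})
    for ev in events:
        if (ev.get("event_simpleName") != "NetworkConnectIP4" or ev.get("Protocol") not in UDP
                or ev.get("RemotePort") not in AMP_PORTS):
            continue
        g = groups[tuple(ev[k] for k in GROUP_KEYS)]
        g["count"] += 1
        g["dests"].add(ev["RemoteAddressIP4"])
        g["ports"].add(ev["RemotePort"])
    findings = []
    for key, g in groups.items():
        if g["count"] > min_connections or len(g["dests"]) > min_destinations:
            findings.append(dict(zip(GROUP_KEYS, key), AttackType=classify(g["ports"]),
                                 ConnectionCount=g["count"], UniqueDestinations=len(g["dests"]),
                                 PortsTargeted=sorted(g["ports"])))
    return sorted(findings, key=lambda f: f["ConnectionCount"], reverse=True)

def sample_events():
    """Constructed telemetry: WS-017 sprays 60 reflector IPs on 53/123 (bot-like);
    WS-002 does 40 DNS lookups to one resolver; WS-003 uses TCP/389 (not UDP)."""
    def ev(host, ip, proc, user, proto, port, dst):
        return {"event_simpleName": "NetworkConnectIP4", "ComputerName": host,
                "LocalAddressIP4": ip, "FileName": proc, "UserName": user,
                "Protocol": proto, "RemotePort": port, "RemoteAddressIP4": dst}
    bot = [ev("WS-017", "10.1.1.17", "svchost.exe", "SYSTEM", "UDP",
              53 if i % 2 else 123, f"203.0.113.{i}") for i in range(1, 61)]
    dns = [ev("WS-002", "10.1.1.2", "chrome.exe", "alice", "UDP", 53, "10.1.0.53")
           for _ in range(40)]
    ldap = [ev("WS-003", "10.1.1.3", "lsass.exe", "SYSTEM", "TCP", 389, f"10.1.0.{i}")
            for i in range(1, 80)]
    return bot + dns + ldap
```

Lowering the thresholds (for example `detect(events, min_connections=30)`) shows how quickly ordinary DNS clients start matching, which is the tuning trade-off the False Positives section describes.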
Data Sources
Required Tables
False Positives & Tuning
- Network vulnerability scanners or asset discovery tools running on endpoints — tools such as Nmap, Masscan, or Rapid7 Nexpose conducting UDP port scans generate high volumes of connections to many unique destination IPs on DNS, SNMP, and other amplification ports that match the bot-side pattern
- Authorized penetration testing tooling — red team frameworks or purpose-built DDoS testing tools (hping3, scapy scripts, t50) executing flood tests from designated attacker workstations will match both the UniqueDestinations and ConnectionCount thresholds
- DNS stress testing and benchmarking tools — tools like dnsperf, dnsperftest, or flamethrower used for DNS infrastructure capacity planning send high-volume UDP/53 queries to many resolvers and will trigger the unique destinations threshold
- Backup and replication software using UDP transport — some backup agents or distributed storage systems (Ceph, GlusterFS) use UDP for fast data replication across many storage node IPs, which may generate qualifying connection counts on storage-adjacent ports
- Malware analysis sandboxes and detonation environments — endpoints intentionally executing malware samples that include DDoS bot payloads will generate exactly this traffic pattern by design; exclude known sandbox host IPs from the query results
Testing Methodology
Validate this detection against 5 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DNS ANY Query Amplification Probe
Expected signal: Sysmon Event ID 22 (DNS Query) if Sysmon is configured. Zeek/Bro dns.log entry showing qtype=ANY. Network flow logs showing a UDP packet to dst_port=53. The response packet will be significantly larger than the query packet.
- Test 2: NTP Monlist Request — Amplification Vector Validation
Expected signal: Network flow log showing outbound UDP to dst_port=123. If ntpdc is used, expect a UDP packet of ~48 bytes sent and potentially a large multi-packet response if the server is vulnerable. Zeek/Bro will log this as a bro:ntp or zeek:ntp event.
- Test 3: Memcached UDP Statistics Request
Expected signal: Network flow log showing a UDP connection to dst_port=11211. If memcached responds, the response bytes will be significantly larger than the 16-byte request. Sysmon Event ID 3 (Network Connection) if running on Windows with a memcached instance. Zeek/Bro conn.log entry with orig_bytes vs resp_bytes showing the amplification ratio.
- Test 4: SSDP M-SEARCH Amplification Discovery
Expected signal: Network flow log showing outbound UDP to dst_ip=239.255.255.250 (multicast) dst_port=1900. Inbound UDP responses from local SSDP-capable devices with src_port=1900. Sysmon Event ID 3 (Network Connection) on Windows. Zeek/Bro conn.log showing the multicast connection.
- Test 5: High-Volume UDP Flood Simulation to Amplification Ports (hping3)
Expected signal: NetFlow/IPFIX records showing 1000+ UDP packets to dst_port=53 and 123 from src_ip=127.0.0.1. Sysmon Event ID 3 (Network Connection) may not capture loopback traffic; use an external lab IP for Sysmon telemetry. Firewall logs or Zeek/Bro conn.log showing packet counts exceeding 1000 per minute on amplification ports.
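An added example, not part of the original test suite: a small parser for Zeek conn.log that computes the resp_bytes/orig_bytes ratio Tests 1 to 3 expect to see, so the expected signal can be confirmed from a lab capture rather than by eye. The log lines are constructed, and the port-to-service mapping is an assumption (not Zeek's own service field).

```python
# Added example: score Zeek conn.log flows by response/request byte ratio, the
# orig_bytes vs resp_bytes signal the tests above expect. Log lines are constructed;
# the port-to-service names below are assumptions, not Zeek's service field.
AMP_SERVICES = {53: "dns", 123: "ntp", 11211: "memcached", 1900: "ssdp", 389: "cldap", 19: "chargen"}

SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\n"
    "1700000000.1\tC1\t10.1.1.17\t51000\t203.0.113.5\t53\tudp\t45\t2250\n"     # ~50x
    "1700000000.2\tC2\t10.1.1.17\t51001\t203.0.113.6\t123\tudp\t48\t33600\n"   # 700x
    "1700000000.3\tC3\t10.1.1.2\t51002\t10.1.0.53\t53\tudp\t40\t120\n"         # normal lookup
    "1700000000.4\tC4\t10.1.1.3\t51003\t10.1.0.10\t389\ttcp\t600\t900\n"       # TCP LDAP, ignored
    "1700000000.5\tC5\t10.1.1.17\t51004\t203.0.113.7\t11211\tudp\t16\t-\n"     # no response seen
)

def parse_conn_log(text):
    """Zeek TSV: the #fields header names the columns; other # lines are metadata."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def amplification_flows(rows, min_ratio=10.0):
    """UDP flows to amplification ports where resp_bytes >= min_ratio * orig_bytes.
    Unset ('-') byte counts are skipped; a zero-byte request is reported as inf."""
    out = []
    for r in rows:
        port = int(r["id.resp_p"])
        if r["proto"] != "udp" or port not in AMP_SERVICES:
            continue
        if "-" in (r["orig_bytes"], r["resp_bytes"]):
            continue
        ob, rb = int(r["orig_bytes"]), int(r["resp_bytes"])
        ratio = rb / ob if ob else float("inf")
        if ratio >= min_ratio:
            out.append({"uid": r["uid"], "orig_h": r["id.orig_h"], "resp_h": r["id.resp_h"],
                        "service": AMP_SERVICES[port], "ratio": round(ratio, 1)})
    return sorted(out, key=lambda f: f["ratio"], reverse=True)
```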
References (13)
- https://attack.mitre.org/techniques/T1498/002/
- https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
- https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
- https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- https://blog.cloudflare.com/reflections-on-reflections/
- https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf
- https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
- https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview
- https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkStream
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1498.002/T1498.002.md
- https://www.rfc-editor.org/rfc/rfc2827
- https://nvd.nist.gov/vuln/detail/CVE-2013-5211