
Detect Reflection Amplification in IBM QRadar

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic at a target through third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct their responses at the victim. The technique exploits protocols whose responses are significantly larger than the requests that trigger them, a property known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP carries no three-way handshake, source IP spoofing is trivial, and attackers can direct enormous response volumes at a victim at minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.

MITRE ATT&CK

Tactic: Impact
Technique: T1498 Network Denial of Service
Sub-technique: T1498.002 Reflection Amplification
Canonical reference: https://attack.mitre.org/techniques/T1498/002/

QRadar Detection Query

IBM QRadar AQL (Advanced Search against the flows table):

SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS TimeWindow,
    destinationip AS VictimIP,
    COUNT(*) AS ConnectionCount,
    UNIQUECOUNT(sourceip) AS UniqueSourceIPs,
    SUM(sourcebytes) AS TotalBytesReceived,
    ROUND(SUM(sourcebytes) / 1073741824.0, 3) AS GbReceived,
    CASE
        WHEN sourceport = 53    THEN 'DNS Amplification'
        WHEN sourceport = 123   THEN 'NTP Amplification'
        WHEN sourceport = 11211 THEN 'Memcached Amplification'
        WHEN sourceport = 1900  THEN 'SSDP Amplification'
        WHEN sourceport = 389   THEN 'CLDAP Amplification'
        WHEN sourceport = 5353  THEN 'mDNS Amplification'
        WHEN sourceport = 161   THEN 'SNMP Amplification'
        WHEN sourceport = 17    THEN 'QOTD Amplification'
        WHEN sourceport = 19    THEN 'CharGen Amplification'
        WHEN sourceport = 5683  THEN 'CoAP Amplification'
        WHEN sourceport = 1434  THEN 'MSSQL Amplification'
        WHEN sourceport = 520   THEN 'RIP Amplification'
        ELSE 'Generic Reflection Amplification'
    END AS PrimaryAttackType,
    sourceport AS AmplificationPort
FROM flows
WHERE protocolid = 17
    AND sourceport IN (53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520)
GROUP BY
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
    destinationip,
    sourceport
HAVING COUNT(*) > 500 OR UNIQUECOUNT(sourceip) > 25
ORDER BY ConnectionCount DESC
LAST 60 MINUTES

Severity: critical · Confidence: high

Notes on the AQL: the IP protocol number lives in the protocolid column of the flows table (17 = UDP); distinct counts use UNIQUECOUNT(); the time range clause (LAST 60 MINUTES) comes at the end of the statement rather than inside WHERE; and the CASE label need not be repeated in GROUP BY because it is fully determined by sourceport, which is already a grouping key.

Detects UDP reflection amplification DDoS attacks (T1498.002) using QRadar AQL against QFlow network flow data. The query reads the flows table for UDP traffic (protocolid = 17) whose source port is a known amplification service port, and aggregates it per destination IP, per source port, in 1-minute windows across the last 60 minutes. The victim is the destination IP that receives the reflectors' responses, since the reflectors saw the victim's spoofed address as the requester. A row is produced when a single destination IP receives more than 500 UDP flows, or flows from more than 25 distinct source IPs, from one amplification port within a window. Deploy as a QRadar custom rule with Custom Event Properties mapped from AQL results, or schedule as an offense-generating rule with magnitude scoring.

Data Sources

  • QRadar QFlow network flow collector (NetFlow v5/v9, IPFIX, sFlow)
  • Firewall flow logs via QRadar DSM (Cisco ASA, Juniper SRX, Palo Alto PAN-OS, Fortinet FortiGate)
  • IDS/IPS appliances via QRadar DSM (Snort, Suricata, Check Point)
  • Router and switch NetFlow exports

Required Tables

flows

False Positives & Tuning

  • Organizations hosting authoritative DNS servers or high-capacity recursive resolvers — legitimate DNS infrastructure regularly receives high volumes of UDP/53 responses from many distinct client IPs, which matches the victim-side flood pattern and may exceed both thresholds
  • NTP infrastructure or pool participants — NTP servers (pool.ntp.org members or enterprise stratum-2 servers) responding to many client sync requests generate high UDP/123 flow volumes that match the inbound flood signature
  • Authorized DDoS resilience testing or penetration testing engagements — volumetric testing exercises should be suppressed via QRadar Building Blocks referencing a managed IP group for known test sources and windows
  • SNMP management infrastructure at scale — network management systems polling hundreds of devices will receive high volumes of UDP/161 SNMP responses to a central collector IP, potentially exceeding the connection count threshold
  • mDNS/Bonjour-heavy environments — large office or campus networks with many Apple or IoT devices generating multicast DNS traffic (UDP/5353) may produce elevated connection counts from many unique source IPs to local subnets
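The following is an added example, not QRadar code and not the page's own query. It models the detection described above offline in Python so the thresholds can be exercised against constructed flow records: the same bucketing (minute window, victim IP, reflector source port), the same thresholds (more than 500 flows or more than 25 distinct sources), plus the allowlist suppression the tuning notes call for, standing in for a QRadar Building Block that references a managed IP group. All IP addresses, byte counts and the allowlist CIDR are constructed; the Flow dataclass field names are chosen to mirror the AQL flows columns the query uses.

```python
"""Offline model of the QRadar AQL reflection amplification detection.

Added example (not QRadar code): buckets UDP flows per (minute, victim IP,
reflector source port), applies the rule's thresholds, and suppresses
destinations on an allowlist of known DNS/NTP/SNMP infrastructure.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Same port-to-label mapping as the AQL CASE expression.
AMPLIFICATION_PORTS = {
    53: "DNS Amplification", 123: "NTP Amplification",
    11211: "Memcached Amplification", 1900: "SSDP Amplification",
    389: "CLDAP Amplification", 5353: "mDNS Amplification",
    161: "SNMP Amplification", 17: "QOTD Amplification",
    19: "CharGen Amplification", 5683: "CoAP Amplification",
    1434: "MSSQL Amplification", 520: "RIP Amplification",
}
FLOW_THRESHOLD = 500      # HAVING COUNT(*) > 500
SOURCE_THRESHOLD = 25     # HAVING UNIQUECOUNT(sourceip) > 25
UDP = 17                  # protocolid = 17


@dataclass(frozen=True)
class Flow:
    """One QFlow-style record; field names mirror the AQL flows columns used."""
    starttime: datetime
    sourceip: str
    destinationip: str
    sourceport: int
    protocolid: int
    sourcebytes: int


def classify(port: int) -> str:
    """Label a reflector source port the way the AQL CASE expression does."""
    return AMPLIFICATION_PORTS.get(port, "Generic Reflection Amplification")


def detect(flows, allowlist=()):
    """Return one alert per (minute, victim, port) bucket over either threshold.

    allowlist: constructed CIDRs of infrastructure whose inbound UDP response
    volume is expected (authoritative DNS, NTP pool members, SNMP collectors);
    flows whose destination falls inside them are dropped before counting.
    """
    nets = [ip_network(c) for c in allowlist]
    buckets = defaultdict(lambda: {"count": 0, "sources": set(), "bytes": 0})
    for f in flows:
        if f.protocolid != UDP or f.sourceport not in AMPLIFICATION_PORTS:
            continue
        if any(ip_address(f.destinationip) in n for n in nets):
            continue
        key = (f.starttime.strftime("%Y-%m-%d %H:%M"), f.destinationip, f.sourceport)
        b = buckets[key]
        b["count"] += 1
        b["sources"].add(f.sourceip)
        b["bytes"] += f.sourcebytes
    alerts = []
    for (window, victim, port), b in buckets.items():
        if b["count"] > FLOW_THRESHOLD or len(b["sources"]) > SOURCE_THRESHOLD:
            alerts.append({
                "TimeWindow": window,
                "VictimIP": victim,
                "ConnectionCount": b["count"],
                "UniqueSourceIPs": len(b["sources"]),
                "TotalBytesReceived": b["bytes"],
                "GbReceived": round(b["bytes"] / 1073741824.0, 3),
                "PrimaryAttackType": classify(port),
                "AmplificationPort": port,
            })
    # ORDER BY ConnectionCount DESC
    return sorted(alerts, key=lambda a: a["ConnectionCount"], reverse=True)


def sample_flows():
    """Constructed telemetry: 40 reflectors answer to 203.0.113.10 from UDP/123
    in one minute (the flood); 30 resolvers answer to the site's authoritative
    DNS server 203.0.113.53 (expected traffic); one stray DNS reply; one TCP flow."""
    t = datetime(2024, 1, 1, 12, 0)
    flows = [Flow(t, f"198.51.100.{i}", "203.0.113.10", 123, UDP, 440) for i in range(1, 41)]
    flows += [Flow(t, f"192.0.2.{i}", "203.0.113.53", 53, UDP, 3000) for i in range(1, 31)]
    flows.append(Flow(t, "192.0.2.200", "203.0.113.20", 53, UDP, 100))
    flows.append(Flow(t, "192.0.2.201", "203.0.113.20", 443, 6, 100))  # TCP, ignored
    return flows


if __name__ == "__main__":
    # With the DNS server allowlisted only the NTP flood remains.
    for alert in detect(sample_flows(), allowlist=["203.0.113.53/32"]):
        print(alert)
```

Without the allowlist the constructed data produces two rows (the NTP flood and the DNS server's own response volume, exactly the first false-positive case above); with 203.0.113.53/32 allowlisted only the NTP flood is reported. Raising FLOW_THRESHOLD or SOURCE_THRESHOLD here and watching which rows disappear is a cheap way to reason about threshold changes before editing the production rule.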
Testing Methodology

Validate this detection against the 5 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DNS ANY Query Amplification Probe

    Expected signal: Sysmon Event ID 22 (DNS Query) if Sysmon is configured. Zeek/Bro dns.log entry showing qtype=ANY. Network flow logs showing a UDP packet to dst_port=53. The response packet will be significantly larger than the query packet.

  2. Test 2: NTP Monlist Request — Amplification Vector Validation

    Expected signal: Network flow log showing outbound UDP to dst_port=123. If ntpdc is used, expect a UDP packet of ~48 bytes sent and potentially a large multi-packet response if the server is vulnerable. Zeek/Bro will log this as a bro:ntp or zeek:ntp event.

  3. Test 3: Memcached UDP Statistics Request

    Expected signal: Network flow log showing a UDP connection to dst_port=11211. If memcached responds, the response bytes will be significantly larger than the 16-byte request. Sysmon Event ID 3 (Network Connection) if running on Windows with a memcached instance. Zeek/Bro conn.log entry with orig_bytes vs resp_bytes showing the amplification ratio.

  4. Test 4: SSDP M-SEARCH Amplification Discovery

    Expected signal: Network flow log showing outbound UDP to dst_ip=239.255.255.250 (multicast) dst_port=1900. Inbound UDP responses from local SSDP-capable devices with src_port=1900. Sysmon Event ID 3 (Network Connection) on Windows. Zeek/Bro conn.log showing the multicast connection.

  5. Test 5: High-Volume UDP Flood Simulation to Amplification Ports (hping3)

    Expected signal: NetFlow/IPFIX records showing 1000+ UDP packets to dst_port=53 and 123 from src_ip=127.0.0.1. Sysmon Event ID 3 (Network Connection) may not capture loopback traffic — use an external lab IP for Sysmon telemetry. Firewall logs or Zeek/Bro conn.log showing packet counts exceeding 1000 per minute on amplification ports.
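Tests 1 to 3 tell you to confirm the amplification ratio from Zeek's conn.log (orig_bytes versus resp_bytes). The following is an added example, not Zeek's or the page's own code, that parses the #fields header of a conn.log excerpt and computes that ratio for UDP flows to the reflector ports named in this page, which also puts numbers on the amplification factors quoted in the overview. The conn.log lines, UIDs and byte counts are constructed, and the field list is abbreviated to the columns the check needs; a real conn.log carries more columns, which the header-driven parser tolerates.

```python
"""Measure request/response amplification from Zeek conn.log records.

Added example (not Zeek's or QRadar's code): parses a conn.log using its
#fields header, keeps UDP flows whose responder port is a known reflector
port, and computes resp_bytes / orig_bytes for each one.
"""

# Responder ports this page's detection treats as amplification vectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 11211: "memcached", 1900: "ssdp",
                   389: "cldap", 161: "snmp", 19: "chargen", 17: "qotd"}

# Constructed conn.log excerpt (Zeek TSV layout, abbreviated field list).
# Cx3 is a memcached stats probe, Cx4 an ordinary DNS A lookup, Cx5 a TCP
# flow the check must ignore, Cx6 an unanswered SSDP probe ("-" byte counts).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount\tstring
1704110400.100000\tCx1\t192.0.2.10\t40001\t198.51.100.5\t53\tudp\tdns\t45\t2100\tSF
1704110400.200000\tCx2\t192.0.2.10\t40002\t198.51.100.6\t123\tudp\tntp\t48\t4800\tSF
1704110400.300000\tCx3\t192.0.2.10\t40003\t198.51.100.7\t11211\tudp\t-\t16\t81920\tSF
1704110400.400000\tCx4\t192.0.2.10\t40004\t198.51.100.5\t53\tudp\tdns\t32\t48\tSF
1704110400.500000\tCx5\t192.0.2.10\t40005\t198.51.100.8\t443\ttcp\tssl\t1200\t5400\tSF
1704110400.600000\tCx6\t192.0.2.10\t40006\t198.51.100.9\t1900\tudp\t-\t-\t-\tS0
"""


def parse_conn_log(text):
    """Turn a Zeek TSV log into a list of dicts keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #close and friends
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def _count(value):
    """Zeek writes '-' for an unset count field."""
    return None if value == "-" else int(value)


def amplification_ratios(records, min_ratio=10.0):
    """Return (resp_p, label, orig_bytes, resp_bytes, ratio) tuples for UDP
    flows to reflector ports whose response/request byte ratio is >= min_ratio."""
    findings = []
    for r in records:
        port = int(r["id.resp_p"])
        if r["proto"] != "udp" or port not in REFLECTOR_PORTS:
            continue
        orig, resp = _count(r["orig_bytes"]), _count(r["resp_bytes"])
        if orig is None or resp is None or orig == 0:
            continue  # unanswered probe or missing byte counts: no ratio to compute
        ratio = resp / orig
        if ratio >= min_ratio:
            findings.append((port, REFLECTOR_PORTS[port], orig, resp, round(ratio, 1)))
    return findings


if __name__ == "__main__":
    for port, label, orig, resp, ratio in amplification_ratios(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"udp/{port:<5} {label:<10} {orig:>6} B -> {resp:>7} B  x{ratio}")
```

On the constructed excerpt the DNS ANY probe comes out at roughly 47x, NTP at 100x and memcached at 5120x, while the ordinary A lookup (1.5x), the TCP flow and the unanswered SSDP probe are excluded. The ratio threshold is the knob: a normal resolver answer rarely exceeds a few times the query size, so anything an order of magnitude above that on a reflector port is worth a look in the lab, and the same arithmetic on production conn.log data shows which of your own services would serve as reflectors.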
