T1498.002 Splunk · SPL

Detect Reflection Amplification in Splunk

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic to a target using third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct large responses at the victim. This technique exploits protocols whose responses are significantly larger than their requests — known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP allows source IP spoofing without a three-way handshake, attackers can direct enormous response volumes at a victim with minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.

MITRE ATT&CK

Tactic
Impact
Technique
T1498 Network Denial of Service
Sub-technique
T1498.002 Reflection Amplification
Canonical reference
https://attack.mitre.org/techniques/T1498/002/

SPL Detection Query

Splunk (SPL)
index=network (sourcetype=firewall OR sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="stream:udp" OR sourcetype=netflow OR sourcetype="bro:conn" OR sourcetype="suricata" OR sourcetype="zeek:conn")
  transport=udp
  (src_port=53 OR src_port=123 OR src_port=11211 OR src_port=1900 OR src_port=389 OR src_port=5353 OR src_port=161 OR src_port=17 OR src_port=19 OR src_port=5683 OR src_port=1434 OR src_port=520)
| eval AttackType=case(
    src_port==53,    "DNS Amplification",
    src_port==123,   "NTP Amplification",
    src_port==11211, "Memcached Amplification",
    src_port==1900,  "SSDP Amplification",
    src_port==389,   "CLDAP Amplification",
    src_port==161,   "SNMP Amplification",
    src_port==17,    "QOTD Amplification",
    src_port==19,    "CharGen Amplification",
    src_port==5683,  "CoAP Amplification",
    src_port==1434,  "MSSQL Amplification",
    src_port==520,   "RIP Amplification",
    1==1,            "Generic Reflection Amplification"
)
| bin _time span=5m
| stats
    count as ConnectionCount,
    dc(src_ip) as UniqueSourceIPs,
    sum(bytes_in) as TotalBytesReceived,
    values(src_port) as AmplificationPortsSeen,
    values(AttackType) as AttackTypes,
    list(src_ip) as SourceIPList
  by _time, dest_ip
| where ConnectionCount > 500 OR UniqueSourceIPs > 25
| eval GbReceived=round(TotalBytesReceived/1073741824, 3)
| eval PrimaryAttackType=mvindex(AttackTypes, 0)
| eval SampleSourceIPs=mvjoin(mvindex(mvdedup(SourceIPList), 0, 4), ", ")
| eval RiskScore=case(
    ConnectionCount > 10000 OR UniqueSourceIPs > 500, "Critical",
    ConnectionCount > 2000 OR UniqueSourceIPs > 100,  "High",
    ConnectionCount > 500  OR UniqueSourceIPs > 25,   "Medium",
    1==1, "Low"
)
| table _time, dest_ip, PrimaryAttackType, RiskScore, ConnectionCount, UniqueSourceIPs, GbReceived, AmplificationPortsSeen
| rename _time as TimeWindow, dest_ip as VictimIP
| sort - ConnectionCount
Severity: high | Confidence: medium

Detects Reflection Amplification attacks by analyzing UDP network traffic logs where responses arrive from known amplification service ports (DNS/53, NTP/123, Memcached/11211, SSDP/1900, CLDAP/389, SNMP/161, CharGen/19, CoAP/5683) and are directed at a single victim IP. The query aggregates over 5-minute windows and flags destinations that receive more than 500 UDP packets, or traffic from more than 25 unique sources, from amplification ports. A risk score is then assigned from volume and source diversity. Compatible with Zeek/Bro, Suricata, PAN-OS, Cisco ASA, and Splunk Stream sourcetypes.
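To check the query's binning, thresholds and risk tiers offline before deploying it, here is an added Python re-implementation of its aggregation (example code written for this page, not the query itself or any Splunk or Zeek code), run over constructed flow records that reuse the query's own field names (ts, transport, src_ip, src_port, dest_ip, bytes_in). The one deliberate departure is that the primary attack type comes from the most frequent port rather than the first value in the list.

```python
from collections import Counter, defaultdict

# Source port -> label, mirroring the SPL case() above (5353 is matched by the
# query's port filter but only gets the generic label there, so the same here).
AMP_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 389: "CLDAP",
             161: "SNMP", 17: "QOTD", 19: "CharGen", 5683: "CoAP", 1434: "MSSQL",
             520: "RIP", 5353: "Generic Reflection"}
SPAN = 300  # seconds; the query's `bin _time span=5m`

def risk_score(count, uniq):
    """Same tiers as the SPL RiskScore case()."""
    for c, u, label in ((10000, 500, "Critical"), (2000, 100, "High"), (500, 25, "Medium")):
        if count > c or uniq > u:
            return label
    return "Low"

def detect(flows, min_count=500, min_sources=25):
    """flows: dicts with ts, transport, src_ip, src_port, dest_ip, bytes_in.
    Returns one alert per (5-minute window, victim) whose UDP traffic from
    amplification ports crosses either threshold of the query's `where` clause."""
    buckets = defaultdict(lambda: {"count": 0, "src": set(), "bytes": 0, "ports": Counter()})
    for f in flows:
        if f["transport"] != "udp" or f["src_port"] not in AMP_PORTS:
            continue  # the query's transport=udp and src_port filter
        b = buckets[(f["ts"] - f["ts"] % SPAN, f["dest_ip"])]  # bin _time ... by _time, dest_ip
        b["count"] += 1
        b["src"].add(f["src_ip"])
        b["bytes"] += f["bytes_in"]
        b["ports"][f["src_port"]] += 1
    alerts = []
    for (window, victim), b in buckets.items():
        count, uniq = b["count"], len(b["src"])
        if count > min_count or uniq > min_sources:
            alerts.append({
                "TimeWindow": window, "VictimIP": victim,
                "PrimaryAttackType": AMP_PORTS[b["ports"].most_common(1)[0][0]] + " Amplification",
                "RiskScore": risk_score(count, uniq),
                "ConnectionCount": count, "UniqueSourceIPs": uniq,
                "GbReceived": round(b["bytes"] / 1073741824, 3),
                "AmplificationPortsSeen": sorted(b["ports"])})
    return sorted(alerts, key=lambda a: -a["ConnectionCount"])  # `sort - ConnectionCount`

def make_sample_flows():
    """Constructed sample (not real telemetry, documentation IP ranges): 600 reflected
    DNS replies from 40 reflectors to one victim in one window, ten benign NTP replies
    to another host, and one TCP flow that the UDP filter must ignore."""
    udp = lambda ts, src, port, dst, n: {"ts": ts, "transport": "udp", "src_ip": src,
                                          "src_port": port, "dest_ip": dst, "bytes_in": n}
    flows = [udp(900 + i % 300, f"198.51.100.{i % 40 + 1}", 53, "203.0.113.10", 3000) for i in range(600)]
    flows += [udp(900 + i, f"192.0.2.{i + 1}", 123, "203.0.113.20", 48) for i in range(10)]
    flows.append(dict(udp(900, "192.0.2.99", 53, "203.0.113.10", 500), transport="tcp"))
    return flows
```

Running `detect(make_sample_flows())` yields a single Medium alert for 203.0.113.10 (600 connections, 40 sources); the NTP host stays under both thresholds and the TCP record is dropped by the filter.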

Data Sources

  • Network Traffic: Network Traffic Flow
  • Network Traffic: Network Traffic Content
  • Zeek/Bro Connection Logs
  • Firewall Flow Logs (PAN-OS, Cisco ASA)

Required Sourcetypes

  • pan:traffic
  • cisco:asa
  • stream:udp
  • netflow
  • bro:conn
  • zeek:conn
  • suricata

False Positives & Tuning

  • Authoritative DNS servers or NTP stratum servers that legitimately receive high-volume responses from recursive resolvers during normal operations
  • Load-balanced application tiers receiving legitimate UDP traffic from many geographically distributed clients
  • Authorized scanning of UDP amplification vectors by network operations for vulnerability assessment purposes
  • High-density cloud workloads where many VMs simultaneously perform DNS lookups at startup (e.g., Kubernetes pod scaling events)
  • SSDP traffic in office networks with many UPnP-enabled IoT devices

Testing Methodology

Validate this detection against the 5 adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DNS ANY Query Amplification Probe

    Expected signal: Sysmon Event ID 22 (DNS Query) if Sysmon is configured. Zeek/Bro dns.log entry showing qtype=ANY. Network flow logs showing UDP packet to dst_port=53. The response packet will be significantly larger than the query packet.

  2. Test 2: NTP Monlist Request — Amplification Vector Validation

    Expected signal: Network flow log showing outbound UDP to dst_port=123. If ntpdc is used, expect a UDP packet of ~48 bytes sent and potentially a large multi-packet response if the server is vulnerable. Zeek/Bro will log this as a bro:ntp or zeek:ntp event.

  3. Test 3: Memcached UDP Statistics Request

    Expected signal: Network flow log showing UDP connection to dst_port=11211. If memcached responds, the response bytes will be significantly larger than the 16-byte request. Sysmon Event ID 3 (Network Connection) if running on Windows with a memcached instance. Zeek/Bro conn.log entry with orig_bytes vs resp_bytes showing amplification ratio.

  4. Test 4: SSDP M-SEARCH Amplification Discovery

    Expected signal: Network flow log showing outbound UDP to dst_ip=239.255.255.250 (multicast) dst_port=1900. Inbound UDP responses from local SSDP-capable devices to src_port=1900. Sysmon Event ID 3 (Network Connection) on Windows. Zeek/Bro conn.log showing the multicast connection.

  5. Test 5: High-Volume UDP Flood Simulation to Amplification Ports (hping3)

    Expected signal: NetFlow/IPFIX records showing 1000+ UDP packets to dst_port=53 and 123 from src_ip=127.0.0.1. Sysmon Event ID 3 (Network Connection) may not capture loopback traffic — use an external lab IP for Sysmon telemetry. Firewall logs or Zeek/Bro conn.log showing packet counts exceeding 1000 per minute on amplification ports.
