T1498.002 Sumo Logic CSE · Sumo

Detect Reflection Amplification in Sumo Logic CSE

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high volume of network traffic at a target through third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct their responses at the victim. The technique exploits protocols whose responses are significantly larger than the requests that trigger them, an effect known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP has no three-way handshake, source IP spoofing goes unchecked, so an attacker can direct enormous response volumes at a victim at minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.

MITRE ATT&CK

Tactic
Impact
Technique
T1498 Network Denial of Service
Sub-technique
T1498.002 Reflection Amplification
Canonical reference
https://attack.mitre.org/techniques/T1498/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=network (firewall OR netflow OR zeek OR suricata OR "pan:traffic" OR "cisco:asa" OR "bro:conn" OR "stream:udp")
| where transport="udp" OR transport="UDP" OR proto="udp" OR proto="UDP" OR ip_proto="17"
| where src_port in ("53","123","11211","1900","389","5353","161","17","19","5683","1434","520")
| if(src_port="53","DNS Amplification",
    if(src_port="123","NTP Amplification",
    if(src_port="11211","Memcached Amplification",
    if(src_port="1900","SSDP Amplification",
    if(src_port="389","CLDAP Amplification",
    if(src_port="5353","mDNS Amplification",
    if(src_port="161","SNMP Amplification",
    if(src_port="17","QOTD Amplification",
    if(src_port="19","CharGen Amplification",
    if(src_port="5683","CoAP Amplification",
    if(src_port="1434","MSSQL Amplification",
    if(src_port="520","RIP Amplification",
    "Generic Reflection Amplification")))))))))))) as attack_type
| timeslice 5m
| count as ConnectionCount,
  count_distinct(src_ip) as UniqueSourceIPs,
  sum(bytes_in) as TotalBytesReceived,
  values(src_port) as AmplificationPortsSeen,
  values(attack_type) as AttackTypes
  by _timeslice, dest_ip
| where ConnectionCount > 500 OR UniqueSourceIPs > 25
| round(TotalBytesReceived/1073741824, 3) as GbReceived
| if(ConnectionCount>10000 OR UniqueSourceIPs>500,"Critical",
    if(ConnectionCount>2000 OR UniqueSourceIPs>100,"High",
    if(ConnectionCount>500 OR UniqueSourceIPs>25,"Medium","Low"))) as RiskScore
| _timeslice as TimeWindow
| dest_ip as VictimIP
| fields TimeWindow, VictimIP, AttackTypes, RiskScore, ConnectionCount, UniqueSourceIPs, GbReceived, AmplificationPortsSeen
| sort by ConnectionCount desc

Severity: critical · Confidence: high

Detects UDP reflection amplification DDoS attacks (T1498.002) in Sumo Logic by aggregating network, firewall, and flow log data. Identifies victim IPs receiving excessive inbound UDP connections from known amplification service ports (DNS/53, NTP/123, Memcached/11211, SSDP/1900, CLDAP/389, mDNS/5353, SNMP/161, QOTD/17, CharGen/19, CoAP/5683, MSSQL/1434, RIP/520) within 5-minute windows. Triggers when ConnectionCount exceeds 500 or UniqueSourceIPs exceeds 25 per window per victim IP. Includes attack-type classification and risk scoring. Deploy as a Sumo Logic Scheduled Search alert with notification threshold or as a Cloud SIEM (CSE) rule.
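The same detection logic, re-implemented in Python as an added example so it can be exercised offline against flow records; this is not the page's query or any Sumo Logic code. The record field names (ts, src_ip, dest_ip, src_port, transport, bytes_in) mirror the query but are assumptions, the known_reflectors allowlist is the dest_ip exclusion the tuning section recommends for DNS/NTP servers you operate yourself, and every sample record is constructed.

```python
"""Reflection-amplification detection over flow records (added example, not
the page's query).  Buckets inbound UDP from amplification service ports into
5-minute windows per destination IP, applies the query's thresholds and risk
tiers, and honours an allowlist of hosts that legitimately receive this traffic."""
from collections import defaultdict
from datetime import datetime, timezone

# Reflector source ports and the attack_type labels the query assigns them
AMPLIFICATION_PORTS = {
    53: "DNS Amplification", 123: "NTP Amplification", 11211: "Memcached Amplification",
    1900: "SSDP Amplification", 389: "CLDAP Amplification", 5353: "mDNS Amplification",
    161: "SNMP Amplification", 17: "QOTD Amplification", 19: "CharGen Amplification",
    5683: "CoAP Amplification", 1434: "MSSQL Amplification", 520: "RIP Amplification",
}
WINDOW_SECONDS = 300  # the query's "timeslice 5m"


def risk_score(connections, unique_sources):
    """Same tiers as the query's RiskScore expression."""
    if connections > 10000 or unique_sources > 500:
        return "Critical"
    if connections > 2000 or unique_sources > 100:
        return "High"
    if connections > 500 or unique_sources > 25:
        return "Medium"
    return "Low"


def detect_reflection(records, known_reflectors=frozenset(), min_conns=500, min_sources=25):
    """records: dicts with ts (epoch seconds), src_ip, dest_ip, src_port (int),
    transport, bytes_in (assumed field names).  Returns one finding per
    (5-minute window, victim IP) that crosses either threshold, mirroring the
    query's aggregation and filters.  known_reflectors holds dest_ip values to
    exclude (our own public DNS/NTP servers), as the tuning section suggests."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set(), "bytes": 0,
                                   "ports": set(), "types": set()})
    for r in records:
        if r["transport"].lower() != "udp":      # reflection rides on spoofable UDP only
            continue
        label = AMPLIFICATION_PORTS.get(r["src_port"])
        if label is None or r["dest_ip"] in known_reflectors:
            continue
        window = r["ts"] - (r["ts"] % WINDOW_SECONDS)
        b = buckets[(window, r["dest_ip"])]
        b["count"] += 1
        b["sources"].add(r["src_ip"])
        b["bytes"] += r["bytes_in"]
        b["ports"].add(r["src_port"])
        b["types"].add(label)

    findings = []
    for (window, victim), b in buckets.items():
        n, u = b["count"], len(b["sources"])
        if n > min_conns or u > min_sources:
            findings.append({
                "TimeWindow": datetime.fromtimestamp(window, timezone.utc).isoformat(),
                "VictimIP": victim,
                "AttackTypes": sorted(b["types"]),
                "RiskScore": risk_score(n, u),
                "ConnectionCount": n,
                "UniqueSourceIPs": u,
                "GbReceived": round(b["bytes"] / 1073741824, 3),
                "AmplificationPortsSeen": sorted(b["ports"]),
            })
    findings.sort(key=lambda f: f["ConnectionCount"], reverse=True)
    return findings


def sample_records():
    """Constructed flow records (not real telemetry), all inside one 5-minute window:
    a victim (10.0.0.5) receiving NTP and DNS responses from 80 distinct sources, our
    own recursive resolver (10.0.0.53) receiving normal answers to its outbound
    queries, and background noise that the filters must ignore."""
    base = 1_700_000_000
    recs = []
    for i in range(1200):   # 1200 NTP responses from 60 sources
        recs.append({"ts": base + i % 100, "src_ip": f"198.51.100.{i % 60 + 1}", "dest_ip": "10.0.0.5",
                     "src_port": 123, "transport": "udp", "bytes_in": 468})
    for i in range(300):    # 300 large DNS responses from 20 other sources
        recs.append({"ts": base + i % 100, "src_ip": f"203.0.113.{i % 20 + 1}", "dest_ip": "10.0.0.5",
                     "src_port": 53, "transport": "UDP", "bytes_in": 3000})
    for i in range(800):    # legitimate answers arriving at our own resolver
        recs.append({"ts": base + i % 100, "src_ip": f"192.0.2.{i % 40 + 1}", "dest_ip": "10.0.0.53",
                     "src_port": 53, "transport": "udp", "bytes_in": 120})
    for i in range(30):     # TCP/53 and UDP/443: neither matches the query's filters
        recs.append({"ts": base + i, "src_ip": "192.0.2.200", "dest_ip": "10.0.0.5",
                     "src_port": 53, "transport": "tcp", "bytes_in": 900})
        recs.append({"ts": base + i, "src_ip": "192.0.2.201", "dest_ip": "10.0.0.9",
                     "src_port": 443, "transport": "udp", "bytes_in": 1200})
    return recs


if __name__ == "__main__":
    for finding in detect_reflection(sample_records(), known_reflectors={"10.0.0.53"}):
        print(finding)
```

Run without the allowlist and the resolver at 10.0.0.53 also fires (800 responses from 40 sources), which is exactly the false positive the tuning section describes; with it, only the victim at 10.0.0.5 is reported, at the Medium tier because 1,500 connections from 80 sources sit between the Medium and High cut-offs.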

Data Sources

  • Firewall/UTM logs (Palo Alto PAN-OS, Cisco ASA, Fortinet FortiGate, pfSense)
  • NetFlow/IPFIX collectors (nfdump, ntopng, PRTG)
  • Network IDS/IPS (Suricata, Snort, Zeek/Bro via Sumo Logic app)
  • Cloud VPC flow logs (AWS VPC Flow Logs, GCP VPC Flow Logs, Azure NSG Flow Logs)
  • Stream:UDP protocol metadata (Sumo Logic Cloud Syslog)

Required Tables

_sourceCategory=network

False Positives & Tuning

  • Public DNS authoritative or recursive resolver infrastructure — organizations operating DNS servers exposed to the internet will receive high volumes of UDP/53 responses matching the flood pattern; exclude known DNS server IPs from dest_ip using a lookup table
  • NTP pool participants or enterprise time servers — NTP servers responding to large numbers of client sync requests, particularly during mass VM provisioning or daylight saving transitions, will generate high UDP/123 traffic volumes
  • Authorized red team or DDoS simulation testing — suppression should be applied via Sumo Logic Scheduled Views or alert suppression windows for known test IPs and time ranges
  • Cloud-native environments with NAT gateways or shared egress — cloud NAT gateways that aggregate UDP responses from many internal hosts to external services may inflate dest_ip connection counts for a single gateway IP
  • Large-scale SNMP environments — network monitoring platforms receiving SNMP trap responses (UDP/161) from hundreds of network devices to a central management server IP will regularly exceed the connection count threshold
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: DNS ANY Query Amplification Probe

    Expected signal: Sysmon Event ID 22 (DNS Query) if Sysmon is configured. Zeek/Bro dns.log entry showing qtype=ANY. Network flow logs showing UDP packet to dst_port=53. The response packet will be significantly larger than the query packet.

  2. Test 2: NTP Monlist Request — Amplification Vector Validation

    Expected signal: Network flow log showing outbound UDP to dst_port=123. If ntpdc is used, expect a UDP packet of ~48 bytes sent and potentially a large multi-packet response if the server is vulnerable. Zeek/Bro will log this as a bro:ntp or zeek:ntp event.

  3. Test 3: Memcached UDP Statistics Request

    Expected signal: Network flow log showing UDP connection to dst_port=11211. If memcached responds, the response bytes will be significantly larger than the 16-byte request. Sysmon Event ID 3 (Network Connection) if running on Windows with a memcached instance. Zeek/Bro conn.log entry with orig_bytes vs resp_bytes showing amplification ratio.

  4. Test 4: SSDP M-SEARCH Amplification Discovery

    Expected signal: Network flow log showing outbound UDP to dst_ip=239.255.255.250 (multicast) dst_port=1900. Inbound UDP responses from local SSDP-capable devices to src_port=1900. Sysmon Event ID 3 (Network Connection) on Windows. Zeek/Bro conn.log showing the multicast connection.

  5. Test 5: High-Volume UDP Flood Simulation to Amplification Ports (hping3)

    Expected signal: NetFlow/IPFIX records showing 1000+ UDP packets to dst_port=53 and 123 from src_ip=127.0.0.1. Sysmon Event ID 3 (Network Connection) may not capture loopback traffic — use external lab IP for Sysmon telemetry. Firewall logs or Zeek/Bro conn.log showing packet counts exceeding 1000 per minute on amplification ports.
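Tests 1 to 3 above describe the per-flow signal as the request-to-response byte ratio in the Zeek/Bro conn.log. The following added example (not Zeek's code and not part of the original page) parses conn.log lines using their #fields header and reports UDP flows to amplification service ports whose resp_bytes/orig_bytes ratio crosses a threshold, skipping unset (-) and zero-byte requests such as the multicast SSDP M-SEARCH from Test 4, which Zeek records with no responder bytes. The log lines and the min_ratio threshold are constructed assumptions for illustration.

```python
"""Amplification-ratio check over Zeek conn.log lines (added example).
For each UDP flow whose responder port is an amplification service, the
observed amplification factor is resp_bytes / orig_bytes."""

# Responder ports the detection query treats as amplification services
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP",
                       389: "CLDAP", 5353: "mDNS", 161: "SNMP", 17: "QOTD",
                       19: "CharGen", 5683: "CoAP", 1434: "MSSQL", 520: "RIP"}

# Constructed conn.log excerpt in Zeek's tab-separated format (not real telemetry).
# Rows: DNS ANY probe, NTP monlist probe, memcached stats probe, multicast SSDP
# M-SEARCH with no responder bytes, an ordinary DNS A lookup, a TCP/443 flow,
# and a zero-byte NTP request that must not cause a division by zero.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000001.000000\tCabc01\t10.0.0.7\t51000\t192.0.2.10\t53\tudp\tdns\t0.010000\t45\t1800\tSF
1700000002.000000\tCabc02\t10.0.0.7\t51001\t192.0.2.20\t123\tudp\tntp\t0.020000\t48\t4800\tSF
1700000003.000000\tCabc03\t10.0.0.7\t51002\t192.0.2.30\t11211\tudp\t-\t0.050000\t16\t16000\tSF
1700000004.000000\tCabc04\t10.0.0.7\t51003\t239.255.255.250\t1900\tudp\t-\t-\t120\t-\tS0
1700000005.000000\tCabc05\t10.0.0.7\t51004\t192.0.2.10\t53\tudp\tdns\t0.005000\t40\t120\tSF
1700000006.000000\tCabc06\t10.0.0.7\t51005\t192.0.2.40\t443\ttcp\tssl\t1.200000\t2100\t9800\tSF
1700000007.000000\tCabc07\t10.0.0.7\t51006\t192.0.2.20\t123\tudp\tntp\t0.001000\t0\t90\tSHR
"""


def parse_conn_log(text):
    """Return one dict per data row, keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other header/footer lines carry no rows
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def _count(value):
    """Zeek writes '-' for an unset count field."""
    return None if value == "-" else int(value)


def amplification_flows(text, min_ratio=10.0):
    """UDP flows to amplification ports whose response/request byte ratio is at
    least min_ratio (an assumed threshold), highest ratio first."""
    flows = []
    for r in parse_conn_log(text):
        port = int(r["id.resp_p"])
        if r["proto"] != "udp" or port not in AMPLIFICATION_PORTS:
            continue
        orig, resp = _count(r["orig_bytes"]), _count(r["resp_bytes"])
        if not orig or resp is None:      # unset or zero-byte request: no ratio to compute
            continue
        ratio = resp / orig
        if ratio >= min_ratio:
            flows.append({"responder": r["id.resp_h"], "port": port,
                          "service": AMPLIFICATION_PORTS[port], "orig_bytes": orig,
                          "resp_bytes": resp, "ratio": round(ratio, 1)})
    return sorted(flows, key=lambda f: f["ratio"], reverse=True)


if __name__ == "__main__":
    for flow in amplification_flows(SAMPLE_CONN_LOG):
        print(flow)
```

On the sample the three probe flows are reported with ratios of 1000x (memcached), 100x (NTP) and 40x (DNS), while the ordinary DNS lookup (3x) stays below the threshold; the same parser can be pointed at a real conn.log to confirm that the Zeek sensor records the orig_bytes and resp_bytes columns the tests rely on.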
