Outbound spoofed traffic to known amplification protocols (e.g., DNS, NTP, Memcached) combined with abnormal network traffic volume targeting remote reflectors, resulting in disproportionate traffic returned to a victim

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Host Status (DC0018) | Windows:perfmon | Sudden spike in outbound throughput without corresponding inbound traffic |

| Field | Description |
|---|---|
| TimeWindow | Interval for measuring sudden outbound spike or volume pattern |
| AmplificationProtocolPorts | List of known ports used for reflection amplification (e.g., 53/DNS, 123/NTP, 11211/Memcached) |
| PacketToByteRatio | Heuristic threshold where the response volume far outweighs the request volume |
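The analytic above combines Sysmon EventCode=3 (network connection creation) with a TimeWindow and an AmplificationProtocolPorts list. The following is an added example, not code from the page or from ATT&CK: it applies the page's TimeWindow and AmplificationProtocolPorts fields to a sliding window over Sysmon connection records and alerts once per process that fans out to many distinct destinations on amplification ports. The port values, the 60-second window, the 20-reflector threshold, the process name `udpgen.exe` and the sample records are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values for the page's mutable fields, assumed for this example
AMPLIFICATION_PROTOCOL_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}
TIME_WINDOW = timedelta(seconds=60)   # TimeWindow
MIN_DISTINCT_REFLECTORS = 20          # hypothetical fan-out threshold per process


def parse_sysmon_event(record):
    """Extract the fields this analytic needs from one Sysmon EventCode=3 record
    (given here as a dict of the event's named fields)."""
    return {
        "time": datetime.strptime(record["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        "image": record["Image"],
        "proto": record["Protocol"].lower(),
        "dst_ip": record["DestinationIp"],
        "dst_port": int(record["DestinationPort"]),
        "initiated": record["Initiated"].lower() == "true",
    }


def detect_reflector_fanout(records, window=TIME_WINDOW,
                            ports=AMPLIFICATION_PROTOCOL_PORTS,
                            min_reflectors=MIN_DISTINCT_REFLECTORS):
    """Alert once per process whose outbound UDP connections to amplification
    ports reach `min_reflectors` distinct destination IPs within `window`."""
    recent = defaultdict(deque)   # image -> deque of (time, dst_ip), oldest first
    alerted, alerts = set(), []
    events = sorted((parse_sysmon_event(r) for r in records), key=lambda e: e["time"])
    for ev in events:
        if not (ev["initiated"] and ev["proto"] == "udp" and ev["dst_port"] in ports):
            continue   # inbound, TCP, or not an amplification port: out of scope here
        q = recent[ev["image"]]
        q.append((ev["time"], ev["dst_ip"]))
        while ev["time"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {ip for _, ip in q}
        if len(distinct) >= min_reflectors and ev["image"] not in alerted:
            alerted.add(ev["image"])
            alerts.append({"image": ev["image"], "at": ev["time"].isoformat(),
                           "distinct_reflectors": len(distinct)})
    return alerts


def build_sample_events():
    """Constructed Sysmon EventCode=3 records (not real telemetry): one process
    reaching 25 distinct hosts on DNS/NTP ports within 25 seconds, and a benign
    process making three DNS lookups to the local resolver."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    events = []
    for i in range(25):
        events.append({"UtcTime": (base + timedelta(seconds=i)).strftime(fmt),
                       "Image": r"C:\Temp\udpgen.exe",   # hypothetical process name
                       "Protocol": "udp",
                       "DestinationIp": f"198.51.100.{i + 1}",
                       "DestinationPort": "53" if i % 2 else "123",
                       "Initiated": "true"})
    for i in range(3):
        events.append({"UtcTime": (base + timedelta(seconds=5 * i)).strftime(fmt),
                       "Image": r"C:\Windows\System32\svchost.exe",
                       "Protocol": "udp",
                       "DestinationIp": "10.0.0.2",
                       "DestinationPort": "53",
                       "Initiated": "true"})
    return events


if __name__ == "__main__":
    for alert in detect_reflector_fanout(build_sample_events()):
        print(alert)
```

The distinct-destination count is the key discriminator: a legitimate resolver or NTP client talks to a handful of configured servers, while reflection traffic spreads requests across many reflectors. Tune `MIN_DISTINCT_REFLECTORS` and `TIME_WINDOW` against a baseline of the host's normal DNS/NTP fan-out before enabling alerting.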
Spoofed outbound packets sent to amplification services from command-line tools or scripts, combined with abnormal outbound packet volume on known reflector ports

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound UDP floods targeting common reflection services with spoofed IP headers |
| Host Status (DC0018) | sar:network | Outbound network saturation with minimal process activity |

| Field | Description |
|---|---|
| TimeWindow | Sliding interval for detecting volumetric anomalies |
| AmplificationProtocolList | Which protocols to watch (e.g., DNS, NTP, SSDP, Memcached) |
| ExecutionToolList | Set of binaries and scripts commonly abused for spoofing/reflection |
Command-line initiated UDP traffic bursts to external reflection amplification ports using built-in scripting or binaries, with accompanying network anomalies

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of ping, nping, or crafted network packets via bash or python to reflection services |
| Network Traffic Flow (DC0078) | macos:unifiedlog | Outbound UDP spikes to external reflector IPs |

| Field | Description |
|---|---|
| ReflectionPorts | Ports known for reflection abuse (e.g., DNS, NTP, SSDP, Memcached) |
| TrafficSpikeThreshold | How much deviation in outbound traffic constitutes a suspicious spike |
Cloud-hosted VM or container generates spoofed UDP requests to third-party services on known amplifier ports, with high outbound-to-inbound traffic ratios in VPC Flow Logs

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | AWS:CloudTrail | Create egress rule allowing UDP to port 53, 123, 11211 |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | Large outbound UDP traffic to multiple public reflector IPs |
| Host Status (DC0018) | AWS:CloudWatch | Sudden spike in network output without a corresponding inbound request ratio |

| Field | Description |
|---|---|
| EgressRulePorts | Cloud security group rules permitting UDP to reflector protocols |
| OutboundToInboundRatio | Ratio threshold to flag traffic as potential reflection behavior |
| VMInstanceTagContext | Cloud metadata that can help scope anomalous behavior to development, testing, or external-facing services |
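The cloud analytic above keys on the OutboundToInboundRatio field over VPC Flow Logs: a source that spoofs its address never sees the replies, so bytes sent to reflector ports dwarf bytes received from them. As an added example (not code from the page or from AWS), the following parses records in the VPC Flow Logs default version 2 field order, aggregates UDP traffic to and from the EgressRulePorts per network interface, and flags interfaces whose ratio meets the threshold. The VPC CIDR `10.0.0.0/16`, the port set, the ratio of 10, the account ID, the interface IDs and the sample records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed values for the page's EgressRulePorts and OutboundToInboundRatio fields
EGRESS_RULE_PORTS = {53, 123, 1900, 11211}
OUTBOUND_TO_INBOUND_RATIO = 10.0
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC address range
UDP = 17

# Field order of the VPC Flow Logs default (version 2) record format
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def parse_flow_record(line):
    """Parse one space-separated VPC Flow Log record; numeric '-' fields become 0."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0
    return rec


def summarize_reflector_traffic(lines, vpc=VPC_CIDR, ports=EGRESS_RULE_PORTS):
    """Per interface: bytes sent to reflector ports, bytes received back from
    reflector ports, and the set of distinct reflector addresses contacted."""
    stats = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0, "reflectors": set()})
    for line in lines:
        rec = parse_flow_record(line)
        # NODATA/SKIPDATA records carry no addresses; rejected and non-UDP flows are skipped
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT" or rec["protocol"] != UDP:
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        s = stats[rec["interface_id"]]
        if src in vpc and dst not in vpc and rec["dstport"] in ports:
            s["out_bytes"] += rec["bytes"]          # request leaving the VPC
            s["reflectors"].add(rec["dstaddr"])
        elif dst in vpc and src not in vpc and rec["srcport"] in ports:
            s["in_bytes"] += rec["bytes"]           # reply coming back from a reflector
    return stats


def flag_reflection_sources(lines, ratio_threshold=OUTBOUND_TO_INBOUND_RATIO):
    """Return interfaces whose outbound:inbound byte ratio to reflector ports meets
    the threshold. Spoofed requests draw no replies, so the ratio climbs."""
    flagged = {}
    for eni, s in summarize_reflector_traffic(lines).items():
        ratio = s["out_bytes"] / max(s["in_bytes"], 1)
        if s["out_bytes"] and ratio >= ratio_threshold:
            flagged[eni] = {"ratio": ratio, "distinct_reflectors": len(s["reflectors"])}
    return flagged


# Constructed sample records (not real logs): eni-0a1b2c3d sends to six public hosts
# on Memcached/NTP ports and gets nothing back; eni-0e9f8d7c does one ordinary DNS
# lookup with a reply; the NODATA record exercises the '-' handling.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 "
    f"198.51.100.{i} 40001 {11211 if i % 2 else 123} 17 10 12000 "
    "1700000000 1700000060 ACCEPT OK"
    for i in range(1, 7)
] + [
    "2 123456789012 eni-0e9f8d7c 10.0.1.20 203.0.113.53 51234 53 17 1 80 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e9f8d7c 203.0.113.53 10.0.1.20 53 51234 17 1 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e9f8d7c - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for eni, info in flag_reflection_sources(SAMPLE_FLOW_LOG).items():
        print(eni, info)
```

Deciding direction by membership in the VPC CIDR rather than by a "private address" heuristic matters in practice: documentation and carrier-grade NAT ranges are classified inconsistently by address libraries, and the VPC's own CIDR is authoritative. The flagged interface ID can then be joined against instance tags (the VMInstanceTagContext field) to separate an external-facing resolver from a development box that should never talk UDP to the Internet.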