Esc
Reflection Amplification - T1498.002
(ATT&CK® Technique)
Definition
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target. This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1498002["Reflection Amplification"] --> |produces| InboundInternetNetworkTraffic["Inbound Internet Network Traffic"]; class T1498002 OffensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode; click InboundInternetNetworkTraffic href "/dao/artifact/d3f:InboundInternetNetworkTraffic";
click T1498002 href "/offensive-technique/attack/T1498.002/"; click InboundInternetNetworkTraffic href "/dao/artifact/d3f:InboundInternetNetworkTraffic"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1498002["Reflection Amplification"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class InboundSessionVolumeAnalysis DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click InboundSessionVolumeAnalysis href "/technique/d3f:InboundSessionVolumeAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1498002["Reflection Amplification"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; InboundTrafficFiltering["Inbound Traffic Filtering"] -->
| filters | InboundInternetNetworkTraffic["Inbound Internet Network Traffic"];
InboundTrafficFiltering["Inbound Traffic Filtering"] -.->
| may-isolate | T1498002["Reflection Amplification"] ;
class InboundTrafficFiltering DefensiveTechniqueNode;
class InboundInternetNetworkTraffic ArtifactNode;
click InboundTrafficFiltering href "/technique/d3f:InboundTrafficFiltering";