
Flowmon ADS User Guide

REFLECTDOS - Amplified DoS Attack

  • Last Updated: May 1, 2026

Method description

This detection method reveals Denial of Service (DoS) attacks that exploit a weakness of certain services: for specific requests, the service returns a response much larger than the request. The attacker sends a large number of small requests with the source IP address spoofed to that of the victim, so the servers' amplified responses flood the victim. The purpose of this method is to detect servers in the monitored network being misused for this type of DoS attack. Detection of the misuse of the NTP (UDP/123), DNS (UDP/53, TCP/53), Portmap (UDP/111), TFTP (UDP/69), and SLP (UDP/427) services is implemented.

Misused servers are detected from the ratio of data sent to data received in the communication with a single client. To generate an event, a server has to send at least x times more data to a client than it receives from that client (x being the value of the ThresholdChange parameter), and the total amount of data the server sends to all of its clients has to be at least the value of the MinimalReplies parameter.

The detection method must have filters assigned that define the IP addresses of the DNS and NTP servers in the DNSServers and NTPServers parameters. If one of these filters is not assigned, the respective part of the detection is inactive. Detection of amplification attacks that misuse the Portmap, TFTP, or SLP service does not require a filter; this part of the detection method is activated using the Portmap, TrivialFTP, and SLP parameters.
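The two conditions above (per-client sent/received ratio against ThresholdChange, total sent volume against MinimalReplies) and the filter/toggle rules can be reproduced over plain flow records. The following Python is an added example written for this page, not Flowmon's own implementation: the Flow record, the function names, the sample addresses and byte counts are constructed, and the handling of a reply with no observed request is an assumption (it is treated as exceeding the ratio).

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: illustrative reimplementation of the REFLECTDOS ratio check.
# Not Flowmon code; record shape, names and sample data are assumptions.

# Service ports covered by the method, as listed in the text.
SERVICES = {
    ("udp", 123): "NTP",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("udp", 111): "Portmap",
    ("udp", 69): "TFTP",
    ("udp", 427): "SLP",
}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed; NetFlow-like fields only)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    bytes: int


def _classify(f, known_servers):
    """Return ('request'|'response', service) or None for an uninteresting flow."""
    req = SERVICES.get((f.proto, f.dport))
    rsp = SERVICES.get((f.proto, f.sport))
    if req and rsp:  # e.g. NTP 123 -> 123: decide by which side is a known server
        return ("response", rsp) if f.src in known_servers else ("request", req)
    if req:
        return ("request", req)
    if rsp:
        return ("response", rsp)
    return None


def _service_active(service, server, dns_servers, ntp_servers, portmap, tftp, slp):
    """DNS and NTP need the server to be in the assigned filter; the rest use a toggle."""
    if service == "DNS":
        return dns_servers is not None and server in dns_servers
    if service == "NTP":
        return ntp_servers is not None and server in ntp_servers
    return {"Portmap": portmap, "TFTP": tftp, "SLP": slp}[service]


def detect_amplifiers(flows, threshold_change=10, minimal_replies=1_000_000,
                      dns_servers=None, ntp_servers=None,
                      portmap=True, tftp=True, slp=True):
    """Return one event per (server, service, client) pair meeting both conditions."""
    known = set(dns_servers or ()) | set(ntp_servers or ())
    sent = defaultdict(int)      # (server, service, client) -> bytes server -> client
    received = defaultdict(int)  # (server, service, client) -> bytes client -> server
    for f in flows:
        role = _classify(f, known)
        if role is None:
            continue
        kind, svc = role
        if kind == "request":
            received[(f.dst, svc, f.src)] += f.bytes
        else:
            sent[(f.src, svc, f.dst)] += f.bytes
    # MinimalReplies is evaluated on everything the server sent, across all clients.
    total_sent = defaultdict(int)
    for (server, svc, _client), b in sent.items():
        total_sent[(server, svc)] += b
    events = []
    for (server, svc, client), out_bytes in sent.items():
        if not _service_active(svc, server, dns_servers, ntp_servers, portmap, tftp, slp):
            continue
        in_bytes = received.get((server, svc, client), 0)
        # Assumption: a reply with no observed request counts as exceeding the ratio.
        ratio_hit = in_bytes == 0 or out_bytes >= threshold_change * in_bytes
        if ratio_hit and total_sent[(server, svc)] >= minimal_replies:
            events.append({"server": server, "service": svc, "client": client,
                           "sent": out_bytes, "received": in_bytes,
                           "total_sent": total_sent[(server, svc)]})
    return events


# Constructed sample traffic; 198.51.100.5 plays the spoofed victim address.
SAMPLE_FLOWS = [
    # NTP server answering small queries with huge replies: event expected.
    Flow("198.51.100.5", "192.0.2.10", "udp", 40000, 123, 4_500),
    Flow("192.0.2.10", "198.51.100.5", "udp", 123, 40000, 2_280_000),
    # Ordinary NTP client of the same server (123 -> 123 both ways): symmetric, no event.
    Flow("10.0.0.7", "192.0.2.10", "udp", 123, 123, 90),
    Flow("192.0.2.10", "10.0.0.7", "udp", 123, 123, 90),
    # DNS server amplifying 50x but below MinimalReplies in total: no event.
    Flow("198.51.100.5", "192.0.2.20", "udp", 41000, 53, 800),
    Flow("192.0.2.20", "198.51.100.5", "udp", 53, 41000, 40_000),
    # Portmap reflection; needs no filter, only the Portmap toggle: event expected.
    Flow("198.51.100.5", "192.0.2.30", "udp", 42000, 111, 6_800),
    Flow("192.0.2.30", "198.51.100.5", "udp", 111, 42000, 1_200_000),
]


def run_sample():
    """Evaluate the sample with DNS/NTP filters assigned and all toggles on."""
    return detect_amplifiers(SAMPLE_FLOWS, threshold_change=10, minimal_replies=1_000_000,
                             dns_servers={"192.0.2.20"}, ntp_servers={"192.0.2.10"})


if __name__ == "__main__":
    for e in run_sample():
        print(e)
```

Running it reports two events (the NTP server and the Portmap server, both towards 198.51.100.5); the legitimate NTP client is symmetric and the DNS server falls below MinimalReplies. Dropping the NTPServers filter silences the NTP part, and passing portmap=False silences the Portmap part, exactly as the parameter description says.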

This method consists of the following submethod:

  • Amplification: Reports a reflected Denial of Service attack misusing DNS, NTP, Portmap, TFTP, or SLP servers.

Method configuration

It is recommended to apply this method network-wide, to all traffic regardless of IP address. The best place to monitor the traffic is the central switch.

Method parameters

  • MinimalReplies: Minimal total amount of data the relevant server has to send to all of its clients before an event is reported.

  • ThresholdChange: Threshold for the ratio of data sent to data received by the relevant server in the communication with a single client.

  • DNSServers: The name of the filter that defines the IP addresses of DNS servers. If no filter is assigned, the detection of the amplified DoS attacks that misuse the DNS service (UDP/53, TCP/53) is disabled.

  • NTPServers: The name of the filter that defines the IP addresses of NTP servers. If no filter is assigned, the detection of the amplified DoS attacks that misuse the NTP service (UDP/123) is disabled.

  • Portmap: Activates the detection of amplified DoS attacks that misuse the Portmap service (UDP/111).

  • TrivialFTP: Activates the detection of amplified DoS attacks that misuse the TFTP service (UDP/69).

  • SLP: Activates the detection of amplified DoS attacks that misuse the SLP service (UDP/427).

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

This method alerts when a server in the monitored network is being misused as an amplifier for the given service. The remedy is usually a change in the service configuration, for example restricting DNS recursion to authorized clients or disabling the NTP monlist query, so that unsolicited requests from outside no longer get amplified responses.
