MITRE ATT&CK® Detection Strategy

DET0408: Detection Strategy for Reflection Amplification DoS (T1498.002)


Enterprise | DET0408 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0408 is a MITRE detection strategy object for Reflection Amplification DoS, an impact technique where adversaries may use third-party reflectors to send high-volume traffic toward a victim. For leaders, the significance is service availability: defenses are often decided less by endpoint visibility and more by network, cloud, ISP, and incident-response readiness to recognize and absorb or divert abnormal inbound traffic.

Executive priority

Treat this as an operational resilience and continuity issue. Security leaders should ask whether critical internet-facing services have documented DoS response paths, whether cloud/IaaS and network teams can produce evidence of abnormal traffic patterns quickly, and whether escalation to providers or upstream mitigations is rehearsed. Because the supplied detection strategy has no official detection text, priority should be on validating local telemetry, ownership, and response playbooks rather than assuming ATT&CK provides a complete analytic.

Technical view

The object detects T1498.002 Reflection Amplification, related to the Impact tactic and listed for Windows, IaaS, Linux, and macOS environments. SOC and IR teams should validate visibility into inbound network volume, protocol distribution, source/destination patterns, and service availability signals for internet-exposed assets. Detection engineering should focus on environment-specific baselines for sudden high-volume reflected traffic and correlate network observations with service degradation, cloud/IaaS metrics, and incident tickets. Because the detection strategy itself has no official description or detection logic, any analytic must be locally defined and tested.

Likely telemetry

  • Network flow records and traffic volume metrics for internet-facing services
  • Firewall, load balancer, proxy, and edge device logs
  • Cloud/IaaS network metrics and availability indicators where applicable
  • DNS, NTP, UDP, or other protocol-level summaries if collected at the edge
  • Service health, uptime, latency, and error-rate monitoring

Detection direction

  • Confirm that monitoring can distinguish abnormal inbound traffic volume from normal business peaks, marketing events, maintenance, or scanning noise.
  • Correlate traffic spikes with service health degradation to reduce false positives from benign high-volume events.
  • Validate visibility at the network edge and in IaaS environments, since endpoint logs alone may not capture the deciding evidence for reflection amplification DoS.
  • Build runbooks around observable symptoms and escalation thresholds because the supplied ATT&CK detection strategy includes no official detection procedure.
  • Review blind spots where traffic is handled by third-party providers, content delivery layers, or upstream mitigation services before reaching organization-controlled logging.
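The two checks the list above leans on (a locally defined volume baseline, and correlation of a spike with service degradation) can be expressed as a small analytic. The block below is an added example, not Glexia's or MITRE's code; it runs over constructed per-minute flow summaries and a constructed latency series, and the reflector port set and thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Source ports commonly tied to UDP reflector services (DNS, NTP, SSDP, memcached).
REFLECTOR_PORTS = {53, 123, 1900, 11211}

# Constructed per-minute flow summaries: (minute, proto, src_port, inbound_bytes).
# Minutes 0-29 are a quiet baseline; minutes 30-32 carry a sharp inbound surge.
FLOWS = (
    [(m, "udp", 53, 2_000_000 + (m % 3) * 100_000) for m in range(30)]
    + [(m, "udp", 123, 500_000) for m in range(30)]
    + [(m, "tcp", 443, 3_000_000) for m in range(33)]  # ordinary web traffic, ignored
    + [(30, "udp", 123, 48_000_000), (31, "udp", 123, 61_000_000), (32, "udp", 123, 57_000_000),
       (30, "udp", 53, 20_000_000), (31, "udp", 53, 26_000_000), (32, "udp", 53, 25_000_000)]
)
# Constructed service-health series: p95 latency in ms for the exposed service.
LATENCY_MS = {**{m: 120 for m in range(30)}, 30: 900, 31: 2400, 32: 2100}


def reflector_bytes_per_minute(flows):
    """Sum inbound UDP bytes whose source port belongs to a known reflector service."""
    per_min = defaultdict(int)
    for minute, proto, src_port, nbytes in flows:
        if proto == "udp" and src_port in REFLECTOR_PORTS:
            per_min[minute] += nbytes
    return dict(per_min)


def detect(flows, latency, baseline_minutes=30, sigma=4.0, latency_factor=3.0):
    """Return alerts for minutes where reflector-sourced volume is at least `sigma`
    standard deviations above the baseline window AND service latency is degraded
    by `latency_factor` or more; requiring both suppresses benign traffic peaks."""
    per_min = reflector_bytes_per_minute(flows)
    base = [per_min.get(m, 0) for m in range(baseline_minutes)]
    mu, sd = mean(base), (pstdev(base) or 1.0)
    base_lat = mean(latency[m] for m in range(baseline_minutes))
    alerts = []
    for m in sorted(per_min):
        if m < baseline_minutes:
            continue
        z = (per_min[m] - mu) / sd
        degraded = latency.get(m, 0) >= latency_factor * base_lat
        if z >= sigma and degraded:
            alerts.append({"minute": m, "reflector_bytes": per_min[m], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS, LATENCY_MS):
        print(f"minute {a['minute']}: {a['reflector_bytes']:,} B from reflector ports (z={a['z']})")
```

In production the baseline window would be rebuilt from real flow exports (edge or IaaS flow logs) and the latency series from the service's own health monitoring, as the telemetry list above describes.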

Mitigation priorities

  • Prioritize resilience planning for critical internet-facing services, including documented ownership, escalation paths, and provider contact procedures.
  • Ensure network, cloud, and SOC teams can access the telemetry needed to confirm or rule out reflection amplification during an availability incident.
  • Define response thresholds and decision criteria for engaging upstream or cloud-based DoS mitigation capabilities.
  • Use exercises or tabletop reviews to test incident coordination across SOC, infrastructure, application owners, and business continuity teams.
  • Preserve evidence needed for compliance, post-incident review, and service-level discussions, including traffic metrics and response timelines.

Analyst notes and limits

This take is based on the DET0408 detection strategy metadata and its relationship to T1498.002 Reflection Amplification. The official object provides no description or detection text, so practical guidance is framed around defensible validation questions and telemetry classes supported by the related technique context.

Platforms and tactic are taken from the related T1498.002 technique, not from the detection strategy object itself. The supplied relationship description is truncated, and no official analytic, data sources, mitigations, procedures, or detection logic were provided. Local architecture, provider controls, and traffic baselines are required to determine real coverage.

Official MITRE ATT&CK definition

Detection Strategy for Reflection Amplification DoS (T1498.002)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                                       Relationship / procedure
Enterprise  T1498.002  Reflection Amplification (sub-technique)   This object detects Reflection Amplification.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a502e2a40c2469e5...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  a502e2a40c24…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0408 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.