dnsreflection

Explanation

The dnsreflection event is a detection within the Netography Fusion Portal that identifies DNS reflection attacks. These attacks use DNS servers to amplify the traffic sent to a victim's website by spoofing the source IP addresses of the requests, so that the servers' responses go to the victim. This can lead to denial of service (DoS), as the victim's server is overwhelmed with traffic.

What to Look For

To examine the results of the dnsreflection event, users should review the network traffic logs. Specifically, they should look for a high volume of DNS requests originating from multiple source IP addresses. This traffic may also be characterized by unusually large query sizes or traffic volumes. At the endpoint level, users should monitor for unusual CPU or memory spikes, which may indicate that the device is being used in a reflection attack.
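
The review described above can be sketched as a check over flow records. This is an added example, not Netography's detection logic: the record field names, the thresholds and the sample flows are all hypothetical. It takes the victim-side view, where reflected traffic arrives as UDP from source port 53.

```python
from collections import defaultdict

# Hypothetical per-window thresholds; tune them to the local baseline.
MIN_SOURCES = 20           # distinct DNS servers sending to one destination
MIN_AVG_PKT_BYTES = 1000   # ordinary DNS answers are much smaller
MIN_TOTAL_BYTES = 1_000_000

def find_reflection_targets(flows):
    """Return {dst_ip: stats} for destinations whose inbound DNS traffic
    in this window combines many sources, large packets and high volume."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        # Reflected traffic reaches the victim as UDP from source port 53.
        if f["proto"] != "udp" or f["srcport"] != 53:
            continue
        s = per_dst[f["dst"]]
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
    hits = {}
    for dst, s in per_dst.items():
        if s["packets"] == 0:
            continue  # malformed records only; avoid dividing by zero
        avg = s["bytes"] / s["packets"]
        if (len(s["sources"]) >= MIN_SOURCES and avg >= MIN_AVG_PKT_BYTES
                and s["bytes"] >= MIN_TOTAL_BYTES):
            hits[dst] = {"sources": len(s["sources"]), "bytes": s["bytes"],
                         "avg_pkt_bytes": round(avg)}
    return hits

def flow(src, dst, nbytes, packets):
    """Build one constructed UDP flow record with source port 53."""
    return {"src": src, "dst": dst, "proto": "udp", "srcport": 53,
            "bytes": nbytes, "packets": packets}

def sample_flows():
    """Constructed records using documentation address ranges."""
    flows = []
    for i in range(1, 41):   # 40 servers, 50 large responses each: reflection
        flows.append(flow(f"198.51.100.{i}", "203.0.113.10", 50 * 1400, 50))
    for i in range(1, 31):   # many sources, small answers: normal lookups
        flows.append(flow(f"192.0.2.{i}", "203.0.113.20", 3 * 120, 3))
    # One server, large volume: no fan-in of sources, so not reflection.
    flows.append(flow("192.0.2.200", "203.0.113.30", 2_000_000, 1500))
    return flows

if __name__ == "__main__":
    for dst, stats in find_reflection_targets(sample_flows()).items():
        print(dst, stats)
```

Requiring all three conditions together keeps a host that performs many ordinary lookups, or one that pulls large answers from a single server, from being flagged.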

Related MITRE ATT&CK Categories

Network Denial of Service, Technique T1498 - Enterprise