1 June 2021

DNS Amplification DDoS Attacks


DNS Amplification DDoS attacks are a type of DDoS attack in which an attacker exploits the functionality of open DNS resolvers to flood a target server or network with amplified traffic. It is classed as a reflection-based volumetric distributed denial of service (DDoS) attack: the target, and often the infrastructure around it, is saturated with traffic until it becomes completely inaccessible.

How Is a DNS Amplification Attack Carried Out?

Amplification attacks are generally based on a spoofed request-response mechanism between an attacker and a targeted server. The fundamental principle behind a DNS amplification attack is the disparity in size between the request and the response. The attacker sends a small DNS query — typically a request for a DNS record type such as ANY, which returns a much larger response — to an open DNS resolver, spoofing the source IP address in the packet so that it appears to come from the intended victim. The DNS resolver then sends its large response to the victim’s IP address rather than to the attacker.

By using a large number of open DNS resolvers simultaneously and directing all of their responses at a single target, the attacker can generate a massive volume of traffic aimed at the victim. Because each small query produces a much larger response, the attacker is able to amplify the attack traffic significantly without needing a proportionally large amount of outgoing bandwidth. The amplification factor for DNS attacks can be 28 to 54 times — meaning a 1 Mbps stream of spoofed DNS queries could generate up to 54 Mbps of attack traffic directed at the target.

Why Are Open DNS Resolvers a Risk?

An open DNS resolver is a DNS server that responds to queries from any IP address on the internet, rather than restricting responses to authorised users or networks. While open resolvers can be useful in certain contexts, they represent a significant security risk when they exist in large numbers on the public internet, as they can be weaponised to amplify DDoS attacks without any direct involvement from the resolver’s operator.

DNS queries are normally carried over UDP, which is connectionless and requires no handshake before a request is answered. This makes it straightforward for attackers to spoof source IP addresses, since there is no three-way TCP handshake to verify that the sender is who they claim to be.

Defence Against DNS Amplification Attacks

Organisations can reduce their risk of being used as an unwitting amplifier by configuring their DNS servers not to respond to recursive queries from external IP addresses — effectively closing the open resolver. Response Rate Limiting (RRL) can also be configured on DNS servers to limit the number of identical or similar responses sent to any single IP address within a given time window, reducing the volume of traffic that can be generated by a spoofed query. For organisations on the receiving end of a DNS amplification attack, upstream scrubbing services and DDoS mitigation providers can filter the attack traffic before it reaches the target’s network. ISP-level ingress filtering, which blocks packets with spoofed source addresses at the network edge, also helps to reduce the effectiveness of these attacks at the internet infrastructure level.
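To make the RRL defence concrete, the following added example (not Privia Security's code) models a simplified Response Rate Limiting filter and runs it over a constructed log of DNS responses: a spoofed flood of ANY queries aimed at a victim IP and a small amount of legitimate traffic. The per-second limit, window length and "slip" value are assumptions chosen for the illustration, and the slip behaviour (answering every second excess query with a tiny truncated TC=1 reply so a genuine client can retry over TCP) follows the approach used by common RRL implementations.

```python
# Added example: simplified Response Rate Limiting (RRL) over a constructed log.
# Not Privia Security's code; limit, window and slip values are assumptions.
from collections import defaultdict, deque

# Constructed log entries: (timestamp, client_ip, qname, qtype, query_bytes, response_bytes)
SAMPLE_LOG = [(0.05 * i, "203.0.113.10", "example.com", "ANY", 60, 3000) for i in range(20)]
SAMPLE_LOG += [(0.30, "198.51.100.7", "www.example.com", "A", 50, 100),
               (0.90, "198.51.100.7", "mail.example.com", "MX", 50, 120)]

class ResponseRateLimiter:
    """Cap identical responses to one client IP inside a sliding window.
    Excess responses are dropped, except every `slip`-th one, which is sent
    truncated (TC=1, roughly query-sized) so a real client can retry over TCP."""
    def __init__(self, responses_per_second=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = responses_per_second, window, slip
        self.seen = defaultdict(deque)   # (client, qname, qtype) -> send timestamps
        self.excess = defaultdict(int)   # same key -> consecutive excess responses

    def decide(self, ts, client_ip, qname, qtype):
        key = (client_ip, qname.lower().rstrip("."), qtype.upper())
        recent = self.seen[key]
        while recent and ts - recent[0] >= self.window:   # expire old sends
            recent.popleft()
        if len(recent) < self.limit:
            recent.append(ts)
            self.excess[key] = 0
            return "SEND"
        self.excess[key] += 1
        return "SLIP" if self.excess[key] % self.slip == 0 else "DROP"

def traffic_to(client_ip, log, limiter=None):
    """Return (query_bytes, response_bytes) directed at client_ip, with or without RRL."""
    q_total = r_total = 0
    for ts, client, qname, qtype, qsize, rsize in log:
        if client != client_ip:
            continue
        q_total += qsize
        verdict = limiter.decide(ts, client, qname, qtype) if limiter else "SEND"
        if verdict == "SEND":
            r_total += rsize
        elif verdict == "SLIP":
            r_total += qsize   # truncated reply is about the size of the query
    return q_total, r_total

def amplification(query_bytes, response_bytes):
    """Amplification factor: bytes reflected at the victim per byte of spoofed query."""
    return response_bytes / query_bytes

if __name__ == "__main__":
    for label, rrl in (("no RRL ", None), ("with RRL", ResponseRateLimiter())):
        q, r = traffic_to("203.0.113.10", SAMPLE_LOG, rrl)
        print(f"{label}: {r} bytes toward victim, amplification x{amplification(q, r):.1f}")
```

Without RRL the 20 spoofed 60-byte ANY queries reflect 60000 bytes at the victim (50x); with the limiter only the first five full responses and a handful of tiny truncated replies get through, while the legitimate client's two distinct queries are answered normally.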
