DNS Amplification Attacks | NOC.org

What Is a DNS Amplification Attack?

A DNS amplification attack is a type of volumetric DDoS attack that exploits the Domain Name System (DNS) to flood a target with massive amounts of traffic. It belongs to the broader family of reflection and amplification attacks, where the attacker uses a third-party service to both reflect and amplify the attack traffic directed at the victim.

The attack works at Layer 3 of the OSI model and is categorized as a distributed denial of service (DDoS) technique. DNS amplification has been responsible for some of the largest recorded DDoS attacks, with peak traffic volumes exceeding 1 Tbps. Its effectiveness comes from two properties: the ability to spoof the source IP address in UDP packets and the fact that DNS responses are significantly larger than DNS queries.

How DNS Amplification Works

The attack follows a straightforward sequence that exploits fundamental properties of the DNS protocol and UDP:

  1. IP address spoofing: The attacker crafts DNS query packets with the source IP address set to the victim's IP address. Because DNS uses UDP (a connectionless protocol), there is no handshake to verify the source address.
  2. Querying open resolvers: The spoofed queries are sent to open DNS resolvers — DNS servers that accept recursive queries from any IP address on the internet. There are millions of open resolvers online at any given time.
  3. Amplification via large responses: The attacker crafts queries that generate the largest possible responses. Queries for DNS records of type ANY or queries targeting domains with large DNSSEC-signed zone files produce responses that are many times larger than the original query.
  4. Traffic flood: The open resolvers send their large DNS responses to the victim's IP address (because that was the spoofed source). The victim receives a flood of unsolicited DNS response traffic from thousands of different resolvers simultaneously.

The Amplification Factor

The amplification factor is the ratio between the size of the DNS response and the size of the DNS query. This is what makes the attack so dangerous — the attacker can generate far more traffic than their own bandwidth allows.

Query Type            Typical Query Size   Typical Response Size   Amplification Factor
Standard A record     ~40 bytes            ~200 bytes              ~5x
ANY record            ~40 bytes            ~2,800 bytes            ~70x
DNSSEC-signed ANY     ~40 bytes            ~4,000+ bytes           ~100x
TXT record (large)    ~40 bytes            ~3,000 bytes            ~75x

With an amplification factor of 70x, an attacker with 1 Gbps of outbound bandwidth can generate 70 Gbps of traffic directed at the victim. A botnet with aggregate bandwidth of 10 Gbps could produce a 700 Gbps attack — enough to overwhelm most enterprise networks and many cloud providers.

The Role of Open Resolvers

Open DNS resolvers are the linchpin of this attack. A DNS resolver is considered "open" when it accepts and processes recursive DNS queries from any source IP address, regardless of whether that IP belongs to its intended user base. While authoritative DNS servers must respond to queries for their zones, recursive resolvers should only serve their own network's clients.

Open resolvers exist for several reasons:

  • Misconfigured servers: Many DNS servers are deployed with default configurations that allow recursive queries from any source.
  • Legacy infrastructure: Older DNS servers deployed before amplification attacks were well understood may never have been hardened.
  • Home routers: Consumer-grade routers often run DNS forwarders that accept queries from the WAN interface.
  • Intentional public resolvers: Some organizations operate public resolvers as a service. While these are typically rate-limited and monitored, they can still be exploited if not properly configured.

Projects like the Open Resolver Project have cataloged millions of open resolvers on the internet, and despite years of awareness campaigns, the number remains high enough to fuel significant attacks.

Detecting DNS Amplification Attacks

Detection is critical for rapid response. Several indicators suggest a DNS amplification attack is in progress:

Network-Level Indicators

  • Sudden spike in inbound UDP port 53 traffic: DNS responses arrive with UDP source port 53. If your server is not making outbound DNS queries, large volumes of inbound DNS responses are a clear sign of a reflection attack.
  • Traffic from many different source IPs: The responses come from thousands of different DNS resolvers worldwide, making simple IP-based blocking impractical.
  • Asymmetric traffic patterns: Inbound traffic volume vastly exceeds outbound traffic, which is the opposite of normal web server behavior.
  • Large DNS response packets: Response packets are unusually large (often near the 4,096-byte EDNS0 limit), indicating ANY or DNSSEC queries were used.
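The four indicators above can be computed mechanically from flow data. The following is an added example, not code from the NOC.org article: it scores constructed flow records (direction, protocol, ports, packets, bytes) against those indicators, with thresholds chosen for illustration.

```python
"""Score flow records for the DNS reflection indicators described above.

Added example, not NOC.org code. Flow records and thresholds are constructed
for illustration; a real deployment would feed NetFlow/sFlow exports in.
"""
from collections import namedtuple

# direction is relative to the protected host; bytes and packets are per flow
Flow = namedtuple("Flow", "direction proto src_ip src_port dst_port packets bytes")

# Constructed sample: a web server that sends no DNS queries of its own suddenly
# receives ~3.8 KB UDP responses from several unrelated resolvers (RFC 5737 ranges).
SAMPLE_FLOWS = [
    Flow("in",  "udp", "198.51.100.7",      53, 41022, 120, 460_800),
    Flow("in",  "udp", "203.0.113.44",      53, 41022,  95, 364_800),
    Flow("in",  "udp", "192.0.2.19",        53, 41022, 110, 422_400),
    Flow("in",  "udp", "198.51.100.200",    53, 41022,  80, 307_200),
    Flow("in",  "tcp", "192.0.2.88",     51500,   443,  40,   6_000),  # ordinary HTTPS client
    Flow("out", "tcp", "10.0.0.5",         443, 51500,  45,  90_000),  # its response
]

def dns_reflection_indicators(flows, min_resolvers=3, min_avg_bytes=1500, min_asymmetry=4.0):
    """Compute the four network-level indicators and a combined verdict.

    Thresholds are assumptions: tune them against your own traffic baseline.
    """
    responses = [f for f in flows
                 if f.direction == "in" and f.proto == "udp" and f.src_port == 53]
    own_queries = [f for f in flows
                   if f.direction == "out" and f.proto == "udp" and f.dst_port == 53]
    resp_bytes = sum(f.bytes for f in responses)
    resp_pkts = sum(f.packets for f in responses)
    in_bytes = sum(f.bytes for f in flows if f.direction == "in")
    out_bytes = sum(f.bytes for f in flows if f.direction == "out")
    ind = {
        "dns_response_bytes": resp_bytes,
        "distinct_resolvers": len({f.src_ip for f in responses}),
        "avg_response_bytes": resp_bytes / resp_pkts if resp_pkts else 0.0,
        "in_out_ratio": in_bytes / out_bytes if out_bytes else float("inf"),
        # responses with no outbound queries of our own are unsolicited by definition
        "unsolicited": bool(responses) and not own_queries,
    }
    ind["suspected_reflection"] = (
        ind["unsolicited"]
        and ind["distinct_resolvers"] >= min_resolvers
        and ind["avg_response_bytes"] >= min_avg_bytes
        and ind["in_out_ratio"] >= min_asymmetry
    )
    return ind

if __name__ == "__main__":
    for key, value in dns_reflection_indicators(SAMPLE_FLOWS).items():
        print(f"{key:>22}: {value}")
```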

Monitoring Tools

  • NetFlow/sFlow analysis: Flow data from routers and switches can reveal traffic anomalies before they cause service disruption.
  • SNMP bandwidth monitoring: Tracking interface utilization on edge routers provides early warning of volumetric attacks.
  • DNS query logging: If you operate DNS servers, monitoring query patterns can reveal when your servers are being used as amplifiers.

Prevention and Mitigation

Defending against DNS amplification requires action at multiple levels — from preventing your own infrastructure from being used as an amplifier to protecting against inbound attacks.

Preventing Your Infrastructure from Being Exploited

  • Close open resolvers: Configure DNS servers to only accept recursive queries from authorized IP ranges. In BIND, use the allow-recursion directive. In Unbound, configure access-control lists.
  • Implement BCP38 (Source Address Validation): Network operators should deploy ingress filtering (BCP38/RFC 2827) to prevent packets with spoofed source addresses from leaving their network. If all networks implemented BCP38, reflection attacks would be impossible.
  • Rate-limit DNS responses: Configure DNS servers to limit the rate of responses to any single destination IP. BIND's Response Rate Limiting (RRL) feature was specifically designed for this purpose.
  • Disable ANY queries: Many DNS operators now refuse ANY queries entirely, as they serve little legitimate purpose and are primarily used in amplification attacks. Cloudflare and other major DNS providers have taken this step.
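The BIND side of the first, third and fourth items, as an added example that is not NOC.org's or ISC's code: a constructed open-resolver options block beside a hardened one, and a small audit function that checks both. The allow-recursion directive and Response Rate Limiting are the ones named above; minimal-any (BIND 9.11+) and the regex-based parsing are assumptions of the example.

```python
"""Check a BIND options block for the amplification settings listed above.

Added example, not NOC.org's or ISC's code. allow-recursion and rate-limit come
from the article; minimal-any (BIND 9.11+) is an assumption added here. The
regex parsing is a simplification: it ignores include files and views.
"""
import re

# Constructed "before": recursion open to every source address, no RRL.
OPEN_RESOLVER_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
};
"""

# Constructed "after": recursion limited to the organization's own prefixes,
# per-client Response Rate Limiting, and ANY answered with a minimal response.
HARDENED_CONF = """
acl trusted { 10.0.0.0/8; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { trusted; };
    rate-limit { responses-per-second 10; };
    minimal-any yes;
};
"""

def audit_bind_options(conf):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if not recursion or recursion.group(1) == "yes":      # BIND recurses by default
        allow = re.search(r"\ballow-recursion\s*\{([^}]*)\}", conf)
        if allow is None:
            findings.append("allow-recursion not set: relies on version defaults, "
                            "restrict it to your client prefixes")
        elif re.search(r"\bany\b", allow.group(1)):
            findings.append("allow-recursion { any; }: open resolver, usable as an amplifier")
    if not re.search(r"\brate-limit\s*\{[^}]*\bresponses-per-second\b", conf):
        findings.append("no rate-limit block: responses toward a spoofed victim are unthrottled")
    if not re.search(r"\bminimal-any\s+yes\s*;", conf):
        findings.append("minimal-any not enabled: ANY queries return full-size answers")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_bind_options(conf) or ["OK"])
```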

Protecting Against Inbound Attacks

  • Upstream filtering: Work with your ISP or transit provider to filter DNS response traffic if your servers have no reason to receive it. This stops attack traffic before it reaches your network edge.
  • Anycast network distribution: A global CDN with anycast routing distributes attack traffic across multiple data centers, preventing any single location from being overwhelmed.
  • DDoS mitigation services: Cloud-based DDoS mitigation services can absorb volumetric attacks by routing traffic through scrubbing centers that filter out attack traffic and forward only legitimate requests.
  • ACLs at the network edge: If your servers should never receive DNS responses, configure access control lists on your edge routers to drop inbound UDP port 53 traffic.
  • Over-provisioning bandwidth: While not a solution on its own, maintaining excess bandwidth capacity provides a buffer that buys time for other mitigation measures to take effect.

DNS Amplification vs. Other Amplification Attacks

DNS is one of several protocols exploited for reflection and amplification. Understanding how they compare helps prioritize defenses:

Protocol        Amplification Factor   Port         Notes
DNS             28x – 100x             UDP/53       Most commonly exploited; millions of open resolvers
NTP (monlist)   556x                   UDP/123      Highest amplification; mostly patched
Memcached       10,000x – 51,000x      UDP/11211    Extreme amplification; internet-exposed instances declining
SSDP            30x                    UDP/1900     Exploits UPnP devices
CLDAP           56x – 70x              UDP/389      Exploits exposed Active Directory servers

Protect Your Network from Amplification Attacks

DNS amplification attacks remain one of the most common and effective DDoS techniques because open resolvers are still widespread and source address spoofing is still possible on many networks. A layered defense that combines upstream filtering, CDN-based traffic distribution, and a web application firewall provides the strongest protection against these and other DDoS attack types. View NOC.org's pricing plans to find a solution that fits your infrastructure.