
DNS Amplification: Definition, Mechanics & Mitigation

Identify how DNS amplification exploits open resolvers to launch DDoS attacks. Use mitigation techniques like rate limiting and securing resolvers.


DNS amplification is a volumetric Distributed Denial of Service (DDoS) attack that exploits open DNS servers to flood a target with massive amounts of traffic. By masquerading as the victim, an attacker sends small requests that trigger much larger responses directed at the target. This technique turns the internet’s infrastructure against itself, causing site outages and severe service disruptions.

What is DNS Amplification?

DNS amplification is a "reflection attack" that manipulates the Domain Name System (DNS), the service that translates domain names into IP addresses. Attackers use publicly accessible DNS resolvers to multiply the volume of traffic directed at a victim.

The attack relies on a mismatch in data size. A small request from the attacker produces a response many times larger. Because the attacker writes the victim's IP address into the packet as the source, the DNS server delivers that large response to the victim, which never asked for it. Repeated across many servers, this quickly saturates the victim's bandwidth and makes the site unreachable for legitimate users.

Why DNS Amplification matters

For marketers and SEO practitioners, a DNS amplification attack can be devastating. When your site goes down, you lose the ability to capture leads, process sales, and maintain search engine visibility.

  • Avoids Detection: The victim sees traffic arriving from legitimate open resolvers, not from the attacker, whose real address never appears in the packets.
  • Low Cost for Attackers: Launching these attacks requires minimal resources compared to the massive bandwidth they consume on the victim’s end.
  • Erodes Customer Trust: Constant service outages damage brand perception and long-term customer loyalty.
  • Global Congestion: These attacks consume significant internet bandwidth, which can degrade service quality for users far beyond the intended target.
  • Revenue Loss: Downtime halts online transactions and communication, leading to immediate financial impact.

How DNS Amplification works

The attack follows a specific sequence to maximize damage with minimal effort.

  1. Preparation: The attacker identifies a target's IP address and finds open DNS resolvers that allow recursive queries from any source.
  2. Spoofing: The attacker crafts a DNS request with a "spoofed" source IP address. This address is actually the IP of the intended victim.
  3. The Query: The attacker sends this small request to one or more open DNS resolvers. The query is chosen to produce the largest possible answer: an ANY query, a large TXT record, or a name in a DNSSEC-signed zone whose answer carries bulky signatures. The query also advertises a large EDNS0 UDP buffer size so the resolver does not truncate the response at the classic 512-byte limit.
  4. The Reflection: The DNS server receives the request and generates a large response. Because the source address was spoofed, it sends this data to the victim.
  5. The Amplification: The victim receives a flood of unsolicited responses. As the attacker repeats this across thousands of servers, the victim’s network becomes overwhelmed.

Types of DNS Amplification

While the basic mechanism remains the same, attackers use different protocols and methods to amplify their traffic.

UDP-Based Attacks

Most amplification attacks use the User Datagram Protocol (UDP). Because UDP has no "handshake" to establish a connection, a server answers a datagram with a forged source address without any evidence that the claimed sender exists. [Azure monitored more than 10 attack vectors over 12 months, with NTP and DNS being the most common] (Microsoft).

TCP-Based Attacks

TCP attacks are more complex because they usually require a 3-way handshake. However, attackers have found ways to [exploit middleboxes, such as firewalls, to launch volumetric TCP floods] (Microsoft). These devices may respond to spoofed packets without a completed handshake.

Carpet Bombing

In this variation, the attacker does not target a single IP address. Instead, they [attack many different destinations within a specific subnet or CIDR block] (Microsoft). This makes the attack harder to detect because the traffic is spread out, often flying below simple detection thresholds.

Best practices

Organizations can use these strategies to reduce the risk of being targeted or used as a tool in an attack.

  • Secure your DNS resolvers. Allow recursion only from your own networks (BIND's allow-recursion option or Unbound's access-control list, for example) so that outsiders cannot use the server as a reflector.
  • Implement response rate limiting (RRL). Cap the number of identical responses the server sends per second to any one client network; BIND, NSD and Knot DNS support this natively. Authoritative servers must answer the whole internet and cannot restrict sources, so RRL and minimal answers to ANY queries (RFC 8482) are what limit their value to an attacker.
  • Use BGP anycast scrubbing. Route traffic through [globally distributed scrubbing centers to filter out malicious packets] (Akamai) before they reach your infrastructure.
  • Audit traffic patterns. Regularly monitor DNS traffic to identify sudden spikes or unusual volumes coming from a single source.
  • Update networking software. Ensure all firewalls and middleboxes are patched to prevent attackers from exploiting non-compliant TCP stacks.

Common mistakes

Mistake: Leaving DNS recursion open to the entire internet. Fix: Disable recursion for any source outside of your own network range.

Mistake: Relying on simple, threshold-based alerts for detection. Fix: Use anomaly detection tools that can identify "carpet bombing" where traffic is distributed across a whole subnet.
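The "audit traffic patterns" advice above and the carpet-bombing mistake share one detection idea: a host that receives DNS responses it never asked for is being used as a reflection target, and the byte counts must be summed per subnet as well as per host. The following is an added example, not from the original page or any monitoring product; it runs over constructed flow records (time, source, source port, destination, destination port, bytes), and the 5-second query window and the alert thresholds are assumptions.

```python
"""Detection of reflected DNS traffic, including carpet bombing.

Added example, not vendor code: an inbound packet from UDP/53 counts as
unsolicited when the receiving host sent no query to that resolver
shortly before; unsolicited bytes are then summed per host and per /24
so a flood spread thinly across a subnet is still caught.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.00, "198.51.100.5", 51234, "8.8.8.8", 53, 60),     # legitimate query
    (0.02, "8.8.8.8", 53, "198.51.100.5", 51234, 120),   # its answer
]
# Reflected responses (constructed): 10 open resolvers answering queries
# nobody in 198.51.100.0/24 sent, 3 per host across 20 hosts, 3000 B each.
for host in range(1, 21):
    for j in range(3):
        reflector = f"203.0.113.{(host + j) % 10 + 1}"
        FLOWS.append((1.0 + host * 0.01 + j * 0.001, reflector, 53,
                      f"198.51.100.{host}", 40000 + host, 3000))


def unsolicited_responses(flows, query_ttl=5.0):
    """Return records that look like DNS responses (source port 53) for which
    no matching outbound query was seen within `query_ttl` seconds."""
    last_query = {}            # (client, server) -> time of most recent query
    unsolicited = []
    for rec in sorted(flows, key=lambda r: r[0]):
        t, src, sport, dst, dport, _ = rec
        if dport == 53:
            last_query[(src, dst)] = t
        elif sport == 53:
            asked = last_query.get((dst, src))
            if asked is None or t - asked > query_ttl:
                unsolicited.append(rec)
    return unsolicited


def reflection_alerts(flows, host_threshold=10_000, subnet_threshold=50_000):
    """Sum unsolicited response bytes per victim host and per /24.

    Returns (host_alerts, subnet_alerts). host_alerts maps address -> bytes;
    subnet_alerts maps prefix -> {bytes, victims, reflectors}.
    """
    per_host = defaultdict(int)
    per_subnet = defaultdict(lambda: {"bytes": 0, "victims": set(), "reflectors": set()})
    for _, src, _, dst, _, size in unsolicited_responses(flows):
        per_host[dst] += size
        net = str(ip_network(f"{dst}/24", strict=False))
        per_subnet[net]["bytes"] += size
        per_subnet[net]["victims"].add(dst)
        per_subnet[net]["reflectors"].add(src)
    host_alerts = {h: b for h, b in per_host.items() if b >= host_threshold}
    subnet_alerts = {n: s for n, s in per_subnet.items() if s["bytes"] >= subnet_threshold}
    return host_alerts, subnet_alerts


if __name__ == "__main__":
    hosts, subnets = reflection_alerts(FLOWS)
    print("per-host alerts:", hosts)        # empty: 9000 B per host is under threshold
    for net, s in subnets.items():
        print(f"{net}: {s['bytes']} B to {len(s['victims'])} hosts "
              f"from {len(s['reflectors'])} reflectors")
```

Every host in the constructed subnet receives only 9,000 bytes and stays below the per-host threshold, which is exactly why a threshold-only alert misses carpet bombing; the per-/24 sum of 180,000 bytes from ten reflectors is what fires.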

Mistake: Allowing IP source address spoofing on your own network. Fix: Implement source address validation at your border as described in BCP 38 (RFC 2827): drop any outgoing packet whose source IP is not in your own address ranges, and drop incoming packets that claim one of your own ranges as their source. [Research suggests that one-third of IPv4 autonomous systems still allow or partially allow spoofing] (Microsoft).
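The border filter that fix describes is simple enough to state exactly. The following is an added example, not router configuration from any vendor: it applies the BCP 38 rule in both directions to constructed packets, using RFC 5737 and RFC 3849 documentation addresses as the assumed site prefixes.

```python
"""BCP 38 (RFC 2827) source-address validation at a network border.

Added example, not vendor code: outbound packets must carry one of the
site's own source prefixes (no one inside can spoof a victim), and
inbound packets must not (no one outside can impersonate an inside host).
"""
from ipaddress import ip_address, ip_network

# Assumed site prefixes (documentation space, not real allocations).
OWN_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("2001:db8:1::/48")]


def is_own_source(src_ip, own_prefixes=OWN_PREFIXES):
    addr = ip_address(src_ip)
    return any(addr.version == p.version and addr in p for p in own_prefixes)


def border_verdict(direction, src_ip, own_prefixes=OWN_PREFIXES):
    """direction is 'egress' (leaving the site) or 'ingress' (entering it)."""
    own = is_own_source(src_ip, own_prefixes)
    if direction == "egress":
        return "forward" if own else "drop-spoofed-egress"
    if direction == "ingress":
        return "drop-spoofed-ingress" if own else "forward"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets, own_prefixes=OWN_PREFIXES):
    """packets: iterable of (direction, src_ip, dst_ip, dst_port).
    Returns a list of (verdict, packet) pairs in input order."""
    return [(border_verdict(d, s, own_prefixes), (d, s, dst, port))
            for d, s, dst, port in packets]


# Constructed packets: an inside host querying a public resolver; a
# compromised inside host sending a DNS query "from" the victim 192.0.2.7
# to an open resolver; an inside IPv6 host; a normal reply coming in; and
# an outside packet forging an inside source.
PACKETS = [
    ("egress", "198.51.100.20", "8.8.8.8", 53),
    ("egress", "192.0.2.7", "203.0.113.1", 53),
    ("egress", "2001:db8:1::10", "2001:4860:4860::8888", 53),
    ("ingress", "8.8.8.8", "198.51.100.20", 51234),
    ("ingress", "198.51.100.9", "198.51.100.20", 80),
]

if __name__ == "__main__":
    for verdict, pkt in apply_filter(PACKETS):
        print(f"{verdict:22} {pkt}")
```

The second packet is the one that matters for this page: it is a reflection query with the victim's address as source, and a network that applies the egress rule simply cannot originate it.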

Examples

The 67x Amplification Factor

If an attacker sends a tiny 60-byte query for a domain's records and the server responds with a 4,000-byte packet, [the amplification factor is approximately 66.7] (Imperva). This means the attacker's impact is 67 times larger than their effort. The ratio is measured on the DNS payload; once IP and UDP headers are counted on both sides, the wire-level factor is somewhat lower.
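To make the mechanics in the "How DNS Amplification works" steps and the 67x figure concrete, the following added example (not from the original page) builds the raw DNS message an attacker's query consists of, a RFC 1035 header and question plus an optional RFC 6891 EDNS0 OPT record, purely to measure it; nothing is sent anywhere. It shows why the EDNS0 UDP buffer size advertised in the query is the knob that lets a single UDP response pass the classic 512-byte limit and reach factors of 60x and more. The query name and transaction ID are arbitrary, and the header sizes assume IPv4.

```python
"""What a DNS amplification query looks like on the wire, and the factor
it can reach. Added example; builds but never sends a packet."""
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
IP_UDP_HEADERS = 20 + 8      # IPv4 + UDP headers carried by every datagram


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype="ANY", edns_bufsize=None, txid=0x1234):
    """Return the bytes of a recursive query. edns_bufsize adds an OPT RR
    advertising that UDP payload size (None = no EDNS0, 512-byte limit)."""
    arcount = 1 if edns_bufsize else 0
    # ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack(">HH", QTYPE[qtype], 1)   # class IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return msg


def amplification_factor(request_bytes, response_bytes):
    return round(response_bytes / request_bytes, 1)


def max_udp_factor(qname, qtype="ANY", edns_bufsize=None):
    """Upper bound on the wire-level factor of one UDP exchange: the largest
    response the query permits over the query itself, headers included."""
    query_len = len(build_query(qname, qtype, edns_bufsize)) + IP_UDP_HEADERS
    max_response = (edns_bufsize or 512) + IP_UDP_HEADERS
    return amplification_factor(query_len, max_response)


if __name__ == "__main__":
    plain = len(build_query("example.com", "ANY"))
    edns = len(build_query("example.com", "ANY", 4096))
    print(f"{plain}-byte query without EDNS0, {edns} bytes with a 4096-byte buffer")
    print("page example, 60 B -> 4000 B:", amplification_factor(60, 4000), "x")
    for buf in (None, 1232, 4096):
        print(f"EDNS0 buffer {buf}: at most {max_udp_factor('example.com', 'ANY', buf)}x")
```

The 29-byte query cannot draw more than about 9.5x without EDNS0; advertising a 4096-byte buffer lifts the ceiling above 60x with only 11 more bytes. This is why resolvers that cap the buffer they honour (1232 bytes became common after the 2020 DNS flag day) and servers that refuse or minimize ANY answers both shrink an attacker's yield.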

Specialized Protocol Factors

Certain protocols offer even higher yields. For example, [Memcached protocols can achieve an amplification factor of up to x9,000] (Microsoft), while NTP protocols can reach x4,670.

High-Volume SSDP Flood

In one specific case, a [short attack campaign lasting only 20 minutes reached a throughput of 58 million packets per second] (Microsoft) using an SSDP flood.

FAQ

What is the "amplification factor"? The amplification factor is the ratio of the response size to the request size. A higher factor means the attacker can generate more traffic with less effort. For instance, a 100x factor means 1 GB of attacker traffic becomes 100 GB of traffic hitting the victim.

Why is UDP used more than TCP for these attacks? UDP is used because it does not require a "handshaking" process. An attacker can send a packet with a false return address, and the server will send the reply to that address without checking whether the requester is actually there. TCP requires the three-way handshake to complete before any data is exchanged; a spoofed source never sees the server's SYN-ACK and so cannot finish it, which makes spoofing much harder.

Are all DNS servers vulnerable? Any DNS server that answers queries over UDP can in principle be used as a reflector. Open resolvers are the easiest to abuse because they answer recursive queries from anyone, for any name. Authoritative servers must answer the whole internet for their own zones and cannot restrict sources, so they rely on response rate limiting and minimal answers to ANY queries to limit their usefulness to an attacker. Resolvers that only answer requests from their own networks cannot be easily exploited.

How many open resolvers are active? It is estimated that [millions of open resolvers exist worldwide] (Imperva). Attackers constantly scan the internet to find and add these to their attack networks.

Can a DNS amplification attack crash my server? Yes. The sheer volume of traffic can overwhelm your network's bandwidth or consume all the processing resources of your servers, leading to a complete shutdown of online services.
