A DNS amplification attack is a form of Distributed Denial of Service (DDoS) attack that abuses publicly accessible DNS servers. The attacker takes advantage of the fact that DNS responses are larger than the corresponding requests to amplify the effects of their attack and send more data to the intended target.
DNS amplification attacks work by using IP spoofing so that far more data reaches the target than the attacker sends. The malicious actor sends a request to a legitimate service, such as a DNS server, with the source IP address spoofed to that of the victim.
The service sends its response to that spoofed address. Because amplification attacks use protocols whose responses are larger than the corresponding requests, the attacker consumes more of the target's bandwidth than they spend generating the attack traffic.
DNS amplification attacks take advantage of open DNS resolvers to improve the effectiveness of a DDoS attack. DNS is a popular choice for amplification attacks for a few reasons, including:
| Factor | Description | Advantage for Attacker |
|---|---|---|
| UDP Usage | DNS usually runs over UDP, which has no handshake to verify the source address. | Easier IP spoofing. |
| Trusted Protocol | DNS is a fundamental internet protocol and is usually allowed through firewalls. | Bypasses firewall filtering based on protocol type. |
| Larger Responses | A DNS response carries all of the requested records, so it is usually far larger than the request. | Amplifies the volume of data sent to the target. |
| Configurable Responses | Attackers can create large DNS records for even greater amplification. | Maximizes the attack's impact. |
| Legitimate Requests | Attacks can use legitimate domains, so filtering on domain names is ineffective. | Hard to distinguish from genuine traffic. |
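The two factors that matter most to a defender, the request/response size asymmetry and the fact that the victim receives answers to questions it never asked, can both be shown in a few lines. The following is an added example written for this page, not code from the original article or from Check Point: it builds a small ANY query and a TXT-heavy response in DNS wire format to measure the amplification factor, then runs a simple detector over constructed flow records that flags DNS responses arriving for queries the protected network never sent. All addresses (192.0.2.x, 198.51.100.53, 203.0.113.x), names, ports and byte counts are constructed sample data.

```python
"""Victim-side view of a DNS amplification attack.

Added example; not part of the original article and not Check Point code.
Builds two DNS messages in wire format to show the size asymmetry, then
flags unsolicited DNS responses in constructed flow records, the telltale
sign that a network's address is being used as the spoofed source.
"""
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length byte + label, NUL-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header + one question. qtype 255 is ANY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name: str, txt_records, txid: int = 0x1234) -> bytes:
    """Answer to the ANY query above carrying one TXT record per string."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 255, 1)
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode("ascii")  # TXT <len><chars>, max 255 chars
        # 0xC00C = compression pointer to the question name at offset 12,
        # followed by TYPE TXT(16), CLASS IN(1), TTL and RDLENGTH.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return msg


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the resolver sends to the victim per byte the attacker sent."""
    return len(response) / len(query)


# Constructed flow records as a border sensor might export them:
# (direction, src_ip, src_port, dst_ip, dst_port, dns_txid, qr, bytes)
# "out" leaves the protected 192.0.2.0/24 network; qr 1 marks a response.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", 51000, "198.51.100.53", 53, 0x1234, 0, 30),
    ("in", "198.51.100.53", 53, "192.0.2.10", 51000, 0x1234, 1, 2160),  # matches a query
    ("in", "203.0.113.7", 53, "192.0.2.10", 40000, 0x0001, 1, 2160),    # never asked
    ("in", "203.0.113.7", 53, "192.0.2.10", 40001, 0x0002, 1, 2160),    # never asked
    ("in", "203.0.113.9", 53, "192.0.2.10", 40002, 0x0003, 1, 3100),    # never asked
]


def find_unsolicited_responses(flows):
    """Map each resolver IP to the bytes it delivered in responses that match no
    outbound query (same resolver, client, client port and transaction ID)."""
    sent = set()
    for direction, src, sport, dst, dport, txid, qr, _size in flows:
        if direction == "out" and dport == 53 and qr == 0:
            sent.add((dst, src, sport, txid))
    suspect = defaultdict(int)
    for direction, src, sport, dst, dport, txid, qr, size in flows:
        if direction == "in" and sport == 53 and qr == 1 and (src, dst, dport, txid) not in sent:
            suspect[src] += size
    return dict(suspect)


if __name__ == "__main__":
    q = build_query("example.test")
    r = build_response("example.test", ["A" * 200] * 10)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    print("unsolicited response bytes by resolver:", find_unsolicited_responses(SAMPLE_FLOWS))
```

With ten 200-character TXT records the 30-byte query draws a 2160-byte answer, a 72x factor, which is why the "Larger Responses" and "Configurable Responses" rows matter. The detector keys on the (resolver, client, port, transaction ID) tuple: a real stub resolver only ever sees responses that match a query it sent, so a stream of non-matching responses on UDP/53 is a strong signal that the network is the target of a reflection attack, and the per-resolver byte totals tell the operator which open resolvers to block or report.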
DNS amplification attacks are an example of a volumetric DDoS attack. The goal of these attacks is to flood the target with enough spam traffic to consume all of its network bandwidth or some other scarce resource (computational power, etc.).
By using DNS for amplification, an attacker can overwhelm a target while using a fraction of the resources consumed by their attack. Often, DDoS attacks are designed to knock a target service offline. If the attacker uses all of the available resources, then none are available for legitimate users, rendering the service unusable.
However, smaller-scale attacks can also have negative effects on their targets.
Even if a service isn’t knocked completely offline, degraded performance can have a negative effect on its customers. Additionally, all of the resources consumed by the attack cost the target money while bringing no profit to the business.
Here is the mitigation strategy against these DNS attacks:
These measures are designed to protect the target of these types of attacks.
The overall threat can also be managed by controlling access to DNS resolvers to prevent them from being used in these attacks.
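Controlling who a resolver will answer, and how fast, is the resolver operator's side of this problem. The following is an added example written for this page, not the code of any DNS server and not Check Point code: it models in plain Python two controls that operators configure in practice, answering recursive queries only for clients inside the networks the resolver serves (the effect of BIND's `allow-recursion` or Unbound's `access-control`), and per-client-network response rate limiting in the spirit of DNS Response Rate Limiting, where excess answers are dropped or replaced by a tiny truncated reply that pushes genuine clients to retry over TCP. The network ranges, client addresses, limits and timestamps are constructed.

```python
"""Resolver-side controls that keep a DNS server out of amplification attacks.

Added example; not part of the original article and not any DNS server's
code. Models (1) recursion restricted to served networks and (2) per-client
response rate limiting with a fixed one-second window and a "slip" that
sends every slip-th excess response as a truncated (TC=1) reply.
"""
import ipaddress

# Networks this resolver is meant to recurse for (constructed).
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]


def recursion_allowed(client_ip: str, allowed=ALLOWED_RECURSION) -> bool:
    """True when the client lies inside a served network; everyone else is refused."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed)


def client_block(client_ip: str):
    """Rate-limit per /24 (IPv4) or /56 (IPv6) so a spoofer cannot dodge the
    limit by rotating source addresses inside one victim network."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 56
    return ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)


class ResponseRateLimiter:
    """Fixed one-second window per client block. Up to `responses_per_second`
    answers go out normally; of the excess, every `slip`-th response is sent
    truncated (a tiny TC=1 packet, no amplification) and the rest are dropped."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.limit = responses_per_second
        self.slip = slip
        self._counts = {}  # (client block, whole second) -> responses so far

    def decide(self, client_ip: str, now: float) -> str:
        key = (client_block(client_ip), int(now))
        n = self._counts.get(key, 0) + 1
        self._counts[key] = n
        if n <= self.limit:
            return "answer"
        excess = n - self.limit
        return "truncate" if excess % self.slip == 0 else "drop"


def handle_query(client_ip: str, wants_recursion: bool,
                 limiter: ResponseRateLimiter, now: float) -> str:
    """Policy for one incoming query: refuse recursion for outsiders, then
    apply rate limiting to whatever response would otherwise be sent."""
    if wants_recursion and not recursion_allowed(client_ip):
        return "refused"  # small REFUSED reply carries no amplification payload
    return limiter.decide(client_ip, now)


def simulate_burst(limiter, client_ip, count, wants_recursion=False, now=100.0):
    """Decisions for `count` queries from one client arriving within one second."""
    return [handle_query(client_ip, wants_recursion, limiter, now) for _ in range(count)]


if __name__ == "__main__":
    limiter = ResponseRateLimiter(responses_per_second=5, slip=2)
    print("outsider asking for recursion:",
          handle_query("203.0.113.7", True, limiter, 100.0))
    print("burst of 8 non-recursive queries from one outside /24:",
          simulate_burst(limiter, "203.0.113.7", 8))
```

Two details are worth noting. First, the rate limit is keyed on the client network rather than the single address and on the second in which the query arrived, so a flood of spoofed queries "from" a victim network collapses to a handful of full answers per second regardless of how many source addresses the attacker cycles through. Second, the slipped truncated reply is what keeps the control safe for real users: a genuine client that happens to be inside a rate-limited block still receives a TC=1 response and retries over TCP, which cannot be spoofed, while the attacker gets nothing worth reflecting.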
By taking advantage of the amplification effect provided by DNS, an attacker can launch a much larger attack than they could directly. However, DNS isn’t the only DDoS amplification option available, nor is it even the one with the greatest amplification factor.
Protecting against DNS amplification and other DDoS attacks requires a DDoS mitigation solution that can separate attack traffic from legitimate traffic before it reaches the target server.
Check Point Quantum DDoS Protector offers real-time attack detection and prevention for DDoS attacks up to 800 Gbps, providing robust protection against the DDoS threat. For more information about Quantum DDoS Protector and its capabilities, check out this datasheet.