
DNS Amplification Attacks: What You Need to Know

By Gurdev Sethi | May 31, 2016


Understanding DNS Requests

The domain name system (DNS) translates memorable website names into IP addresses. When someone types a website address into a browser, the ISP “looks up” that address to find the corresponding IP address and directs the user to that site. A DNS server can also query other DNS servers on behalf of the requesting client and then send the answer back to the client – this is known as recursion.

Anatomy of a DNS Amplification Attack

DNS amplification attacks combine amplification (using techniques to increase the size of packets being sent to the victim network) with reflection (using a third party as an intermediary in the attack).

How the Attack Works

DNS amplification attacks are similar to Smurf and Fraggle attacks: the query is sent from a spoofed IP address over a protocol (such as ICMP or UDP) that doesn’t require a three-way handshake, and the response to the query is larger than the query itself.

DNS amplification attacks (also sometimes called DNS reflection attacks) take advantage of publicly accessible open DNS servers to overwhelm a victim’s system with DNS response traffic. The attacker sends a large number of look-up requests via a botnet to a vulnerable DNS server using the spoofed IP address of the target victim. The victim’s network is then bombarded with unrequested DNS query responses, which consumes network resources and CPU time on the target machines.

Spoofing is Easy

DNS relies on the UDP protocol, which means there’s no verification that the source IP address is, in fact, the sender/requestor.

The Amplification Potential is Huge

Attackers use a variety of amplification techniques to inflate the size of the UDP packets to make the attack big enough to bring down even the most robust infrastructures.

EDNS0 – Per the original DNS protocol, a 64-byte DNS query would return a UDP response no larger than 512 bytes, a potential increase of 8X. EDNS0 is a protocol extension that permits the transfer of packets larger than 512 bytes, up to 4096 bytes, increasing the potential potency of an attack by enabling perpetrators to achieve a 50X to 60X increase in traffic volume without requiring a proportional increase in bandwidth or requesting systems on their end.

ANY query – Additionally, perpetrators can use the ANY query which returns all known information about a DNS zone within a single request, thus maximizing the size of the responses sent to the victim.

What makes a DNS server vulnerable?

Many organizations running DNS servers leave them open and willing to respond to any IP address that queries them, and DNS amplification attacks take advantage of DNS servers that support open recursive relay. There are plenty of tools available that help hackers identify DNS servers with open resolvers, and there are millions of them on the internet at any given time. It’s important to note that these servers aren’t compromised; they are functioning as intended, but attackers are exploiting this functionality for malicious purposes.

It Can Be Outsourced

The DDoS amplification technique has been linked to DDoS-for-hire services, which means that perpetrators don’t need the requisite knowledge or resources to be able to attack a victim.

The Size of the Problem

Despite the fact that this approach has been around for a long time, the number of DNS amplification attacks is increasing. It has been reported that there was a 200% increase in DNS amplification attacks between 2012 and early 2015.

DNS amplification attacks can be very large (measured in gigabits per second, or Gbps), big enough to cripple even a large hosting organization.

According to Akamai’s Security Bulletin: DNSSEC Amplification DDoS, there are a number of industries that are particularly vulnerable to DNS amplification attacks. Gaming is the biggest, accounting for over half (52%) of attacks. Financial services, media, high tech/consulting, and SaaS enablement companies also feel the heat. In fact, one of the larger DNS amplification attacks that Akamai mitigated was a financial services organization that was pummeled at peak with 45 Gbps bandwidth and 5.2 million packets per second.

Detection and Prevention/Mitigation

It’s hard to protect against this kind of attack as it comes from valid-looking servers with valid-looking traffic. For reflectors, there’s no way of knowing that the request is spoofed, and for victims, the traffic they are receiving is “legitimate” – it’s the original requests that initiated that traffic that were malicious.

For Reflectors

Organizations that operate DNS servers have a responsibility to be good corporate citizens and prevent the use of those servers as intermediaries in an attack.

  • Restrict recursive servers to your enterprise or customer IP ranges, or run split DNS.
  • Use rate limiting to limit the response rates by source and destination IP address to restrict the number of requests that can be accepted in a given time period.
  • Prevent support of large (greater than 512 bytes) UDP packets in a response. This will restrict the amplification potential, but DNSSEC – which improves DNS security – requires EDNS0 support, so this option may not be feasible in the long run.
  • Implement egress filtering on edge devices to prevent spoofed packets from leaving your network. While this can help keep amplified responses from reaching the ultimate victim, it won’t prevent those responses from being generated and consuming your own network resources.
  • Use network flow analysis tools to detect DDoS behavior patterns using network flow data – NetFlow, Jflow, sFlow, Cflow and IPFIX – which contains valuable information about traffic traversing the network, such as IP addresses, port and protocol, exporting device, timestamps, VLAN and TCP flags, etc. Solutions that analyze this data can quickly detect and alert you on a high volume of incoming DNS requests – and immediately trigger mitigation.

For Victims

Victims of DNS amplification attacks will be overwhelmed by traffic from legitimate DNS servers. You need to be able to identify when a large number of DNS responses that you didn’t ask for are coming into the network. Keeping track of requests and responses can be difficult, but network flow analysis tools can help here as well to quickly – within seconds – detect a high volume of incoming DNS responses and immediately trigger mitigation.
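The two flow-based checks described above (the reflector-side rate check in the bullet list and the victim-side detection of unsolicited responses in this section) can be illustrated on a handful of flow records. The following is an added example written for this article; it is not FlowTraq code and does not use the FlowTraq product. It works on simplified flow records with the fields a NetFlow/IPFIX exporter carries (addresses, ports, protocol, packet and byte counts, timestamp); the `Flow` type, the function names, the thresholds (`max_qps`, `window_s`) and the sample flows are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

DNS_PORT = 53
UDP = 17


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed; mirrors NetFlow/IPFIX fields)."""
    ts: float       # flow start, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    byts: int


def is_dns_query(f, server_ip=None):
    return f.proto == UDP and f.dport == DNS_PORT and (server_ip is None or f.dst == server_ip)


def is_dns_response(f, server_ip=None):
    return f.proto == UDP and f.sport == DNS_PORT and (server_ip is None or f.src == server_ip)


def reflector_offenders(flows, resolver_ip, window_s=1.0, max_qps=20):
    """Reflector-side check: per client, queries per second toward our resolver and
    the response/query byte ratio (amplification). Returns {client: (peak_qps, amp)}
    for clients above max_qps. A spoofed victim shows up here as a 'client' that
    never sees its answers, so a rate limit keyed on this would throttle it."""
    qcount = defaultdict(int)   # (client, time bucket) -> query packets
    qbytes = defaultdict(int)   # client -> query bytes
    rbytes = defaultdict(int)   # client -> response bytes
    for f in flows:
        if is_dns_query(f, resolver_ip):
            qcount[(f.src, int(f.ts // window_s))] += f.packets
            qbytes[f.src] += f.byts
        elif is_dns_response(f, resolver_ip):
            rbytes[f.dst] += f.byts
    offenders = {}
    for (client, _bucket), n in qcount.items():
        qps = n / window_s
        if qps > max_qps:
            amp = rbytes[client] / qbytes[client] if qbytes[client] else 0.0
            peak = max(qps, offenders.get(client, (0.0, 0.0))[0])
            offenders[client] = (peak, round(amp, 1))
    return offenders


def unsolicited_dns_responses(flows, internal_prefixes, window_s=5.0):
    """Victim-side check: inbound UDP/53 responses to an internal host for which that
    host sent no query to the same server in the preceding window.
    Returns {server_ip: (packets, bytes)} summed over the unsolicited flows."""
    def internal(ip):
        return any(ip.startswith(p) for p in internal_prefixes)

    sent = defaultdict(list)    # (host, server) -> timestamps of outbound queries
    for f in flows:
        if is_dns_query(f) and internal(f.src):
            sent[(f.src, f.dst)].append(f.ts)
    unsolicited = defaultdict(lambda: [0, 0])
    for f in flows:
        if is_dns_response(f) and internal(f.dst):
            if any(f.ts - window_s <= t <= f.ts for t in sent.get((f.dst, f.src), [])):
                continue    # matching outbound query exists: a legitimate answer
            unsolicited[f.src][0] += f.packets
            unsolicited[f.src][1] += f.byts
    return {srv: tuple(v) for srv, v in unsolicited.items()}


# Constructed sample flows (not captured data). Reflector view: our open resolver
# 203.0.113.10 receives a burst of 64-byte queries "from" 198.51.100.5 (the spoofed
# victim) answered with 3200-byte responses, plus a few queries from a real client.
REFLECTOR_FLOWS = [
    Flow(100.0, "198.51.100.5", "203.0.113.10", 40000, 53, UDP, 500, 500 * 64),
    Flow(100.0, "203.0.113.10", "198.51.100.5", 53, 40000, UDP, 500, 500 * 3200),
    Flow(100.2, "192.0.2.7", "203.0.113.10", 51234, 53, UDP, 3, 3 * 70),
    Flow(100.2, "203.0.113.10", "192.0.2.7", 53, 51234, UDP, 3, 3 * 210),
]

# Victim view: internal host 10.0.0.5 asks its own resolver 192.0.2.53 one question
# and gets one answer, then is flooded by answers from two resolvers it never queried.
VICTIM_FLOWS = [
    Flow(200.0, "10.0.0.5", "192.0.2.53", 43210, 53, UDP, 1, 70),
    Flow(200.1, "192.0.2.53", "10.0.0.5", 53, 43210, UDP, 1, 180),
    Flow(200.5, "203.0.113.10", "10.0.0.5", 53, 40000, UDP, 500, 500 * 3200),
    Flow(200.6, "203.0.113.11", "10.0.0.5", 53, 40000, UDP, 800, 800 * 3000),
]

if __name__ == "__main__":
    print("reflector offenders:", reflector_offenders(REFLECTOR_FLOWS, "203.0.113.10"))
    print("unsolicited responses:", unsolicited_dns_responses(VICTIM_FLOWS, ("10.0.0.",)))
```

On the reflector side the spoofed victim stands out on both axes: hundreds of queries per second and a 50:1 byte ratio between answers and questions, which is exactly the EDNS0-sized amplification discussed earlier. On the victim side, matching inbound responses against the host's own outbound queries is what separates the flood from the one legitimate answer; in production the lookback window should be kept short so the table of outbound queries stays small.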

Protect yourself against DNS amplification and other DDoS attacks – along with a range of other security threats – with FlowTraq.

FlowTraq monitors network flow traffic in real time and immediately detects deviations that indicate DDoS attacks, network reconnaissance, and other unwanted behavior on the network so you can act fast. FlowTraq detects a large range of DDoS attacks, including DNS amplification attacks, within seconds and can automatically trigger mitigations to leading DDoS scrubbers (including A10 TPS, Verisign and others) or black hole routes. In addition to helping you defend against DDoS attacks, FlowTraq can detect a wide range of other undesirable behavior in the network, including scanning, data exfiltration, insider threats, and more.

Try FlowTraq for yourself free for 14 days or schedule a demo today.