What is a DNS Amplification Attack?
  • 05 Oct 2018
  • 2 Minutes to read
  • Contributors
  • PDF

What is a DNS Amplification Attack?

  • PDF

Article summary

A DNS Amplification Attack is a Distributed Denial of Service (DDOS) tactic that belongs to the class of reflection attacks -- attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin of the attack is concealed from the victim.

Additionally, it combines reflection with amplification: that is, the byte count of traffic received by the victim is substantially greater than the byte count of traffic sent by the attacker, in practice amplifying or multiplying the sending power of the attacker.

To achieve amplification and reflection, a DNS Amplification Attack takes advantage of several characteristics of basic DNS protocols:

  • The UDP transport used by basic DNS queries is ideal for reflection because it is substantially easier for an attacker to spoof their source address with UDP than it would be with a solely TCP-based protocol.
  • Although ISC advises against the practice of operating an unrestricted or "open" recursive resolver, there are nevertheless a high number of open resolvers on the internet that can be used by an attacker to reflect traffic.
  • The fact that a DNS reply may be many times larger than a DNS query allows the attacker to achieve amplification by spoofing a relatively small query that is known to generate a large answer in response.

To perform a DNS Amplification Attack, an attacker begins by identifying a large set of resolvers which can be used as reflectors.  Then, from one or more machines (usually a large number, typically part of a geographically distributed network of compromised machines such as a botnet) the attacker causes UDP DNS queries with to be sent to the reflecting resolvers, with the source IP addresses for the queries set to the address of the target (victim.)  The reflecting servers process the recursive query and send the response to the IP address from which they believe the queries originated.  Because of the spoofed origin, the replies are actually sent to the target.

From the point of view of the target, the effect is that of a bombardment of unrequested DNS query responses from a huge multitude of nameservers (any or all of the machines in the set of reflectors chosen by the attacker.)  None of the traffic reaching the target is generated directly by the attacker's machine or machines, making it difficult for the target to trace the source, and the multitude of reflectors makes it difficult to block them individually.  The unrequested DNS responses are discarded if/when they reach the target machine, but by the time they have done so they have consumed network resources and a small portion of CPU time on the target machine.  With a large set of resolvers to reflect off of and substantial sending bandwidth from multiple sources, an attacker can easily mount a very difficult to counteract attack against an unhardened target.

Example:

In March 2013, The Spamhaus Project was targeted by a massive DDOS launched in retaliation for their decision to list European ISP CyberBunker as a source of spam. The event generated international news headlines due to the previously unprecedented size and scope of the DDOS. DNS Amplification was cited by sources as the primary tactic exploited by the attackers.