DNS Amplification Attack
What is DNS Amplification Attack?
DNS Amplification AttackA reflection DDoS attack that abuses open DNS resolvers by sending small queries with the victim's spoofed IP, causing resolvers to send large DNS responses to the victim.
In a DNS amplification attack, the adversary sends UDP DNS queries (typically ANY, TXT, or DNSSEC record queries that produce large responses) to many open or misconfigured recursive resolvers, with the source IP forged as the victim's. The resolvers send the much larger DNS replies back to the victim, multiplying the attacker's bandwidth by factors that often exceed 50×. The aggregated traffic can saturate the victim's link or upstream provider. Mitigations include closing or restricting open resolvers, applying response-rate limiting (RRL), enforcing source-address validation at network edges (BCP 38), using anycast DNS and DDoS scrubbing, and avoiding overly large EDNS or DNSSEC responses where possible.
● Examples
- 01
An attacker sends ANY queries to thousands of open resolvers; each tiny query yields several-kilobyte responses to the victim.
- 02
Mirai-derived botnets abuse residential CPE devices acting as open recursors to launch multi-hundred-gigabit DNS amp floods.
● Frequently asked questions
What is DNS Amplification Attack?
A reflection DDoS attack that abuses open DNS resolvers by sending small queries with the victim's spoofed IP, causing resolvers to send large DNS responses to the victim. It belongs to the Attacks & Threats category of cybersecurity.
What does DNS Amplification Attack mean?
A reflection DDoS attack that abuses open DNS resolvers by sending small queries with the victim's spoofed IP, causing resolvers to send large DNS responses to the victim.
How do you defend against DNS Amplification Attack?
Defences for DNS Amplification Attack typically combine technical controls and operational practices, as detailed in the full definition above.