What is a DNS Amplification attack? How does it work?


DNS Amplification is a reflection-based distributed denial of service attack.

The attacker spoofs look-up requests to domain name system (DNS) servers to hide the source of the exploit and direct the response to the target. Through various techniques, the attacker turns a small DNS query into a much larger payload directed at the target network.

The attacker sends a DNS look-up request using the spoofed IP address of the target to vulnerable DNS servers. Most commonly, these are open recursive resolvers, i.e. DNS servers that answer recursive queries from any source. The original request is often relayed through a botnet for a larger base of attack and further concealment. The DNS request is sent using the EDNS0 extension to the DNS protocol, which allows large DNS messages. It may also use the DNS security extension (DNSSEC) cryptographic feature to add to the size of the message.

What is a reflection-based attack?

In computer security, a reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side.

DNS Amplification Attacks are a way for an attacker to magnify the amount of bandwidth they can target at a potential victim. Imagine you are an attacker and you control a botnet capable of sending out 100Mbps of traffic. While that may be sufficient to knock some sites offline, it is a relatively trivial amount of traffic in the world of DDoS. In order to increase your attack’s volume, you could try and add more compromised machines to your botnet. That is becoming increasingly difficult. Alternatively, you could find a way to amplify your 100Mbps into something much bigger.


Unfortunately, due to the massive traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack. However, it is possible to reduce the number of servers that can be used by attackers to generate the traffic volumes.

While the only effective means of eliminating the use of recursive resolvers in this type of attack is to eliminate unsecured recursive resolvers, this requires an extensive effort by various parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack [1]. However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole. Where possible, configuration links have been provided to assist administrators with making the recommended changes. The configuration information has been limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers on federal networks. If you are running a different DNS server, please consult your vendor’s documentation for configuration details.
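As an added example that is not part of the original article, the following Python script shows how a resolver operator can spot abuse of their own server as a reflector: it groups query/response byte counts by claimed source address and flags sources whose aggregate response-to-query ratio (the amplification factor the attacker is exploiting) is high. The flow records are constructed sample data, and the thresholds are assumptions to be tuned per deployment.

```python
# Added example (not from the original article): detect whether a recursive
# resolver is being used as a DNS amplification reflector, using constructed
# per-query flow summaries rather than live traffic.
from collections import defaultdict

# Constructed sample records: (src_ip, qtype, edns0_bufsize, query_bytes, response_bytes)
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_FLOWS = [
    ("203.0.113.7", "ANY", 4096, 64, 3200),   # large EDNS0 answers to one "source"
    ("203.0.113.7", "ANY", 4096, 64, 3150),
    ("203.0.113.7", "ANY", 4096, 64, 3300),
    ("203.0.113.7", "ANY", 4096, 64, 3220),
    ("198.51.100.20", "A", 512, 45, 61),      # ordinary client lookups
    ("198.51.100.20", "AAAA", 512, 45, 73),
    ("198.51.100.21", "MX", 4096, 50, 140),
]


def amplification_factor(query_bytes, response_bytes):
    """Response size divided by query size: the amplification the attacker gains."""
    return response_bytes / query_bytes


def reflector_suspects(flows, min_ratio=10.0, min_queries=3):
    """Group flows by claimed source IP and return {ip: ratio} for sources whose
    aggregate response/query byte ratio meets min_ratio over at least
    min_queries queries. Because the source address of an amplification query
    is spoofed, a flagged IP is the victim being targeted through this
    resolver, not the attacker, so the right response is to restrict
    recursion or rate-limit responses, not to "block the attacker"."""
    qbytes, rbytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _qtype, _edns, q, r in flows:
        qbytes[src] += q
        rbytes[src] += r
        count[src] += 1
    suspects = {}
    for src in qbytes:
        ratio = amplification_factor(qbytes[src], rbytes[src])
        if count[src] >= min_queries and ratio >= min_ratio:
            suspects[src] = round(ratio, 1)
    return suspects


if __name__ == "__main__":
    for ip, ratio in reflector_suspects(SAMPLE_FLOWS).items():
        print(f"{ip}: responses are {ratio}x the size of the queries; likely reflection target")
```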

If you found our article useful, please leave feedback in the comments!

