A Domain Name System (DNS) amplification attack is a popular form of
Distributed Denial of Service (DDoS) in which attackers use publicly
accessible open DNS servers to flood a target system with DNS response traffic.
The primary technique consists of an attacker sending a DNS name lookup request
to an open DNS server with the source address spoofed to be the target's
address. Because DNS over UDP involves no handshake, the server has no way to
verify the source address, and when it sends the DNS record response, the
response goes to the target instead of the attacker. Attackers will typically
submit a request for as much information as possible to maximize the
amplification effect. In most attacks of this type observed by US-CERT, the
spoofed queries sent by the attacker are of type "ANY", which asks for every
record type the server holds for a name in a single request. Because the size
of the response is considerably larger than the request, the attacker is able
to multiply the amount of traffic directed at the victim. By leveraging a
botnet to produce a large number of spoofed DNS queries, an attacker can
create an immense amount of traffic with little effort. Additionally, because
the responses are legitimate data coming from valid servers, it is extremely
difficult to filter these attacks at the victim. While the attacks are
difficult to stop, network operators can apply several possible mitigation
strategies.
While the most common form of this attack that US-CERT has observed
involves DNS servers configured to allow unrestricted recursive resolution for
any client on the Internet, attacks can also involve authoritative name servers
that do not provide recursive resolution. The attack method is the same as
against open recursive resolvers, but it is more difficult to mitigate: an
authoritative server must answer queries from the whole Internet for the zones
it serves, so even a server configured with best practices can still be used in
an attack. In the case of authoritative servers, mitigation should focus on
Response Rate Limiting (RRL), which caps how many identical responses the
server will send to a given client address range per second, so that a flood
of spoofed queries for the same name yields only a trickle of responses to the
victim.
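The following is an added example, not code from the US-CERT alert. It builds a DNS query and a constructed oversized ANY response in RFC 1035 wire format, parses them to show the fields a detector would key on (response bit, QTYPE, size), computes the amplification factor, and then applies a simplified response rate limiter of the kind the paragraph above recommends for authoritative servers. The record contents, client addresses and the token-bucket RRL are all illustrative assumptions; real RRL implementations (such as BIND's) key responses more finely and can send truncated replies instead of dropping.

```python
"""Added example: DNS amplification mechanics and a toy response rate limiter.
Not part of the US-CERT alert; all sample data is constructed."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_AAAA, QTYPE_RRSIG, QTYPE_ANY = 1, 16, 28, 46, 255


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, RD bit set: what an attacker sends with a spoofed source."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, records):
    """Answer `query` with the given (type, rdata) records, echoing the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180, 1, len(records), 0, 0)
    answers = b""
    for rtype, rdata in records:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answers


def sample_any_response(query):
    """Constructed sample of the oversized answer an ANY query elicits for a name
    with several record types; RRSIG bytes are a placeholder for a real signature."""
    txt = b"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    return build_response(query, [
        (QTYPE_A, bytes([192, 0, 2, 1])),
        (QTYPE_A, bytes([192, 0, 2, 2])),
        (QTYPE_AAAA, bytes(16)),
        (QTYPE_TXT, bytes([len(txt)]) + txt),
        (QTYPE_RRSIG, bytes(400)),
    ])


def parse_dns(msg):
    """Parse the header and first question of a DNS message into detection fields."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    labels, off = [], 12
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compressed name in question section not supported")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels) + ".", "qtype": qtype,
            "ancount": ancount, "size": len(msg)}


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker spent on the query."""
    return len(response) / len(query)


def is_amplification_candidate(msg, min_size=512):
    """Heuristic for outbound traffic on a resolver or inbound traffic at a victim:
    a large response to an ANY query is the signature this alert describes."""
    p = parse_dns(msg)
    return p["is_response"] and p["qtype"] == QTYPE_ANY and p["size"] >= min_size


class ResponseRateLimiter:
    """Simplified RRL: a token bucket per (client /24, qname, qtype). Identical
    responses to the same client range are capped at `responses_per_second`,
    with a burst of one second's worth. `now` is a float timestamp in seconds."""

    def __init__(self, responses_per_second):
        self.rate = float(responses_per_second)
        self.buckets = {}  # key -> (tokens, last_update)

    @staticmethod
    def _key(client_ip, qname, qtype):
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, qname.lower(), qtype)

    def allow(self, client_ip, qname, qtype, now):
        key = self._key(client_ip, qname, qtype)
        tokens, last = self.buckets.get(key, (self.rate, now))
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    r = sample_any_response(q)
    print(len(q), "byte query ->", len(r), "byte response, factor %.1f"
          % amplification_factor(q, r))
```

In the sample, a 29-byte ANY query produces a 560-byte response, a factor of roughly 19; real zones with DNSSEC signatures and many records reach higher. With the limiter set to 5 responses per second, a flood of spoofed queries for `example.com. ANY` from the victim's /24 gets five responses in the first second and one per 200 ms thereafter, regardless of how many queries arrive, while clients in other ranges are unaffected.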