DNS Amplification DDoS Attack Breakdown
A DNS Amplification DDoS attack leverages the inherent design of the DNS protocol to generate amplified traffic, exploiting public DNS resolvers with recursion enabled. The attacker sends small queries that generate disproportionately large DNS responses, overwhelming the victim’s network infrastructure.
Identifying an Open Recursive DNS Resolver
An open recursive DNS resolver responds to DNS queries from any source. Attackers use tools such as zmap or masscan to identify such servers exposed to the public internet. These servers are critical targets since they respond to recursive queries that do not originate from within their own network.
Crafting a Spoofed DNS Request
Attackers send a DNS query to the open DNS resolver, but with the source IP address spoofed to that of the victim. This is possible because DNS typically uses UDP (User Datagram Protocol), which doesn’t establish a connection, making IP spoofing easier.
Requesting Large DNS Responses
The attacker requests DNS records that result in large response sizes, which amplify the impact on the victim. Commonly abused record types include:
ANY record: This returns all available DNS records for a given domain (e.g., A, AAAA, MX, TXT, etc.), which produces a large response.
DNSSEC records: These records (such as DNSKEY and RRSIG) include additional cryptographic data, significantly increasing the size of the response.
The DNS request sent by the attacker is small, typically 60-100 bytes, while the corresponding DNS response can be several kilobytes, creating a high amplification factor.
Amplification and Response
When the DNS resolver processes the query, it sends the much larger response to the spoofed source IP (the victim’s IP). Because the query arrives over UDP, there is no handshake with which the resolver could validate the source address; it simply replies to whatever address the packet carries, so the response goes directly to the victim.
The amplification factor can vary, but in some cases, it can be as high as 100x. For example, a 60-byte query can generate a 4,000-byte response. This drastically increases the traffic directed to the victim.
Flooding the Victim with Amplified Traffic
The attacker repeats this process at scale, often using a botnet of compromised machines to send multiple queries from different sources to numerous open DNS resolvers, all spoofed with the victim’s IP address. This results in a massive flood of large DNS responses targeting the victim’s server or network.
The sheer volume of incoming data overwhelms the victim’s resources, including:
Bandwidth saturation: The victim’s network is flooded with high-volume traffic, potentially exhausting available bandwidth.
Processing overload: The victim’s DNS resolver or server may be overwhelmed by processing the large volume of incoming packets, causing it to crash or slow down.
Amplification Factor
The amplification factor is the ratio between the size of the original DNS query and the response. For example:
A 60-byte query (e.g., requesting an ANY record) could generate a 4,000-byte response, resulting in a 66:1 amplification factor.
The attacker’s goal is to exploit servers with high amplification potential to maximize traffic directed at the victim.
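As an added illustration (not part of the original breakdown), the Python below computes the amplification ratio defined above over a constructed resolver query log and flags clients outside the resolver's own networks that received high-ratio answers, the two signals this page describes: recursion open to outside sources, and large responses to small queries. The log format, the 10.0.0.0/8 internal range, the risky record types and the 10x threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log in the shape "client qname qtype query_bytes response_bytes".
# These are made-up values for illustration, not captured traffic.
SAMPLE_RECORDS = """
10.0.0.5 intranet.example.com A 62 94
10.0.0.7 mail.example.com MX 60 210
198.51.100.9 example.com ANY 64 3900
198.51.100.9 example.com ANY 64 3900
198.51.100.9 example.com ANY 64 3900
203.0.113.4 example.com DNSKEY 66 2100
10.0.0.5 www.example.com AAAA 64 120
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: the resolver's own networks
RISKY_QTYPES = {"ANY", "DNSKEY", "RRSIG", "TXT"}         # record types the page lists as abused
AMPLIFICATION_THRESHOLD = 10.0                           # assumed ratio worth alerting on

def parse_records(text):
    """Parse the constructed log format into dicts with integer sizes."""
    records = []
    for line in text.strip().splitlines():
        client, qname, qtype, qlen, rlen = line.split()
        records.append({"client": client, "qname": qname, "qtype": qtype,
                        "qlen": int(qlen), "rlen": int(rlen)})
    return records

def amplification_factor(query_bytes, response_bytes):
    """Ratio of response size to query size, as defined in the text."""
    return response_bytes / query_bytes

def is_external(client, internal_nets=INTERNAL_NETS):
    """True when the client address is outside every network the resolver should serve."""
    addr = ipaddress.ip_address(client)
    return not any(addr in net for net in internal_nets)

def analyze(records, threshold=AMPLIFICATION_THRESHOLD):
    """Per-client summary: query count, suspicious answers, max ratio, external flag."""
    summary = defaultdict(lambda: {"queries": 0, "suspicious": 0,
                                   "max_factor": 0.0, "external": False})
    for r in records:
        s = summary[r["client"]]
        factor = amplification_factor(r["qlen"], r["rlen"])
        s["queries"] += 1
        s["max_factor"] = max(s["max_factor"], factor)
        s["external"] = is_external(r["client"])
        if factor >= threshold or r["qtype"] in RISKY_QTYPES:
            s["suspicious"] += 1
    return dict(summary)

def flagged_clients(records, threshold=AMPLIFICATION_THRESHOLD):
    """External clients that received at least one high-amplification or risky-type answer."""
    return sorted(c for c, s in analyze(records, threshold).items()
                  if s["external"] and s["suspicious"] > 0)
```

Run against a real resolver's query log, a non-empty result from flagged_clients is the signal that the resolver is answering recursive, high-ratio queries for addresses it should not serve.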