DNS Amplification DDoS Attack Breakdown

A DNS Amplification DDoS attack leverages the inherent design of the DNS protocol to generate amplified traffic, exploiting public DNS resolvers with recursion enabled. The attacker sends small queries that generate disproportionately large DNS responses, overwhelming the victim’s network infrastructure.

Identifying an Open Recursive DNS Resolver

An open recursive DNS resolver answers recursive DNS queries from any source, not just from clients on its own network. Attackers use internet-wide scanners such as zmap or masscan to find such servers exposed to the public internet; they are the amplifiers in this attack precisely because they will resolve and answer queries for anyone.

Crafting a Spoofed DNS Request

Attackers send a DNS query to the open DNS resolver, but with the source IP address spoofed to that of the victim. This is possible because DNS typically uses UDP (User Datagram Protocol), which doesn’t establish a connection, making IP spoofing easier.

Requesting Large DNS Responses

The attacker requests DNS records that result in large response sizes, which amplify the impact on the victim. Commonly abused record types include:

  • ANY record: This returns all available DNS records for a given domain (e.g., A, AAAA, MX, TXT, etc.), which produces a large response.

  • DNSSEC records: These records (such as DNSKEY and RRSIG) include additional cryptographic data, significantly increasing the size of the response.

The DNS request sent by the attacker is small, typically 60-100 bytes, while the corresponding DNS response can be several kilobytes, creating a high amplification factor.

Amplification and Response

When the DNS resolver processes the query, it sends the much larger response to the spoofed source IP (the victim’s IP). Because DNS over UDP is connectionless, the resolver has no handshake with which to verify the sender’s address, so the response goes straight to the victim.

The amplification factor can vary, but in some cases, it can be as high as 100x. For example, a 60-byte query can generate a 4,000-byte response. This drastically increases the traffic directed to the victim.

Flooding the Victim with Amplified Traffic

The attacker repeats this process at scale, often using a botnet of compromised machines to send multiple queries from different sources to numerous open DNS resolvers, all spoofed with the victim’s IP address. This results in a massive flood of large DNS responses targeting the victim’s server or network.

The sheer volume of incoming data overwhelms the victim’s resources, including:

  • Bandwidth saturation: The victim’s network is flooded with high-volume traffic, potentially exhausting available bandwidth.

  • Processing overload: The victim’s DNS resolver or server may be overwhelmed by processing the large volume of incoming packets, causing it to crash or slow down.
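A resolver operator can spot this flood pattern in their own query logs and limit how much they answer per destination. The following is an added example, not code from the original page: it parses constructed resolver log lines (the log format, field names and RFC 5737 addresses are my own assumptions), flags destination addresses that are receiving a stream of amplifying answers, and applies a simple per-source response budget of the kind response-rate-limiting implements.

```python
"""
Added example (not from the original page): detect the amplification pattern in
resolver query logs and cap the bytes answered per source.  The log format,
field names and IP addresses below are constructed for this example.
"""
import re
from collections import defaultdict

# Query types whose answers are large relative to the query
AMPLIFYING_QTYPES = {"ANY", "DNSKEY", "RRSIG"}

LOG_RE = re.compile(r"src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
                    r"qsize=(?P<qsize>\d+) rsize=(?P<rsize>\d+)")

# Constructed sample: one address receiving a burst of ANY answers, two normal clients.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T10:00:0%dZ src=198.51.100.7 qname=example.com qtype=ANY qsize=40 rsize=3985" % i
     for i in range(6)]
    + ["2024-05-01T10:00:02Z src=203.0.113.22 qname=www.example.net qtype=A qsize=45 rsize=61",
       "2024-05-01T10:00:03Z src=203.0.113.22 qname=mail.example.net qtype=MX qsize=46 rsize=90",
       "2024-05-01T10:00:04Z src=192.0.2.9 qname=example.org qtype=DNSKEY qsize=48 rsize=1200",
       "2024-05-01T10:00:05Z src=192.0.2.9 qname=example.org qtype=A qsize=44 rsize=60",
       "2024-05-01T10:00:06Z src=192.0.2.9 qname=example.org qtype=AAAA qsize=44 rsize=72",
       "2024-05-01T10:00:07Z src=192.0.2.9 qname=example.org qtype=A qsize=44 rsize=60",
       "2024-05-01T10:00:08Z src=192.0.2.9 qname=example.org qtype=A qsize=44 rsize=60",
       "2024-05-01T10:00:09Z src=192.0.2.9 qname=example.org qtype=A qsize=44 rsize=60"])


def parse_line(line: str):
    """Extract the fields we need from one log line; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qsize"], rec["rsize"] = int(rec["qsize"]), int(rec["rsize"])
    return rec


def summarize(lines):
    """Per source address: query count, amplifying-type count, bytes in and bytes out."""
    stats = defaultdict(lambda: {"queries": 0, "amplifying": 0, "qbytes": 0, "rbytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["queries"] += 1
        s["qbytes"] += rec["qsize"]
        s["rbytes"] += rec["rsize"]
        if rec["qtype"] in AMPLIFYING_QTYPES:
            s["amplifying"] += 1
    return dict(stats)


def flag_sources(stats, min_queries=5, min_ratio=20.0, min_amp_share=0.8):
    """Sources that are busy, receive far more bytes than they send, and ask almost
    only for amplifying types.  In a spoofed flood the flagged 'source' is the
    victim, so the remedy is to answer that address less, not to blocklist it."""
    flagged = {}
    for src, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"]
        share = s["amplifying"] / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_ratio and share >= min_amp_share:
            flagged[src] = {"ratio": ratio, "amp_share": share, "response_bytes": s["rbytes"]}
    return flagged


class ResponseBudget:
    """Minimal response-rate limiting: each source may receive at most `max_bytes`
    of answers per `window` seconds.  Over budget, the answer is withheld (real
    RRL implementations typically send a truncated reply so legitimate clients
    retry over TCP, which a spoofed source cannot do)."""

    def __init__(self, max_bytes: int, window: float):
        self.max_bytes, self.window, self.seen = max_bytes, window, {}

    def allow(self, src: str, now: float, rsize: int) -> bool:
        start, used = self.seen.get(src, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, used = now, 0
        if used + rsize > self.max_bytes:
            self.seen[src] = (start, used)
            return False
        self.seen[src] = (start, used + rsize)
        return True


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for src, info in flag_sources(stats).items():
        print(src, info)                      # 198.51.100.7 is the only flagged address
    budget = ResponseBudget(max_bytes=10_000, window=10.0)
    print([budget.allow("198.51.100.7", t, 3985) for t in (0.0, 1.0, 2.0)])  # [True, True, False]
```

The thresholds are deliberately conservative defaults; tune them to your own resolver's traffic, and remember that the detection only tells you who is being flooded, since the attacker's real address never appears in the log.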

Amplification Factor

The amplification factor is the ratio between the size of the original DNS query and the response. For example:

  • A 60-byte query (e.g., requesting an ANY record) could generate a 4,000-byte response, resulting in a 66:1 amplification factor.

  • The attacker’s goal is to exploit servers with high amplification potential to maximize traffic directed at the victim.
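To make the sizes and the ratio concrete, here is an added example that is not code from the original page. It builds a minimal DNS query for an ANY record the way a client would, builds the kind of large answer an open resolver returns (constructed here from TXT records; nothing is sent on the network), computes the amplification factor as defined above, and shows how the EDNS UDP payload size caps it: a server that refuses to send UDP answers above the classic 512-byte limit returns a truncated reply instead, so the factor collapses to 1. The RA flag parsed from the header is also the bit an operator checks when testing whether their own resolver offers recursion to outside clients. Helper names and the 250-byte TXT strings are my own assumptions.

```python
"""
Added example (not from the original page): DNS query/response construction,
amplification factor, and the effect of the UDP payload limit.  All bytes are
built locally; no packets are sent.
"""
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255
QCLASS_IN = 1
CLASSIC_UDP_LIMIT = 512   # maximum DNS/UDP message size without EDNS


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name that starts at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + ln


def edns_opt(udp_payload: int) -> bytes:
    """EDNS0 OPT pseudo-record advertising the UDP payload size the sender accepts."""
    return b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                udp_payload: int = 4096) -> bytes:
    """Header with RD set + one question + OPT record, as a client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question + edns_opt(udp_payload)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; RA=1 in a response means recursion is offered."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def build_response(query: bytes, txt_values: list, udp_payload: int = 4096) -> bytes:
    """Constructed resolver answer: same id, QR/RD/RA set, one TXT RR per value."""
    qid = parse_header(query)["id"]
    question = query[12:skip_name(query, 12) + 4]
    answers = b""
    for value in txt_values:
        data = value.encode("ascii")
        # TXT rdata is a sequence of <len><chars> strings of at most 255 bytes each
        rdata = b"".join(bytes([len(c)]) + c
                         for c in (data[i:i + 255] for i in range(0, len(data), 255)))
        answers += (b"\xC0\x0C"                       # pointer back to the question name
                    + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(txt_values), 0, 1)
    return header + question + answers + edns_opt(udp_payload)


def udp_deliverable(response: bytes, udp_limit: int) -> bytes:
    """What actually leaves the resolver over UDP: the full message if it fits the
    payload limit, otherwise a TC=1 reply carrying only the question."""
    if len(response) <= udp_limit:
        return response
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    question = response[12:skip_name(response, 12) + 4]
    return struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 1) + question + edns_opt(udp_limit)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (spoofed) source divided by bytes the sender spent."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")                      # 40 bytes on the wire
    big = build_response(q, ["x" * 250] * 15)           # 15 TXT RRs, 3985 bytes
    print(len(q), len(big), round(amplification_factor(q, big), 1))           # 40 3985 99.6
    capped = udp_deliverable(big, CLASSIC_UDP_LIMIT)    # resolver capping UDP answers at 512
    print(len(capped), amplification_factor(q, capped), parse_header(capped)["tc"])  # 40 1.0 True
```

The numbers line up with the text above: a query of a few dozen bytes draws a response of several kilobytes, close to the 100x figure the page cites. The last two lines show why operators limit the EDNS buffer size they honour and why answering large responses only over TCP (which a spoofed source cannot complete) removes the amplification.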
