DNS Amplification Attacks and Defense

Understand how DNS amplification DDoS attacks work, why they are effective, and how to defend your DNS infrastructure.

How DNS Amplification Works

A DNS amplification attack is a type of DDoS (Distributed Denial of Service) attack that exploits open DNS resolvers to flood a target with massive amounts of traffic. The attacker sends small DNS queries with the victim's IP as the source address (IP spoofing), and the DNS resolver sends large responses to the victim.

Attacker (spoofed source: victim IP)
  -> Small query (60 bytes): "ANY records for example.com?"
    -> Open resolver
      -> Large response (3,000+ bytes) -> Victim

The key factors that make this attack effective:

  • Amplification -- The response is 30-70x larger than the query.
  • Reflection -- The response goes to the victim, not the attacker.
  • Distribution -- The attacker uses thousands of open resolvers worldwide.

Amplification Factor

The amplification factor depends on the query type and the domain's records:

Query Type         Typical Response Size   Amplification Factor
ANY                2,000-4,000 bytes       30-70x
TXT (DKIM, SPF)    500-2,000 bytes         10-30x
DNSSEC-signed      1,000-3,000 bytes       20-50x
A record           50-100 bytes            1-2x

The ANY query type is the most abused because it returns all record types, generating the largest responses.
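To make the amplification arithmetic concrete, here is an added Python example (not code from the original page): a minimal parser for the DNS wire format that reads the header and question section of a query and its response, computes the bytes-out/bytes-in ratio, and flags the two things a resolver-side monitor cares about, a QTYPE=ANY question and a response that is many times larger than the query. The sample query and response bytes are constructed inline rather than captured, the TXT payload is padded to look like a DKIM record, and the 10x flag threshold is an assumption for the example.

```python
import struct

QTYPE_NAMES = {1: "A", 16: "TXT", 28: "AAAA", 46: "RRSIG", 255: "ANY"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, qtype, rrs):
    """Build a response that echoes the question and adds one RR per (rtype, rdata).

    Each RR name is the compression pointer 0xC00C (back to the question name)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_header_and_question(msg):
    """Return the fields needed to judge a message: id, QR flag, counts, qname, qtype."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qdcount": qd,
            "ancount": an, "qname": qname, "qtype": qtype, "size": len(msg)}


def amplification_factor(query, response):
    """Bytes sent to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def assess(query, response, threshold=10.0):
    """Classify a query/response pair the way a resolver-side monitor would."""
    q, r = parse_header_and_question(query), parse_header_and_question(response)
    factor = amplification_factor(query, response)
    flags = []
    if q["qtype"] == 255:
        flags.append("qtype-any")
    if factor >= threshold:  # threshold is an assumption for this example
        flags.append("high-amplification")
    if q["txid"] != r["txid"] or q["qname"] != r["qname"]:
        flags.append("mismatch")
    return {"qname": q["qname"], "qtype": QTYPE_NAMES.get(q["qtype"], str(q["qtype"])),
            "query_bytes": len(query), "response_bytes": len(response),
            "factor": round(factor, 1), "flags": flags}


# Constructed sample traffic: an ANY query and a response with three padded
# DKIM-style TXT records plus two A records (RFC 5737 documentation addresses).
_TXT = b"v=DKIM1; k=rsa; p=" + b"A" * 232          # 250-byte character string
_TXT_RDATA = bytes([len(_TXT)]) + _TXT
ANY_QUERY = build_query(0x1234, "example.com", 255)
ANY_RESPONSE = build_response(0x1234, "example.com", 255,
                              [(16, _TXT_RDATA)] * 3 +
                              [(1, bytes([192, 0, 2, 1])), (1, bytes([192, 0, 2, 2]))])
A_QUERY = build_query(0x1235, "example.com", 1)
A_RESPONSE = build_response(0x1235, "example.com", 1, [(1, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    print(assess(ANY_QUERY, ANY_RESPONSE))
    print(assess(A_QUERY, A_RESPONSE))
```

The 29-byte ANY query draws an 850-byte answer (about 29x), while the same-sized A query draws 45 bytes; the ratio, not the absolute size, is what a resolver operator should alert on, because it is the attacker's gain per spoofed packet.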

The Open Resolver Problem

An open resolver is a recursive DNS server that accepts queries from any source on the internet. Millions of misconfigured DNS servers and home routers act as open resolvers, providing attackers with an army of amplification points.

# Test if a server is an open resolver
dig @target-ip example.com
# If you get a valid response, the server is open

Defending Against DNS Amplification

If You Run a DNS Resolver

  • Restrict recursion to authorized clients only:

        # BIND configuration
        options {
            allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
        };

  • Rate limit responses to prevent abuse:

        # BIND Response Rate Limiting (rate-limit goes inside the options block)
        options {
            rate-limit {
                responses-per-second 10;
                window 5;
            };
        };
  • Disable ANY queries -- Many resolvers now refuse ANY queries (RFC 8482).

If You Are the Target

  • Upstream filtering -- Contact your ISP to filter spoofed traffic before it reaches your network.
  • Anycast -- Distribute your infrastructure across many PoPs to absorb attack traffic.
  • DDoS mitigation services -- Cloudflare, Akamai, and AWS Shield can absorb amplification attacks.
  • Firewall rules -- Rate-limit or block unsolicited DNS responses at your border.
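The last item, blocking unsolicited DNS responses at the border, is a stateful check: a response is only legitimate if this network sent the matching query. As an added Python example (not code from the original page), this pairs inbound responses with outbound queries by remote address, port pair and transaction id, treats anything unmatched as unsolicited, and flags remote sources that send a burst of unsolicited responses. The flow records are constructed for the example, and the 5-second query lifetime, 1-second window and 5-response threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample border records (not captured traffic). Each tuple is
# (time_seconds, direction, remote_ip, remote_port, local_port, txid, udp_bytes);
# "out" is a packet leaving our network, "in" is a packet arriving.
EVENTS = [
    (0.00, "out", "198.51.100.53", 53, 40001, 0x1111, 29),
    (0.02, "in",  "198.51.100.53", 53, 40001, 0x1111, 145),   # answer we asked for
    (0.10, "out", "198.51.100.53", 53, 40002, 0x1112, 31),
    (0.13, "in",  "198.51.100.53", 53, 40002, 0x1112, 98),
    # Burst of large responses from a resolver we never queried (reflection).
    (1.00, "in", "203.0.113.10", 53, 5353, 0x2001, 3010),
    (1.05, "in", "203.0.113.10", 53, 5353, 0x2002, 3010),
    (1.10, "in", "203.0.113.10", 53, 5353, 0x2003, 3010),
    (1.15, "in", "203.0.113.10", 53, 5353, 0x2004, 3010),
    (1.20, "in", "203.0.113.10", 53, 5353, 0x2005, 3010),
    (1.25, "in", "203.0.113.10", 53, 5353, 0x2006, 3010),
    # A single stray response: unsolicited, but not a flood on its own.
    (2.00, "in", "203.0.113.77", 53, 5353, 0x3001, 512),
    # A reply that arrives after its query has expired from the state table.
    (0.50, "out", "198.51.100.53", 53, 40003, 0x1113, 29),
    (9.00, "in",  "198.51.100.53", 53, 40003, 0x1113, 100),
]

PENDING_TTL = 5.0   # seconds a sent query stays matchable (assumption)


def match_responses(events, pending_ttl=PENDING_TTL):
    """Pair inbound DNS responses with the outbound queries that solicited them.

    Returns (matched, unsolicited); each list holds the original event tuples."""
    pending = {}   # (remote_ip, remote_port, local_port, txid) -> time query was sent
    matched, unsolicited = [], []
    for ev in sorted(events, key=lambda e: e[0]):
        t, direction, rip, rport, lport, txid, _size = ev
        key = (rip, rport, lport, txid)
        if direction == "out" and rport == 53:
            pending[key] = t
        elif direction == "in" and rport == 53:
            sent = pending.pop(key, None)
            if sent is not None and t - sent <= pending_ttl:
                matched.append(ev)
            else:
                unsolicited.append(ev)
    return matched, unsolicited


def flood_sources(unsolicited, window=1.0, threshold=5):
    """Per remote IP: count unsolicited responses and the peak count inside any
    sliding window; mark the source as a flood when the peak reaches threshold."""
    times_by_src = defaultdict(list)
    bytes_by_src = defaultdict(int)
    for ev in unsolicited:
        times_by_src[ev[2]].append(ev[0])
        bytes_by_src[ev[2]] += ev[6]
    verdict = {}
    for src, times in times_by_src.items():
        times.sort()
        peak, left = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        verdict[src] = {"unsolicited": len(times), "bytes": bytes_by_src[src],
                        "peak_per_window": peak, "flood": peak >= threshold}
    return verdict


def analyze(events):
    """Summarise a batch of border records for a detection rule or a block list."""
    matched, unsolicited = match_responses(events)
    return {"matched": len(matched), "unsolicited": len(unsolicited),
            "sources": flood_sources(unsolicited)}


if __name__ == "__main__":
    for src, v in analyze(EVENTS)["sources"].items():
        print(src, v)
```

Only 203.0.113.10 is marked as a flood; the lone stray from 203.0.113.77 and the late reply from the legitimate resolver are counted but not blocked, which is the behaviour you want from a border rule that must not break your own slow lookups. A real border device keeps the same state in a connection table; this script is the logic, not the data plane.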

Network-Level Prevention

  • BCP38 (Ingress Filtering) -- ISPs should filter outbound packets with spoofed source addresses. If every ISP implemented BCP38, amplification attacks would be impossible, because the spoofed queries would be dropped at the attacker's own network edge before reaching any resolver.
  • Source address validation -- Routers verify that packets originate from authorized address ranges.

Impact and Scale

DNS amplification attacks have generated some of the largest DDoS attacks on record:

  • Spamhaus (2013) -- 300 Gbps attack using DNS amplification.
  • GitHub (2018) -- 1.35 Tbps attack using memcached amplification (similar technique).

Even moderate amplification attacks can overwhelm typical web servers. A 10 Gbps amplified flood costs the attacker minimal bandwidth but requires significant infrastructure to absorb.
