DNS Amplification Attack
Definition
A DDoS attack that abuses open DNS resolvers by sending small queries with a spoofed source IP so that the much larger responses flood the victim. Amplification factors of 50x or more make DNS one of the most powerful reflection vectors.
The Mechanics of Amplification
DNS amplification is a DDoS technique that exploits the asymmetry between small DNS queries and large DNS responses. An attacker sends UDP queries to open recursive resolvers with the source address spoofed to the victim's public IP address; because UDP involves no handshake, the resolver has no way to tell that the query did not come from the victim and sends its (often much larger) response there. The spoofed query typically advertises a large EDNS0 UDP buffer size so that the resolver is willing to return multi-kilobyte responses over UDP instead of truncating at the classic 512-byte limit. Amplification factors of 28x to 54x are common with ANY queries or DNSSEC-signed zones that return large RRSIG and DNSKEY record sets.
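The asymmetry above is easiest to see on the wire. The following added example (not code from the original page) hand-builds a minimal `ANY example.com` query with and without an EDNS0 OPT record, then feeds it to a tiny simulated responder that applies the rules a real resolver applies over UDP: include as many whole records as fit in the client's advertised buffer (512 bytes when there is no OPT record), and set the TC bit when the rest will not fit. The zone contents, the key and signature bytes, and the `filler()` helper are constructed stand-ins sized like real RSA-2048 DNSKEY/RRSIG records; only the sizes matter for the amplification factor.

```python
import struct
from typing import Optional

QTYPE_ANY = 255
OPT = 41          # EDNS0 pseudo-RR type
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, edns_bufsize: Optional[int] = None,
                txid: int = 0x1234) -> bytes:
    """Minimal DNS query. The OPT record advertising edns_bufsize is what allows
    the responder to exceed the classic 512-byte UDP limit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root owner name, TYPE=41, the CLASS field carries the UDP payload size
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return pkt


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, edns_bufsize); edns_bufsize is None without OPT."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    pos += 4
    edns = None
    if arcount and pkt[pos] == 0:  # only a root-owned OPT RR is expected in a query
        rtype, rclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
        if rtype == OPT:
            edns = max(rclass, 512)  # RFC 6891: sizes below 512 are treated as 512
    return txid, ".".join(labels), qtype, edns


def respond(query: bytes, zone: dict) -> bytes:
    """Simulated UDP responder: answer with as many whole RRs as fit in the
    client's advertised buffer (512 bytes without EDNS0), else set TC."""
    txid, qname, qtype, edns = parse_query(query)
    limit = edns or 512
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = [r for r in zone.get(qname, []) if qtype == QTYPE_ANY or r[0] == qtype]
    opt = (b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)) if edns else b""
    flags = 0x8180  # QR=1, RD=1, RA=1
    answers, ancount = b"", 0
    for rtype, ttl, rdata in rrs:
        wire = build_rr(qname, rtype, ttl, rdata)
        if 12 + len(question) + len(answers) + len(wire) + len(opt) > limit:
            flags |= TC_FLAG
            break
        answers += wire
        ancount += 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1 if opt else 0)
    return header + question + answers + opt


def is_truncated(resp: bytes) -> bool:
    return bool(struct.unpack("!H", resp[2:4])[0] & TC_FLAG)


def answer_count(resp: bytes) -> int:
    return struct.unpack("!H", resp[6:8])[0]


def amplification_factor(query: bytes, resp: bytes) -> float:
    return len(resp) / len(query)


# --- constructed zone data; byte contents are filler, only sizes are realistic ---
def filler(n: int) -> bytes:
    return bytes(i % 256 for i in range(n))


def dnskey(flags: int, modulus_len: int) -> bytes:
    # flags, protocol 3, algorithm 8 (RSASHA256), exponent length, exponent 65537, modulus
    return struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + filler(modulus_len)


def rrsig(covered: int) -> bytes:
    # type covered, alg, labels, original TTL, expiration, inception, key tag, signer, RSA-2048 sig
    return (struct.pack("!HBBIIIH", covered, 8, 2, 3600, 1704153600, 1702944000, 12345)
            + encode_name("example.com") + filler(256))


SPF = b"v=spf1 include:_spf.example.com -all"
ZONE = {
    "example.com": [
        (1, 300, bytes([192, 0, 2, 1])),                                   # A
        (28, 300, bytes.fromhex("20010db8" + "00" * 12)),                  # AAAA
        (2, 3600, encode_name("a.iana-servers.net")),                      # NS
        (2, 3600, encode_name("b.iana-servers.net")),                      # NS
        (15, 3600, struct.pack("!H", 10) + encode_name("mail.example.com")),  # MX
        (6, 3600, encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
         + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300)),   # SOA
        (16, 300, bytes([len(SPF)]) + SPF),                                # TXT
        (48, 3600, dnskey(257, 256)),                                      # DNSKEY (KSK)
        (48, 3600, dnskey(256, 128)),                                      # DNSKEY (ZSK)
    ] + [(46, 3600, rrsig(t)) for t in (1, 28, 2, 15, 6, 16, 48)],         # one RRSIG per RRset
}

if __name__ == "__main__":
    for bufsize in (None, 4096):
        q = build_query("example.com", QTYPE_ANY, edns_bufsize=bufsize)
        r = respond(q, ZONE)
        print(f"EDNS0 {bufsize}: query {len(q)} B -> response {len(r)} B, "
              f"{answer_count(r)} answers, TC={is_truncated(r)}, "
              f"amplification {amplification_factor(q, r):.1f}x")
```

Without the OPT record the responder truncates at 512 bytes and the attacker gets roughly 12x; with a 4096-byte advertisement the same 40-byte query pulls back about 3 KB of signed records, a factor near 75x. That is why attack tools always include EDNS0 in the spoofed query, and why capping the advertised size or answering ANY minimally (see the mitigations below) cuts directly into the attacker's yield.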
Why Open Resolvers Are the Enabler
The attack requires open recursive resolvers that accept queries from arbitrary source IPs without rate limiting. BCP38 (network ingress filtering) would prevent IP spoofing at the source network level, but many ISPs and hosting providers do not enforce it. Lists of millions of open resolvers are publicly available, making large-scale amplification campaigns trivially easy to execute with minimal attacker bandwidth.
Mitigation Strategies
Resolver operators should restrict recursion to known client IP ranges, implement Response Rate Limiting (RRL) to throttle repeated identical responses to the same source prefix, and, where their software supports it, use DNS Cookies (RFC 7873), which is the closest a resolver itself can come to verifying a client's source address: a spoofed client cannot complete the cookie exchange and so gets only a minimal reply. Network operators should implement BCP38 ingress filtering at their upstream gateways so that packets with source addresses outside their own prefixes never leave the network. Victims can work with upstream providers and CDNs to scrub amplified UDP traffic before it saturates their links. DNSSEC ironically increases amplification potential because signed responses carry larger payloads, a trade-off zone operators should weigh carefully; smaller signatures (ECDSA rather than RSA) and minimal answers to ANY queries (RFC 8482) both reduce the yield without giving up signing.
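RRL is the mitigation most resolver operators can deploy on their own, and its effect is easiest to judge by counting bytes. The following added example (not code from the original page, and a simplified model rather than any vendor's implementation) is a token-bucket rate limiter in the style of BIND's `rate-limit` option: buckets are keyed on (client /24, qname, qtype), each bucket earns `responses_per_second` credits per second, and once a bucket is exhausted every `slip`-th excess query is answered with a tiny TC=1 reply while the rest are dropped. The "slip" matters because a legitimate client that is caught by the limiter retries over TCP, where its source address cannot be spoofed, whereas a victim that never asked only receives the 29-byte truncated reply. The traffic and the 2995-byte full-response size are constructed.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Simplified RRL: per-(client prefix, qname, qtype) token buckets; over-limit
    queries are either slipped (TC=1, no answers) or dropped."""
    TRUNCATED_REPLY = 29  # header + question for example.com/ANY, no answers, TC=1

    def __init__(self, responses_per_second=5, slip=2, window=15, prefix_len=24):
        self.rate = responses_per_second
        self.slip = slip                          # every slip-th over-limit query gets TC=1
        self.cap = responses_per_second * window  # credit a quiet bucket may bank
        self.prefix_len = prefix_len              # /24 for IPv4; BIND defaults to /56 for IPv6
        self.buckets = {}                         # key -> (tokens, last_refill_second)
        self.over_limit = defaultdict(int)        # key -> count of over-limit queries

    def _key(self, src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def handle(self, ts, src_ip, qname, qtype, full_size):
        """Return (action, bytes_sent) for one query arriving at time ts (seconds)."""
        key = self._key(src_ip, qname, qtype)
        now = int(ts)
        tokens, last = self.buckets.get(key, (self.rate, now))
        tokens = min(self.cap, tokens + (now - last) * self.rate)  # refill per whole second
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return ("send", full_size)
        self.buckets[key] = (tokens, now)
        self.over_limit[key] += 1
        if self.slip and self.over_limit[key] % self.slip == 0:
            return ("slip", self.TRUNCATED_REPLY)  # real client retries over TCP
        return ("drop", 0)


def simulate_spoofed_burst(limiter=None, n=40, full_size=2995):
    """Constructed attack traffic: n ANY queries within one second, all with the
    source address spoofed to the victim 203.0.113.7. Returns the verdict
    counts, bytes actually sent toward the victim, and bytes without RRL."""
    limiter = limiter or ResponseRateLimiter()
    verdicts = defaultdict(int)
    bytes_to_victim = 0
    for i in range(n):
        action, size = limiter.handle(i / n, "203.0.113.7", "example.com", 255, full_size)
        verdicts[action] += 1
        bytes_to_victim += size
    return dict(verdicts), bytes_to_victim, n * full_size


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    verdicts, limited, unlimited = simulate_spoofed_burst(rrl)
    print(f"verdicts={verdicts} bytes to victim: {limited} with RRL vs {unlimited} without")
    # A client in another /24 has its own bucket and is unaffected by the attack.
    print(rrl.handle(0.5, "198.51.100.9", "example.com", 255, 2995))
    # The victim's bucket earns fresh credit in the next second, so it is not cut off forever.
    print(rrl.handle(1.2, "203.0.113.7", "example.com", 255, 2995))
```

With the defaults, a 40-query burst yields 5 full responses, 17 slipped replies and 18 drops: about 15 KB toward the victim instead of 120 KB, a reduction of more than 85% from the resolver's own vantage point, and the limiter leaves unrelated clients untouched. RRL does not stop the attacker from using a different open resolver, which is why the page's other two controls (restricting recursion to known clients and BCP38 at the network edge) remain necessary.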