DNS Amplification Source

• High-volume outbound UDP traffic to port 53 from a single source with a spoofed victim IP
• Queries for large DNS record types (ANY, TXT, DNSKEY) that produce maximum-size responses
• Burst patterns of DNS queries targeting the same set of open resolvers
• Source IP appearing in DDoS attack attribution reports or Shadowserver open resolver datasets
• NetFlow showing large outbound UDP/53 packet counts but tiny corresponding inbound DNS query traffic

Check if your resolver is open (can be abused)

# Query from an external host — should return REFUSED for external domains
dig @YOUR_RESOLVER_IP ANY isc.org +bufsize=4096 +short
# If it returns records, your resolver is open and can be amplified

Detect DNS amplification traffic leaving your network

# tcpdump — high-volume UDP/53 outbound with large payload
tcpdump -i eth0 -nn 'udp and dst port 53 and length > 100' | \
  awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10

iptables — rate-limit outbound DNS queries per source

# Allow 10 DNS queries/second per internal IP; log and drop excess
iptables -A OUTPUT -p udp --dport 53 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS_AMP_OUT: "
iptables -A OUTPUT -p udp --dport 53 -j DROP

Snort rule — detect ANY query floods

alert udp $HOME_NET any -> any 53 \
  (msg:"DNS ANY query flood (amplification source)"; \
   content:"|00 FF|"; offset:2; depth:2; \
   threshold:type threshold, track by_src, count 100, seconds 10; \
   sid:5000001;)

BIND DNS Response Rate Limiting (RRL) — if running a resolver

options {
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};

1. Disable open recursion on DNS resolvers — Configure resolvers to answer only for authorised clients: in BIND, allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };; in Unbound, access-control: 0.0.0.0/0 refuse.
2. Implement BCP38 source address validation — Drop outbound packets with source IPs not belonging to your allocated address space; this prevents your network from sending spoofed query packets.
3. Enable DNS Response Rate Limiting (RRL) — BIND 9.9+ and Unbound support RRL to limit response rates per client, reducing amplification contribution even if the resolver is open.
4. Block DNS ANY queries — iptables -A INPUT -p udp --dport 53 -m string --string "|00 FF|" --algo bm --from 40 -j DROP or configure BIND to refuse ANY record type queries.
5. Deploy DNSSEC selectively — DNSSEC responses are large (containing cryptographic keys), so enabling DNSSEC increases amplification potential; use it only where necessary and pair with RRL.
6. Monitor outbound DNS traffic baselines — Alert when outbound UDP/53 traffic from any host exceeds 3× its rolling 7-day average.
7. Coordinate with upstream ISP — For active amplification attacks, work with your ISP to implement upstream filtering using BGP Flowspec or RTBH null routing of the victim's IP.

2013 — Spamhaus 300 Gbps DNS amplification DDoS: Attackers used approximately 30,000 open DNS resolvers to reflect amplified responses toward Spamhaus.org after Spamhaus blacklisted the hosting provider Cyberbunker. At 300 Gbps, the attack was the largest ever recorded at the time and caused significant congestion at European internet exchange points, affecting unrelated internet users across the continent.

2014 — CloudFlare client targeted with 400 Gbps DNS reflection: In February 2014, a CloudFlare customer was targeted with a 400 Gbps DDoS attack using DNS reflection. Attackers queried open resolvers for DNSSEC-signed zones, which produce responses 60–70 bytes in response to 36-byte queries — an amplification factor of approximately 50×. CloudFlare absorbed the attack at their network edge.