What are DNS Amplification Attacks
DNS amplification attacks are a version of distributed denial-of-service attacks (also known as DDoS). These DNS amplification attacks use DNS servers as amplifiers.
The attack itself is rather simple: the attacker has their botnet send tens of thousands of DNS requests to one or more public DNS resolvers. The bots use the target’s IP address as sender IP so that the DNS resolver’s replies are sent to the target instead of the attacker. That way, the DNS resolvers submit tens of thousands of replies to the target.
This is what the communication structure looks like (the example has just one bot attacking):
The attacker also exploits a specific feature of the DNS protocol: requests directed to DNS servers are often much smaller than their replies. A request with just a few bytes can trigger a reply with thousands of bytes. For example, a 50-byte request can result in a 5000-byte reply – an amplification factor of 100. This means that the attacker need only send a fraction of the data volume that is supposed to hit their target. A bot with a bandwidth of 10 Mbps can run an attack on the order of 1 Gbps, and an entire botnet can easily reach hundreds of Gbps.
Even a simple request for an A record with a packet size of 74 bytes can lead to a 508-byte reply (an amplification factor of approximately 7). A request and reply like this might look as follows (no layer-2 and layer-3 header shown):
- Request from client (IP A.B.C.D) to DNS resolver (IP Q.W.E.R) for “www.thefqdn.de”, packet size of 74 bytes (©Link11)
This is what the botnet communication looks like including amplification:
The target faces several threats:
- Internet connection overload
- Overload of the components processing the packets
The worst possible outcome of this type of attack is complete failure of the target’s internet connection.
Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.
Follow Link11 on Twitter
A simple visualization of how the Underground Cybercrime Economy cashes in on data and DDoS attacks. To learn more,…
9 Retweets 9Read More
How to protect your business and website from DDoS attacks during the biggest sales period of the year:…
5 Retweets 6Read More
What are DDoS Attacks and how do cybercriminals use them as weapons to shut down IT infrastructures? And more impor…
7 Retweets 5Read More
This is why (and how) you should block bots on your business website (includes a list of most common bot attacks):…
13 Retweets 9Read More
What is Web Application Firewall, why do you need it and how does it protect your company? Learn more by reading ou…
3 Retweets 5Read More
@RandyLoss Hah, you weren't the only one saying that.
0 Retweets 0
@vxtrade Your company might ;)
0 Retweets 1
@deckhand25 He is not, but close enough! ;)
0 Retweets 1
What would you do if you received a 180 000€ DDoS extortion email warning to exceed your web infrastructure defense…
1 Retweets 4Read More
Get a detailed and up to date overview of the global DDoS threat landscape by taking a look at our DDoS Report from…
6 Retweets 5Read More
@SecurityParalok Link11 DDoS Protection can help!
0 Retweets 0