Content
A DNS amplification attack is a type of Distributed Denial of Service (DDoS) attack in which an attacker exploits vulnerabilities in the Domain Name System (DNS) to amplify traffic and flood a targeted system with an overload of requests. The goal is to overload the system with massive traffic and make it unavailable.
How does a DNS amplification attack work?
A DNS amplification attack exploits the properties of the Domain Name System (DNS) to launch an amplified DDoS attack on a target. The target is flooded with enormous amounts of traffic, which can limit its accessibility or paralyze it completely. The attack works by amplifying DNS responses to small queries sent to open or misconfigured DNS servers.
Exploiting amplification
DNS queries are usually small (around 60–80 bytes), but DNS responses can often be much larger, especially for certain DNS records (e.g., TXT or ANY queries) that return large amounts of data. A DNS amplification attack exploits this size difference to amplify traffic.
IP spoofing (forging the sender IP)
The attacker forges the sender IP address in the DNS requests. Instead of using their own IP address, the attacker’s IP address is specified as the sender. The DNS servers that process these requests believe that the victim sent the request and in turn send their large DNS responses to that IP address.
Sending the forged DNS requests to open DNS resolvers
The attacker sends the forged DNS requests to open DNS resolvers or poorly configured DNS servers that respond to requests from any IP address. These open resolvers respond to the forged request and send the large DNS response to the victim’s IP address.
Massive traffic hits the victim
By repeatedly sending DNS requests with spoofed source addresses, many DNS servers are tricked into sending their answers to the victim. Since each request requires only a small amount of data, but the response is many times larger, the victim is bombarded with an excessive number of DNS responses. This results in a bandwidth overload.
The goal is to overload
The victim is confronted with an enormous volume of data traffic that can quickly exhaust network capacities. As a result, the victim’s servers are no longer able to process legitimate data traffic, leading to a denial of service, i.e., the server being unavailable.
Amplification Factor
The success of this attack depends on the size of the DNS responses in relation to the DNS query. Some queries (such as “ANY” queries) can return responses that are 50 times the size of the original query. By using IP spoofing and deploying many open DNS resolvers, the attacker can direct massive traffic to the victim with relatively little effort.
How to recognize a DNS amplification attack
Recognizing a DNS amplification attack is crucial to react quickly and minimize damage.
A sudden and massive increase in incoming data traffic, especially UDP traffic on port 53 (used for DNS), can be an early sign of a DNS amplification attack. The traffic volumes often significantly exceed normal usage.
A DNS server affected by a DNS amplification attack receives or sends an unusually large number of DNS responses in a very short period of time. The responses are often larger than usual because they often respond to “ANY” or similar queries that generate particularly large responses. Although DNS amplification attacks are characterized by IP spoofing, many queries may originate from a specific geographic region or from specific IP ranges. Such patterns can indicate a coordinated attack wave.
DNS servers usually keep detailed logs of queries and responses. If the server suddenly starts generating many queries from the same spoofed IP address or extremely large responses to small queries, this indicates a DNS amplification attack. An open DNS server that is being used in an attack often shows many recursive queries from unknown or unauthorized IP addresses.
A DNS amplification attack often results in increased network latency as the victim’s network is overloaded with excessive traffic. A typical symptom of a successful DNS amplification attack is loss of connectivity, both externally and internally. The victim’s bandwidth is completely consumed by the DNS responses.
Learn more about a GDPR-compliant, cloudbased and patented DDoS Protection that delivers, what it promises.
How can you protect yourself against such attacks?
To effectively protect against DNS amplification attacks, various preventive measures are required that affect both the configuration of the DNS servers and the monitoring of the network.
Avoiding open DNS resolvers
Open DNS resolvers are a prime target for DNS amplification attacks because they accept queries from any IP address and often return large responses. Attackers exploit this vulnerability by sending fake queries that cause the DNS server to send oversized responses to the victim. To prevent this, DNS servers should be configured to only process queries from authorized and trusted IP addresses. This significantly reduces the possibility of a DNS server being used as an amplifier in a DDoS attack.
Rate limiting
Rate limiting is an effective method for reducing the impact of DNS amplification attacks. Response rate limiting (RRL) can be used to restrict the number of DNS responses that a server sends to a specific IP address within a specified period of time. This prevents a server from generating a large number of amplified DNS responses to fake requests. This significantly limits the attack surface, since less data volume is sent to the target and the server is thus less effective as an amplifier in the attack.
Use DNSSEC
DNSSEC (Domain Name System Security Extensions) ensures the authenticity and integrity of DNS queries and responses by using cryptographic signatures. This prevents attackers from using forged DNS responses to manipulate or abuse traffic. Although DNSSEC does not directly prevent DNS amplification attacks, it protects the DNS system as a whole and makes it more difficult to exploit vulnerabilities. Therefore, implementing DNSSEC is an important step in making the entire DNS system more resilient to abuse and attacks.
Preventing IP spoofing
IP spoofing is the mechanism that allows attackers to forge the source address of their DNS requests and send the responses to a victim. To prevent DNS amplification attacks, it is crucial to block IP spoofing. This can be achieved by using egress filtering, which monitors outgoing network traffic and ensures that no packets with spoofed source IP addresses leave the network. Similarly, ingress filtering can check incoming traffic for spoofed IP addresses and block them.
Traffic monitoring and anomaly detection
Continuous monitoring of network traffic is critical to detect DNS amplification attacks early. Intrusion detection systems (IDS) make it possible to identify unusual increases in DNS traffic or asymmetric traffic patterns that indicate an attack. It is particularly important to monitor DNS traffic on port 53 (UDP) because of its role in DNS amplification attacks. By analyzing anomalies in the traffic, early action can be taken to block the malicious traffic and minimize the damage.
Share this post
