Knowledge Base ISC Main Website Ask a Question/Contact ISC
What is a DNS Amplification Attack?
Author: Michael McNally Reference Number: AA-00897 Views: 11336 Created: 2013-04-01 22:48 Last Updated: 2013-04-09 16:54 0 Rating/ Voters

A DNS Amplification Attack is a Distributed Denial of Service (DDOS) tactic that belongs to the class of reflection attacks -- attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin of the attack is concealed from the victim.

Additionally, it combines reflection with amplification:  that is, the byte count of traffic received by the victim is substantially greater than the byte count of traffic sent by the attacker, in practice amplifying or multiplying the sending power of the attacker.

To achieve amplification and reflection, a DNS Amplification Attack takes advantage of several characteristics of basic DNS protocols:

  • The UDP transport used by basic DNS queries is ideal for reflection because it is substantially easier for an attacker to spoof their source address with UDP than it would be with a solely TCP-based protocol.
  • Although ISC advises against the practice of operating an unrestricted or "open" recursive resolver, there are nevertheless a high number of open resolvers on the internet that can be used by an attacker to reflect traffic.
  • The fact that a DNS reply may be many times larger than a DNS query allows the attacker to achieve amplification by spoofing a relatively small query that is known to generate a large answer in response.

To perform a DNS Amplification Attack, an attacker begins by identifying a large set of resolvers which can be used as reflectors.  Then, from one or more machines (usually a large number, typically part of a geographically distributed network of compromised machines such as a botnet) the attacker causes UDP DNS queries with to be sent to the reflecting resolvers, with the source IP addresses for the queries set to the address of the target (victim.)  The reflecting servers process the recursive query and send the response to the IP address from which they believe the queries originated.  Because of the spoofed origin, the replies are actually sent to the target.

From the point of view of the target, the effect is that of a bombardment of unrequested DNS query responses from a huge multitude of nameservers (any or all of the machines in the set of reflectors chosen by the attacker.)  None of the traffic reaching the target is generated directly by the attacker's machine or machines, making it difficult for the target to trace the source, and the multitude of reflectors makes it difficult to block them individually.  The unrequested DNS responses are discarded if/when they reach the target machine, but by the time they have done so they have consumed network resources and a small portion of CPU time on the target machine.  With a large set of resolvers to reflect off of and substantial sending bandwidth from multiple sources, an attacker can easily mount a very difficult to counteract attack against an unhardened target.

Example:

In March 2013, The Spamhaus Project was targeted by a massive DDOS launched in retaliation for their decision to list European ISP CyberBunker as a source of spam.  The event generated international news headlines due to the previously unprecedented size and scope of the DDOS.  DNS Amplification was cited by sources as the primary tactic exploited by the attackers.

© 2001-2014 Internet Systems Consortium

Feedback 2
  • #
    [Cathy Almond]: How does one defend said attack? 2013-06-21 11:50

    There is much discussion in various fora regarding mitigation of amplification attacks. You might be interested in Response Rate Limiting (RRL) which is now available in BIND 9.9.3 Subscription Version (our commercial BIND version) and which will be added to opensource BIND in future releases. See: https://kb.isc.org/article/AA-00994/189/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.9-Subscription-Version.html. If you are interested in trying RRL now (unsupported), please see http://www.redbarn.org/dns/ratelimits for patches that you can apply to your BIND source code tarball.

  • #
    [ ttotal]: how dows one defend said attack? 2013-06-15 18:08

    in all the minutes that i have been in IT i still cant fathom how ones self can stop the clouds, stop the sun from shinning and more importantly stop the raid from flooding, is there a point solution that will stop the masses?

Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu