Unravelling the DNS DDoS Threat Landscape

The Domain Name System (DNS) is the backbone of the internet, translating human-readable domain names into machine-readable IP addresses. This pivotal system enables users to access applications across the web. Without DNS, the internet as we know it today would be impossible to use. However, as the internet evolves and plays an increasingly central role in our lives, the complexity and frequency of DNS DDoS threats have been on the rise. DNS attacks can have far-reaching consequences, affecting critical infrastructure, services, and the economy on a global scale. Imagine being unable to access your favourite websites and applications – it is not just annoying; it is a business nightmare.

In this blog post, we will delve into the challenges posed by the modern DNS DDoS threat landscape and the popular DNS DDoS attack vectors.

Shifting Tides: A Changing Attack Landscape

There has been a significant shift that has been witnessed in DDoS attack trends, transitioning from targeting lower-level network layers (L3/L4) to becoming more sophisticated and moving on to the Application layer. This shift has catalysed the exponential growth of DNS DDoS attacks. DNS, due to its pivotal role in internet traffic routing, has become a popular target for these assaults. When a DNS server falls victim to a DoS attack, users cannot access the websites, services or APIs associated with that server because their browsers and applications cannot resolve the IP addresses corresponding to those domain names. As a result, the legitimate user experience is significantly degraded or entirely disrupted.

The Alarming Rise in Threats: Data and Figures

Numbers can be boring, but these are a bit scary. According to Radware’s H1 2023 Threat Landscape report, the frequency of DNS Flood attacks in the first month of Q2 2023 was quadruple that of the same month in Q2 2022. We also recorded the most significant DNS Flood over the past two years, with a peak attack rate reaching 1.29 million DNS queries per second in April 2023.

Figure 1: DNS Flood attack vector ratio evolution over time

Top 5 DNS DDoS Threats to Watch Out For

As a global cybersecurity provider, Radware tracks attack trends across its cloud security network. These are the top DNS DDoS threats we currently see:

In this type of DNS attack, the attacker floods DNS servers with requests for non-existent domains, resulting in DNS recursion and NXDOMAIN responses. This causes the server to process numerous requests for domain names that do not exist, thus consuming the server’s resources instead of processing legitimate requests and leading to a denial-of-service situation.

DNS Flood Attack
Attackers utilize a network of compromised computers called botnets to send a massive volume of DNS requests to the target DNS server, which floods the DNS server and causes it to become unresponsive. This behavior allows the attacker to successfully compromise the DNS service utilizing a surprisingly small number of botnets.

DNS Water Torture
DNS water torture also known as DNS Random Sub-domain attack is a slow and steady DDoS attack in which the attacker sends a constant stream of small, legitimate-looking DNS queries to the victim’s DNS server at a slow rate. Each individual query by itself might not cause significant harm, but the continuous flow of queries gradually overwhelms the DNS server’s resources and causes performance degradation or complete unresponsiveness over time.

Phantom Domain Attack
This attack involves the attacker setting up one or more phantom domains that do not respond to DNS queries and sending requests to the victim’s DNS server to resolve the phantom domains. The victim’s DNS server gets overwhelmed when it tries to resolve the phantom domains through non-responsive servers. This causes the recursive server to spend valuable resources waiting for responses that will never come.

DNS Amplification Attack
This happens when attackers exploit the misconfigured DNS servers such that the DNS response is much larger than the DNS request. The attacker sends a large number of small DNS queries with a spoofed source IP address to the targeted DNS server. The server then sends the amplified responses to the victim’s IP address, overwhelming its network capacity. With this attack technique, a relatively small botnet can carry out a volumetric flood of large responses toward the victim, thus saturating its Internet pipe.
According to Radware’s H1 2023 Threat Landscape report, DNS amplification was the amplification attack vector that generated the most volume in H1 2023, representing 61.6% of the total amplification volume, with an amplification factor of 160x.

In each case, the attacker’s objective is to disrupt the DNS service and make the websites and online services that rely on it inaccessible. These attacks exploit different aspects of the DNS protocol, making them challenging to defend against and highlighting the importance of implementing robust DNS security measures.

The Devastating Impact of a DNS DDoS Attack

Imagine a sudden blackout in the heart of a bustling city. Streetlights flicker, traffic halts, and chaos ensues. In the digital realm, a DNS Distributed Denial of Service (DDoS) attack is the equivalent of that blackout – a swift and crippling disruption that can bring an organization’s online presence to its knees. The aftermath of a DNS DDoS attack paints a grim picture:

Digital Isolation
A DNS DDoS attack can cut off an organization from its customers, partners, and the entire online world. Websites become inaccessible, apps stop working, and emails go undelivered. It’s like a store with locked doors during peak shopping hours.

Damaged Reputation
Trust takes years to build and seconds to crumble. An attack can tarnish an organization’s reputation, eroding the trust customers have in the brand which can negatively impact the business and potentially push them towards competitors.

Operational Challenges
Internal operations can grind to a halt. Employees rely on digital tools for communication, collaboration, and productivity. An attack disrupts these processes, leaving teams stranded and businesses struggling to function.

Financial Hemorrhage
Every moment of downtime translates to potential revenue loss. The longer the attack persists, the deeper the financial wound, affecting bottom lines and growth prospects.


In a world where digital continuity is paramount, a DNS DDoS attack isn’t just a technical hiccup; it’s a multi-dimensional crisis and the imperative to protect DNS infrastructure cannot be overstated. Not securing the DNS infrastructure properly is like leaving an open window for cyber criminals—offering them free access to your network, your resources and risking your online business availability.

Organizations must fortify their defenses against the rising tide of DNS DDoS attacks, ensuring a secure and seamless online experience for their users. Radware provides the industry a complete solution for protecting DNS critical infrastructure against today’s most advanced DNS DDoS attacks. Radware uses advanced behavioral-based detection and automatic real-time signatures to identify the DNS attacks and automatically stop it so that organizations can effectively safeguard their critical infrastructure, ensure uninterrupted service availability, and protect customer trust.

Pooja Gupta

Pooja Gupta is a Cloud Security Strategist in Radware's security group and works closely with public cloud providers as a cloud alliance lead. In addition, she works on positioning and messaging for Radware’s DDoS Protection Solutions. Prior to joining Radware, Pooja worked in Vodafone Idea's Enterprise Business Division as a National Sales Manager and at Mu Sigma, a data analytics firm, as a Data Scientist. She holds a Bachelor of Engineering degree in Electronics and Communication Engineering from Ramaiah Institute of Technology, Bangalore, and an MBA in Marketing from Symbiosis Institute of Business Management in Pune, India.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center