Was NATO Hit by a DNS Attack?

The latest developments in the Russia-Ukraine cyberwar have garnered huge media attention. It was also recently revealed that the cyber attacks on NATO websites and infrastructure have been linked to those same tensions. The attacks, which targeted NATO and also Ukrainian media websites, were distributed denial-of-service (DDoS) attacks, allegedly carried out by the pro-Russia group Cyber Berkut (KiberBerkut).

While there is not 100% certainty on the tools and attack vectors used, strong indicators suggest that the attackers used DNS Amplification and/or NTP Amplification for this attack. 

A Deeper Look into DNS Amplification Attacks

DNS Amplification attacks can have devastating impacts and Reflective DNS floods are a part of a wider set of these DNS-based attacks.  They are very dangerous and are also a favorite among attackers. Asymmetric in nature, a DNS flood generates a massive network flood using limited resources and IP spoofing.  This can make it very difficult to track.

What are the Mechanics of a Reflective DNS Attack?

The attacker sends DNS requests to third-party servers, using a spoofed source IP of the target victim server. The replies sent by the third-party servers generate an attack on the victim, with responses that are amplified 3-100 times compared to the request.

Reflective floods use a two-step process to launch an attack:

  1. First, a large number of requests are sent to one or more DNS servers. The requests use a spoofed source IP of the target victim.

  2. Next, the DNS server receiving the requests replies to the spoofed IP, and unknowingly launches an attack on the target victim by responding to requests that the victim never sent. The target victim, whose resources are exhausted, need not be a DNS server; it can be any server at all.

Another contributor to the destructiveness is message amplification.

Message amplification is when an attacker sends a small number of short requests that cause the DNS server to send greatly amplified replies, which also exhausts the victim server's resources.

This can be best illustrated by a simple equation:

Assume an attacker with a 5Mbps internet connection can send about 14k requests of 44 bytes each per second. A request stream this small (14k RPS at 5Mbps) would not cause harm to any normal DNS server.

However, if the attacker has a crafted reply with the maximum size of 4096 bytes, the victim server will receive ~465 Mb of traffic beyond its normal traffic bandwidth.  

Only three such attackers are needed to reach a 1.4Gbps attack throughput. This will cause almost any service to immediately reach a denial of service state.

How Can You Protect Yourself from these Attacks?

The mechanics of Reflective DNS Attacks require that you defend yourself both from being an attack victim and from being an unwitting assistant to attackers.

Here are some protection guidelines:


Any organization with internet access can be a target for DDoS attacks.  The most fundamental element of a protection plan should be constant network monitoring.
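One monitoring check that follows from the mechanics above is to flag DNS responses that match no query the network sent, since a reflection victim receives replies to requests it never made. The following is an added example, not code from the original article; the event format, the byte threshold and all addresses are constructed assumptions.

```python
import struct
from collections import Counter

def dns_header(payload):
    """Return (txid, is_response) from the 12-byte DNS header, or None if truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means "response"

def find_unsolicited(events, threshold_bytes=3000):
    """events: iterable of (direction, remote_ip, udp_payload), direction 'out' or 'in'.
    Returns {remote_ip: bytes} for servers whose unsolicited response volume
    reaches threshold_bytes (the threshold is an assumed, tunable value)."""
    pending = set()          # (server_ip, txid) of queries we really sent
    unsolicited = Counter()  # bytes of responses with no matching query
    for direction, remote, payload in events:
        hdr = dns_header(payload)
        if hdr is None:
            continue
        txid, is_resp = hdr
        if direction == "out" and not is_resp:
            pending.add((remote, txid))
        elif direction == "in" and is_resp:
            if (remote, txid) in pending:
                pending.discard((remote, txid))  # legitimate answer
            else:
                unsolicited[remote] += len(payload)
    return {ip: n for ip, n in unsolicited.items() if n >= threshold_bytes}

def make_msg(txid, response, size):
    """Constructed DNS message: valid header, zero padding up to `size` bytes."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\0")

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("out", "198.51.100.53", make_msg(0x1A2B, False, 44)),  # our own query
    ("in", "198.51.100.53", make_msg(0x1A2B, True, 120)),   # its answer
    ("in", "203.0.113.7", make_msg(0x0001, True, 4096)),    # never requested
    ("in", "203.0.113.7", make_msg(0x0002, True, 4096)),    # never requested
    ("in", "192.0.2.10", make_msg(0x0003, True, 512)),      # stray, below threshold
]

if __name__ == "__main__":
    print(find_unsolicited(SAMPLE))
```

A production version would also expire pending queries after a timeout so the set does not grow without bound.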

Configure your DNS Server

To prevent your DNS server from being used for an attack, make sure you do not run an open DNS service. Another precaution is to rate limit responses from any single authoritative name server. Determine the baseline of how many responses you usually get and set a limit that drops responses when the rate is above this baseline.
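The baseline-and-drop rule above can be modelled as a token bucket per client network. This is an added example, not code from the original article or from any DNS server product; the /24 grouping, the rate of 5 responses per second and the traffic are constructed assumptions.

```python
import ipaddress

class ResponseRateLimiter:
    """Token bucket per client prefix: at most `rate` responses/second, burst `burst`."""

    def __init__(self, rate, burst, prefix_len=24):
        self.rate, self.burst, self.prefix_len = rate, burst, prefix_len
        self.buckets = {}  # network -> (tokens, last_timestamp)

    def allow(self, client_ip, now):
        # Group by prefix so a spoofed victim network shares one budget.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        tokens, last = self.buckets.get(net, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[net] = (tokens - 1, now)
            return True   # send the response
        self.buckets[net] = (tokens, now)
        return False      # above baseline: drop instead of reflecting

def simulate(limiter, queries):
    """queries: (timestamp_seconds, claimed_source_ip). Returns {ip: [sent, dropped]}."""
    stats = {}
    for ts, ip in queries:
        counts = stats.setdefault(ip, [0, 0])
        counts[0 if limiter.allow(ip, ts) else 1] += 1
    return stats

# Constructed traffic: 1000 queries in one second claiming to come from the
# victim, plus a normal client asking once every half second.
FLOOD = [(i / 1000, "203.0.113.7") for i in range(1000)]
NORMAL = [(i * 0.5, "198.51.100.20") for i in range(4)]

def demo():
    limiter = ResponseRateLimiter(rate=5, burst=5)  # assumed baseline
    return simulate(limiter, sorted(FLOOD + NORMAL))

if __name__ == "__main__":
    print(demo())
```

With these numbers the server reflects 9 responses toward the spoofed address instead of 1000, while the normal client is unaffected.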

Protect your Pipeline

The above protection methods are all important, but they will not prevent the saturation of your network pipe in the case of a massive attack.  Make sure you have the option to divert traffic to an MSSP or another entity offering such services.  In the case of a pipe-saturation attack, your on-premises equipment will have no way of mitigating the attack by itself.

Source IP Validation

Finally, the real solution to IP spoofing is source IP validation.  Note:  This should be handled by backbone providers, rather than individual organizations.


Werner Thalmeier

As a Solution Evangelist, Werner Thalmeier is responsible for driving Security Product Strategy for Radware in the EMEA region. Before joining our team, he headed the global product management team at M86 Security as VP of Product Management and was also previously VP of Product Management at Finjan. An active member of IT industry for over 20 years, Werner has gained extensive field experience working with vendors, customers, technology partners and resellers in various management and engineering positions.
