What Is A DNS Amplification DDoS Attack? Table of Contents What Is A DNS Amplification Attack? How Does A DNS Amplification Attack Work? How Can A DNS Amplification Attack Be Mitigated? What Is A DNS Amplification Attack? Domain Name System (DNS) are the directories used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com) In a DNS amplification attack, an attacker uses IP address spoofing to launch a reflected DNS attack against a target. How Does A DNS Amplification Attack Work? In a DNS amplification attack, the attacker sends altered source IP of the intended victim to the DNS resolvers. Each query to the open DNS resolvers is legitimate and small in nature, however they have altered source IP address of the intended target victim. The queries to the open DNS resolvers are structured in a way to maximize the response size from the DNS resolvers. This results in DNS resolvers sending large responses to the intended target IP. Many such queries to as many open DNS resolvers can amplify responses to the target IP address. This can be amplified manyfold by using a distributed botnet. How Can A DNS Amplification Attack Be Mitigated? For the DNS amplification attack to work, attackers need access to open DNS resolvers. Since the objective is to amplify DNS resolver responses to the intended target IP address of the victim, the mitigation should include specific measures that reduce the availability of open DNS resolvers that only respond to request from trusted sources and source IP addresses should be verified. IPS and IDS can perform packet filtering for both incoming (ingress) and outgoing (egress) packets into and from a secure network. This is done by separating the network into a secure and unsecure zone. This can prevent attacks from within the secure network to outside address as well as prevent outside attacker spoofing the address of machine within a secure zone. Verifying IP addresses can also mitigate flooding a target IP address. The target network may also implement volume and rate limits to prevent DDoS attack using DNS amplification. Newer approaches block attacks without impacting legitimate traffic by using machine-learning and behavioral-based algorithms to understand what constitutes legitimate behavior profile and then automatically block malicious attacks. This increases protection accuracy while minimizing false positives. Related Articles What Is a Web DDoS Tsunami Attack? A Web DDoS Tsunami attack is an evolved type of HTTP DDoS Flood cyberattack that is sophisticated, aggressive and very difficult to detect and mitigate without blocking legitimate traffic. Ping of Death A Ping of Death (PoD) attack is a form of DDoS attack in which an attacker sends the recipient device simple ping requests as fragmented IP packets that are oversized or malformed. IP Spoofing Spoofing refers to altering an address to impersonate someone else. The spoofing may be used to launch DDoS attacks in Internet Protocol (IP), Address Resolution Protocol (ARP) and in the Domain Name System (DNS). DNS Flood Attack (DNS Flooding) Domain Name System (DNS) are the directories used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com) Radware product links Cloud DDoS Protection Service On-Premise DDoS Protection