DNS Amplification Attack

DNS amplification attack is a sophisticated denial of service attack that takes advantage of DNS servers' behavior in order to amplify the attack. In order to launch a DNS amplification attack, the attacker performs two malicious tasks. First, the attacker spoofs the IP address of the DNS resolver and replaces it with the victim's IP address. This will cause all DNS replies from the DNS servers to be sent to the victim's servers.

Second, the attacker finds an Internet domain that is registered with many DNS records. During the attack, the attacker sends DNS queries that request the entire list of DNS records for that domain. This results in large replies from the DNS servers, usually so big that they need to be split over several packets.

Using very few computers, the attacker sends a high rate of short DNS queries to the multiple DNS servers asking for the entire list of DNS records for the Internet domain it chose earlier. The DNS servers look for the answer and provide it to the DNS resolver. However, because the attacker spoofed the IP address of the DNS resolver and set it to be the IP address of the victim, all the DNS replies from the servers are sent to the victim.

The attacker achieves an amplification effect because for each short DNS query it sends, the DNS servers reply with a larger response, sometimes up to 100 times larger. Therefore, if the attacker generates 3 Mbps of DNS queries, it is actually amplified to 300Mbps of attack traffic on the victim.

The victim is bombed with a high rate of large DNS replies where each reply is split over several packets. This requires the victim to reassemble the packet, which is a resource consuming task, and to attend to all of the attack traffic. Soon enough, the victim's servers become so busy handling the attack traffic that they cannot service any other request from legitimate users and the attacker achieves a denial-of-service.

DDoSPedia Index