DNS amplification attacks exploit a simple truth: DNS servers are helpful. Send them a small question, they'll send back a detailed answer. Now imagine you could make them send that answer to someone else—someone who never asked.
That's the attack. And it turns the Internet's infrastructure into a weapon against itself.
The Mechanics
Here's how it works:
- An attacker sends a DNS query to an open DNS server. The query is small—maybe 60 bytes.
- The attacker crafts the query to request something large: all DNS records for a domain, especially one with DNSSEC signatures. The response might be 3,000 bytes.
- The attacker spoofs the source IP address, replacing their real address with the victim's.
- The DNS server, doing its job perfectly, sends the large response to the address in the query—the victim.
The attacker sent 60 bytes. The victim received 3,000. That's 50:1 amplification.
Now multiply by thousands of DNS servers, all receiving spoofed queries simultaneously. A modest botnet sending 1 Gbps of queries becomes a 50 Gbps flood aimed at the victim.
The DNS servers aren't malfunctioning. They're doing exactly what they're supposed to do. That's the problem.
The Postcard Analogy
Imagine you could write someone else's address as the return address on a postcard, then drop postcards into mailboxes across the city, each one requesting a thick catalog be mailed back.
The postal service delivers faithfully. The catalogs arrive at the victim's door—hundreds of them, then thousands. The victim is buried in mail they never requested, from senders who think they're being helpful.
The system works exactly as designed. And that's what makes it exploitable.
Why DNS Is Vulnerable
DNS has several properties that make it effective for amplification:
UDP is trusting. DNS typically uses UDP, which has no handshake, so the server cannot confirm that a query really came from the source address it carries before it answers.
Responses can be huge. DNSSEC signatures, TXT records, and multiple record types can inflate responses to 50x or 100x the query size.
Open resolvers exist everywhere. Many DNS servers respond to queries from anyone on the Internet—not just authorized clients. They're doing free work for strangers, and attackers exploit that generosity.
Amplification Factors
Not all DNS queries are equal:
- Simple A records: Minimal amplification (2-3x)
- DNSSEC-signed records: 50:1 or higher
- ANY queries: Historically 100:1+, though most servers now refuse them
- Large TXT records: Significant amplification if the attacker knows what to request
Attackers continuously probe for new query types that yield maximum amplification.
The Scale of Damage
A botnet of 1,000 machines, each sending 1 Mbps of traffic, would normally generate a 1 Gbps attack. With 50:1 amplification, the same botnet generates 50 Gbps—enough to overwhelm most organizations.
The largest DNS amplification attacks have exceeded 300 Gbps. At that scale, even major infrastructure buckles.
The Open Resolver Problem
Open recursive resolvers—DNS servers that answer queries from anyone—provide the ammunition for these attacks.
A properly configured resolver only responds to its own users. An open resolver responds to the entire Internet. It gains nothing from this generosity, but attackers gain a weapon.
The Internet community has made progress: awareness campaigns, secure-by-default configurations, ISPs identifying and closing open resolvers. But hundreds of thousands still exist.
Detection Patterns
For victims: Massive DNS response traffic arriving from many different servers. Large packets from port 53. No corresponding outbound queries.
For DNS operators: Unusual query volumes. Queries from strange geographic sources. Requests for high-amplification record types. Source IPs that never wait for responses (because they're spoofed).
For networks: Response-to-query ratios that don't make sense. Traffic patterns that suggest amplification abuse.
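The victim-side and network-side patterns above (large port-53 responses from many servers, no matching outbound queries, a response-to-query byte ratio that makes no sense) can be checked mechanically over flow records. The script below is an added example, not code from the article: it parses a constructed, five-field flow format (source, source port, destination, destination port, bytes), builds a per-host DNS profile for a local prefix, and flags hosts whose inbound DNS response volume is not explained by their own queries. The addresses, sizes and thresholds are all constructed for the example.

```python
"""Added example: spotting a DNS amplification victim in flow records.

Not the article's code. The flow format and addresses are constructed for
the example: each record is "src sport dst dport bytes" for one flow.
"""
import ipaddress
from collections import defaultdict

DNS_PORT = 53

# Constructed sample. 192.0.2.0/24 is "our" network. Host .10 receives large
# port-53 responses from several resolvers it never queried; host .20 sends a
# normal query and gets a normal-sized answer back.
SAMPLE_FLOWS = """
203.0.113.7    53    192.0.2.10  4411  3120
198.51.100.9   53    192.0.2.10  4412  2980
203.0.113.55   53    192.0.2.10  4413  3301
203.0.113.80   53    192.0.2.10  4414  3090
198.51.100.3   53    192.0.2.10  4415  3175
192.0.2.20  51515   203.0.113.7    53    62
203.0.113.7    53    192.0.2.20 51515   210
"""


def parse_flows(text):
    """Parse flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def dns_profile(flows, local_net):
    """Per local host: DNS query bytes sent, DNS response bytes received,
    and the set of distinct responders (sources sending from port 53)."""
    local = ipaddress.ip_network(local_net)
    prof = defaultdict(lambda: {"query_bytes": 0, "resp_bytes": 0, "responders": set()})
    for f in flows:
        if f["dport"] == DNS_PORT and ipaddress.ip_address(f["src"]) in local:
            prof[f["src"]]["query_bytes"] += f["bytes"]          # outbound query
        elif f["sport"] == DNS_PORT and ipaddress.ip_address(f["dst"]) in local:
            prof[f["dst"]]["resp_bytes"] += f["bytes"]           # inbound response
            prof[f["dst"]]["responders"].add(f["src"])
    return prof


def flag_victims(flows, local_net, min_responders=3, max_ratio=10.0):
    """Return {host: reason} for hosts whose inbound DNS response volume
    is not explained by their own outbound queries."""
    flagged = {}
    for host, p in dns_profile(flows, local_net).items():
        if p["resp_bytes"] == 0:
            continue
        if p["query_bytes"] == 0:
            # Responses with no query at all: the classic victim signature.
            flagged[host] = "unsolicited DNS responses from %d servers" % len(p["responders"])
            continue
        ratio = p["resp_bytes"] / p["query_bytes"]
        if ratio > max_ratio and len(p["responders"]) >= min_responders:
            flagged[host] = "response/query byte ratio %.0f:1 from %d servers" % (
                ratio, len(p["responders"]))
    return flagged


if __name__ == "__main__":
    for host, why in flag_victims(parse_flows(SAMPLE_FLOWS), "192.0.2.0/24").items():
        print(host, "->", why)
```

The ratio threshold is deliberately separate from the "no queries at all" case: a host that does make queries but receives ten times the bytes from three or more servers is still worth a look, while a single resolver returning a DNSSEC-signed answer to a real query should not trip the check.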
Defense Strategies
For Potential Victims
- Upstream filtering: Work with ISPs or DDoS protection services to filter attack traffic before it reaches you
- Over-provisioning: More bandwidth provides absorption capacity
- DDoS mitigation services: Expert filtering and massive capacity
For DNS Operators
- Disable open recursion: Only respond to authorized clients
- Response Rate Limiting (RRL): When a server sees many identical queries from one source—characteristic of amplification attacks—RRL drops responses. Legitimate users rarely trigger this.
- Refuse ANY queries: Remove a major amplification vector
- Monitor for abuse: Know when your server is being weaponized
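To make the Response Rate Limiting bullet concrete, here is an added example (not the article's code and not BIND's or NSD's implementation) that models the idea: count responses per second for each (client prefix, question) pair, and once a threshold is exceeded drop most of the excess while "slipping" every Nth one as a truncated reply. A truncated reply is tiny, so a spoofed victim gets little, while a real client that hit the limit simply retries over TCP. The packet sizes, the 20-query burst and the client addresses are constructed for the example.

```python
"""Added example: a simplified model of Response Rate Limiting (RRL).

Not a real server's code. It models the mechanism: per (client /24, qname,
qtype), allow N responses per second; beyond that, drop the excess except
that every `slip`-th one is answered with a small truncated (TC=1) reply.
"""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip                 # every slip-th excess response is truncated
        self.prefix_len = prefix_len     # limit per client prefix, not per single IP
        self.buckets = {}                # key -> (second, responses counted)
        self.excess = Counter()          # key -> excess responses seen so far

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        key = self._key(client_ip, qname, qtype)
        second = int(now)
        sec, count = self.buckets.get(key, (second, 0))
        if sec != second:                # a new one-second window starts
            sec, count = second, 0
        count += 1
        self.buckets[key] = (sec, count)
        if count <= self.rps:
            return "send"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"            # TC=1, ~query-sized; real clients retry over TCP
        return "drop"


# Constructed sizes matching the article's 60-byte query / 3,000-byte answer.
QUERY_BYTES, FULL_RESPONSE_BYTES, TRUNCATED_BYTES = 60, 3000, 60


def simulate():
    """Constructed traffic: 20 identical spoofed queries within one second from
    203.0.113.0/24, plus two ordinary queries from an unrelated client."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    outcome = {"attack": Counter(), "legit": Counter()}
    for i in range(20):
        outcome["attack"][rrl.decide(0.05 * i, "203.0.113.9", "example.com", "ANY")] += 1
    for t in (0.3, 0.7):
        outcome["legit"][rrl.decide(t, "198.51.100.20", "example.com", "A")] += 1
    sent = (outcome["attack"]["send"] * FULL_RESPONSE_BYTES
            + outcome["attack"]["truncate"] * TRUNCATED_BYTES)
    outcome["attack_bytes_without_rrl"] = 20 * FULL_RESPONSE_BYTES
    outcome["attack_bytes_with_rrl"] = sent
    return outcome


if __name__ == "__main__":
    r = simulate()
    print("attack decisions:", dict(r["attack"]))
    print("legit decisions: ", dict(r["legit"]))
    print("bytes toward the spoofed address: %d without RRL, %d with RRL"
          % (r["attack_bytes_without_rrl"], r["attack_bytes_with_rrl"]))
```

In the simulation the 20-query burst yields 5 full answers, 7 truncated replies and 8 drops, so the bytes sent toward the spoofed address fall from 60,000 to 15,420; the unrelated client is never touched because it has its own bucket. Keying on a /24 rather than a single address is what real RRL implementations do, since a spoofing attacker can vary the low bits of the victim address freely.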
For Network Providers
- Implement BCP 38: This is the big one
The Solution That Could End This
BCP 38 (Best Current Practice 38) describes source address validation: networks should block outbound packets with source IPs that don't belong to that network.
If every network implemented BCP 38, IP spoofing would become impossible. Amplification attacks would die. The postcard trick only works because the postal service doesn't verify return addresses.
But BCP 38 adoption is incomplete. Many networks—particularly in developing countries or with less sophisticated operators—don't implement source filtering. As long as attackers can find networks that allow spoofing, amplification attacks remain viable.
This is a collective action problem. The networks that don't implement BCP 38 aren't the ones suffering the attacks. The cost falls elsewhere.
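What BCP 38 asks of a network edge is small enough to show in full. The following is an added example, not the article's code and not a router configuration: a model of an egress filter for a network that legitimately originates two constructed prefixes (192.0.2.0/24 and 2001:db8:1::/48). A packet is forwarded only if its source address lies inside one of them, so the spoofed queries from the Mechanics section never leave the network they were sent from. All addresses and packets are constructed.

```python
"""Added example: BCP 38 source address validation at a network's edge.

Not the article's code. The edge forwards an outbound packet only when its
source address belongs to a prefix this network legitimately originates;
everything else, including packets spoofing a victim's address, is dropped.
"""
import ipaddress


class Bcp38EgressFilter:
    def __init__(self, own_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in own_prefixes]

    def permits(self, src_ip):
        """True if src_ip is inside a prefix this network is allowed to source."""
        try:
            ip = ipaddress.ip_address(src_ip)
        except ValueError:
            return False                 # unparsable source: never forward
        return any(ip in p for p in self.prefixes)

    def apply(self, packets):
        """Split outbound packets into (forwarded, dropped) lists."""
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.permits(pkt["src"]) else dropped).append(pkt)
        return forwarded, dropped


# Constructed outbound packets as seen at the edge. The two marked "spoofed"
# carry someone else's address (198.51.100.40) as source and are aimed at
# resolvers on port 53, the postcard trick from the article.
OUTBOUND = [
    {"src": "192.0.2.10",    "dst": "203.0.113.7",    "dport": 53, "note": "legit query"},
    {"src": "2001:db8:1::5", "dst": "2001:db8:9::53", "dport": 53, "note": "legit v6 query"},
    {"src": "198.51.100.40", "dst": "203.0.113.7",    "dport": 53, "note": "spoofed"},
    {"src": "198.51.100.40", "dst": "203.0.113.55",   "dport": 53, "note": "spoofed"},
    {"src": "10.0.0.9",      "dst": "203.0.113.7",    "dport": 53, "note": "leaked private src"},
]


def run():
    """Apply the filter to the constructed packets; return the source lists."""
    edge = Bcp38EgressFilter(["192.0.2.0/24", "2001:db8:1::/48"])
    forwarded, dropped = edge.apply(OUTBOUND)
    return [p["src"] for p in forwarded], [p["src"] for p in dropped]


if __name__ == "__main__":
    fwd, drp = run()
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

On real equipment this is an access list on the customer-facing interface or unicast reverse-path forwarding; the multihoming cases where a strict check would wrongly drop legitimate traffic are covered separately in BCP 84. The point the filter makes is the one the section makes: the check runs on the spoofer's network, which is why it has to be deployed by networks that are not themselves the victims.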
The Ongoing Battle
As defenses improve, attackers adapt:
- When DNS amplification becomes harder, they shift to other protocols (NTP, SSDP, memcached)
- They search for new DNS record types with high amplification
- They exploit newly discovered open resolvers before they're secured
This cat-and-mouse continues. DNS amplification remains a significant threat despite real progress.