DNS Amplification Attack – Unlike DNS floods, DNS amplification attacks are asymmetrical DDoS attacks in which the attacker sends small look-up queries whose source IP address is spoofed to be the target's, making the target the recipient of much larger DNS responses. The attacker's goal is to saturate the victim's network by continuously exhausting its bandwidth capacity. No software flaw in the DNS server is needed: the attack abuses open resolvers that answer queries from any source, together with networks that forward packets without validating their source address, to turn very small queries into much larger responses aimed at the victim. This, in turn, brings the victim's servers down.
The reflection is achieved by eliciting a response from a DNS resolver to a spoofed IP address. During the attack, the perpetrator sends a DNS query with a forged source address to an open DNS resolver, prompting it to reply to that address with the DNS response. Because DNS normally runs over UDP, which has no handshake, nothing stops the resolver from answering a forged source. Because numerous forged queries are sent out, and because many resolvers reply concurrently, the victim's network is overwhelmed.
The attack is even more dangerous if the reflection is amplified. This can be accomplished, for example, by including an EDNS0 OPT record in the DNS request that advertises a large UDP payload size, so the resolver returns answers far beyond the classic 512-byte limit, or by setting the DNSSEC OK bit so that the response also carries the signature and key records of the DNS security extensions (DNSSEC), which increases the message size. Spoofed queries of type "ANY", which return all records the resolver holds for a name in a single response, can also be used. A DNS request message of some 60 bytes can in this way elicit a response message of over 4000 bytes to the target server, roughly a 70:1 amplification factor. This increases the volume of traffic the targeted server receives and accelerates the rate at which the server's resources are drained. DNS amplification attacks generally send the spoofed requests from one or more botnets, drastically increasing the volume of traffic directed at the targeted servers and making it much harder to track the perpetrator's activity.
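The following Python example is added here to make the reflection and amplification mechanics above concrete; it is not code from the original article. It builds the small query the attacker sends (a question of type ANY plus an EDNS0 OPT record advertising a 4096-byte buffer with the DNSSEC OK bit set, per RFC 1035 and RFC 6891), parses such a query back the way a resolver-side detector would, computes the on-wire amplification factor for a given response size, and runs two simple detectors over constructed sample data: one at the resolver that spots sources repeatedly sending ANY queries with large EDNS buffers, and one at the victim's network edge that spots a host receiving DNS responses from resolvers it never queried. The IP addresses are from documentation ranges, the thresholds (three queries, five resolvers) and the 28-byte IPv4/UDP overhead assumption are this example's own choices, and fragmentation overhead of large responses is ignored.

```python
import struct
from collections import Counter, defaultdict

IP_UDP_OVERHEAD = 28   # assumption: IPv4 header (20) + UDP header (8), no options
QTYPE_ANY = 255
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_ANY, edns_udp_size=4096, dnssec_ok=True):
    """Raw DNS query: 12-byte header, one question, one EDNS0 OPT record.

    The OPT record's class field carries the UDP payload size the sender claims
    it can receive, which is what lets a ~4 KB answer come back over UDP instead
    of being truncated at 512 bytes; its DO bit asks for DNSSEC signatures,
    which make the answer larger still.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = 0x8000 if dnssec_ok else 0  # ext-rcode=0, version=0, DO flag
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, opt_ttl, 0)
    return header + question + opt


def parse_query(msg):
    """Pull the fields a resolver-side detector needs out of a raw query.
    Handles uncompressed names and an OPT record in the additional section,
    which is all a query carries."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos]:
        ln = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + ln].decode())
        pos += 1 + ln
    pos += 1  # root label terminator
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    info = {"txid": txid, "qname": ".".join(labels), "qtype": qtype,
            "edns_udp_size": 512, "dnssec_ok": False}  # 512 = no-EDNS default
    for _ in range(ar):
        if msg[pos] != 0:      # OPT must have the root as its owner name
            break
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11 + rdlen
        if rtype == OPT_TYPE:
            info["edns_udp_size"] = rclass
            info["dnssec_ok"] = bool(rttl & 0x8000)
    return info


def amplification_factor(query_msg, response_payload_bytes):
    """Bytes the victim receives per byte the attacker sends, counted on the wire."""
    return (response_payload_bytes + IP_UDP_OVERHEAD) / (len(query_msg) + IP_UDP_OVERHEAD)


def flag_amplification_sources(queries, min_count=3):
    """queries: iterable of (source_ip, raw_query_bytes) as seen at a resolver.
    Flags sources repeatedly sending ANY with a large EDNS buffer. In an attack
    that 'source' is the spoofed victim, so the right reaction is to rate-limit
    or truncate answers to it (response rate limiting), not to treat it as the
    attacker."""
    hits = Counter()
    for src, msg in queries:
        q = parse_query(msg)
        if q["qtype"] == QTYPE_ANY and q["edns_udp_size"] >= 4096:
            hits[src] += 1
    return sorted(src for src, n in hits.items() if n >= min_count)


def flag_reflection_victims(flows, min_resolvers=5):
    """flows: dicts {src, dst, sport, dport} from the victim network's edge.
    A reflection target receives DNS responses (source port 53) from resolvers
    it never sent a query to."""
    asked, got = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["dport"] == 53:
            asked[f["src"]].add(f["dst"])
        elif f["sport"] == 53:
            got[f["dst"]].add(f["src"])
    return sorted(h for h, r in got.items() if len(r - asked[h]) >= min_resolvers)


if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "byte query;", round(amplification_factor(q, 4000), 1),
          ": 1 amplification for a 4000-byte answer")
```

Note that the resolver-side detector flags the spoofed address, which belongs to the victim rather than the attacker; this is why the standard operational response on a resolver is to rate-limit or slip-truncate answers to that address rather than to block it, and why the lasting fix is closing open resolvers and filtering spoofed source addresses at network ingress.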