What Is A DNS Amplification DDoS Attack?

What Is A DNS Amplification Attack?

  • The Domain Name System (DNS) is the directory used to resolve between machine-readable addresses of websites (such as 191.168.0.1:80) and human-readable names (e.g. radware.com).
  • In a DNS amplification attack, an attacker uses IP address spoofing to launch a reflected DNS attack against a target.

How Does A DNS Amplification Attack Work?

  • In a DNS amplification attack, the attacker sends queries to DNS resolvers with the source IP address altered to that of the intended victim.
  • Each query to the open DNS resolvers is legitimate and small in nature; however, each carries the altered source IP address of the intended target victim.
  • The queries to the open DNS resolvers are structured in a way that maximizes the response size from the DNS resolvers.
  • This results in the DNS resolvers sending large responses to the intended target IP address. Many such queries to as many open DNS resolvers amplify the volume of responses delivered to the target IP address.
  • This can be amplified manyfold by issuing the queries from a distributed botnet.

How Can A DNS Amplification Attack Be Mitigated?

  • For the DNS amplification attack to work, attackers need access to open DNS resolvers. Since the objective is to amplify DNS resolver responses toward the intended target IP address of the victim, mitigation should include specific measures that reduce the availability of open DNS resolvers: resolvers should respond only to requests from trusted sources, and source IP addresses should be verified.
  • IPS and IDS can perform packet filtering for both incoming (ingress) and outgoing (egress) packets into and out of a secure network. This is done by separating the network into a secure and an unsecure zone. This can prevent attacks from within the secure network against outside addresses, as well as prevent an outside attacker from spoofing the address of a machine within the secure zone.
  • Verifying source IP addresses can also mitigate flooding of a target IP address.
  • The target network may also implement volume and rate limits to prevent a DDoS attack using DNS amplification. Newer approaches block attacks without impacting legitimate traffic by using machine-learning and behavioral-based algorithms to learn what constitutes a legitimate behavior profile and then automatically block malicious attacks. This increases protection accuracy while minimizing false positives.
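As an added example that is not part of the original page, the Python below applies the reflection signature described above (large responses from port 53 arriving at a host that sent almost no queries) to constructed flow records, flags the target, and ranks the resolvers sending to it, which is the input a per-source rate limit or temporary filter would act on. The Flow records, IP addresses and thresholds are assumptions for the example, not Radware's product logic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed UDP/53 datagram (constructed sample data, not a real capture)."""
    ts: float    # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    size: int    # bytes on the wire


def detect_amplification(flows, min_ratio=10.0, min_bytes=5000):
    """Return {victim: (inbound_bytes, query_bytes, ratio)} for hosts that receive far
    more DNS response bytes than they sent as queries in this capture interval.
    Datagrams with dport==53 leaving a host are queries; sport==53 arriving are responses."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.sport == 53:
            inbound[f.dst] += f.size
        if f.dport == 53:
            outbound[f.src] += f.size
    flagged = {}
    for host, rx in inbound.items():
        tx = outbound.get(host, 0)
        ratio = rx / tx if tx else float("inf")   # no queries at all: pure reflection
        if rx >= min_bytes and ratio >= min_ratio:
            flagged[host] = (rx, tx, ratio)
    return flagged


def reflector_byte_counts(flows, victim):
    """Bytes of DNS responses each source sent to the victim, largest first; a
    per-source volume or rate limit would be applied to the top entries."""
    counts = defaultdict(int)
    for f in flows:
        if f.sport == 53 and f.dst == victim:
            counts[f.src] += f.size
    return sorted(counts.items(), key=lambda kv: -kv[1])


def sample_flows():
    """Constructed traffic: 203.0.113.10 is the victim, 203.0.113.20 a normal client."""
    v = "203.0.113.10"
    flows = [Flow(0.00, v, "198.51.100.5", 40000, 53, 60),            # legitimate query
             Flow(0.01, "198.51.100.5", v, 53, 40000, 200),           # its answer
             Flow(0.05, "203.0.113.20", "198.51.100.5", 40001, 53, 70),
             Flow(0.06, "198.51.100.5", "203.0.113.20", 53, 40001, 300)]
    for i, r in enumerate(("192.0.2.1", "192.0.2.2", "192.0.2.3")):  # unsolicited responses
        flows.append(Flow(0.1 + i * 0.01, r, v, 53, 12345, 3000))
    return flows
```

Run on a real capture, the thresholds should be tuned against the host's normal query-to-response byte ratio rather than left at these constructed values.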
