DNS Security: Defending the Domain Name System provides tactics on how to protect a Domain Name System (DNS) framework by exploring common DNS vulnerabilities.
A DNS amplification attack is a type of distributed denial-of-service (DDoS) attack in which the attacker, using spoofed DNS lookup requests, floods a target with so much DNS traffic that it consumes the available network bandwidth until the site fails.
To launch a DNS amplification attack, the attacker performs two tasks. First, the attacker spoofs the source IP address of its DNS queries, setting it to the victim's IP address; every DNS reply is then delivered to the victim rather than to the sender. Second, the attacker finds an Internet domain that is registered with a large number of DNS records. During the attack, the attacker sends DNS queries that request the entire list of records for that domain, which produces replies so large that they usually have to be split over several packets. Using very few computers, the attacker sends a high rate of these short queries to many DNS servers. Each server looks up the answer and returns it, but because the source address was spoofed to the victim's address, every reply lands on the victim's network. This is the amplification effect: for each short DNS query the attacker sends, the DNS servers return a much larger response, sometimes up to 100 times larger.
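The traffic pattern described above has a simple defensive signature: a host receives DNS responses for queries it never sent, and those responses are many times larger than a query. The following script is an added example, not part of the original article, that runs that check over a few constructed flow records (a query/response flag, addresses, ports and payload size per packet, as a NetFlow or packet-capture summary would provide). The addresses, the 2-second matching window and the assumed 60-byte query size are assumptions chosen for illustration.

```python
"""Flag DNS reflection/amplification traffic in constructed flow records.

Each Flow is one UDP/53 datagram summary. qr is 'Q' for a query and 'R'
for a response. The sample data below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    qr: str        # 'Q' query or 'R' response
    rrtype: str    # record type asked for / answered
    size: int      # UDP payload bytes


# Constructed sample (documentation-range addresses):
#   203.0.113.20  normal client that sends a query and gets a reply
#   203.0.113.10  host whose address is being spoofed (the target)
#   192.0.2.53, 198.51.100.53  resolvers being used as reflectors
SAMPLE = [
    Flow(0.00, "203.0.113.20", 40001, "192.0.2.53", 53, "Q", "A", 45),
    Flow(0.01, "192.0.2.53", 53, "203.0.113.20", 40001, "R", "A", 120),
    # Large responses arriving at 203.0.113.10 with no matching outbound query
    Flow(0.02, "192.0.2.53", 53, "203.0.113.10", 53, "R", "ANY", 3200),
    Flow(0.03, "198.51.100.53", 53, "203.0.113.10", 53, "R", "ANY", 3400),
    Flow(0.04, "192.0.2.53", 53, "203.0.113.10", 53, "R", "ANY", 3300),
]


def unsolicited_responses(flows, window=2.0):
    """Return responses for which the destination sent no matching query.

    A response matches a query when (client, client port, server) agree and
    the query was seen at most `window` seconds earlier (assumed value).
    """
    seen_queries = defaultdict(list)   # (client, cport, server) -> [ts, ...]
    suspect = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.qr == "Q":
            seen_queries[(f.src, f.sport, f.dst)].append(f.ts)
            continue
        key = (f.dst, f.dport, f.src)
        recent = [t for t in seen_queries.get(key, []) if f.ts - t <= window]
        if not recent:
            suspect.append(f)
    return suspect


def reflection_report(flows, min_responses=3, query_size=60):
    """Group unsolicited responses by target and estimate the amplification.

    query_size is an assumption (a short query with EDNS0 is on the order of
    60 bytes); the factor is response bytes divided by the bytes the attacker
    would have had to send to provoke them.
    """
    by_target = defaultdict(lambda: {"count": 0, "bytes": 0, "reflectors": set()})
    for f in unsolicited_responses(flows):
        entry = by_target[f.dst]
        entry["count"] += 1
        entry["bytes"] += f.size
        entry["reflectors"].add(f.src)

    report = {}
    for target, e in by_target.items():
        if e["count"] >= min_responses:
            report[target] = {
                "responses": e["count"],
                "bytes": e["bytes"],
                "reflectors": sorted(e["reflectors"]),
                "amplification": round(e["bytes"] / (e["count"] * query_size), 1),
            }
    return report


if __name__ == "__main__":
    for target, info in reflection_report(SAMPLE).items():
        print(f"{target}: {info['responses']} unsolicited responses, "
              f"{info['bytes']} bytes, ~{info['amplification']}x amplification "
              f"via {', '.join(info['reflectors'])}")
```

On the sample the normal client's exchange is matched and ignored, while the three ANY responses to 203.0.113.10 are reported as unsolicited with an estimated amplification of about 55x. In production the same logic would run over a flow export; the reflector list tells you which resolvers to contact (or which of your own to lock down), and the byte total tells you how much bandwidth is being consumed.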
While the only way to fully eliminate the use of recursive resolvers in this type of attack is to eliminate unsecured (open) recursive resolvers, doing so requires an extensive effort by many parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack. Several techniques are nevertheless available to reduce the overall effectiveness of such attacks on the Internet community as a whole. Where possible, configuration links have been provided to assist administrators with making the recommended changes. The configuration information is limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers on federal networks. If you are running a different DNS server, consult your vendor’s documentation for configuration details.
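For the BIND9 side of the recommendations, the setting that turns a server into a usable reflector is unrestricted recursion. The script below is an added example, not part of the original article or of the BIND project, that audits the `options` block of a named.conf for the relevant directives (`recursion`, `allow-recursion`, `allow-query-cache` and the `rate-limit` block, all real BIND9 options) and shows an open-resolver configuration beside two hardened ones. The three configuration texts are constructed for illustration; the parser is deliberately minimal and assumes a single top-level `options { ... }` block.

```python
"""Audit a BIND9 named.conf options block for open-resolver settings.

The sample configurations are constructed for this example. The directives
checked (recursion, allow-recursion, allow-query-cache, rate-limit) are
standard BIND9 options; the parser itself is a minimal illustration.
"""
import re

OPEN_ACL = {"any", "0.0.0.0/0", "::/0"}

# Constructed: answers recursive queries for the whole Internet, no rate limit
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // anyone may use this server as a resolver
};
"""

# Constructed: a resolver that serves only its own networks and rate-limits
HARDENED_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; localnets; };
    allow-query-cache { localhost; localnets; };
    rate-limit { responses-per-second 5; };
};
"""

# Constructed: an authoritative-only server; recursion switched off entirely
AUTHORITATIVE_ONLY = """
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    rate-limit { responses-per-second 5; };
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def extract_options(conf):
    """Return the text inside the top-level options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    start = i
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    return conf[start:i - 1]


def recursion_setting(body):
    """Value of `recursion yes|no;`. BIND's default when unset is yes."""
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body, re.I)
    return m.group(1).lower() if m else "yes"


def acl(body, name):
    """Entries of `name { a; b; };` as a set, or None when not present."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return {e.strip() for e in m.group(1).split(";") if e.strip()}


def audit(conf):
    """Return a list of findings; an empty list means nothing flagged."""
    body = extract_options(strip_comments(conf))
    findings = []
    if recursion_setting(body) == "yes":
        allow = acl(body, "allow-recursion")
        if allow is None:
            findings.append("recursion enabled without allow-recursion "
                            "(BIND 9.5+ defaults to localhost/localnets; "
                            "older releases answer everyone)")
        elif allow & OPEN_ACL:
            findings.append("allow-recursion includes any: open resolver")
        cache = acl(body, "allow-query-cache")
        if cache and cache & OPEN_ACL:
            findings.append("allow-query-cache includes any: cached answers "
                            "served to the whole Internet")
    if not re.search(r"\brate-limit\s*\{", body):
        findings.append("no rate-limit block: consider response rate limiting")
    return findings


if __name__ == "__main__":
    for label, conf in [("weak", WEAK_CONF), ("resolver", HARDENED_RESOLVER),
                        ("authoritative", AUTHORITATIVE_ONLY)]:
        print(label, "->", audit(conf) or "no findings")
```

Run against the three samples, only the weak configuration produces findings (an open `allow-recursion` and no rate limiting). Restricting recursion to `localhost; localnets;` keeps the server useful to its own clients while denying reflection from outside, and `recursion no;` is the right choice for a server that only needs to answer for the zones it hosts. Response rate limiting does not stop the spoofed queries arriving, but it caps how many identical large answers the server will send toward one apparent source, which blunts the amplification.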