What is a DNS Amplification Attack?

A DNS amplification attack is a distributed denial-of-service technique that weaponizes the size difference between a small DNS query and a large DNS response. By spoofing the victim's address and bouncing requests off open resolvers, an attacker turns a modest amount of bandwidth into a flood many times larger, overwhelming the target.

What is a DNS amplification attack?

A DNS amplification attack is a reflection-based distributed denial-of-service (DDoS) attack that exploits the way DNS answers can be far larger than the questions that prompt them. Rather than attacking a target directly, the attacker bounces traffic off third-party DNS servers, using a small amount of outbound bandwidth to generate a much larger flood aimed at the victim.

How a DNS amplification attack works

  1. Spoof the source — the attacker sends DNS queries but forges the source IP address so it appears to come from the victim.
  2. Ask a small question — the query is crafted to elicit a large reply, for example a request for all records of a domain, which can be dozens of times bigger than the query.
  3. Reflect off resolvers — open resolvers that answer anyone receive the spoofed query and dutifully send the big response to the victim instead of the attacker.
  4. Multiply across many servers — by spreading spoofed queries across thousands of resolvers, the combined responses saturate the victim's bandwidth.

Each DNS resolver involved acts as an unwitting reflector and amplifier, which is why the attack scales so effectively.

Why DNS is abused for amplification

  • UDP is easy to spoof — most DNS traffic uses UDP, which has no handshake, so a forged source address is trivial to set.
  • Large amplification factor — a few dozen bytes of query can return a response many times its size, giving attackers significant leverage.
  • Plenty of open resolvers — misconfigured servers that answer queries from anyone provide an abundant supply of reflectors.
  • Weak source filtering — networks that do not validate the source address of outbound packets let spoofed traffic onto the internet.

The impact of an amplification DDoS

  • Saturated bandwidth — the victim's network link is flooded, making services unreachable for legitimate users.
  • Collateral damage — shared infrastructure and neighboring services can be knocked offline alongside the intended target.
  • Resource strain on reflectors — the abused resolvers also bear extra load, degrading service for their own users.

How to mitigate DNS amplification

  • Do not run open resolvers — restrict recursive resolvers so they answer only your own networks, removing them as reflectors.
  • Apply response rate limiting — rate limiting on authoritative servers caps identical responses and blunts their usefulness as amplifiers.
  • Filter spoofed source addresses — implement BCP38 ingress filtering so packets with forged source IPs cannot leave your network.
  • Use upstream DDoS protection — scrubbing services and anycast capacity absorb large floods before they reach origin infrastructure.
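Reflection traffic has a recognisable shape at the victim's edge: large DNS responses arriving from many unrelated resolvers, with no matching outbound queries from the host receiving them. The following Python is added here as a detection example and is not code from the original page; it runs that check over constructed flow records, and the 10.0.0.0/8 monitored prefix, the field layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records, not captured from a real network.
# Each tuple is (src_ip, src_port, dst_ip, dst_port, byte_count).
SAMPLE_FLOWS = [
    # Normal client 10.0.0.5: small queries out, modest answers back.
    ("10.0.0.5", 51000, "192.0.2.53", 53, 60),
    ("192.0.2.53", 53, "10.0.0.5", 51000, 180),
    ("10.0.0.5", 51001, "192.0.2.53", 53, 58),
    ("192.0.2.53", 53, "10.0.0.5", 51001, 200),
    # Host 10.0.0.7 sent no DNS queries at all, yet large answers arrive
    # from several different external resolvers: the reflection signature.
    ("198.51.100.10", 53, "10.0.0.7", 33000, 3000),
    ("198.51.100.11", 53, "10.0.0.7", 33000, 3200),
    ("203.0.113.20", 53, "10.0.0.7", 33000, 2900),
    ("203.0.113.21", 53, "10.0.0.7", 33000, 3100),
    ("192.0.2.30", 53, "10.0.0.7", 33000, 3050),
]


def is_internal(ip):
    """Assumed monitored network: everything in 10.0.0.0/8."""
    return ip.startswith("10.")


def detect_reflection(flows, min_ratio=10.0, min_reflectors=3):
    """Return {victim_ip: (response_bytes, query_bytes, reflector_count)} for
    internal hosts whose inbound DNS-response volume dwarfs what they asked for
    and that are being answered by many distinct external resolvers."""
    resp_bytes = defaultdict(int)   # inbound bytes from UDP/53 per internal host
    query_bytes = defaultdict(int)  # outbound bytes to UDP/53 per internal host
    reflectors = defaultdict(set)   # distinct external sources per internal host
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53 and is_internal(src):
            query_bytes[src] += nbytes
        elif sport == 53 and is_internal(dst) and not is_internal(src):
            resp_bytes[dst] += nbytes
            reflectors[dst].add(src)
    flagged = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / max(qb, 1)  # avoid division by zero for hosts that never queried
        if ratio >= min_ratio and len(reflectors[host]) >= min_reflectors:
            flagged[host] = (rb, qb, len(reflectors[host]))
    return flagged


if __name__ == "__main__":
    for host, stats in detect_reflection(SAMPLE_FLOWS).items():
        print(host, "response_bytes=%d query_bytes=%d reflectors=%d" % stats)
```

In production the same ratio and distinct-source counts would be computed per time window from NetFlow/IPFIX or firewall logs, and a flagged host is a cue to engage upstream scrubbing rather than to drop port 53 wholesale.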
