What is a DNS amplification attack?
A DNS amplification attack is a reflection-based DDoS technique in which an attacker abuses open DNS resolvers (and, to a lesser degree, authoritative servers) to flood a victim with large response packets. The attacker sends small DNS queries (roughly 60 bytes on the wire) with the source IP address forged to the victim's. Each server answers with a much larger reply (1,000 to 4,000+ bytes) addressed to the forged source, which is the victim. Result: the victim receives 50 to 100 times the traffic the attacker had to send.
DNS amplification has been responsible for many of the largest DDoS attacks in history, with peaks exceeding 300 Gbps. The technique requires no compromised systems, just abuse of poorly-configured public DNS servers.
How DNS amplification works
- Attacker crafts a spoofed DNS query. The source IP is set to the victim's address, not the attacker's, and the question is chosen to produce a large answer: type ANY, a name with bulky TXT records, or a DNSSEC-signed name (whose answer carries RRSIG and DNSKEY records). The query usually advertises a large EDNS0 UDP buffer so the reply fits in a single datagram instead of being truncated.
- Query is sent to an open DNS resolver. This is a public recursive server that answers queries from any source rather than only from its own clients.
- Resolver responds to the victim. UDP has no handshake, so the server cannot tell that the source address was forged; it sends the large response to the spoofed address.
- Victim is flooded. Each response is tens of times larger than the query that triggered it.
- Repeat at scale. The attacker sends thousands of queries per second across many resolvers, so the victim sees large responses arriving from hundreds or thousands of servers it never queried.
Why amplification factor matters
| Query type | Query size | Response size | Amplification factor |
|---|---|---|---|
| Standard A record | ~60 bytes | ~80 bytes | 1.3x |
| ANY query | ~60 bytes | ~3,000 bytes | 50x |
| TXT on a DNSSEC-signed zone | ~60 bytes | ~4,000 bytes | 67x |
| Maximum (rare) | ~60 bytes | ~6,000 bytes | 100x |
An attacker with 1 Gbps of bandwidth can generate ~50-100 Gbps of attack traffic against a victim using amplification.
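To make the steps and the ratios above concrete, here is an added example (not code from the original page) that builds a DNS query and a TXT response in RFC 1035 wire format, computes the on-the-wire amplification factor including IP/UDP headers, and shows the truncation (TC=1) behaviour that caps the factor when the answer does not fit in the UDP buffer the client advertised or the server allows. The zone data (ten 250-character TXT records), the name example.com and the server-side UDP caps are constructed for illustration.

```python
import struct

IP_UDP_OVERHEAD = 28            # IPv4 header (20) + UDP header (8) per packet
QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
TYPE_OPT = 41
DEFAULT_UDP = 512               # pre-EDNS UDP payload limit from RFC 1035


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels terminated by a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def opt_record(udp_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(name: str, qtype: str, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """Query with RD set plus an OPT record. Advertising 4096 bytes is what lets a
    reflector return a multi-kilobyte answer in one UDP datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # class IN
    return header + question + opt_record(udp_size)


def question_section(query: bytes) -> bytes:
    """Slice the question out of a query: labels up to the zero byte, then QTYPE and QCLASS."""
    off = 12
    while query[off] != 0:
        off += 1 + query[off]
    return query[12:off + 1 + 4]


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the client advertised in its OPT record, or 512 if it sent none."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount and len(query) >= 11 and query[-11] == 0:
        rtype, size, _ttl, _rdlen = struct.unpack("!HHIH", query[-10:])
        if rtype == TYPE_OPT:
            return size
    return DEFAULT_UDP


def txt_rdata(text: str) -> bytes:
    """TXT rdata is a sequence of <length><chars> strings of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_response(query: bytes, txt_records: list, ttl: int = 300, server_max_udp: int = 4096) -> bytes:
    """Answer with the given TXT records, honouring the smaller of the client's advertised
    UDP size and the server's own cap. An answer that does not fit is sent truncated
    (TC=1, no answers): a real client retries over TCP, a reflector emits only 40 bytes."""
    txid = query[:2]
    question = question_section(query)
    limit = min(server_max_udp, advertised_udp_size(query))
    answers = b""
    for text in txt_records:
        rdata = txt_rdata(text)
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE["TXT"], 1, ttl, len(rdata)) + rdata
    flags = 0x8180   # QR=1, RD=1, RA=1, RCODE=NOERROR
    full = (txid + struct.pack("!HHHHH", flags, 1, len(txt_records), 0, 1)
            + question + answers + opt_record(server_max_udp))
    if len(full) <= limit:
        return full
    return txid + struct.pack("!HHHHH", flags | 0x0200, 1, 0, 0, 1) + question + opt_record(server_max_udp)


def amplification(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor on the wire (DNS payload plus IP/UDP headers)."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


def is_truncated(response: bytes) -> bool:
    return bool(response[2] & 0x02)   # TC is bit 9 of the flags word: 0x02 in the high byte


def demo() -> dict:
    # Constructed zone data: ten 250-character TXT records, the kind of bloat TXT/ANY queries harvest
    records = ["record%02d=" % i + "A" * 241 for i in range(10)]
    big_query = build_query("example.com", "TXT", udp_size=4096)
    small_query = build_query("example.com", "TXT", udp_size=512)
    full = build_response(big_query, records)
    client_capped = build_response(small_query, records)                      # client never asked for big UDP
    server_capped = build_response(big_query, records, server_max_udp=1232)   # operator capped UDP answers
    return {
        "query_bytes": len(big_query),
        "full_bytes": len(full),
        "full_factor": amplification(big_query, full),
        "client_capped_bytes": len(client_capped),
        "server_capped_truncated": is_truncated(server_capped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 40-byte query draws a 2,670-byte answer, roughly 40x on the wire once headers are counted; the same zone answered under a 512- or 1232-byte UDP cap comes back as a 40-byte truncated reply, i.e. no amplification at all, which is why capping UDP response size is one of the operator-side mitigations discussed later.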
Why open DNS resolvers exist (and shouldn't)
An "open resolver" is a recursive DNS server that answers queries from any source IP. This is rarely intentional; it is usually a default that was never changed. Properly configured DNS servers are one of:
- Authoritative servers, which answer only for the zones they host and refuse recursion. They still answer anyone for their own zones, so they can be used as reflectors too and need response rate limiting.
- Recursive resolvers for specific clients, which only respond to queries from the operator's own subscribers (ISPs) or internal network (corporate).
An open resolver is a recursive server that answers for anyone. They remain abundant on the internet (estimates run to millions) despite years of cleanup efforts.
Mitigation: defending against DNS amplification
For potential victims (any organization)
- Use a CDN/DDoS service. Cloudflare, Akamai and AWS Shield absorb amplification traffic at the edge with capacity far larger than any single victim could provision.
- Provision bandwidth headroom, but do not plan to absorb a large attack alone. Modern attacks regularly exceed 100 Gbps, beyond what most organizations can provision, which is why upstream scrubbing matters.
- Filter unsolicited DNS responses at the edge. Your upstream or your own border routers can drop UDP traffic from source port 53 destined for hosts that never send queries. If you run a resolver, exempt it, or you will break it.
- Monitor for sudden traffic spikes. Detecting the attack within minutes rather than hours is the difference between a brief blip and a major outage. The signature is a flood of large UDP packets from source port 53, arriving from many servers your hosts never queried.
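The monitoring point above can be turned into a simple flow-based detector. The following is an added example, not code from the original page or from any vendor: it scans flow records (NetFlow-style tuples) for internal hosts receiving a large volume of DNS responses (UDP from source port 53) in big packets from many distinct servers, while having sent few or no queries themselves. The defended prefix 203.0.113.0/24, the thresholds and the flow sample (documentation addresses, not captured traffic) are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumed: the address space we defend


def constructed_flows() -> list:
    """Constructed five-minute flow sample as (ts, src, sport, dst, dport, proto, packets, bytes).
    Addresses come from documentation ranges; none of this is real traffic."""
    flows = []
    # Victim 203.0.113.5: 30 distinct open resolvers each send 500 x 3 KB responses; it sent no queries
    for i in range(30):
        reflector = f"192.0.2.{i + 1}" if i < 15 else f"198.51.100.{i - 14}"
        flows.append((1700000000 + i, reflector, 53, "203.0.113.5", 40000 + i, "udp", 500, 1_500_000))
    # Workstation 203.0.113.20: 40 queries to its resolver and 40 small answers back
    flows.append((1700000010, "203.0.113.20", 51234, "192.0.2.53", 53, "udp", 40, 2_800))
    flows.append((1700000010, "192.0.2.53", 53, "203.0.113.20", 51234, "udp", 40, 6_000))
    # Internal resolver 203.0.113.2: busy but balanced, talking to many authoritative servers
    for i in range(40):
        auth = f"198.51.100.{100 + i}"
        flows.append((1700000020 + i, "203.0.113.2", 40000 + i, auth, 53, "udp", 50, 3_500))
        flows.append((1700000020 + i, auth, 53, "203.0.113.2", 40000 + i, "udp", 50, 10_000))
    return flows


def detect_reflection_victims(flows, min_bytes=1_000_000, min_sources=10,
                              min_avg_pkt=512, min_unsolicited_ratio=3.0) -> list:
    """Flag internal hosts that receive many large DNS responses from many servers
    without having sent a matching number of queries. A host doing real resolution
    sees roughly one response per query; a reflection victim sees thousands per zero."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "sources": set(), "out_pkts": 0})
    for _ts, src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport == 53 and ipaddress.ip_address(dst) in OUR_PREFIX:      # DNS response arriving
            host = stats[dst]
            host["in_pkts"] += pkts
            host["in_bytes"] += nbytes
            host["sources"].add(src)
        elif dport == 53 and ipaddress.ip_address(src) in OUR_PREFIX:    # DNS query leaving
            stats[src]["out_pkts"] += pkts
    alerts = []
    for host, s in stats.items():
        if s["in_pkts"] == 0:
            continue
        avg_pkt = s["in_bytes"] / s["in_pkts"]
        ratio = s["in_pkts"] / max(s["out_pkts"], 1)
        if (s["in_bytes"] >= min_bytes and len(s["sources"]) >= min_sources
                and avg_pkt >= min_avg_pkt and ratio >= min_unsolicited_ratio):
            alerts.append({"host": host, "in_bytes": s["in_bytes"], "sources": len(s["sources"]),
                           "avg_pkt": avg_pkt, "responses_per_query": ratio})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection_victims(constructed_flows()):
        print("possible DNS reflection victim:", alert)
```

The ratio check is what keeps the internal resolver out of the alert list: it receives responses from 40 servers too, but one per query and in small packets. In production the thresholds would be tuned per window size, and the same logic can be fed from router NetFlow/IPFIX or from a firewall's connection log.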
For DNS server operators (preventing abuse)
- Disable open recursion. Recursive resolvers should only answer queries from authorized clients (for example BIND's allow-recursion or Unbound's access-control), returning REFUSED to everyone else.
- Implement Response Rate Limiting (RRL). Cap identical responses per client network per second; BIND, NSD and Knot DNS implement RRL. Sending a fraction of the excess as small truncated (TC=1) replies instead of silently dropping them lets genuine clients behind a spoofed prefix retry over TCP, which cannot be spoofed.
- Filter ANY queries and cap UDP answer size. Refuse or rate-limit ANY queries (RFC 8482 allows a minimal answer); they are rarely needed legitimately and are highly amplifiable. Limiting the UDP response size (1232 bytes is the common operator default since the 2020 DNS flag day) forces oversized answers to be truncated and fetched over TCP.
- Deploy DNS Cookies (RFC 7873). A client that has received a server cookie proves on later queries that its source address is not spoofed; queries without a valid cookie can be rate-limited more aggressively.
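To show how RRL separates reflected traffic from legitimate clients, here is an added example modelled on the BIND/NSD/Knot scheme (an assumption: a simplified model for illustration, not any server's actual code). Responses are bucketed by client network, query name and type; each bucket earns `responses_per_second` credits per second, a negative balance means the response is limited, and every `slip`-th limited response is sent as a tiny TC=1 reply instead of being dropped. The query stream, the victim address 198.51.100.7 and the other addresses are constructed.

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Simplified Response Rate Limiting. A reflector sees the same spoofed victim address
    ask the same question over and over, so that one bucket runs dry while unrelated
    clients, and even other questions from the victim's prefix, are unaffected."""

    ANSWER, SLIP, DROP = "answer", "slip", "drop"

    def __init__(self, responses_per_second=5, window=15, slip=2, ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second
        self.window = window          # seconds a penalised bucket can stay negative at most
        self.slip = slip              # 0 = never slip, n = every n-th limited response is a TC reply
        self.prefixes = {4: ipv4_prefix, 6: ipv6_prefix}
        self.buckets = {}             # key -> (balance, last_seen)
        self.limited = Counter()      # key -> count of limited responses, for slip accounting

    def _key(self, src_ip, qname, qtype):
        ip = ipaddress.ip_address(src_ip)
        net = ipaddress.ip_network(f"{ip}/{self.prefixes[ip.version]}", strict=False)
        return (str(net), qname.rstrip(".").lower(), qtype.upper())

    def decide(self, src_ip, qname, qtype, now):
        """Return ANSWER, SLIP or DROP for a response about to be sent at time `now` (seconds)."""
        key = self._key(src_ip, qname, qtype)
        balance, last = self.buckets.get(key, (self.rps, now))
        balance = min(self.rps, balance + self.rps * (now - last))   # refill, capped at one second's credit
        balance -= 1
        balance = max(balance, -self.rps * self.window)               # penalty never exceeds the window
        self.buckets[key] = (balance, now)
        if balance >= 0:
            return self.ANSWER
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return self.SLIP
        return self.DROP


def simulate() -> dict:
    """Run a constructed query stream through the limiter; tally decisions per (source, qname)."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    stream = []
    # Reflection traffic: 60 queries in 0.6 s, spoofed source = victim, same large question every time
    for i in range(60):
        stream.append((100.0 + i * 0.01, "198.51.100.7", "example.com", "ANY"))
    # An ordinary client elsewhere, and a host in the victim's /24 asking something different
    stream += [
        (100.20, "192.0.2.10", "www.example.com", "A"),
        (100.25, "192.0.2.10", "example.com", "MX"),
        (100.30, "198.51.100.7", "mail.example.com", "A"),
    ]
    tally = defaultdict(Counter)
    for now, src, qname, qtype in stream:
        tally[(src, qname)][rrl.decide(src, qname, qtype, now)] += 1
    return {k: dict(v) for k, v in tally.items()}


if __name__ == "__main__":
    for (src, qname), counts in simulate().items():
        print(f"{src:15} {qname:20} {counts}")
```

Of the 60 reflected ANY responses only the first five leave the server; 27 of the remainder go out as 40-byte truncated replies and 28 are dropped, so the victim receives a few kilobytes instead of 150 KB or more. The unrelated client and the victim prefix's own query for a different name are answered normally, which is the property that makes RRL safe to deploy on a production authoritative server.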
For ISPs/networks (BCP 38)
- Implement source-address validation (BCP 38). Drop outgoing traffic with source IPs that don't belong to your network. Prevents your network from being used as a launching point. Adoption is patchy globally but improving.
Other reflection attack types
DNS amplification is part of a broader category of reflection attacks. Similar amplification exists in:
- NTP amplification — Network Time Protocol monlist queries (amplification ~556x). Largely mitigated by disabling or removing the monlist command in NTP server software.
- Memcached amplification — UDP memcached responses (amplification ~50,000x — record-holder). Caused 2018 GitHub attack of 1.35 Tbps.
- SSDP amplification — Simple Service Discovery Protocol on home routers.
- SNMP amplification — Network management protocol.
FAQ: DNS amplification attacks
Can I be victim of a DNS amplification attack?
Yes — anyone with public IPs can be targeted. Most defenses depend on having sufficient bandwidth + DDoS protection (CDN/scrubbing service). For most websites, a major CDN handles this.
How do I check if my DNS server is an open resolver?
From a host outside your network, ask your server for a name it is not authoritative for, for example dig @your-server-ip example.com A. If you get an answer (status NOERROR with the RA flag set in the response), the server is an open resolver; a correctly configured server returns REFUSED, or answers without the RA flag only for zones it hosts. Note that dig sends the RD (recursion desired) bit by default, so adding +recurse changes nothing. Public scanners such as the Open Resolver Project also test for this.
Are DNS amplification attacks still common?
Yes, though they're a smaller share of total DDoS traffic now compared to early 2010s. Memcached and other higher-amplification vectors have partially overtaken DNS.
Does DNSSEC make amplification worse?
Yes — DNSSEC responses are much larger than non-DNSSEC, providing higher amplification factors. Trade-off: DNSSEC is necessary for response authenticity, but operators must rate-limit accordingly.
Can BCP 38 stop DNS amplification?
If universally deployed, yes — spoofed source IPs would be impossible. But adoption is patchy globally; until then, victims and DNS operators must defend independently.
What's the largest DNS amplification attack on record?
The 2013 Spamhaus attack (~300 Gbps) remains the best-known pure-DNS-amplification event. The ~400 Gbps attack on Cloudflare in 2014 is often grouped with it but used NTP amplification, and modern records are held by other reflection vectors (Memcached).
Test DDoS protection with LoadFocus
If you're validating your DDoS defenses (always coordinate with your CDN before any high-volume test), LoadFocus runs HTTP load tests up to 12,500 VUs from 25+ regions — useful for exercising rate limits and WAF rules. Sign up free at loadfocus.com/signup.
Related LoadFocus Tools
Put this concept into practice with LoadFocus — the same platform that powers everything you just read about.