DNS Amplification
A DDoS technique that abuses open resolvers to convert small spoofed queries into large responses aimed at a victim IP.
DNS amplification is a reflective DDoS attack: the attacker sends UDP DNS queries with the victim's IP spoofed as the source, the resolver answers, and the victim receives the response. A 60-byte query asking for ANY or DNSKEY can return 4,000+ bytes, giving an amplification factor of 50x or more. Open resolvers (recursive servers willing to answer anyone) are the abused infrastructure. Mitigations include disabling open recursion, BCP 38 source-address validation at network egress to block spoofing in the first place, and Response Rate Limiting (RRL) on authoritative servers to throttle repeated identical answers.
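The detection and mitigation points above, as an added example that is not part of the original entry: it scores constructed query-log records for the reflection signature (many repeated high-gain answers going to one claimed source, which is the victim, not the attacker) and applies a minimal RRL-style limiter that drops over-budget repeats and sends every slip-th one truncated (TC=1), so a genuine client retries over TCP while a spoofed source cannot. The record layout, thresholds and sample values are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample query-log records: (timestamp_s, src_ip, qname, qtype, query_bytes, response_bytes).
# The tuple layout is an assumption for this example, not a real server log format.
SAMPLE_RECORDS = [
    (0.0, "198.51.100.7", "example.com", "ANY", 60, 4100),
    (0.1, "198.51.100.7", "example.com", "ANY", 60, 4100),
    (0.2, "198.51.100.7", "example.com", "ANY", 60, 4100),
    (0.3, "198.51.100.7", "example.com", "ANY", 60, 4100),
    (0.4, "198.51.100.7", "example.com", "DNSKEY", 60, 2800),
    (0.5, "203.0.113.9", "www.example.com", "A", 45, 61),
    (1.5, "203.0.113.9", "example.com", "MX", 45, 90),
]

def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes sent to the claimed source per byte received from it."""
    return response_bytes / query_bytes

def suspicious_sources(records, min_factor=10.0, min_queries=3):
    """Group by claimed source IP: repeated high-gain answers to one IP is the reflection
    signature. That IP is the spoofed victim, so the right response is rate limiting, not blocking it."""
    stats = defaultdict(lambda: {"high_gain": 0, "bytes_out": 0})
    for _, src, _, _, qlen, rlen in records:
        stats[src]["bytes_out"] += rlen
        if amplification_factor(qlen, rlen) >= min_factor:
            stats[src]["high_gain"] += 1
    return {ip: s for ip, s in stats.items() if s["high_gain"] >= min_queries}

class ResponseRateLimiter:
    """Minimal RRL: a per-second budget of identical answers per (client, qname, qtype).
    Over budget, every `slip`-th answer is sent truncated (TC=1) so a real client retries
    over TCP, which a spoofed source cannot complete; the remaining repeats are dropped."""
    def __init__(self, responses_per_second=2, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.counts = defaultdict(int)  # (second, client, qname, qtype) -> answers in window
        self.over = defaultdict(int)    # same key -> over-budget answers seen

    def decide(self, ts, client, qname, qtype):
        key = (int(ts), client, qname, qtype)
        self.counts[key] += 1
        if self.counts[key] <= self.limit:
            return "answer"
        self.over[key] += 1
        return "truncate" if self.over[key] % self.slip == 0 else "drop"

def apply_rrl(records, limiter=None):
    """Run each record through the limiter and return the per-record decision."""
    limiter = limiter or ResponseRateLimiter()
    return [limiter.decide(ts, src, qn, qt) for ts, src, qn, qt, _, _ in records]
```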
Referenced on
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Amplification Attack Explained: How Open Resolvers Enable Massive DDoS
- DNS Water Torture Attack: How Random Subdomain Floods Overwhelm Nameservers
- How to Report a DDoS Attack to Your ISP: Evidence, Templates, and Escalation Steps
- How to Report Brute Force SSH and RDP Attacks: Log Evidence and Abuse Report Templates
- How to Report IP Address Abuse: The Complete Guide to Filing Reports That Get Results
- Phantom Domain Attack: How Unresponsive Domains Exhaust DNS Resolvers
- What Is an Open DNS Resolver? Why It's Dangerous and How to Fix It