Dec 15 2013
DNS amplification explained
A DNS amplification attack is a type of distributed denial of service (DDoS) attack that takes advantage of the fact that a small DNS query can generate a much larger response. An attacker can direct a large volume of network traffic at a victim's system by sending relatively small DNS queries. The attacker spoofs the source IP address of those queries to be the victim's address, so the DNS server reflects its responses toward the victim. Because the traffic the victim sees comes from the DNS server, this also makes the attacker difficult to trace.
In order to launch a DNS amplification reflection attack the attacker needs to do two things. First, the attacker spoofs the address of the victim. This is the reflection part: it causes all the replies from the DNS server to be directed to the victim's system. This is easy to do because UDP, unlike TCP, performs no handshake between the client and the server, so the server never verifies that the source address is genuine. Second, the attacker looks for queries whose responses are several times larger than the request. The ratio between the response size and the request size is the amplification factor. The amplification can be even larger when DNSSEC is used, because the signatures included in the response increase its size.
Explained by NLnetlabs: download