What is the DNS reflection-amplification attack?
A DNS reflection-amplification attack is a classic two-step Denial-of-Service (DoS) assault that involves the manipulation of open
These attacks are more significant than the simulated request, and send considerable
How it works
Amplification attacks exploit the difference in bandwidth cost between the attacker and the targeted site: a small request elicits a much larger response. When that cost discrepancy is multiplied over numerous requests, the resulting traffic volume causes the target's network infrastructure to fail.
This is how it happens:
Each bot in the attacker's botnet sends queries to open DNS resolvers (servers designed to receive DNS queries from web browsers and other applications) with a forged source IP address set to the valid IP address of the targeted victim. The attacker frames each request to generate the largest possible response from the DNS resolvers, producing a considerable quantity of traffic.
The target receives the responses from the DNS resolvers. By having every bot in the botnet make similar requests, the attacker compounds this amplification and avoids discovery while benefiting from a much greater attack flow.
As a result, the target's network becomes jammed with amplified responses far larger than the attacker's initial traffic, resulting in a denial of service.
Steps
DNS amplification has the following steps:
1. The attacker sends UDP packets with forged source IP addresses to a DNS recursor (a recursive resolver that locates the requested DNS record, sending out additional queries on the client's behalf) from a hacked endpoint (endpoints are where attackers execute code and exploit vulnerabilities, and where the assets to be encrypted and leveraged reside). The forged source address on the packets is the victim's real IP address. Each UDP packet carries a request to the DNS resolver, frequently with an option such as "ANY" to obtain the widest answer possible.
2. On receiving the queries, the DNS resolver, attempting to be helpful by replying, sends a large response to the forged IP address.
3. The response is delivered to the target's IP address, and the surrounding network infrastructure is overburdened, which results in a denial of service.
Prevention
Mitigation options are limited for the organization whose service is targeted, because its server infrastructure is overwhelmed by the large volume of traffic. The internet service provider (ISP) or other upstream infrastructure providers may also be unable to handle the incoming traffic without becoming overloaded.
As a result, the ISP may blackhole all traffic to the intended victim's IP address to protect itself, which also takes the target's site down. There are, however, a few ways to mitigate these attacks:
Reducing the number of open DNS resolvers: Access to open DNS resolvers is critical to DNS amplification attacks. When poorly configured DNS resolvers are exposed to the Internet, all an attacker has to do is discover one in order to use it. DNS resolvers should ideally serve only devices that originate within a trusted domain. In reflection-based attacks, open DNS resolvers answer requests from anywhere on the Internet, and that is what makes exploitation possible. By restricting a DNS resolver to responding only to queries from trusted sources, the server becomes a poor vehicle for any form of amplification attack.
Source IP verification: The UDP queries made by the attacker's botnet must carry a source IP address spoofed to the victim's IP address. ISPs rejecting any internal traffic with spoofed source addresses is a significant component of lowering the efficacy of UDP-based amplification attacks. If a packet leaves the network with a source address that appears to originate outside it, it is a spoofed packet and should be discarded.
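Both mitigations above reduce to address-based policy decisions: a resolver answers recursive queries only from trusted networks, and the network edge drops outbound packets whose source address is not its own. The Python example below is added here to model those two checks over constructed flow-log lines; it is not code from the original page, and the prefixes, addresses and log format are assumed placeholders (RFC 5737 and RFC 3849 documentation ranges). In production the same policy lives in the resolver's access control list and in BCP 38 style ingress/egress filtering (for example unicast RPF) at the border.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's own address space, which doubles as the set of
# clients the resolver is willing to recurse for.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = arriving from the Internet, "out" = leaving our network
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed key=value flow-log line into a Flow."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["dir"], kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))


def in_prefixes(ip: str, prefixes=OUR_PREFIXES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def resolver_should_answer(src_ip: str, trusted=OUR_PREFIXES) -> bool:
    """Mitigation 1: recurse only for clients inside the trusted networks."""
    return in_prefixes(src_ip, trusted)


def is_spoofed_egress(src_ip: str, our_prefixes=OUR_PREFIXES) -> bool:
    """Mitigation 2: a packet leaving our network must carry one of our addresses."""
    return not in_prefixes(src_ip, our_prefixes)


def verdict(flow: Flow) -> str:
    """Apply both policies to one flow and explain the decision."""
    if flow.direction == "out" and is_spoofed_egress(flow.src):
        return "drop: spoofed source address on egress (BCP 38 filtering)"
    if flow.direction == "in" and flow.dport == DNS_PORT and flow.proto == "udp":
        if resolver_should_answer(flow.src):
            return "allow: recursive query from trusted client"
        return "drop: recursive query from untrusted source (resolver would be open)"
    return "allow"


def triage(lines: list[str]) -> list[tuple[Flow, str]]:
    flows = [parse_flow(line) for line in lines]
    return [(f, verdict(f)) for f in flows]


# Constructed sample flow records; 203.0.113.9 plays the would-be victim.
SAMPLE_LOG = [
    "dir=in src=192.0.2.10 dst=192.0.2.53 proto=udp dport=53",
    "dir=in src=198.51.100.7 dst=192.0.2.53 proto=udp dport=53",
    "dir=out src=203.0.113.9 dst=198.51.100.53 proto=udp dport=53",
    "dir=out src=192.0.2.10 dst=198.51.100.53 proto=udp dport=53",
    "dir=in src=198.51.100.7 dst=192.0.2.80 proto=tcp dport=443",
]


if __name__ == "__main__":
    for flow, decision in triage(SAMPLE_LOG):
        print(f"{flow.direction:3} {flow.src:>16} -> {flow.dst:<16} {decision}")
```

The third sample line is the case source-address verification exists for: a packet leaving the network claiming an address the network does not own can only be forged, so it is dropped before it can reach any resolver. The second line is the open-resolver case; a resolver that answers it becomes a reflector.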