What is a DNS Reflection/Amplification DDoS Attack?

The Domain Name System (DNS) is a database that stores internet domain names and further translates them into IP addresses. A DNS reflection/amplification distributed denial-of-service (DDoS) attack is a common two-step DDoS attack in which the attacker manipulates open DNS servers. The cybercriminal first uses a spoofed IP address to send massive requests to DNS servers. 

The DNS server then replies to the request, creating an attack on the target victim. The size of these attacks is larger than the spoofed request, resulting in large amounts of traffic going to the victim server. The attack often results in complete inaccessibility of data for a company or organization.

What Are the Signs of a DNS Reflection/Amplification DDoS Attack?

What Are the Signs of a DNS Reflection/Amplification DDoS Attack?

It is extremely common for these types of attacks to occur on open DNS servers. When leveraging a botnet to generate spoofed DNS requests, the target will experience a flood of DNS replies, all coming from UDP source port 53. Comprehensive DDoS protection is the best defense against these DNS amplification attacks.

Learn How NETSCOUT Protects From DNS Amplification Attacks

Why Is a DNS Reflection/Amplification DDoS Attack Dangerous?

Why Is a DNS Reflection/Amplification DDoS Attack Dangerous?

DNS reflection/amplification DDoS attacks, while common, pose serious threats to an organization’s servers. When massive amounts of traffic are being pushed into the victim server, the attack traffic devours stored company resources and further slows and paralyzes systems, ultimately preventing real traffic from being able to access the DNS server.

How Can Companies Mitigate and Prevent a DNS Reflection/Amplification  DDoS Attack?

How Can Companies Mitigate and Prevent a DNS Reflection/Amplification DDoS Attack?

Although these attacks are difficult to mitigate, network operators can implement numerous strategies to combat them. To avoid having their own DNS servers used as reflectors, organizations should ensure that DNS servers used by clients are locally and internally based within the organization to mitigate any potential threats. This will also allow for full separation of DNS traffic initiated by internal clients and unsolicited DNS traffic arriving externally, allowing organizations to block unwanted DNS traffic.

To defend against DNS reflection/amplification attacks, organizations should block unsolicited DNS replies, only allowing replies that are requested by internal clients. Reflected DDoS attacks will often have similar responses in the DNS Reply section, allowing pattern detection tools to detect and remove unwanted replies.

How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

Arbor Cloud

Tightly integrated, multi-layer DDoS protection

Arbor Edge Defense


Arbor SP/Threat Mitigation System

High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.