What is a DNS Reflection/Amplification DDoS Attack?
The Domain Name System (DNS) is the distributed database that stores internet domain names and translates them into IP addresses. A DNS reflection/amplification distributed denial-of-service (DDoS) attack is a common two-step DDoS attack in which the attacker abuses open DNS servers. The attacker first sends large numbers of DNS requests whose source IP address is spoofed to be the victim's. The DNS servers then send their replies to that spoofed address, so the responses land on the victim. Because each DNS reply is considerably larger than the spoofed request that triggered it, the traffic is amplified, and the victim's server receives far more data than the attacker sent. The attack often leaves a company's or organization's data completely inaccessible.
What Are the Signs of a DNS Reflection/Amplification DDoS Attack?
These attacks rely on open DNS servers that answer queries from anyone. When an attacker uses a botnet to generate spoofed DNS requests, the target sees a flood of DNS replies, all arriving from UDP source port 53. Comprehensive DDoS protection is the best defense against these DNS amplification attacks.
Learn How NETSCOUT Protects From DNS Amplification Attacks
Why Is a DNS Reflection/Amplification DDoS Attack Dangerous?
DNS reflection/amplification DDoS attacks, while common, pose a serious threat to an organization's servers. When massive amounts of traffic are pushed into the victim server, the attack traffic consumes the company's bandwidth and server resources, slowing and eventually paralyzing systems, until legitimate traffic can no longer reach the DNS server.
How Can Companies Mitigate and Prevent a DNS Reflection/Amplification DDoS Attack?
Although these attacks are difficult to mitigate, network operators can implement several strategies to combat them. To avoid having their own DNS servers used as reflectors, organizations should ensure that the DNS servers their clients use are hosted locally, inside the organization, and not reachable for queries from the outside. This also cleanly separates DNS traffic initiated by internal clients from unsolicited DNS traffic arriving from the internet, which lets the organization block the unwanted traffic.
To defend against DNS reflection/amplification attacks, organizations should block unsolicited DNS replies and allow only replies that correspond to a request made by an internal client. Reflected DDoS attacks also tend to carry near-identical content in the DNS reply section, so pattern-detection tools can recognize and discard the unwanted replies.
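The two detection ideas above (admit only replies that match an outstanding internal query, then look for repeated reply content among the rest) as an added, stand-alone example; this is not NETSCOUT's code or the page's own. It assumes a simplified flow-record format, an internal prefix of 10.0.0.0/24, and constructed sample traffic.

```python
from collections import Counter
from typing import NamedTuple

class Flow(NamedTuple):
    """One UDP datagram seen at the perimeter (constructed record format)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # DNS message; the first two bytes are the transaction ID

INTERNAL_PREFIX = "10.0.0."  # assumed internal address range (placeholder)

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def classify_replies(flows):
    """Return (unsolicited_replies, payload_counts).

    A reply (UDP source port 53 arriving at an internal host) is solicited only
    if that host earlier sent a query to the same resolver from the same port
    with the same transaction ID. Every other reply is unsolicited, which is
    exactly the traffic a reflection attack delivers to its victim.
    """
    outstanding = set()
    unsolicited = []
    for f in flows:
        txid = f.payload[:2]
        if is_internal(f.src) and f.dport == 53:
            outstanding.add((f.src, f.sport, f.dst, txid))
        elif f.sport == 53 and is_internal(f.dst):
            key = (f.dst, f.dport, f.src, txid)
            if key in outstanding:
                outstanding.discard(key)  # exactly one reply per query is allowed
            else:
                unsolicited.append(f)
    # Reflected floods repeat the same large answer, so payload repetition is a signal
    return unsolicited, Counter(f.payload for f in unsolicited)

# Constructed sample: one legitimate exchange, then a burst of reflected replies
SAMPLE = [
    Flow("10.0.0.5", 40001, "198.51.100.10", 53, b"\x12\x34Q example.com A"),
    Flow("198.51.100.10", 53, "10.0.0.5", 40001, b"\x12\x34R example.com A 93.184.216.34"),
] + [
    Flow(f"203.0.113.{i}", 53, "10.0.0.7", 1000 + i, b"\x00\x01R big.example " + b"X" * 200)
    for i in range(1, 6)
]

if __name__ == "__main__":
    bad, counts = classify_replies(SAMPLE)
    print(f"{len(bad)} unsolicited replies; top payload repeated {counts.most_common(1)[0][1]}x")
```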