What Is a DNS Amplification Attack?

Q: How does a DNS amplification attack work?

A DNS amplification attack works by exploiting the DNS protocol. Through this protocol, a client sends a DNS query to the server for the requested domain name or IP address. The server then processes and responds with an answer that contains resource records, which are used to locate hosts and other network resources.

A DNS amplification attack is a type of distributed denial-of-service (DDoS) attack in which the attacker exploits vulnerable DNS servers to send large volumes of legitimate traffic. The goal of a DNS amplification attack is to flood the target system with an overwhelming amount of data, making it unavailable for legitimate users.

To launch a DNS amplification attack, attackers use maliciously crafted Domain Name System (DNS) messages that are sent from vulnerable or misconfigured servers to generate enormous amounts of traffic. The benefits associated with this type of attack include increased anonymity since the source IP address can be spoofed, and relatively low costs for execution compared to other DDoS attacks.

What is DNS?

DNS stands for Domain Name System. It is a protocol that provides a way to connect domain names (such as www.example.com) to their associated IP addresses (such as 192.168.1.1). DNS servers act as the “phone books” of the internet, and are used by every single internet-connected device in order to access websites and other services on the web. Each domain name is registered with an internet service provider (ISP), and DNS helps route traffic from users around the world to proper web pages or other resources hosted under that specific domain name/IP address combination.

Prevent DNS amplification attacks and DDoS attacks with Akamai

Akamai offers end-to-end DDoS protection that acts as a first line of defense, providing dedicated edge, distributed DNS, and cloud mitigation strategies designed to prevent collateral damage and single points of failure. Our purpose-built DDoS clouds offer dedicated scrubbing capacity and higher quality of mitigation, which can be fine-tuned to the specific requirements of web applications or internet-based services.

One of the most effective ways to stop DNS amplification attacks and other DDoS attacks is with Akamai Prolexic, a battle-tested cloud scrubbing service that protects entire data centers and internet-facing infrastructure from DDoS attacks across all ports and protocols. With Prolexic, traffic is routed via BGP anycast across globally distributed, high-capacity scrubbing centers, where our Security Operations Command Center (SOCC) can deploy proactive and/or custom mitigation controls to stop attacks instantly. By routing traffic to the nearest scrubbing center, Prolexic can stop attacks closer to the source to maximize performance for users and maintain network resiliency through cloud distribution. Once scrubbing is complete, clean traffic is returned to the customer origin via logical or dedicated active connections.

Available as an always-on or on-demand service, Prolexic offers flexible integration models to serve the needs of a variety of security postures across hybrid origins.

With Akamai Prolexic, your security teams can:

Reduce risk of DDoS attacks, thanks to proactive mitigation controls and Prolexic’s zero-second SLA
Stop highly complex, SSL/TLS Exhaustion DDoS attacks without sacrificing quality of mitigation
Unify security postures by consistently applying DDoS mitigation policies throughout your organization, regardless of where applications are hosted
Optimize incident response to ensure business continuity with service validation exercises, custom runbooks, and operational readiness drills
Scale security resources with our fully managed solution that is backed by 225+ frontline SOCC responders

Frequently Asked Questions (FAQ)

An amplification attack is a type of cyberattack in which the attacker sends out a large request, such as to a Domain Name System (DNS) server or Internet Control Message Protocol (ICMP) ping, and receives an extremely large response back. This amplification of requests can be used by the attacker to launch DDoS attacks against target networks or services. The larger the response sent back, the more traffic it can generate and thus put additional strain on web servers or other network resources being targeted. These types of attacks are facilitated by vulnerabilities in computer systems that allow malicious actors to send requests with spoofed sender addresses, amplifying their original request many times over.

An amplification attack is a type of cyberattack in which the attacker sends out a large request, such as to a DNS server or ICMP ping, and receives an extremely large response back. This amplifies the traffic from the sender and can be used by them to launch DDoS attacks against target networks or services.

A reflection attack is another type of DDoS attack, which involves exploiting vulnerabilities on internet servers to send requests with spoofed sender addresses that reflect off valid components of a network hosting the protocol being reflected. This creates multiple copies of requests, flooding the target network or service with traffic, making it difficult for legitimate users to access resources. However, unlike an amplification attack, here there is no increase in size of data sent back; instead only one single request reflects off multiple valid targets, resulting in more traffic but no amplification effect.

A DNS amplification attack works by exploiting the Domain Name System (DNS) protocol. Through this protocol, a client sends a DNS query to the server for the requested domain name or IP address. The server then processes and responds with an answer that contains resource records, which are used to locate hosts and other network resources.

One of the best ways to protect against DNS attacks is to ensure that your server configurations are secure and up to date. This could include ensuring that recursive query support is disabled on public servers, as well as configuring firewall rules to block incoming requests from known attack sources. Additionally, it’s recommended that you apply rate-limiting policies to limit the number of requests allowed from a single IP address or subnet.

Implementing cybersecurity tools such as an intrusion detection system (IDS) or intrusion prevention system (IPS) can also help detect and prevent DNS amplification attacks. These systems can be configured to look for certain characteristics of malicious packets such as specific queries or responses with certain flags set indicating spoofed source addresses, etc. Additionally, many newer IDS/IPS systems come with built-in features for detecting and preventing DNS amplification attacks.

To further reduce the risk of attacks, it’s important to keep your software up to date by applying security patches in a timely manner. As attackers often exploit vulnerabilities in outdated software, this can be an effective measure for reducing the chance of successful DNS amplification attacks against your network. It’s also important to monitor your network traffic on a regular basis and look out for suspicious behavior such as unusually large amounts of queries and responses coming from a single source or large numbers of requests sent over a short period of time.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Additional Resources

DDoS Defense in a Hybrid Cloud World

All DDoS mitigation is not created equal. See how many cloud service providers fall short, and what to look out for.

Learn more

DDoS Threats in EMEA 2024

Our latest research gives you the knowledge you need to better defend against rising DDoS attacks in EMEA.

Download report

What can an analysis of malicious DNS traffic reveal about an organization’s risk exposure?

Attack superhighway C2 analysis reveals enterprise attackers

DNS is one of the oldest internet infrastructures. However, an incredible amount of attack traffic passes through it. Details about the most prevalent threats and more can be found in this report.

Download report

Learn more about related topics and technologies on the pages listed below.