Description of DNS Amplification Attacks

In this article, I will briefly describe the principle of DDoS DNS Amplification attacks.

DNS queries are normally sent over UDP, and unlike TCP, UDP establishes no connection and performs no handshake, so the server never verifies that the source address in a query really belongs to the sender. An attacker (personally or with the help of bots) can therefore send queries with a spoofed source address to one or several public DNS servers, substituting the victim's address as the source of the request, and those servers will send their responses to the victim's address. The larger the response is compared to the request, the more traffic the attacker generates per byte sent (this ratio is the amplification factor), so it is possible to fill a victim's Internet channel of several tens of gigabits per second.

You can check whether your DNS server answers recursive queries from the Internet (that is, whether it is an open resolver) on special services, for example, here

If the DNS server is used as a caching server for the local network, then access to it and recursive queries must be restricted to that network via ACL, for example, as I described in the articles:
Installing and Configuring DNS Server BIND9
IPTables rules for DNS

If the DNS server is only authoritative, then recursion must be disabled in the options section of named.conf, and zone transfers should be allowed only to your secondary servers or, as below, disabled entirely:

allow-transfer {"none";};
allow-recursion {"none";};
recursion no;

Also, if necessary, on the authoritative DNS server you can enable the RRL (Response Rate Limiting) function, which limits the number of identical responses sent per second to each client network (it limits responses, not incoming requests), so the server becomes much less useful as an amplifier; a coarser limit on the number of queries per source IP address can also be applied with IPTables (for example, with the hashlimit module).
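As an added example (not from the original article or the linked ones), here the settings above and the RRL/IPTables limits are combined into one reviewable script. It only prints a hardened options fragment and the firewall rules so they can be checked before being applied; the secondary server address 192.0.2.10, the server address 198.51.100.5 and the rate values are assumed for illustration and must be adjusted to your own network, and the ip6tables counterpart is omitted.

```shell
#!/bin/sh
# Added example, not code from the original article. Generates a hardened
# BIND9 "options" fragment for an authoritative-only server plus matching
# IPTables rate-limit rules. Nothing is applied: the functions only print text.
# Assumed (hypothetical) values:
SECONDARY_IP="192.0.2.10"      # secondary server allowed to transfer zones
SERVER_IP="198.51.100.5"       # address named listens on

# Print the options {} fragment: no recursion, no recursive ACL, transfers only
# to the secondary, and RRL so that identical answers to one /24 (IPv4) or
# /56 (IPv6) are capped at 5 per second; every second excess answer is
# "slipped" as a small truncated reply (forcing TCP) instead of a full one.
named_authoritative_options() {
    cat <<EOF
options {
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-transfer { ${SECONDARY_IP}; };
    rate-limit {
        responses-per-second 5;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;
    };
};
EOF
}

# Print IPTables rules that limit UDP/53 queries per source /32 at the packet
# level (30 per second, burst 60, the rest dropped) and throttle new TCP/53
# connections. This is a coarse backstop; RRL does the per-answer limiting.
dns_iptables_rules() {
    cat <<EOF
iptables -N DNS_LIMIT
iptables -A DNS_LIMIT -m hashlimit --hashlimit-name dns_src --hashlimit-mode srcip --hashlimit-upto 30/sec --hashlimit-burst 60 -j ACCEPT
iptables -A DNS_LIMIT -j DROP
iptables -A INPUT -p udp --dport 53 -d ${SERVER_IP} -j DNS_LIMIT
iptables -A INPUT -p tcp --dport 53 -d ${SERVER_IP} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name dns_tcp --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 -j ACCEPT
EOF
}

# Sanity check before installing a fragment: it must disable recursion, deny
# recursion by ACL, not allow transfers to "any" and contain an RRL block.
# Returns 0 when the fragment passes, 1 otherwise.
check_options_fragment() {
    fragment="$1"
    printf '%s\n' "$fragment" | grep -q 'recursion no;' || return 1
    printf '%s\n' "$fragment" | grep -q 'allow-recursion { none; };' || return 1
    printf '%s\n' "$fragment" | grep -q 'allow-transfer { any; };' && return 1
    printf '%s\n' "$fragment" | grep -q 'rate-limit {' || return 1
    return 0
}

# Usage: sh dns-harden.sh show   (prints both pieces for review)
if [ "${1:-}" = "show" ]; then
    named_authoritative_options
    dns_iptables_rules
fi
```

Paste the fragment into named.conf, validate it with named-checkconf and reload; on a busy server it is sensible to start with `log-only yes` in the rate-limit block, watch the rate-limit log category for a while, and only then switch to `log-only no`.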

It is also necessary to configure the logs properly, so that they do not fill up all the disk space and so that flooding can be detected from them, see my article:
Configuring Bind9 logs
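As an added example (not from the original article or the linked one) of detecting a flood in the query log: the script below counts, per client address, queries of the record types that produce large answers and prints the sources that exceed a threshold. The log lines are constructed for the example in the format BIND's querylog writes (client address#port, name, class, type, flags); the client 203.0.113.7 is the address of the victim being spoofed, not the attacker.

```shell
#!/bin/sh
# Added example, not code from the original article. Finds clients in a BIND9
# query log that look like an amplification flood (many ANY/TXT/DNSKEY/RRSIG
# queries from one source address, which in a reflection attack is the victim).

# Constructed sample log lines (not a real capture): 203.0.113.7 repeatedly asks
# for ANY on the same zone while other clients do ordinary A/AAAA/TXT lookups.
SAMPLE_LOG='06-Jan-2024 10:15:01.001 client @0x7f3a1c0 203.0.113.7#5353 (example.com): query: example.com IN ANY +E(0)K (198.51.100.5)
06-Jan-2024 10:15:01.002 client @0x7f3a1c0 203.0.113.7#5353 (example.com): query: example.com IN ANY +E(0)K (198.51.100.5)
06-Jan-2024 10:15:01.003 client @0x7f3a1c0 203.0.113.7#5353 (example.com): query: example.com IN ANY +E(0)K (198.51.100.5)
06-Jan-2024 10:15:01.004 client @0x7f3a1c0 203.0.113.7#5353 (example.com): query: example.com IN ANY +E(0)K (198.51.100.5)
06-Jan-2024 10:15:01.005 client @0x7f3a1c0 192.0.2.33#40212 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.5)
06-Jan-2024 10:15:01.006 client @0x7f3a1c0 192.0.2.34#40213 (mail.example.com): query: mail.example.com IN AAAA + (198.51.100.5)
06-Jan-2024 10:15:01.007 client @0x7f3a1c0 203.0.113.7#5353 (example.com): query: example.com IN ANY +E(0)K (198.51.100.5)
06-Jan-2024 10:15:01.008 client @0x7f3a1c0 192.0.2.33#40214 (example.com): query: example.com IN TXT +E(0) (198.51.100.5)'

# Read query-log lines on stdin and print "count ip" for every client that sent
# more than the threshold (default 100) queries of amplification-prone types,
# highest count first. The client field is the one that contains "#port"; the
# record type is the third field after "query:" (name, class, type). Works with
# and without the "@0x..." client pointer that newer BIND versions log.
# Usage: flood_sources 3 < /var/log/named/query.log
flood_sources() {
    threshold="${1:-100}"
    awk -v thr="$threshold" '
        $0 ~ /: query: / {
            ip = ""; qtype = ""
            for (i = 1; i <= NF; i++) if ($i ~ /#[0-9]+$/) { ip = $i; sub(/#.*/, "", ip); break }
            for (i = 1; i <= NF; i++) if ($i == "query:") { qtype = $(i + 3); break }
            if (ip != "" && qtype ~ /^(ANY|TXT|DNSKEY|RRSIG)$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] > thr) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Run the detector over the constructed sample with a low threshold and return
# only the offending address(es), one per line.
flood_sources_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flood_sources 3 | awk '{print $2}'
}
```

On a real server the threshold should be chosen from the normal query rate per client (for example from a day of logs before the attack); addresses found this way can be fed to an RRL `exempt-clients` review or to the firewall, bearing in mind that they are the spoofed victims and not the source of the attack.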

If the traffic of the DDoS attack is larger than your uplink channel, then upstream providers often add your server's IP address to a BGP blackhole in order to avoid channel overflow, after which your IP address will not be reachable at all.
