{
	"id": "fc262809-ca58-4b60-97e8-9a0f01f40a19",
	"created_at": "2026-04-06T00:15:56.622838Z",
	"updated_at": "2026-04-10T13:11:56.517846Z",
	"deleted_at": null,
	"sha1_hash": "8a0ae114b43846b6d50af73cd7a20e1f67f1ebb1",
	"title": "DNS amplification DDoS attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79986,
	"plain_text": "DNS amplification DDoS attack\r\nArchived: 2026-04-05 16:01:30 UTC\r\nWhat is a DNS amplification attack?\r\nA DNS amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an\r\nattacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with\r\nan amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.\r\nHow does a DNS amplification attack work?\r\nAll amplification attacks exploit a disparity in bandwidth consumption between an attacker and the targeted web\r\nresource. When the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt\r\nnetwork infrastructure. By sending small queries that result in large responses, the malicious user is able to get\r\nmore from less. By multiplying this magnification by having each bot in a botnet make similar requests, the\r\nattacker is both obfuscated from detection and reaping the benefits of greatly increased attack traffic.\r\nA single bot in a DNS amplification attack can be thought of in the context of a malicious teenager calling a\r\nrestaurant and saying “I’ll have one of everything, please call me back and tell me my whole order.” When the\r\nrestaurant asks for a callback number, the number given is the targeted victim’s phone number. The target then\r\nreceives a call from the restaurant with a lot of information that they didn’t request.\r\nAs a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed\r\nto the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. In\r\norder to create a large amount of traffic, the attacker structures the request in a way that generates as large a\r\nresponse from the DNS resolvers as possible. As a result, the target receives an amplification of the attacker’s\r\ninitial traffic, and their network becomes clogged with the spurious traffic, causing a denial-of-service.\r\nhttps://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/\r\nPage 1 of 3\r\nA DNS amplification can be broken down into four steps:\r\n1. The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS\r\nrecursor. The spoofed address on the packets points to the real IP address of the victim.\r\n2. Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as\r\n“ANY” in order to receive the largest response possible.\r\n3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large\r\nresponse to the spoofed IP address.\r\n4. The IP address of the target receives the response and the surrounding network infrastructure becomes\r\noverwhelmed with the deluge of traffic, resulting in a denial-of-service.\r\nWhile a few requests are not enough to take down network infrastructure, when this sequence is multiplied across\r\nmultiple requests and DNS resolvers, the amplification of data the target receives can be substantial. Explore more\r\ntechnical details on reflection attacks.\r\nHow is a DNS amplification attack mitigated?\r\nFor an individual or company running a website or service, mitigation options are limited. This comes from the\r\nfact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is\r\nfelt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The\r\nInternet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming\r\ntraffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP\r\naddress, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective\r\nservices like Cloudflare DDoS protection, are mostly preventative Internet infrastructure solutions.\r\nReduce the total number of open DNS resolvers\r\nAn essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly\r\nconfigured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to\r\ndiscover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted\r\ndomain. In the case of reflection-based attacks, the open DNS resolvers will respond to queries from anywhere on\r\nthe Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to\r\nqueries from trusted sources makes the server a poor vehicle for any type of amplification attack.\r\nSource IP verification – stop spoofed packets leaving the network\r\nBecause the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the\r\nvictim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for\r\nInternet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent\r\nfrom inside the network with a source address that makes it appear like it originated outside the network, it’s\r\nlikely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress\r\nfiltering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks and help them\r\nrealize their vulnerability.\r\nHow does Cloudflare mitigate DNS amplification attacks?\r\nWith a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless\r\nyou are the size of Cloudflare), it's trivial to block reflection attacks such as DNS amplification attacks. Although\r\nthe attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is\r\nno longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across\r\nmany data centers, balancing the load so that service is never interrupted and the attack never overwhelms the\r\ntargeted server’s infrastructure. During a recent six-month window our DDoS mitigation system \"Gatebot\"\r\ndetected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all\r\nof them. Learn more about Cloudflare's advanced DDoS Protection.\r\nSource: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/"
	],
	"report_names": [
		"dns-amplification-ddos-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a0ae114b43846b6d50af73cd7a20e1f67f1ebb1.pdf",
		"text": "https://archive.orkl.eu/8a0ae114b43846b6d50af73cd7a20e1f67f1ebb1.txt",
		"img": "https://archive.orkl.eu/8a0ae114b43846b6d50af73cd7a20e1f67f1ebb1.jpg"
	}
}