What is a DNS Reflection Amplification DDoS Attack?

Introduction

A DNS reflection amplification attack is the one-two punch of DDoS attacks. The reflection aspect is the first punch, the jab. It’s the precursor to a more significant blow and is when the attacker sizes up the target and sets the tempo. The amplification aspect is the second punch, the cross. That’s when the attacker leans in for a more powerful hit.  

In this blog, we’ll explore how DNS reflection/amplification attacks work and the impact this type of DDoS attack can have on organizations. We’ll also offer guidance on DNS DDoS protection to mitigate and protect against this cyber threat.

The Signs of a DNS Reflection/Amplification DDoS Attack 

Domain Name System (DNS) servers are the lifeline that connects people and organizations over the internet. DNS servers allow you to access websites and applications using domain names and URLs rather than hard-to-remember IP addresses. One of the ways threat actors carry out DDoS attacks is to leverage publicly reachable DNS servers (open resolvers) to disrupt targeted organizations with an overwhelming volume of traffic.

How DNS Reflection Attacks Work

DNS reflection is the first part of the attack: the criminal uses a botnet to flood open DNS servers with a massive number of requests whose source IP address is spoofed to be the victim's. Instead of the responses going to the attacker, they go to the targeted victim. The DNS server ends up doing the attacker's dirty work for them, reflecting traffic onto the target.

Understanding Amplification in DDoS Attacks

The second part of the DNS reflection/amplification attack is DNS amplification. The attacker takes advantage of the DNS protocol's design, in which a small request can produce a much larger response. When the DNS server replies to the spoofed (victim) IP address, the response it sends is larger than the request it received, sometimes by a factor of 50X or more. Just like a boxer's one-two punch, attackers can inflict a lot more damage using minimal resources with the reflection/amplification combination.
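To make the size ratio concrete, here is an added example (not code from the original post or from any vendor) that builds a DNS query in wire format, pairs it with a constructed response for a made-up `example.com` RRset, parses both messages, and reports the response/query byte ratio together with the largest UDP reply the query permits. The record contents, sizes and the EDNS0 buffer value are constructed for illustration; no packets are sent. It shows why resolver operators watch the EDNS0 UDP payload size and large record types: they set the ceiling on how many bytes a reflector emits per byte it receives.

```python
"""Added example: measure DNS query/response sizes in wire format (no network I/O)."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
TYPE_OPT = 41            # EDNS0 pseudo-record; its CLASS field carries the UDP payload size
CLASSIC_UDP_LIMIT = 512  # without EDNS0 a UDP response is limited to 512 bytes


def encode_name(name):
    """Dotted name -> DNS label wire format, without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off]; handles compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_query(qname, qtype, edns_bufsize=None, txid=0x1234):
    """Standard query (RD set), optionally advertising an EDNS0 UDP buffer size."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT record: root owner name, type 41, CLASS = UDP payload size, TTL 0, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def build_response(query, answers):
    """Constructed reply: echoes the question and the client's OPT record and adds
    `answers`, a list of (owner, rtype, ttl, rdata) records, to the answer section."""
    txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(answers), 0, arcount)
    rrs = b"".join(encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
                   for owner, rtype, ttl, rdata in answers)
    return header + query[12:qend] + rrs + query[qend:]


def summarize(msg):
    """Walk a DNS message; return its size, answer count and advertised EDNS0 buffer."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    udp_payload = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            udp_payload = rclass
    if off != len(msg):
        raise ValueError("malformed message: trailing or missing bytes")
    return {"size": len(msg), "is_response": bool(flags & 0x8000),
            "answers": an, "udp_payload": udp_payload}


def amplification_factor(query, response):
    """Bytes the server emits per byte it received, as seen on the wire."""
    return summarize(response)["size"] / summarize(query)["size"]


def udp_ceiling(query):
    """Largest UDP reply this query allows; anything bigger is truncated (TC=1)."""
    return summarize(query)["udp_payload"] or CLASSIC_UDP_LIMIT


def txt_rdata(text):
    """TXT RDATA is a sequence of <length byte><characters> strings."""
    raw = text.encode("ascii")
    return bytes([len(raw)]) + raw


# Constructed RRset for example.com: one A record plus four 199-character TXT records
CONSTRUCTED_ANSWERS = [("example.com", QTYPE_A, 300, bytes([192, 0, 2, 1]))] + \
    [("example.com", QTYPE_TXT, 300, txt_rdata("x" * 199)) for _ in range(4)]

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY, edns_bufsize=4096)
    r = build_response(q, CONSTRUCTED_ANSWERS)
    print(f"{summarize(q)['size']}-byte query -> {summarize(r)['size']}-byte response, "
          f"{amplification_factor(q, r):.1f}x, UDP ceiling {udp_ceiling(q)} bytes")
```

Running it shows a 40-byte query answered by a 959-byte response, roughly 24x. Dropping the EDNS0 option caps the UDP reply at 512 bytes, which is one reason operators limit the advertised buffer size and minimise or refuse ANY responses on servers they expose to the internet.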

Consequences of DNS Reflection/Amplification Attacks

As we’ve already discussed, the immediate impact of a DNS reflection/amplification attack is denial of service. When massive volumes of traffic/responses are sent to the victim server, the server’s resources are consumed with bogus traffic that keeps legitimate users from being able to access the server.

Downtime has a ripple effect on business operations and can cause financial losses. Depending on the volume of malicious traffic, outages can last for hours to days or even longer.

Ultimately, the impact on an organization could include customer churn, operational costs to mitigate and deal with the aftermath of an attack, reputational damage, and lost revenue.

Compounding the impact, threat actors may be using the attack as a distraction. While the organization is working on fixing the damage and bringing services back up, a threat actor could be moving laterally within the environment, looking for data to steal or encrypt or other systems to exploit and damage.

How to Protect Against DNS Reflection/Amplification Attacks

There are several strategies DNS administrators and security teams can use to mitigate and prevent DNS reflection/amplification attacks, including the following:

Best practices
Practical tips like disabling open DNS servers, spoofing prevention, and traffic limiting mitigate the risk of DNS reflection/amplification attacks. Specifically:

  • Close open DNS servers: Internet-facing recursive DNS servers should be configured to accept queries only from trusted IP addresses (the networks they serve) and reject queries from external sources. By disabling open resolvers, DNS servers are less likely to be exploited in a reflection attack.
  • Validate source IP addresses: Enabling source IP validation through ingress filtering at the network edge (BCP 38) drops packets whose source address could not legitimately originate there, so DNS queries with spoofed IP addresses are blocked before reaching DNS servers.
  • Implement traffic limiting: DNS response rate limiting (RRL) caps how many identical responses a server sends toward a single IP address or prefix per second, preventing it from pouring a massive volume of responses onto one target. DNS Security Extensions (DNSSEC) authenticate DNS responses, but signed responses are larger than unsigned ones, so rate limiting matters even more on DNSSEC-enabled servers.
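The following added example (my own toy implementation, not the code of BIND, Knot, or any product the post mentions) shows the core of response rate limiting: responses are counted per (client prefix, query name, query type) bucket per second, a bucket over its limit is dropped, and every N-th dropped response is "slipped" as a truncated reply so that a genuine client behind the same prefix can retry over TCP while a spoofed victim receives almost nothing. The limit, slip value and prefix lengths are assumed defaults chosen for the demonstration.

```python
"""Added example: per-prefix DNS response rate limiting (RRL) with slip, no network I/O."""
from collections import Counter, defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Decides, per outgoing response, whether to send it, drop it, or send a
    truncated (TC=1) reply that forces a real client to retry over TCP."""

    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit = responses_per_second   # identical responses allowed per second per bucket
        self.slip = slip                    # every slip-th over-limit response is truncated, not dropped
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._state = defaultdict(lambda: [None, 0])  # bucket -> [window second, count]

    def _bucket(self, client_ip, qname, qtype):
        # Count per prefix, not per host: a spoofer can vary the low bits freely.
        bits = self.v6_prefix if ":" in client_ip else self.v4_prefix
        net = ip_network(f"{client_ip}/{bits}", strict=False)
        return (str(net), qname.rstrip(".").lower(), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'respond', 'slip' or 'drop' for a response due at time `now` (seconds)."""
        state = self._state[self._bucket(client_ip, qname, qtype)]
        second = int(now)
        if state[0] != second:              # new one-second window
            state[0], state[1] = second, 0
        state[1] += 1
        if state[1] <= self.limit:
            return "respond"
        over = state[1] - self.limit
        if self.slip and over % self.slip == 0:
            return "slip"                   # send a short TC=1 answer instead of the full response
        return "drop"


def simulate(limiter, events):
    """events: iterable of (now, client_ip, qname, qtype); returns a Counter of decisions."""
    return Counter(limiter.decide(ip, qname, qtype, now) for now, ip, qname, qtype in events)


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    # Constructed flood: 20 identical ANY queries within one second, "from" 198.51.100.7
    flood = [(100.0 + i * 0.01, "198.51.100.7", "example.com", "ANY") for i in range(20)]
    print(simulate(rrl, flood))   # the victim prefix gets 5 full answers, 7 tiny TC replies, 8 nothing
    print(rrl.decide("203.0.113.9", "example.com", "ANY", 100.5))  # other prefixes are unaffected
```

The bucket key deliberately uses a /24 (or /56 for IPv6) rather than the exact address: an attacker can spoof any host address inside the victim's network, and a per-host limit would be trivially sidestepped. The trade-off is that legitimate clients sharing that prefix with a victim see slipped answers during an attack, which is why the slip mechanism exists.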

Technologies
Extra layers of protection in the form of tools and technologies can mitigate and even protect against DNS reflection/amplification attacks.

  • Monitor DNS traffic: With an understanding of your baseline traffic, continuous monitoring can help detect DNS traffic anomalies.
  • Use DNS firewalls: Block malicious queries and responses before they reach the network to mitigate DNS-related threats.
  • Deploy a proven DDoS protection solution: The most effective solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack, ensure you stay ahead of emerging threats, and protect you against follow-on threats to your operations.
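As an added example of the baseline-and-anomaly monitoring described above (my own illustration, not a product feature or code from the post), the script below reads resolver query-log lines in a simple constructed format, builds a per-minute baseline of queries per client /24 over a quiet period, and then raises an alert only when a prefix both exceeds its baseline by a large factor and sends mostly high-amplification query types such as ANY or TXT. On a resolver being abused as a reflector, the "client" that suddenly sends hundreds of ANY queries is the spoofed victim, so the alert tells the operator whom their server is being pointed at. The log format, thresholds and addresses are constructed for the example.

```python
"""Added example: flag reflection-style anomalies in constructed DNS query logs."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed log format for this example: "<unix_ts> <client_ip> <qname> <qtype>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+)$")
# Query types whose answers are typically large relative to the query
HIGH_AMP_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG", "NSEC", "NSEC3"}

M0 = 28_333_333                       # first minute of the constructed log (unix minutes)
BASELINE_MINUTES = {M0, M0 + 1, M0 + 2}
ATTACK_MINUTE = M0 + 3


def prefix_of(ip):
    bits = 56 if ":" in ip else 24
    return str(ip_network(f"{ip}/{bits}", strict=False))


def aggregate(lines):
    """Return {(minute, client prefix): Counter(qtype)}; unparseable lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        minute = int(m["ts"]) // 60
        buckets[(minute, prefix_of(m["client"]))][m["qtype"]] += 1
    return buckets


def detect(lines, baseline_minutes, rate_factor=10.0, floor=30, amp_share=0.5):
    """Alert on prefixes whose query rate is far above their own baseline AND whose
    queries are dominated by high-amplification types. Both conditions are required:
    a busy legitimate client issuing A/AAAA lookups must not trip the detector."""
    buckets = aggregate(lines)
    history = defaultdict(list)           # prefix -> queries-per-minute during the baseline
    for (minute, prefix), qtypes in buckets.items():
        if minute in baseline_minutes:
            history[prefix].append(sum(qtypes.values()))
    alerts = []
    for (minute, prefix), qtypes in sorted(buckets.items()):
        if minute in baseline_minutes:
            continue
        total = sum(qtypes.values())
        expected = mean(history[prefix]) if history[prefix] else 0.0
        share = sum(qtypes[t] for t in HIGH_AMP_QTYPES) / total
        if total > max(floor, rate_factor * expected) and share >= amp_share:
            alerts.append({"minute": minute, "prefix": prefix, "queries": total,
                           "baseline_qpm": round(expected, 1), "high_amp_share": round(share, 2)})
    return alerts


def constructed_log():
    """Constructed sample: three quiet minutes, then one minute in which 203.0.113.0/24
    appears to send 400 ANY queries (a spoofed source; that prefix is the victim) while
    192.0.2.10 has a legitimate burst of ordinary A queries."""
    lines = []
    clients = ["192.0.2.10", "198.51.100.5", "203.0.113.7"]
    for minute in range(M0, ATTACK_MINUTE + 1):
        for i in range(6):
            for client in clients:
                qtype = "A" if i % 2 == 0 else "AAAA"
                lines.append(f"{minute * 60 + i * 10} {client} www.example.com {qtype}")
    lines.append("garbage line that does not parse")
    lines += [f"{ATTACK_MINUTE * 60 + 5} 192.0.2.10 cdn{i}.example.net A" for i in range(100)]
    lines += [f"{ATTACK_MINUTE * 60 + 7} 203.0.113.{i % 200} example.com ANY" for i in range(400)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log(), BASELINE_MINUTES):
        print("possible reflection abuse toward", alert)
```

In the constructed log only 203.0.113.0/24 is reported (406 queries against a baseline of 6 per minute, 99% of them ANY); the 106-query burst from 192.0.2.0/24 stays silent because its query mix is ordinary. In production the baseline window would be hours or days rather than three minutes, and the alert is a cue to confirm that rate limiting is engaging and to notify the owner of the reported prefix.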

Conclusion

A DNS reflection/amplification attack is the one-two punch of DDoS attacks. DNS reflection is the first part of the attack where the criminal uses a spoofed IP address to flood open DNS servers with a massive number of requests. However, instead of the responses going to the attacker, the responses go to a targeted victim. Amplification comes in when the attacker leverages the DNS protocol to send small requests that generate much larger responses and inflict even more damage. The resulting denial of service can disrupt operations for hours or days and cause significant financial and reputational damage to the business.

There are several best practices and technologies to mitigate and prevent DNS reflection/amplification attacks, including practical tips focused on DNS server protection like disabling open DNS servers, source IP validation, traffic limiting and monitoring, and DNS firewalls.  

However, the most effective way to protect against the gamut of DDoS attacks, including DNS reflection/amplification attacks, is by implementing an advanced DDoS protection solution. DDoS protection coupled with intelligence to stay ahead of emerging and evolving threats provides uninterrupted service availability even in the midst of a DDoS attack. Comprehensive DDoS protection can also defend against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.

FAQ

What is a DNS Reflection DDoS attack?

In a DNS reflection attack, a cybercriminal uses a spoofed IP address to flood open DNS servers with a massive number of requests. The DNS server replies to the requests, creating an attack on the targeted victim.

How does DNS Amplification work in these attacks?

DNS amplification is the second phase of a reflection/amplification attack. The attacker doubles down by also leveraging the DNS protocol to send small requests that generate much larger responses. This amplifies the damage to the targeted victim.

What are the consequences of a DNS Amplification/Reflection DDoS attack?

The impact of DNS reflection/amplification attacks is denial of service, which prevents legitimate users from accessing services and, ultimately, can inflict significant financial and reputational damage on the organization.

How can organizations protect themselves from these attacks?

There are several best practices and technologies to mitigate and prevent DNS reflection/amplification attacks, including disabling open DNS servers and using source IP validation, traffic limiting and monitoring, DNS firewalls, and DDoS protection solutions. 

Are there specific tools to protect against DNS Amplification/Reflection DDoS attacks?

Yes. Purpose-built DDoS protection coupled with intelligence to stay ahead of emerging threats provides uninterrupted service availability even during a DNS reflection/amplification DDoS attack. Advanced DDoS protection can defend against the gamut of DDoS attacks as well as other malicious activity that can harm an enterprise.
