Imagine sending a postcard that weighs 60 grams and receiving a package that weighs 4 kilograms in return — delivered not to you, but to someone else’s doorstep. Now imagine doing that a million times per second. That’s DNS amplification.
It remains one of the most powerful volumetric DDoS attack techniques ever devised, and it exploits a fundamental feature of the internet’s most critical infrastructure: the Domain Name System.
How DNS Works (The 30-Second Version)
Every time you visit a website, your computer sends a DNS query to a resolver asking “What’s the IP address for example.com?” The resolver responds with the answer. This happens billions of times per day across the internet, and the entire system runs on UDP — a fast, connectionless protocol that doesn’t verify the sender’s identity.
That last detail is the vulnerability attackers exploit.
The Anatomy of a DNS Amplification Attack
A DNS amplification attack combines two techniques: reflection and amplification.
Step 1: Spoofing the Source
Because DNS queries use UDP, there’s no handshake — the resolver has no way to verify that the source IP address in the query is genuine. The attacker forges (spoofs) the source IP, replacing their own address with the victim’s IP address.
Step 2: Choosing the Right Query
Not all DNS queries produce the same response size. A simple A record lookup might return 60 bytes. But a query for ALL records (type ANY), DNSSEC-signed zones, or TXT records containing SPF or DKIM data can return responses of 3,000 to 4,000 bytes — or more.
The attacker crafts queries specifically designed to trigger the largest possible response.
Step 3: Finding Open Resolvers
An open DNS resolver is a DNS server that accepts queries from any source on the internet, not just its own network’s clients. There are millions of misconfigured open resolvers worldwide — and they’re catalogued in publicly available lists.
Step 4: The Flood
The attacker sends millions of small DNS queries (each ~60 bytes) to hundreds or thousands of open resolvers. Every query has the victim’s IP address as the source. Every resolver dutifully sends its large response (up to 4,000+ bytes) to the victim.
The result: the attacker sends 1 Gbps of spoofed queries and the victim receives up to 54 Gbps of DNS response traffic. The victim’s network is overwhelmed by traffic from legitimate DNS servers — servers that are impossible to block without also blocking real DNS functionality.
Amplification Factors: The Numbers
Different DNS record types produce dramatically different amplification ratios:
| Query Type | Query Size | Response Size | Amplification Factor |
|---|---|---|---|
| A record (simple) | ~60 bytes | ~120 bytes | 2x |
| ANY record | ~60 bytes | ~3,000 bytes | 50x |
| DNSSEC-signed zone | ~60 bytes | ~4,000 bytes | 67x |
| TXT (SPF/DKIM) | ~60 bytes | ~2,000 bytes | 33x |
For context, an attacker with a 1 Gbps connection generating ANY queries can theoretically direct 50-67 Gbps of DNS response traffic at a single target. A botnet with 10 Gbps of aggregate upload bandwidth can generate over 500 Gbps — enough to saturate most network providers.
Why DNS Amplification Is Especially Dangerous
The Traffic Is “Legitimate”
The DNS responses flooding the victim come from real, legitimate DNS servers. The packets are well-formed, protocol-compliant DNS responses. This makes simple filtering extremely difficult — you can’t distinguish DNS amplification traffic from normal DNS responses without deeper analysis.
The Attacker’s Cost Is Low
The attacker needs only a small amount of bandwidth. The amplification factor means their actual resource investment is 50-67x smaller than the damage they inflict. A cheap botnet or even a single server with spoofing capabilities can generate devastating attacks.
The Attack Is Untraceable
Because every query uses a spoofed source IP, the DNS resolvers log the victim’s address — not the attacker’s. Forensic investigation is extremely difficult, as the actual attack traffic originates from thousands of legitimate DNS servers worldwide.
No Connection State to Exploit
Unlike TCP-based attacks that require some form of state management, DNS amplification is entirely stateless. Each spoofed query is independent. The attacker can start and stop instantly, change targets mid-attack, and vary query types to adjust the amplification ratio.
It’s Not Just DNS: The Amplification Family
DNS was the pioneer, but attackers have discovered amplification vulnerabilities in numerous UDP-based protocols:
| Protocol | Port | Amplification Factor | Status |
|---|---|---|---|
| DNS | 53 | 28-54x | Still widely exploited |
| NTP (monlist) | 123 | 556x | Mostly patched, still dangerous |
| Memcached | 11211 | 10,000-51,000x | Devastating; largely mitigated |
| SSDP | 1900 | 30x | Common in IoT botnets |
| CLDAP | 389 | 56-70x | Increasingly popular |
| CharGen | 19 | 358x | Rare but still exists |
| SNMP | 161 | 6x | Less common |
The principles are identical: a small spoofed request yields a disproportionately large response directed at the victim.
How to Defend Against DNS Amplification
For DNS Server Operators
The most impactful mitigation happens at the source. If you operate a DNS server:
Disable open resolution. Configure your recursive resolver to accept queries only from your own network’s IP ranges. This single change eliminates your server as a potential amplification reflector.
Rate-limit DNS responses. Implement Response Rate Limiting (RRL) to cap the number of identical responses sent to the same destination within a time window. This reduces the effectiveness of amplification without impacting legitimate queries.
Disable ANY queries. The ANY query type exists primarily for debugging and produces the largest responses. Most production DNS servers should reject or minimize ANY queries.
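Response Rate Limiting as described above, shown as an added illustration in Python that is not BIND's or any vendor's implementation: identical responses headed for the same client /24 are capped per second, and of the excess every second one is sent truncated (TC=1) so a genuine client can retry over TCP while the rest are dropped. The addresses, names and thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Simplified RRL: key = (client prefix, qname, qtype, rcode). Illustrative only."""

    def __init__(self, responses_per_second=5, slip=2, window=1.0):
        self.rps, self.slip, self.window = responses_per_second, slip, window
        self.buckets = defaultdict(lambda: [0.0, 0])   # key -> [window_start, count]
        self.slip_counter = defaultdict(int)           # key -> excess responses seen

    def _key(self, client_ip, qname, qtype, rcode):
        # Spoofed floods target one victim address, so limit per client prefix (/24 v4, /56 v6)
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{client_ip}/{24 if addr.version == 4 else 56}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return 'send', 'slip' (send truncated, TC=1) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode)
        bucket = self.buckets[key]
        if now - bucket[0] >= self.window:      # new window: reset the counter
            bucket[0], bucket[1] = now, 0
        bucket[1] += 1
        if bucket[1] <= self.rps:
            return "send"
        self.slip_counter[key] += 1             # over the limit: slip every N-th, drop the rest
        return "slip" if self.slip_counter[key] % self.slip == 0 else "drop"


def simulate(limiter):
    # Constructed traffic: 100 identical ANY answers toward one spoofed source in one second,
    # plus a real client on another network asking for ten different names
    tally = {"flood": defaultdict(int), "client": defaultdict(int)}
    for i in range(100):
        tally["flood"][limiter.decide("203.0.113.10", "bigzone.example", 255, 0, 100.0 + i / 1000)] += 1
    for i in range(10):
        tally["client"][limiter.decide("198.51.100.25", f"host{i}.example.net", 1, 0, 100.0 + i / 100)] += 1
    return {k: dict(v) for k, v in tally.items()}
```

With the defaults above the flood collapses to 5 full answers, 47 truncated ones and 48 drops, while the legitimate client's ten distinct responses all go out untouched.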
For Network Operators
Implement BCP38 (Source Address Validation). If every network on the internet verified that outgoing packets actually originate from their assigned IP ranges, IP spoofing would be impossible and amplification attacks would cease to function. Unfortunately, adoption remains incomplete after decades of advocacy.
Block spoofed traffic at the edge. Use uRPF (Unicast Reverse Path Forwarding) or similar mechanisms to drop packets with source addresses that couldn’t have originated from the interface they arrived on.
For Attack Targets
This is where it gets difficult. When you’re on the receiving end of a DNS amplification attack, the traffic arriving at your network is:
- From thousands of different source IPs (all legitimate DNS servers)
- Well-formed UDP packets on port 53
- Indistinguishable from real DNS traffic at a packet level
Traditional firewalls struggle here. Blocking UDP port 53 stops the attack but also kills your outbound DNS. Blocking source IPs blocks legitimate DNS resolvers. Rate limiting all UDP drops legitimate traffic indiscriminately.
How CoreTech Neutralizes DNS Amplification
CoreEdge™ handles DNS amplification attacks through multi-layered analysis that goes beyond simple packet filtering.
Source validation is the first layer. CoreEdge™ examines DNS response packets and correlates them against outbound DNS query patterns. If your network sent zero DNS queries to a particular resolver, but this resolver is now sending thousands of DNS responses per second to your IP — that traffic is amplification and gets dropped immediately.
Protocol-aware filtering recognizes the structure of DNS amplification. Attack responses typically share characteristics: they’re responses to ANY queries, they contain identical or similar response data, and they arrive in patterns inconsistent with normal DNS resolution. CoreEdge™ applies DNS-specific heuristics to distinguish attack responses from legitimate ones.
UDP rate limiting applies per-source thresholds to DNS response traffic. A legitimate DNS resolver might send your network 10-20 responses per second. An amplification reflector sends thousands. CoreEdge™’s per-source rate limiting (RATE_LIMIT_SRC) throttles abusive sources while legitimate DNS resolution continues uninterrupted.
Geographic filtering adds an additional dimension. If your business operates exclusively in the Middle East but you’re receiving massive DNS responses from resolvers in South America and Southeast Asia, GeoIP-based rules can filter traffic from regions where you have no legitimate DNS query patterns.
CoreDetection™ identifies DNS amplification attacks autonomously by monitoring the ratio of inbound DNS responses to outbound DNS queries. When this ratio spikes beyond statistical baselines, the behavioral engine classifies the anomaly and deploys protocol-specific filtering rules to CoreEdge™ within seconds.
Recognizing a DNS Amplification Attack
If you suspect you’re under attack, look for these indicators:
Bandwidth graphs show a sharp, sustained spike dominated by UDP port 53 inbound traffic. Normal DNS response traffic is negligible; during amplification, it can reach hundreds of gigabits.
Source addresses are geographically distributed and belong to legitimate DNS server operators. Running reverse lookups on source IPs will show they’re genuine recursive resolvers — not botnets.
Packet sizes are large and uniform. DNS amplification responses are typically 3,000-4,000 bytes each. Normal DNS responses to your queries are much smaller and vary in size.
Your outbound DNS queries don’t correlate. You’re receiving DNS responses you never requested. This is the definitive indicator.
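The two definitive checks described in this section, and in the source-validation and per-source rate-limiting paragraphs of the CoreEdge™ section above, as an added Python example that is not CoreTech's code: it parses the question section of constructed inbound DNS responses, matches each against the queries this network actually sent, and flags a source whose answers are mostly unsolicited or arrive faster than any real resolver would reply. All addresses, names, transaction IDs and thresholds are constructed.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # the query type that yields the largest responses

def build_response(txid, qname, qtype, filler):
    # Constructed sample packet: 12-byte header with QR=1, one question, filler bytes standing in for RRs
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1) + b"\x00" * filler

def parse_response(pkt):
    # Return (txid, qname, qtype) for a well-formed DNS response, else None
    if len(pkt) < 12 or not struct.unpack("!H", pkt[2:4])[0] & 0x8000:
        return None                                   # too short, or QR bit clear (a query)
    labels, off = [], 12
    while off < len(pkt) and (n := pkt[off]):
        if n & 0xC0 or off + 1 + n > len(pkt):        # compression pointer or truncated label
            return None
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    if off + 3 > len(pkt):                            # need the zero byte plus a 2-byte QTYPE
        return None
    return struct.unpack("!H", pkt[:2])[0], ".".join(labels), struct.unpack("!H", pkt[off + 1:off + 3])[0]

def classify(inbound, sent, rps_limit=20):
    """inbound: (timestamp, src_ip, udp_payload) records; sent: {(resolver_ip, txid, qname)} we queried."""
    stats = defaultdict(lambda: {"n": 0, "unsolicited": 0, "any": 0, "bytes": 0, "peak_rps": 0})
    per_sec = defaultdict(int)
    for ts, src, pkt in inbound:
        if (parsed := parse_response(pkt)) is None:
            continue
        txid, qname, qtype = parsed
        s = stats[src]
        s["n"] += 1
        s["bytes"] += len(pkt)
        s["any"] += int(qtype == QTYPE_ANY)
        s["unsolicited"] += int((src, txid, qname) not in sent)   # an answer we never asked for
        per_sec[(src, int(ts))] += 1
        s["peak_rps"] = max(s["peak_rps"], per_sec[(src, int(ts))])
    # Either signal alone flags a source: mostly unsolicited answers, or a rate no real resolver reaches
    verdicts = {src: "amplification" if s["unsolicited"] > s["n"] / 2 or s["peak_rps"] > rps_limit
                else "legitimate" for src, s in stats.items()}
    return verdicts, dict(stats)

# Constructed sample: a resolver answering two queries we sent, and a reflector we never talked to
SENT = {("192.0.2.53", 0x1001, "example.com"), ("192.0.2.53", 0x1002, "example.net")}
INBOUND = [(100.0, "192.0.2.53", build_response(0x1001, "example.com", 1, 100)),
           (100.4, "192.0.2.53", build_response(0x1002, "example.net", 1, 90))] + [
    (100.0 + i / 1000, "198.51.100.7", build_response(0xBEEF, "bigzone.example", QTYPE_ANY, 3000))
    for i in range(500)]
```

The per-source byte totals also expose the third indicator: the reflector's answers are large and all the same size, while the real resolver's are small and vary.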
Prevention Starts Before the Attack
The most effective DNS amplification defense is having filtering rules in place before the first spoofed packet arrives. CoreEdge™ customers configure UDP port 53 rate limits, per-source thresholds, and protocol validation rules through the Client Portal. When an amplification attack begins, these pre-configured rules engage instantly — before CoreDetection™’s automated analysis even completes.