T 5.153 DNS amplification attack
A DNS amplification attack is a denial-of-service attack (DoS attack). In a DoS attack, the attacker tries to put one or more services into a state in which they can no longer operate because of overload. In contrast to DNS flooding (T 5.151 DNS flooding - denial-of-service), the target here is not the DNS server to which the requests are sent, but the recipient of the responses.
The attack exploits the fact that certain requests generate a relatively large amount of response data. Amplification factors of 50 and higher are possible, meaning that the response, measured in bytes, is 50 times larger than the request. Due to the number and size of the responses, the network bandwidth and/or the computer itself is overloaded beyond its capacity. In principle, any IT component can therefore be the target of such an attack.
Example:
- A company (the target of the attack) operates a central security gateway. This security gateway is the only connection point between the internal network and the Internet. The attacker misuses the DNS servers of several other companies to carry out a DNS amplification attack against the target's security gateway. For this purpose, the attacker uses a bot network to continuously generate a large number of requests. In addition, the attacker uses IP spoofing (T 5.48 IP spoofing) to enter the IP address of the security gateway as the sender address, so that all responses are sent to this address. Due to the large amount of data, the security gateway becomes overloaded and the attacked company is cut off from the Internet. A possible side effect is that the DNS servers that were queried also become overloaded.
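From the attacked gateway's point of view, the reflected traffic described above consists of DNS responses for queries the gateway never sent, arriving from many different resolvers and each many times larger than a query. The following check, added here as an illustration and not part of the catalogue, matches inbound responses against outbound queries to separate legitimate replies from reflected ones; the flow records, the assumed typical query size of 60 bytes and the alert thresholds are constructed assumptions.

```python
"""Defender-side detection of reflected DNS amplification traffic.

Added example, not part of the BSI catalogue. Vantage point: the target's
security gateway. A response is 'solicited' if the gateway sent a query
with the same (peer, transaction id, name); everything else is a reflected
response that a spoofed query caused a third-party resolver to send.
"""

# Assumed size of a small UDP DNS query as seen on the wire (constructed).
TYPICAL_QUERY_BYTES = 60

# Constructed flow records: (direction, peer_ip, txid, qname, size_bytes).
# 'out' = query sent by the gateway, 'in' = response received by it.
SAMPLE = [
    ("out", "203.0.113.10", 0x1A2B, "example.net.", 40),
    ("in",  "203.0.113.10", 0x1A2B, "example.net.", 120),  # normal reply
    ("in",  "198.51.100.5", 0x0001, ".", 3200),            # never asked
    ("in",  "198.51.100.6", 0x0001, ".", 3150),            # never asked
    ("in",  "198.51.100.7", 0x0002, "example.org.", 3900),  # never asked
    ("in",  "192.0.2.9",    0x0003, "example.com.", 90),   # small, harmless stray
]


def analyse_dns_flows(records):
    """Return {'solicited': [(peer, amplification factor)],
               'unsolicited': [(peer, response_bytes)]}."""
    pending = {}  # (peer, txid, qname) -> size of the query we sent
    solicited, unsolicited = [], []
    for direction, peer, txid, qname, size in records:
        key = (peer, txid, qname)
        if direction == "out":
            pending[key] = size
        elif key in pending:  # response answers a query of ours
            solicited.append((peer, size / pending.pop(key)))
        else:                 # response to a query we never sent
            unsolicited.append((peer, size))
    return {"solicited": solicited, "unsolicited": unsolicited}


def amplification_alert(records, min_sources=3, min_factor=10.0):
    """Alert when several distinct resolvers send unsolicited responses that
    are each at least min_factor times a typical query. Returns (bool, details)."""
    big = [(p, s) for p, s in analyse_dns_flows(records)["unsolicited"]
           if s / TYPICAL_QUERY_BYTES >= min_factor]
    reflectors = sorted({p for p, _ in big})
    total = sum(s for _, s in big)
    details = {
        "reflectors": reflectors,
        "unsolicited_bytes": total,
        "mean_factor": total / len(big) / TYPICAL_QUERY_BYTES if big else 0.0,
    }
    return len(reflectors) >= min_sources, details
```

Running `amplification_alert(SAMPLE)` flags the three reflectors with a mean amplification factor above 50, while the matched pair from 203.0.113.10 is reported as an ordinary reply with factor 3.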