Research

DNS Amplification Attacks

David Cornell
Updated — December 1, 2022 • 4 minute read

DNS amplification attacks are one popular method attackers use to multiply the traffic at their disposal by abusing larger services. Even though this type of attack has been happening for a long time, we are still seeing a large number of attacks using this method.

In this post I will briefly describe how these amplification attacks work and shed some light on how often they occur. I will then give you some ideas on how you can protect yourself from these attacks as a website operator, and advise how you can avoid taking part in such attacks as a DNS server administrator or network administrator.

What is a DNS amplification attack?

Amplification attacks are a form of denial of service attack. Attackers use open internet services such as DNS resolvers and NTP servers to increase the amount of bandwidth sent to the victim and overwhelm their capacity. With no bandwidth remaining to service real customer requests, the victim’s website is unable to serve real users. The reason it’s called an amplification attack is that the attacker only needs a small Internet connection, while still being able to deluge the victim with traffic.

How do DNS amplification attacks work?

The diagram below gives a high level overview of how a DNS amplification attack works:

Diagram of how a DNS amplification attack works

As you can see, an attacker can use relatively few machines with little bandwidth to launch fairly substantial attacks. This is done by spoofing (or faking) the source IP of the DNS request, so that the response is not sent back to the computer that issued the request but instead to the victim.

This is easy because DNS relies on UDP, and UDP does not verify that the source IP address in a packet is really the sender. Using very simple tools the attacker can send many thousands of spoofed requests to open resolvers, and the responses, which are much larger than the requests, amplify the amount of bandwidth sent to the victim.

The chart below shows the number of attacks we see over a 24 hour period.

Graph of attacks seen over a 24 hour period

Digging into these attacks, we see that attackers often issue a special type of DNS request called an ANY request. ANY requests ask the DNS resolver for ALL information that it currently knows about the domain which may include where the mail servers are (MX records), what the IP addresses are (A records) and so on. Attackers use this type of query to maximize the size of the response sent to the victim.
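A resolver operator can spot this pattern in their own query logs: one "client" address (in reality the spoofed victim) issuing a flood of ANY queries for a single name. The following is an added example, not code from the Cisco Umbrella post. It assumes a BIND-style query log format and runs over constructed sample lines, flagging sources whose traffic is dominated by ANY queries for one domain. The threshold values are illustrative assumptions.

```python
"""Flag reflection abuse in resolver query logs (added example, not from the post).

The log format mirrors BIND's query log, but every line below is constructed.
A resolver used as a reflector sees a burst of ANY queries for one attack
domain, all carrying the same "client" address: that address is the victim
being spoofed, so the right reaction is to rate-limit or refuse, not to treat
it as the attacker.
"""
import re
from collections import Counter, defaultdict

# Regex for BIND-style query log lines (format assumed; adapt for your resolver).
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>[A-Z0-9]+) "
)


def _line(ip, port, qname, qtype, n):
    """Build one constructed BIND-style query log line."""
    return (f"01-Mar-2014 20:17:{41 + n // 1000:02d}.{n % 1000:03d} queries: info: "
            f"client {ip}#{port} ({qname}): query: {qname} IN {qtype} +E (192.0.2.10)")


# Constructed sample: 300 ANY queries for one attack domain from the spoofed
# victim address 203.0.113.7, mixed with ordinary lookups from real clients.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 53, "amp-example.test", "ANY", n) for n in range(300)]
    + [_line("198.51.100.20", 41232 + n, f"host{n}.example.com", "A", 300 + n)
       for n in range(40)]
    + [_line("198.51.100.21", 52331, "example.com", "MX", 340)]
)


def summarize_sources(log_text):
    """Per client IP: total queries, ANY queries and a counter of queried names."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "names": Counter()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        if m["qtype"] == "ANY":
            s["any"] += 1
        s["names"][m["qname"]] += 1
    return stats


def find_reflection_victims(log_text, any_threshold=100, any_ratio=0.8):
    """Return {client_ip: (any_count, dominant_qname)} for sources whose traffic
    is mostly ANY queries. Thresholds are illustrative assumptions; tune them
    against your own baseline before acting on the output."""
    flagged = {}
    for ip, s in summarize_sources(log_text).items():
        if s["any"] >= any_threshold and s["any"] / s["total"] >= any_ratio:
            qname, _ = s["names"].most_common(1)[0]
            flagged[ip] = (s["any"], qname)
    return flagged


if __name__ == "__main__":
    for ip, (count, qname) in find_reflection_victims(SAMPLE_LOG).items():
        print(f"{ip}: {count} ANY queries, dominant name {qname}")
```

The dominant name is worth keeping in the output: as the post notes, the crafted domains change rarely, so a name that shows up here today will often be the one to watch for weeks.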

Using threat analysis from Umbrella and Cisco Talos, we can outline the exact domains used in these attacks, how long the attack lasted, who the intended victims were and the intended size of the attack. We can also estimate the approximate source location of the attacks even though the packets are spoofed. This is possible because we use Anycast which is a networking technology used to route customer requests to the nearest Cisco Umbrella resolver in one of our datacenters around the globe. We can use this metric to estimate how distributed the attack is.

The table below shows a small sample of the domains used over the same 24 hour period:

Sample of the domains used

Attackers use both legitimate domains and domains created specifically to increase the impact of the attack. For example, fkfkfkfc(.)biz is one such domain that was set up specifically to take part in these attacks. They do this so they can make the DNS response as large as possible. Below is the dig output for this domain:

$ dig fkfkfkfc(.)biz @109.235.51.184

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> fkfkfkfc(.)biz @109.235.51.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24993
;; flags: qr aa rd; QUERY: 1, ANSWER: 236, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fkfkfkfc(.)biz. IN A

;; ANSWER SECTION:
fkfkfkfc(.)biz. 86400 IN A 204.46.43.157
fkfkfkfc(.)biz. 86400 IN A 204.46.43.158
fkfkfkfc(.)biz. 86400 IN A 204.46.43.159
fkfkfkfc(.)biz. 86400 IN A 204.46.43.160
… Repeated hundreds of times …
fkfkfkfc(.)biz. 86400 IN A 204.46.43.154
fkfkfkfc(.)biz. 86400 IN A 204.46.43.155
fkfkfkfc(.)biz. 86400 IN A 204.46.43.156

;; AUTHORITY SECTION:
fkfkfkfc(.)biz. 86400 IN NS ns21.fkfkfkfc.biz.
fkfkfkfc(.)biz. 86400 IN NS ns22.fkfkfkfc.biz.

;; ADDITIONAL SECTION:
ns21.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184
ns22.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184

;; Query time: 190 msec
;; SERVER: 109.235.51.184#53(109.235.51.184)
;; WHEN: Sat Mar  1 20:17:45 2014
;; MSG SIZE  rcvd: 3876

As you can see a request that is only 64 bytes becomes 3876 bytes sent to the victim. A recent attack measured by Cloudflare weighed in at 400Gbps, one of the largest attacks seen to date. That would require an attacker issuing over 200,000 of the above requests per second to open resolvers around the globe.

While some attacks are very short lived, we have seen several sustained attacks lasting many weeks. We also notice that while the custom crafted domains used in these attacks do change, they change infrequently, with the same domain sometimes in use for many weeks.

How do you protect yourself from a DNS amplification attack?

As a website operator you may want to use a DDoS protection service such as those offered by Cloudflare, Verisign, and Arbor Networks.

As a DNS or NTP server administrator you should make sure your resolver is not open to the internet. If you use BIND you can disable recursive resolving like so:

options {
    recursion no;
};

You should also restrict BIND to answering questions from your internal network:

options {
    allow-query { 192.168.1.0/24; };
};

If you use an external DNS resolver, check if it is open and suggest to the ISP or operator to restrict access to only their networks.
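One way to check a server after applying the settings above, or to check the resolver an ISP operates for you, is to query it with dig for a name it is not authoritative for and read the flags: a server that performed recursion for you sets "ra" and returns NOERROR; a locked-down server returns REFUSED or answers without "ra". The following is an added example, not code from the Cisco Umbrella post, and it parses dig's printed output rather than speaking DNS itself so it runs offline (save real output with `dig <name> @<server> > out.txt` and pass the file contents in). PAGE_OUTPUT is the post's own dig output, shortened and defanged as the post prints it; OPEN_OUTPUT and REFUSED_OUTPUT are constructed. It also computes the response-to-request amplification factor the post describes, using the post's 64-byte request figure as an input rather than measuring it.

```python
"""Classify dig output as open/closed and compute amplification (added example)."""
import re

# Reproduced from the post (shortened; domain defanged as the post prints it).
PAGE_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24993
;; flags: qr aa rd; QUERY: 1, ANSWER: 236, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; MSG SIZE  rcvd: 3876
"""

# Constructed: a resolver that recursed for an arbitrary client ('ra' set).
OPEN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 57
"""

# Constructed: what a server with recursion disabled / allow-query restricted returns.
REFUSED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 41
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*); QUERY: \d+, ANSWER: (?P<answers>\d+)")
SIZE_RE = re.compile(r"MSG SIZE\s+rcvd: (?P<size>\d+)")


def parse_dig(text):
    """Extract status, flag set, answer count and response size from dig output."""
    status, flags, size = STATUS_RE.search(text), FLAGS_RE.search(text), SIZE_RE.search(text)
    if not (status and flags and size):
        raise ValueError("not recognisable dig output")
    return {
        "status": status["status"],
        "flags": set(flags["flags"].split()),
        "answers": int(flags["answers"]),
        "size": int(size["size"]),
    }


def is_open_resolver(parsed):
    """True when the server recursed for us: NOERROR with 'ra' set.
    Query a name the server is NOT authoritative for; an 'aa' answer for its
    own zone (as in PAGE_OUTPUT) says nothing about whether it recurses."""
    return parsed["status"] == "NOERROR" and "ra" in parsed["flags"]


def amplification_factor(parsed, request_bytes):
    """Response size divided by request size, both as measured on the wire."""
    return parsed["size"] / request_bytes


def dns_query_payload_size(qname, edns=False):
    """DNS payload size of a type A query: 12-byte header, length-prefixed
    labels plus the root label, 4 bytes QTYPE/QCLASS, optional 11-byte OPT
    record. Add 28 bytes for IPv4 + UDP headers to get the on-wire size."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    qname_len = sum(1 + len(label) for label in labels) + 1
    return 12 + qname_len + 4 + (11 if edns else 0)


if __name__ == "__main__":
    for name, text in [("page", PAGE_OUTPUT), ("open", OPEN_OUTPUT), ("refused", REFUSED_OUTPUT)]:
        p = parse_dig(text)
        print(f"{name}: status={p['status']} flags={sorted(p['flags'])} "
              f"open={is_open_resolver(p)} size={p['size']}")
    print("amplification vs 64-byte request:", amplification_factor(parse_dig(PAGE_OUTPUT), 64))
```

Note that the post's sample was taken against the domain's own authoritative server, so it shows "aa" and no "ra"; it demonstrates the response size, not open recursion. To test an ISP resolver for openness, query it from outside the ISP's network for a name in someone else's zone.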

What can I do to protect my network from participating in such attacks?

Ensure that you are performing egress filtering on your edge devices. This type of filtering prevents packets with spoofed source addresses from leaving your network, and thereby prevents malicious devices in your network from participating in attacks that rely on sending spoofed packets to the internet.

Trouble ahead?

In this blog I have explained one form of amplification attack that has been abused for a long time. NTP server amplification attacks are becoming much more common, as the amplification factor can be much higher. SNMP servers are now also being used to amplify traffic and have the potential for much larger impact, since the responses can be much larger than those of DNS and NTP. As protocol writers, service developers, network administrators, and end users we have our work cut out for us.

At Cisco Umbrella we take this abuse of service very seriously and continue to fine tune our defenses.
