DNS Amplification Check
The DNS Amplification Attack is a simple yet relatively new kind of denial-of-service attack. It exploits the connectionless message exchange that takes place in a DNS query.
Like all attacks of its family, it is based on the key concept of "spoofing": the ability of an attacker to send IP packets with an arbitrary source address. The attacker sends a small DNS request to a vulnerable "open resolver" server, asking for a much larger response and presenting himself with the victim's IP address. The victim then receives a much larger DNS response (from 20 up to 179 times larger than the original request).
Thanks to this "amplification factor", an attacker can exhaust the bandwidth of the victim's connectivity using only a fraction of the traffic that would otherwise be needed. Often this attack is carried out using botnets (zombie networks), lowering even further the bandwidth the attacker needs to reach his goal.
There are some deployable countermeasures: configure servers to respond only for domains under their authority, avoid exposing "open resolver" servers on the Internet, rate-limit DNS responses, and limit the maximum EDNS extension size.
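The following is an added example, not code from the original article: it builds in memory the kind of small query an amplification probe sends (QTYPE ANY with a large EDNS0 buffer), builds two constructed responses (one from an open resolver that answers with recursion available, one from a hardened resolver that replies REFUSED), and computes the amplification factor together with the "recursion available" flag that marks an open resolver. The packet layouts follow RFC 1035 and RFC 6891; the record sizes, names and the 10x risk threshold are constructed assumptions, and nothing is sent on the network.

```python
import struct

# Added example (not part of the original article). All packets are built in
# memory; no query is sent. Thresholds and sample records are constructed.

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 255, edns_udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Raw DNS query. qtype 255 (ANY) plus a large EDNS0 buffer is what maximises a response;
    edns_udp_size=0 omits the OPT record."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)       # QCLASS IN
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended flags, RDLENGTH 0
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; RA (recursion available) is the open-resolver indicator."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def question_end(msg: bytes) -> int:
    """Offset just past the single question section (name + QTYPE + QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4

def build_response(query: bytes, answers, ra: bool = True, rcode: int = 0) -> bytes:
    """Constructed response that echoes the question; answers is a list of (rtype, rdata)."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)  # QR=1, RD=1, RA, RCODE
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:question_end(query)]
    for rtype, rdata in answers:
        # owner name = compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body

def assess(query: bytes, response: bytes, threshold: float = 10.0) -> dict:
    """Amplification factor and open-resolver indicator for one query/response pair.
    A server that answers recursive queries from anywhere with a large NOERROR reply is
    both an open resolver and a usable amplifier; the 10x threshold is an assumption."""
    h = parse_header(response)
    factor = len(response) / len(query)
    return {"factor": factor, "recursion_available": h["ra"], "rcode": h["rcode"],
            "risky": h["ra"] and h["rcode"] == 0 and factor >= threshold}

def demo() -> dict:
    query = build_query("example.com")                    # 40 bytes on the wire
    txt = b"\xc7" + b"x" * 199                             # one 200-byte TXT rdata (constructed)
    open_resolver = build_response(query, [(16, txt)] * 20)   # 20 TXT answers, RA set
    hardened = build_response(query, [], ra=False, rcode=5)   # REFUSED, recursion not offered
    return {"open": assess(query, open_resolver), "hardened": assess(query, hardened)}

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: factor={result['factor']:.1f} "
              f"ra={result['recursion_available']} rcode={result['rcode']} risky={result['risky']}")
```

The open-resolver case yields a 4269-byte reply to a 40-byte query (a factor above 100, inside the 20 to 179 range the article cites), while the hardened resolver's REFUSED reply is smaller than the query itself. A resolver that refuses recursion for outside clients, or an authoritative server that answers only for its own zones, removes the amplification regardless of what the attacker asks for; response rate limiting and a smaller EDNS buffer cap the damage on servers that must remain reachable.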