DNS reflection attack
(also DNS DDoS attack)
DNS reflection attack definition
A DNS reflection attack is a type of DDoS attack that exploits open DNS servers to amplify the volume of traffic directed towards a target. The attack relies on IP spoofing: the attacker sends forged DNS queries, with the victim's address as the source, to open DNS servers, which in turn send their much larger DNS responses to the victim's IP address. The victim's network or server is overwhelmed by this high volume of reflected traffic, leading to service disruption or denial of service.
DNS reflection attack protection
Robust DNS server security. Good practices to create a strong security system for DNS servers include DNS activity logging, keeping the DNS cache locked, separating authoritative from recursive name servers, monitoring the DNS server closely and updating it frequently.
Block certain DNS servers. A list of suspicious DNS servers can be created to prevent DNS reflection attacks. If there is no information on which DNS servers are suspicious, all open recursive resolvers can simply be blocked instead.
Response Rate Limiting. Response Rate Limiting (RRL) is a mitigation tool used to protect DNS servers from being abused in DNS amplification attacks: the server limits how many identical responses it sends per second to the same client address or network prefix, so a flood of forged queries produces only a handful of amplified responses towards the victim.
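The following is an added example, not code from the original page or from any DNS server: a simplified model of RRL that counts identical responses per second per client /24 prefix and, once the limit is exceeded, either drops the answer or "slips" a truncated reply so that a genuine client behind the spoofed address can retry over TCP. Real implementations (BIND, Knot, NSD) use a token bucket rather than this fixed window, and the addresses and query flood below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Fixed one-second-window approximation of DNS RRL (a deliberate
    simplification of the token bucket used by production servers)."""

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix_len=24):
        self.responses_per_second = responses_per_second
        self.slip = slip                    # every slip-th excess answer goes out with TC=1
        self.ipv4_prefix_len = ipv4_prefix_len
        self._window = None
        self._counts = defaultdict(int)     # (prefix, qname, qtype) -> answers sent this second
        self._excess = defaultdict(int)     # same key -> answers suppressed this second

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        second = int(now)
        if second != self._window:          # new one-second window: reset all counters
            self._window = second
            self._counts, self._excess = defaultdict(int), defaultdict(int)
        net = ipaddress.ip_network(f"{client_ip}/{self.ipv4_prefix_len}", strict=False)
        key = (str(net), qname.lower().rstrip("."), qtype.upper())
        self._counts[key] += 1
        if self._counts[key] <= self.responses_per_second:
            return "send"
        self._excess[key] += 1
        # Slip: a truncated reply carries no amplification payload, yet lets a
        # real client at the (possibly spoofed) address retry the query over TCP.
        if self.slip and self._excess[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate_flood(limit=5, slip=2):
    """Constructed traffic: 20 identical ANY queries within one second whose source
    is forged as the victim 203.0.113.7, plus one unrelated client on another /24."""
    rrl = ResponseRateLimiter(responses_per_second=limit, slip=slip)
    outcome = defaultdict(int)
    for i in range(20):
        outcome[rrl.decide(100.0 + i / 20, "203.0.113.7", "example.com.", "ANY")] += 1
    outcome["other_client"] = rrl.decide(100.5, "198.51.100.9", "example.org", "A")
    return dict(outcome)
```

Of the 20 reflected answers only 5 full responses leave the server; the legitimate client in a different prefix is unaffected.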