Home / Blogs

Report on DNS Amplification Attacks

In this newly released paper Randal Vaughn and Gadi Evron discuss the threat of Distributed Denial of Service (DDoS) attacks using recursive DNS name servers open to the world. The study is based on case studies of several attacked ISPs reported to have on a volume of 2.8Gbps. One reported event indicated attacks reaching as high as 10Gbps and used as many as 140,000 exploited name servers.

According to the paper, the general threat has been known for several years, the massive attacks seen recently and the abuse of extended DNS functionality is what makes these new attacks so dangerous.

The paper begins with an overall description of the attacks, utilizing UDP spoofing and IP packet fragmentation. Then it continues to a very detailed and technical description of how it all works.

In the conclusions the paper also discusses some possible solution suggestions.

Based on the knowledge we have received, the paper is a pre-release made in response to recent threats and lack of information available to the operational community—the paper was originally planned as an academic paper.

To obtain a full PDF copy of this paper click here.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


John Palmer  –  Mar 23, 2006 6:27 PM

We need to be careful in proposing a suggested solution.

Inclusive Namespace roots provide public resolvers for users whose ISPs are too stubborn or dumb to provide their users with choice. Customers of such ISPs can simply decide to use the public resolvers provided by the INS roots, like Public Root or ORSC.

Shutting off user choice by suggesting that ISPs block outbound 53/TCP, 53/UDP will take away that choice.

I’m sure that some ICANN synchophants will be happy about this and if I were the suspicious type, I’d say that this sudden “awareness” of a “severe security problem” that has been around for a long time may be planned by those who are becoming uncomfortable with the ever increasing number of people who are abandoning the ICANN root in favor of DNS Service Providers (DSPs) who provide a view of the entire internet and don’t impose non-related policies (UDRP) on domain registrants.

What better way to kill the INS than by putting up a security straw man and scaring people, especially ISPs, into taking away DNS choices from internet citizens. I am especially suspicious about this after seeing who was quoted in the recent MSNBC piece about the so-called “new” security risk that has “just been discovered”. His jihad against allowing internet citizens to have freedom to chose their DSP from among global choices is well known to all.

Watch out here - there may be more to this story than meets the eye…

The Famous Brett Watson  –  Mar 24, 2006 12:52 AM

I think the conspiracy theorising is a little over the top in the face of an actual multi-gigabit DDoS attack. TCP SYN flooding was a purely theoretical attack for a while there too before anyone actually exploited it maliciously. Such is the nature of the beast.

In any case, the suggested solution is not to block outbound DNS queries from rank-and-file hosts, but for DNS servers to offer recursive service only to those hosts considered “local”. Where this can’t be achieved by a configuration change to the DNS server, it could be achieved by firewalling the server.

John Palmer  –  Mar 24, 2006 4:02 PM

That’s another aspect of the problem, and perhaps the more dangerous to internet freedom and that is demonizing all ORNs.

There is a legitimate reason for ORNs to exist. The reason is to allow users whose ISPs don’t support the INS to use it if they want.

Whats the difference between an ISP intercepting all 53/UDP and 53/TCP requests and forwarding them to its own resolver whose hints file contains the list of corrupt and ancient ICANN root servers and blacklisting the addresses of INS resolvers?

From the end-user’s point of view - nothing. They are still denied choice, one way or the other. Turning off all INS ORNs is closing off the only avenue some users have to access the inclusive namespace.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global