A distributed denial of service or DDoS is one of the most dangerous cyber threats that online businesses face daily. The amplification can be explained with simple words: increase, intensification, magnification, etc. The dimension such type of attack can reach is scary, don’t you think so?
What is a DDoS amplification attack?
A DDoS amplification attack is a volumetric and reflection-based cyber attack. It occurs when perpetrators take advantage of the public recursive DNS servers to overwhelm a network, website, application, online service, or a server with an amplified traffic amount. This drives the victim to an inaccessible status (denial of service).
This type of attack is considered asymmetric because it can cause really huge damage with a few actions and resources. And unfortunately, perpetrators have different options to choose from for amplifying the traffic, the ICMP (Internet control message protocol), UDP (user datagram protocol), or TCP (transmission control protocol).
How does a DDoS amplification attack work?
We already mentioned a DDoS amplification attack is reflection-based. And that means the way of executing it is to create a fake IP address of the victim to send it information requests. Then attackers have to choose the amplification way to multiply the power of the attack. In other words, what they will use for sending the requests (ICMP, UDP, TCP, etc.). When the server answers those requests, the answers will be sent to the victim’s IP address.
Now, a DDoS amplification attack is implemented through the use of public recursive DNS servers. The reason is simple. They are open, so they are going to answer all DNS requests. However, recursive servers are not configured to check or verify. They are only searchers of answers (DNS information).
And being a DDoS attack, there’s a big network of infected devices (botnet) located at different points of the globe ready to send DNS requests that will end at the fake IP address of the victim.
As you see, by sending a DNS request (for an A record, for example), the server will respond with multiple DNS records (all of the A records), which are so much larger. This is the way traffic gets really big and hard to handle. Resources of the victim system will be highly demanded, everything will get slow, the operation will suffer, and eventually, it will fall down.
Can you prevent a DDoS amplification attack?
Yes, there are security strategies you can implement to prevent a DDoS amplification attack.
Actually, experts recommend prevention better than mitigation. Once the attack is on, the traffic sources can be thousands, maybe millions of bots, globally distributed. To trace every source of the traffic to fight it back can be a waste of time and resources. This also makes it very hard to locate the perpetrators.
- Configure DNS recursive servers to only answer requests from legit sources. DNS servers poorly configured represent risk.
- Implement a response rate limiting on the authoritative servers. This will keep traffic loads on acceptable limits.
- Use DNS Anycast to distribute the traffic and prevent overload.
- Enable a DNS firewall on your network for filtering and allow only DNS answers that match requests sent by local DNS servers.
- Get efficient DDoS protection.
A DDoS amplification attack can really harm your business. Not having defenses to prevent it or mitigate it in the worst scenario means to play with fire! And remember, with this level of disrupting attack, there’s not a single strategy that can protect your business. Instead, it’s the combination of different strategies that can keep it safe!