I received an interesting E-Mail from my ISP recently. It said (translated from german): “Security warning: we detected an open DNS resolver on your system. Open DNS resolvers can be misused for DDoS reflection attacks against third parties.”

I was indeed running a publicly exposed DNS server that acted as nameserver for a domain. After I secured my DNS server, I decided to explore the mentioned DDoS reflection attacks. The result is damplify, a CLI tool that can execute DNS amplification attacks: https://github.com/Nick-Triller/damplify

Obviously, the tool was created for educational purposes only. The attack vector is simple: the attacker sends DNS queries with spoofed source IP to recursive resolvers. The resolvers send their responses to the spoofed source IP. As the responses from the recursive resolvers can be many times bigger than the query, the traffic is amplified. Furthermore, blocking the traffic is hindered as it originates from a large number of legitimate systems.

DNS amplification attack overview

DNS amplification attack overview

I enjoy it greatly when a random spark of curiosity leads to a nice little weekend project!