DNS amplification is a reflection attack: the attacker sends small DNS queries to open resolvers with the source address forged to the victim's IP, so each resolver delivers its much larger response (sometimes 70x the query size on the wire) straight to the victim. The amplification factor is what multiplies the attacker's bandwidth; spreading the queries across 100,000 open resolvers does not add to it, but it makes the flood arrive from 100,000 legitimate-looking addresses, and a botnet with 10 Gbps of spoofing capacity at 100x becomes a terabit-scale attack.
The Amplification Math
Attack arithmetic
A 40-byte DNS query for a large DNSSEC-signed zone can draw a 4,096-byte response (the EDNS0 buffer size many resolvers accept), a 100x amplification factor. An attacker who can spoof 1 Gbps of such queries therefore lands about 100 Gbps at the victim. Spreading those queries across 50,000 open resolvers does not raise that total; it lowers each reflector's share to about 2 Mbps, below any per-source threshold, and gives the victim 50,000 legitimate source addresses to deal with instead of one.
Why Open Resolvers Still Exist
- Misconfigured home routers and ISP equipment.
- Legacy DNS servers left open for 'convenience'.
- Cloud instances launched without firewall rules.
- Estimated 5+ million open resolvers still reachable as of 2025.
What the Target Sees
All traffic arrives from legitimate recursive resolvers, addresses that cannot be globally blocklisted without also breaking normal DNS for everyone behind them. Per-IP rate limits and blocklists fail because each reflector sends only a small share of the flood. What does distinguish the attack is that the victim never sent the queries: every packet is a DNS response (QR bit set) arriving on UDP/53 that matches no query the victim's network sent. A scrubbing layer that tracks outbound queries and drops responses matching none of them can remove the reflection traffic while still passing real DNS replies, and inbound queries to your own authoritative servers are not affected, because they are queries rather than responses.
How Akarguard Stops DNS Amplification
- Traffic enters the scrubbing layer before reaching your infrastructure.
- Unsolicited UDP/53 responses from external resolvers are fingerprinted and dropped.
- Rate-limiting per source ASN keeps the flood from saturating your pipe.
- Your origin IP remains hidden — attackers can't target you directly.
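The solicited-versus-unsolicited check described in "What the Target Sees" and in the list above, worked as an added example; this is not Akarguard's code, which the page does not show. A stateful filter records every DNS query leaving the protected network and passes an inbound UDP/53 response only when it matches one of them (keyed on resolver address, client port, transaction ID and question, my assumption about what a scrubbing layer would track); unmatched responses are reflection traffic, inbound queries pass so an authoritative server behind the filter keeps answering, and a matched entry is consumed once so a replayed copy is also dropped. The packet builders, the resolver and reflector addresses (documentation ranges) and the padded 4,000-byte TXT answer are all constructed for the demo; grouping drop counters per ASN rather than per IP would need an external lookup and is not shown.

```python
import struct
from collections import defaultdict

QR_MASK = 0x8000        # bit 15 of the DNS flags word: 1 = response
IP_UDP_OVERHEAD = 28    # IPv4 (20) + UDP (8) header bytes, for on-the-wire ratios


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset, depth=0):
    """Decode a name at `offset`, following compression pointers (bounded depth)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr, depth + 1)
            return (".".join(labels) + "." + tail if labels else tail), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns(packet):
    """Return (txid, is_response, qname, qtype), or None if the message is malformed."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        return None
    try:
        qname, off = decode_name(packet, 12)
        qtype = struct.unpack("!H", packet[off:off + 2])[0]
    except (IndexError, ValueError, struct.error):
        return None
    return txid, bool(flags & QR_MASK), qname.lower(), qtype


def build_query(txid, qname, qtype=255):
    """Constructed minimal query: RD set, one question, no EDNS (demo only)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, rr_bytes):
    """Constructed response: same txid and question, QR/RD/RA set, one answer RR."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + rr_bytes


def txt_rr(rdata_size):
    """One TXT record (name pointer to the question) carrying ~rdata_size bytes of filler."""
    rdata = b""
    while len(rdata) < rdata_size:
        chunk = min(255, rdata_size - len(rdata) - 1)   # TXT strings are 255 bytes max
        rdata += bytes([chunk]) + b"A" * chunk
    return b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata


def wire_amplification(query, response):
    """Bytes delivered to the victim per byte the attacker sent, IP/UDP headers included."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


class ReflectionFilter:
    """Stateful matcher: inbound responses pass only if they answer a recorded outbound query."""

    def __init__(self, query_ttl=5.0):
        self.pending = {}                       # (resolver, client_port, txid, qname, qtype) -> sent at
        self.query_ttl = query_ttl              # seconds an outstanding query stays matchable
        self.dropped_bytes = defaultdict(int)   # reflector ip -> bytes dropped, for reporting

    def record_outbound(self, dst_ip, src_port, payload, now):
        parsed = parse_dns(payload)
        if parsed is None or parsed[1]:         # malformed, or a response leaving the network
            return
        txid, _, qname, qtype = parsed
        self.pending[(dst_ip, src_port, txid, qname, qtype)] = now

    def classify_inbound(self, src_ip, dst_port, payload, now):
        """Return 'pass' or 'drop:<reason>' for one inbound UDP/53 datagram."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.query_ttl}
        parsed = parse_dns(payload)
        if parsed is None:
            return "drop:malformed"
        txid, is_response, qname, qtype = parsed
        if not is_response:
            return "pass"                       # a query for our own servers, not reflection
        if self.pending.pop((src_ip, dst_port, txid, qname, qtype), None) is not None:
            return "pass"                       # answers exactly one outstanding query, consumed once
        self.dropped_bytes[src_ip] += len(payload)
        return "drop:unsolicited"


def demo():
    """Constructed traffic: one real lookup, one stale lookup, one reflected ANY answer."""
    f = ReflectionFilter()
    t = 1000.0
    resolver, reflector, client = "192.0.2.53", "198.51.100.7", "203.0.113.9"
    q = build_query(0x1234, "example.com.", qtype=1)          # our own A lookup
    f.record_outbound(resolver, 40001, q, t)
    stale = build_query(0x4242, "example.net.", qtype=1)      # answered far too late
    f.record_outbound(resolver, 40002, stale, t)
    spoofed = build_query(0xBEEF, "example.com.", qtype=255)  # attacker's ANY query, source forged to us
    amplified = build_response(spoofed, txt_rr(4000))
    return {
        "legit": f.classify_inbound(resolver, 40001, build_response(q, txt_rr(40)), t + 0.1),
        "replay": f.classify_inbound(resolver, 40001, build_response(q, txt_rr(40)), t + 0.2),
        "reflected": f.classify_inbound(reflector, 40001, amplified, t + 0.3),
        "inbound_query": f.classify_inbound(client, 53, build_query(7, "example.com."), t + 0.4),
        "late": f.classify_inbound(resolver, 40002, build_response(stale, txt_rr(40)), t + 10),
        "factor": round(wire_amplification(spoofed, amplified), 1),
        "reflected_bytes": f.dropped_bytes[reflector],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The key includes the client's ephemeral port because a scrubber sees the UDP header and a reflected response is addressed to whatever port the attacker chose, which will almost never coincide with a live query. The factor the demo reports (about 71x for a 29-byte ANY query answered with 4 KB of TXT data) counts the IP and UDP headers on both packets, which is how amplification is felt on the wire.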