A Domain Name Server (DNS) amplification and reflection attack is a type of distributed denial of service (DDoS) attack. The attack strategy uses publicly accessible, open DNS servers to overwhelm a targeted system with DNS response traffic. The attackers send spoofed requests to these servers using the victim’s address instead of the attacker’s address. Therefore, without a security countermeasure, all the DNS servers’ responses go to the victim.
When DFPs are under DNS Amplification/Reflection attack, DNS requests used for the attack should be rate limited or dropped. Protection of DNS forwarding proxy from DNS amplification and DNS reflection attacks ensures that DNS service will not be degraded, and that network bandwidth and other resources are not over-utilized.
Using Response Rate Limiting (RRL), the controlling of excessive UDP responses that are the same or similar can be accomplished through configuration of the DNS Forwarding Proxy. Implementing RRL ensures that not all of the DNS Forwarding Proxy’s resources are not exhausted by a single DNS user. Using RRL, the network infrastructure can be protected against DDoS attacks, resulting in no impact or degradation of services.