
Quantifying DNS amplification impact and resilience in local infrastructure
From crafted packets to CPU graphs, see how reflection attacks ripple through your DNS stack.
This project recreated DNS reflection and amplification attacks in a controlled LAN to measure amplification factors, target-side latency and server resource usage. Custom Scapy scripts spoofed victims while varying query types (A, MX, NS, ANY) at 10k–50k packets/s. The study documents latency spikes above 100 ms for ANY requests and CPU saturation during amplified attacks, and evaluates mitigation strategies.
A BIND9 resolver is configured on Ubuntu machines acting as reflector and victim. Scapy scripts generate spoofed DNS queries at controlled packet rates, while Wireshark, dig, ping and psutil capture network and resource metrics. Amplification factors are computed by comparing request and response sizes for A, MX, NS and ANY records. Latency samples show that higher amplification correlates with poorer responsiveness, especially for ANY (>100 ms). When traffic is increased to 50k pps, the server can no longer answer every query, leading to partial reflections and CPU usage rising from 4% to ~25%. The investigation concludes with mitigation recommendations (rate limiting, response size reduction, ingress filters).
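One way to compute the amplification factor the study measures, as an added example rather than the study's own Scapy scripts: it encodes the DNS query on the wire with the Python standard library so the request size is exact (including the EDNS0 OPT record that lets reflectors send large UDP responses), then ranks query types by the ratio of observed response bytes to request bytes. The zone name, the response sizes and the 10x flag threshold are constructed values, not measurements from the study.

```python
import struct

# Query type codes used in the study (RFC 1035 values; ANY = 255).
QTYPES = {"A": 1, "NS": 2, "MX": 15, "ANY": 255}


def encode_qname(name):
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, edns_bufsize=4096):
    """Build a minimal DNS query: 12-byte header, one IN-class question and,
    unless edns_bufsize is None, an EDNS0 OPT pseudo-RR advertising the
    UDP payload size the reflector may use for its answer."""
    txid, flags, qd, an, ns = 0x1234, 0x0100, 1, 0, 0   # RD bit set, one question
    ar = 0 if edns_bufsize is None else 1
    msg = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)
    msg += encode_qname(name) + struct.pack("!HH", QTYPES[qtype], 1)
    if edns_bufsize is not None:
        # OPT RR: root name, type 41, class = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def amplification_factor(name, qtype, response_bytes, edns_bufsize=4096):
    """Bytes sent to the victim divided by bytes the reflector had to receive."""
    return response_bytes / len(build_query(name, qtype, edns_bufsize))


def rank_amplification(name, observed, edns_bufsize=4096, threshold=10.0):
    """Return (qtype, factor) pairs, largest first, plus the types at or above threshold."""
    factors = {q: amplification_factor(name, q, n, edns_bufsize) for q, n in observed.items()}
    ranked = sorted(factors.items(), key=lambda kv: kv[1], reverse=True)
    flagged = [q for q, f in ranked if f >= threshold]
    return ranked, flagged


# Constructed response sizes in bytes for one hypothetical zone (not study data).
OBSERVED_RESPONSE_BYTES = {"A": 45, "NS": 120, "MX": 180, "ANY": 1200}

if __name__ == "__main__":
    ranked, flagged = rank_amplification("example.com.", OBSERVED_RESPONSE_BYTES)
    for qtype, factor in ranked:
        print(f"{qtype:>4}: x{factor:.1f}")
    print("query types to rate-limit or minimise:", flagged)
```

Replacing OBSERVED_RESPONSE_BYTES with sizes read from a Wireshark capture of the reflector gives the same per-type table the study reports.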