Amplification-based DoS attacks are not a new concept; they were abused heavily in the 90s with IP directed-broadcast attacks, also known as smurf attacks.
DNS amplification attacks rely on the fact that UDP DNS requests are small and easily spoofed, while the returned data is much larger than the original request and ends up hitting the victim's network.
Below is a sample dig request for Amazon.com.
Let's look at the packet size in Wireshark.
And the response.
If you look at the request and response, the request was 81 bytes and the response was 879 bytes. With some quick research it wouldn't be hard to find other domains with a better rate of return, but this is still a significant return on a small request.
Spoofing a DNS ALL request for ebay.com from 126.96.36.199 and capturing it in tshark.
This covers the basic theory of the attack.
Attackers spoof DNS requests from the victim's IP -> DNS servers respond with huge responses, filling the victim's connection.
In the wild, DNS servers are often compromised and extremely large TXT records are configured, resulting in replies of up to 4000 bytes, which further enhances the amplification.
Combine this attack with a botnet and it's very easy to generate Gbps of traffic at the victim with relatively little being sent from the botnet nodes.
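As an added example, not part of the original post, here is a small Python script that applies the pattern above to a resolver's own query logs to spot when it is being used as an amplifier. The log line layout (time, client, query type, query bytes, response bytes) is an assumption modelled on a one-line tshark summary; the sample lines are constructed, reusing the 81-byte request / 879-byte response pair from above plus a 4000-byte TXT reply. The per-client thresholds are placeholders to be tuned against real traffic.

```python
"""Spot DNS amplification abuse in resolver logs (added example).

Log line layout is an assumption modelled on a one-line tshark summary:
    <time> <client> <qtype> <query_bytes> <response_bytes>
The sample lines below are constructed, reusing the 81-byte request /
879-byte response pair from the post and a 4000-byte TXT reply.
"""
from collections import defaultdict

# Constructed sample: the spoofed "client" (really the victim) sends a burst
# of ANY queries, while a normal client makes a few ordinary lookups.
SAMPLE_LOG = "\n".join(
    [f"{i * 0.02:.2f} 126.96.36.199 ANY 81 879" for i in range(20)]
    + [
        "0.05 198.51.100.7 A 60 120",
        "0.30 198.51.100.7 AAAA 60 132",
        "0.41 126.96.36.199 TXT 75 4000",   # oversized TXT record
        "0.70 198.51.100.7 MX 58 140",
    ]
)


def parse_line(line):
    """Split one log line into typed fields."""
    ts, client, qtype, qlen, rlen = line.split()
    return {"ts": float(ts), "client": client, "qtype": qtype,
            "qlen": int(qlen), "rlen": int(rlen)}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def per_client_stats(records, window=1.0):
    """Aggregate one window (seconds) of records per client address.

    Returns client -> {queries, qps, any_share, amp_ratio}; amp_ratio is
    total response bytes over total query bytes, i.e. the amplification the
    client (or whoever is spoofing its address) is extracting from us.
    """
    agg = defaultdict(lambda: {"queries": 0, "any": 0, "qbytes": 0, "rbytes": 0})
    for r in records:
        a = agg[r["client"]]
        a["queries"] += 1
        if r["qtype"] == "ANY":
            a["any"] += 1
        a["qbytes"] += r["qlen"]
        a["rbytes"] += r["rlen"]
    stats = {}
    for client, a in agg.items():
        stats[client] = {
            "queries": a["queries"],
            "qps": a["queries"] / window,
            "any_share": a["any"] / a["queries"],
            "amp_ratio": a["rbytes"] / a["qbytes"],
        }
    return stats


def flag_clients(stats, min_qps=10, min_ratio=5.0, min_any_share=0.5):
    """Return [(client, reasons)] for clients that look like amplification targets.

    A high query rate is required; on top of that, either a large byte
    amplification or a heavy share of ANY queries marks the client.
    """
    flagged = []
    for client, s in sorted(stats.items()):
        if s["qps"] < min_qps:
            continue
        reasons = []
        if s["amp_ratio"] >= min_ratio:
            reasons.append(f"amplification x{s['amp_ratio']:.1f}")
        if s["any_share"] >= min_any_share:
            reasons.append(f"ANY share {s['any_share']:.0%}")
        if reasons:
            flagged.append((client, reasons))
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(per_client_stats(parse_log(SAMPLE_LOG))):
        print(client, "->", "; ".join(reasons))
```

A flagged address here is the victim whose source IP is being spoofed, not the attacker, so the useful response is to rate limit or drop responses to that address rather than to block it as a "bad client".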
For more details on these attacks in the wild, check out the DEF CON 14 talk by Randal Vaughn – http://www.youtube.com/watch?v=-mBzpMeiqec
There are a number of methods to prevent your DNS servers from being abused in this way; the easiest are filtering recursive requests and rate limiting DNS traffic.
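As an added example of those two mitigations (not the post's code, nor any DNS server's), here is a Python model of a per-client response rate limiter combined with a recursion allow-list. The internal network ranges and the per-second rate are assumed values. The "slip" behaviour, where every Nth over-limit response is sent as a tiny truncated (TC=1) reply instead of being dropped, follows the approach BIND's response rate limiting takes: a real client retries over TCP, which a spoofed source cannot complete, while the victim receives only query-sized packets. The response sizes used to account for bytes on the wire are approximations.

```python
"""Recursion gating plus per-client response rate limiting (added example).

Models the two mitigations named in the post so the policy can be checked
offline. INTERNAL_NETS, the rate and the slip value are assumed settings;
bytes_on_wire() is an approximation of response sizes, not measured data.
"""
import ipaddress
from collections import defaultdict

# Networks allowed to use recursion through this server (assumed values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


class ResponseRateLimiter:
    """Token bucket per client address, plus a recursion allow-list."""

    def __init__(self, responses_per_second=5, slip=2, internal_nets=None):
        self.rate = float(responses_per_second)   # bucket size and refill rate
        self.slip = slip                          # every slip-th excess -> TC reply
        self.nets = internal_nets if internal_nets is not None else INTERNAL_NETS
        self.buckets = {}                         # client -> (tokens, last_time)
        self.dropped = defaultdict(int)           # client -> excess responses seen

    def is_internal(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.nets)

    def _take_token(self, client_ip, now):
        tokens, last = self.buckets.get(client_ip, (self.rate, now))
        tokens = min(self.rate, tokens + max(0.0, now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[client_ip] = (tokens - 1.0, now)
            return True
        self.buckets[client_ip] = (tokens, now)
        return False

    def decide(self, client_ip, recursion_desired, now):
        """Return ANSWER, REFUSED, TRUNCATED or DROP for one incoming query."""
        # 1. Open recursion is what turns a resolver into a public amplifier:
        #    only internal clients may ask us to recurse.
        if recursion_desired and not self.is_internal(client_ip):
            return "REFUSED"
        # 2. Within the per-client budget: answer normally.
        if self._take_token(client_ip, now):
            return "ANSWER"
        # 3. Over budget: mostly drop, but "slip" a small truncated reply so a
        #    genuine client can fall back to TCP while a spoofed one gets nothing useful.
        self.dropped[client_ip] += 1
        if self.slip and self.dropped[client_ip] % self.slip == 0:
            return "TRUNCATED"
        return "DROP"


def bytes_on_wire(decision, query_len, answer_len):
    """Approximate bytes leaving the server for one decision (assumption)."""
    if decision == "ANSWER":
        return answer_len
    if decision in ("REFUSED", "TRUNCATED"):
        return query_len   # header and question echoed back, no answer section
    return 0


def replay(limiter, events):
    """Run (time, client, recursion_desired, query_len, answer_len) events
    through the limiter; return the decisions and total bytes sent back."""
    decisions, total = [], 0
    for now, client, rd, qlen, alen in events:
        d = limiter.decide(client, rd, now)
        decisions.append(d)
        total += bytes_on_wire(d, qlen, alen)
    return decisions, total


if __name__ == "__main__":
    lim = ResponseRateLimiter(responses_per_second=3, slip=2)
    # Constructed burst: ten 81-byte ANY queries with 879-byte answers, all
    # arriving in the same instant with an internal source address.
    burst = [(0.0, "10.1.2.3", True, 81, 879)] * 10
    decisions, sent = replay(lim, burst)
    print(decisions)
    print(f"sent {sent} bytes instead of {10 * 879}")
```

Rate limiting on its own does not help an authoritative server that must answer the world; there the truncation fallback is what keeps large answers from being reflected, since a spoofed source never completes the TCP retry.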
You can check for known open resolvers on your network here – http://openresolverproject.org/