Incident Response, TDR

More than 24M home routers enabling DNS amplification DDoS attacks


Tens of millions of the home routers we rely on everyday for internet access are enabling Domain Name System (DNS) based distributed denial-of-service (DDoS) attacks, and owners may never even know it, according to research by DNS software provider Nominum.

Working collaboratively with the Open Resolver Project, Nominum learned that open DNS proxies in more than 24 million home routers are allowing for DNS-based DDoS attacks, according to a Wednesday post, which adds that 5.3 million of the routers were used to generate attack traffic in February.

The DDoS attack in question is known as a DNS amplification attack, which essentially involves an attacker spoofing an IP address, sending small DNS queries to the internet service provider (ISP) that return large answers, and then sending those amplified answers to the target.

“It's a really low bar in terms of sophistication and the capabilities that attackers need,” Bruce Van Nice, Nominum director of product marketing who headed up the research, told on Wednesday. “They just need to send DNS queries. They need to sit somewhere on the internet where they can spoof an IP address. It's pretty easy to do.”

The issue with this particularly sneaky and effective attack is that most home routers are not provided by the ISPs, meaning the internet provider cannot access the device for preventive upgrades, Van Nice said, adding that the set it and forget it mentality of the consumer, and the lack of owner awareness of even an ongoing attack, compounds the problem.

Some best practices to prevent this type of attack includes query and size rate limiting, preventing access to DNS resolvers from outside the network, blocking amplification domains with threat lists, logging DNS data for analysis, and monitoring, Van Nice said, pointing to research he sent to

“DNS is critical to the internet,” Van Nice said. “If you're dealing with it, it's important you let the correct traffic through. You need to look very carefully at incoming queries and manage that traffic so you never over-filter."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.