Published February 11, 2014

Domain Name System (DNS) Flooder Threat Advisory

The Domain Name System (DNS) Flooder toolkit, or DNS Flooder v1.1, uses reflection and amplification techniques. This method allows attackers to launch powerful distributed denial of service (DDoS) attacks anonymously, with just a handful of servers. This cybersecurity threat advisory provides a detailed analysis of the DNS Flooder toolkit and recommended techniques for DDoS protection and DDoS mitigation.

What You’ll Learn

The DNS Flooder threat advisory includes details and DDoS mitigation for enterprises, such as:

  • Indicators of the use of the DNS Flooder toolkit
  • Analysis of the source code
  • Example query created by the DNS Flooder toolkit
  • Sample payload
  • Who is believed to be behind these attacks
  • The SNORT rule and target mitigation using ACL entries
  • Statistics and payloads from two observed DNS Flooder DDoS attack campaigns
  • The full source code of DNS Flooder

What You Need to Know

  • The DNS Flooder uses reflection and amplification DDoS attack techniques to allow malicious actors to initiate major cybersecurity attacks with minimal resources.
  • The DNS Flooder toolkit can launch reflection attacks through the attackers’ own servers, eliminating the need to find vulnerable DNS servers on the Internet.
  • The toolkit hides its IP address by spoofing the DNS request as if the query was sent from the attackers’ target.
  • The DNS request sent by the DNS flooder toolkit ensures the largest possible response by the server under attack
  • The speed and simplicity of the DNS Flooder toolkit makes it very likely that the number of cybersecurity attacks using this method will increase.


Using the DNS Flooder toolkit, cybercriminals are purchasing and setting up their own DNS servers to orchestrate major DDoS attacks against enterprises worldwide.

  • This DNS reflection toolkit can be deployed rapidly and was observed to be in widespread use as of Q3 and Q4 of 2013.
  • DNS Flooder v1.1 was first leaked on popular hackforums and has been used against Akamai customers.
  • The attack generated by the DNS Flooder toolkit may be confused with the attack, but it is not the same form of attack

This toolkit contains a new, popular method of crafting large DNS resource records.

  • The method used by the DNS Flooder toolkit allows malicious actors to amplify responses by a factor of 50 or more per request.
  • Malicious actors can customize their own DNS resource records, adding words and comments that may explain their particular attack campaign.
  • The DNS Flooder toolkit loops multiple times, with each iteration amplifying the response to the target.
  • Crafting the DNS resource record requires root or system-level access to the botnet servers, which is why attackers set up their own DNS servers.
  • This method expedites the availability of the DNS botnet for use and profit in the DDoS-for-hire market.

Contact Us