ninja at @prismacsi- human rights activist

DNS Amplification DDoS Attack


The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain namesassigned to each of the participating entities

How to Work?

When I want to go to with my browser, the browser first asks me if i can translate address to me The system looks in the /etc/hosts directory. If there is an ip address on the domain it will use it. Otherwise it goes to the DNS resolver provided by DHCP. If not, it goes to the root server.


By leaving the DNS recursion query on, you allow an attacker to use your DNS on your behalf. DNS Amplification attacks, a professional attack technique, attack by sending packets to you via a DNS server that is in your domain (If 1 DNS packet is 50 bytes, this packet will be returned in response to 10x ie 500 bytes).

Thus, the attacker will not only use your bandwidth, but at the same time will also provide his / her own privacy, creating the perception that the attacker is like you. How do we know if our DNS server is open for the recursion query?

You can learn in two shapes

  1. If you want to check the settings of your DNS server

  2. From the outside DNS server will do DNS Recursion query.


Using a script located in Nmap it helps to detect the weakness of the dns server 1 to get 10 Let’s first scan the DNS server list that we found using this script of NMAP.

// nmap scan command
nmap -sU -p 53 --script=dns-recursion -iL /file/path/for/dns-server-list

Saddam DNS Amplification Tool

Saddam is DDoS tool about,

  1. DNS Amplification (Domain Name System)
  2. NTP Amplification (Network Time Protocol)
  3. SNMP Amplification (Simple Network Management Protocol)
  4. SSDP Amplification (Simple Service Discovery Protocol)
  // how to install
  git clone

you need install pinject module

// pinject install
git clone
// pinject install
cd Pinject && cp ../Saddam

and we can use right now

python -h

With Saddam, you can set up dns recursive attacks and control your dns servers against amplification attacks.

We will just scan some DNS Server for learning. They are public servers

Saddam git:(master)  python benchmark -d
	   _____           __    __
	  / ___/____ _____/ /___/ /___ _____ ___
	  \__ \/ __ `/ __  / __  / __ `/ __ `__ \
	 ___/ / /_/ / /_/ / /_/ / /_/ / / / / / /
	/____/\__,_/\__,_/\__,_/\__,_/_/ /_/ /_/

Protocol|  IP  Address  |     Amplification     |     Domain
  dns   | |   5x (45B -> 229B)    |
  dns   ||   4x (45B -> 223B)    |
  dns   | |   4x (45B -> 191B)    |
  dns   | |   5x (45B -> 267B)    |
  dns   | |   4x (45B -> 180B)    |
  dns   | |   5x (45B -> 255B)    |
  dns   |  |   4x (45B -> 191B)    |
  dns   | |   5x (45B -> 255B)    |
  dns   |  |    1x (45B -> 45B)    |
  dns   |  |    1x (45B -> 45B)    |
  dns   | |   3x (45B -> 143B)    |
  dns   ||    1x (45B -> 45B)    |
Total tested: 19

Follow me with twitter @berkdusunur