DNS Amplification Attacks in the Wild

A Honeypot-Based Study of Adversary Tactics, Techniques, and Procedures

Bachelor Thesis (2026)
Author(s)

R.M.W.M. van Unen (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

H.J. Griffioen – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

M.J.G. Olsthoorn – Graduation committee member (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Faculty
Electrical Engineering, Mathematics and Computer Science
More Info
Publication Year
2026
Language
English
Graduation Date
23-06-2026
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project
Programme
Computer Science and Engineering
Downloads counter
11
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

DNS amplification is one of the most common forms of distributed denial-of-service (DDoS) attack, yet most large-scale measurements of how attackers abuse DNS in practice date back about a decade. This paper revisits the problem by deploying a DNS amplification honeypot on a university research cluster and analysing the traffic it received over an eleven-day period in 2026. The honeypot behaved as an open resolver, forwarded queries to a real upstream resolver so that responses looked genuine, logged every packet, and rate-limited sources to avoid being weaponised. We collected 3,513 packets from 502 unique source addresses and used the logs to study the temporal pattern of the traffic, the geography and networks of the sources, the domains and query types abused, and the behavioural profiles of the sources. We found that the great majority of traffic was internet-wide scanning rather than attacks: only five sources crossed a request-count attack threshold, and only one of these showed behaviour consistent with a genuine amplification attack. ANY queries were still present (9.3% of packets) but were no longer dominant, and we observed almost no DNSKEY or NSEC3 queries, which suggests the shift anticipated after RFC 8482 has not clearly occurred in our data. Our most notable finding is a coordinated group of sources that repeatedly issued a single high-amplification query (google.com TXT, amplification factor 28) without ever crossing the attack threshold, showing that a purely count-based classifier misses the most amplification-relevant behaviour. We discuss why the number of observed attacks was lower than expected and release our code and anonymised dataset to support reproducibility.
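As an added example (not the thesis's own code or dataset), the contrast the abstract draws between a request-count attack threshold and amplification-aware profiling, run over constructed honeypot log lines: a high-volume scanner crosses the count threshold, while a small coordinated group issuing google.com TXT queries at 28x amplification never does and is only caught by scoring response bytes against request bytes. The thresholds, addresses and byte sizes are assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration, not the values used in the thesis.
COUNT_THRESHOLD = 100   # requests from one source before it counts as an "attack"
AMP_THRESHOLD = 10.0    # response bytes / request bytes

def build_sample_log():
    """Constructed sample log (not the thesis dataset): 'src qname qtype req_bytes resp_bytes'."""
    lines = ["198.51.100.7 example.org A 45 61"] * 120          # scanner: many tiny A queries
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):  # coordinated TXT group
        lines += [f"{ip} google.com TXT 38 1064"] * 5            # 1064/38 = 28x amplification
    lines += ["192.0.2.33 example.net AAAA 46 74"] * 3           # ordinary resolver use
    return "\n".join(lines)

def parse_log(text):
    """Parse whitespace-separated log lines into (src, qname, qtype, req, resp) tuples."""
    records = []
    for line in text.strip().splitlines():
        src, qname, qtype, req, resp = line.split()
        records.append((src, qname, qtype, int(req), int(resp)))
    return records

def profile_sources(records):
    """Per-source request count, bytes in/out, and amplification factor (out/in)."""
    prof = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for src, _qname, _qtype, req, resp in records:
        p = prof[src]
        p["requests"] += 1
        p["bytes_in"] += req
        p["bytes_out"] += resp
    for p in prof.values():
        p["amplification"] = p["bytes_out"] / p["bytes_in"]
    return dict(prof)

def classify(profiles, count_threshold=COUNT_THRESHOLD, amp_threshold=AMP_THRESHOLD):
    """Flag sources by request count and, separately, by amplification factor."""
    flagged = {}
    for src, p in profiles.items():
        reasons = []
        if p["requests"] >= count_threshold:
            reasons.append("count")
        if p["amplification"] >= amp_threshold:
            reasons.append("amplification")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    print(classify(profile_sources(parse_log(build_sample_log()))))
```

A count-only classifier sees only 198.51.100.7; the three 203.0.113.x sources surface solely through the amplification score.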

Files

RP_Paper_Final_Ruben.pdf
(pdf | 0.6 Mb)
License info not available