Query Details
id: a1b2c3d4-0006-4a5b-8c9d-dns006amplify
name: DNS Amplification Attack — Open Resolver Abuse
description: |
  Detects patterns consistent with DNS amplification / reflection attacks.
  Attackers send small DNS queries with a spoofed source IP (victim) to open
  resolvers; the resolver returns a large response to the victim, amplifying
  the traffic by a factor of 10–100x (especially with ANY/DNSKEY responses).
  This rule detects a client issuing high-volume ANY record queries or
  querying for DNSSEC records (DNSKEY, RRSIG) that elicit large responses,
  and where the query rate is abnormally high.
  MITRE T1498.002 — Reflection Amplification
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Impact
relevantTechniques:
  - T1498.002
tags:
  - DNS Amplification
  - Reflection DDoS
  - ANY query
  - DNSSEC
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(15m)
  // Match by record-type name (in~ is case-insensitive) or by the numeric
  // type code for rows where the name field is not populated:
  // 255 = ANY, 48 = DNSKEY, 46 = RRSIG, 16 = TXT
  | where DnsQueryTypeName in~ ("ANY", "DNSKEY", "RRSIG", "TXT")
      or DnsQueryType in (255, 48, 46, 16)
  | summarize
      AmpQueryCount = count(),
      UniqueTargets = dcount(DnsQuery),
      RecordTypes = make_set(DnsQueryTypeName),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | where AmpQueryCount > 200
  | extend QueriesPerMinute = round(todouble(AmpQueryCount) / 15.0, 1)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Amplification — {{SrcHostname}} sent {{AmpQueryCount}} ANY/DNSKEY queries"
  alertDescriptionFormat: "Potential DNS amplification source: {{SrcHostname}} ({{SrcIpAddr}}) sent {{AmpQueryCount}} amplification-type queries in 15 minutes (~{{QueriesPerMinute}} q/min). Record types: {{RecordTypes}}"
customDetails:
  AmpQueryCount: AmpQueryCount
  QueriesPerMinute: QueriesPerMinute
  RecordTypes: RecordTypes
This query is designed to detect potential DNS amplification attacks, which are a type of Distributed Denial of Service (DDoS) attack. Here's a simplified breakdown:
Purpose: The query identifies patterns that suggest DNS amplification attacks, where attackers send small DNS queries with a fake source IP address (the victim's IP) to open DNS resolvers. These resolvers then send back large responses to the victim, significantly increasing the traffic volume.
Detection Criteria:
Severity and Impact: The severity of this detection is marked as "Medium," and it is associated with the "Impact" tactic in the MITRE ATT&CK framework, specifically technique T1498.002 (Reflection Amplification).
Alert Details:
Data Source: The query reads the ASimDnsActivityLogs table, populated from Windows DNS server logs through the Windows DNS via AMA connector (WindowsDnsAma).
This rule helps network administrators identify and mitigate potential DNS amplification attacks by flagging unusual and potentially harmful DNS query patterns.
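To make the rule's filter and summarize steps concrete, the following Python re-implements the same detection logic over a small set of constructed ASIM DNS rows, so the threshold behaviour can be checked offline. This is an added illustration, not the rule's own code: the field names follow the ASIM DNS schema columns the rule uses (TimeGenerated, SrcIpAddr, SrcHostname, DnsQueryTypeName, DnsQueryType, DnsQuery), while the hosts, addresses and domain names are made up. It also exercises the edge cases a tuner cares about: mixed-case type names (the `in~` operator), rows that only carry the numeric type code, a low-volume DNSSEC-validating resolver that stays under the threshold, and old queries that fall outside the 15-minute window.

```python
"""Offline replay of the Sentinel rule's filter and summarize steps.

Added example, not the rule's own code. Field names mirror the ASIM DNS
schema columns used by the KQL; all row values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Record types the rule treats as amplification-prone, by name and by code.
AMP_TYPE_NAMES = {"ANY", "DNSKEY", "RRSIG", "TXT"}
AMP_TYPE_CODES = {255, 48, 46, 16}      # ANY, DNSKEY, RRSIG, TXT
THRESHOLD = 200                         # AmpQueryCount > 200
WINDOW_MINUTES = 15                     # ago(15m)


def is_amp_query(row):
    """Mirror `DnsQueryTypeName in~ (...) or DnsQueryType in (...)`.

    `in~` is case-insensitive, so the name is upper-cased before comparison;
    the numeric check catches rows whose name column is empty.
    """
    name = (row.get("DnsQueryTypeName") or "").upper()
    return name in AMP_TYPE_NAMES or row.get("DnsQueryType") in AMP_TYPE_CODES


def detect(rows, now, window_minutes=WINDOW_MINUTES, threshold=THRESHOLD):
    """Group matching rows by (SrcIpAddr, SrcHostname) and return alert records."""
    start = now - timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] > start and is_amp_query(r):
            groups[(r["SrcIpAddr"], r["SrcHostname"])].append(r)
    alerts = []
    for (ip, host), hits in groups.items():
        count = len(hits)
        if count <= threshold:
            continue
        times = [h["TimeGenerated"] for h in hits]
        alerts.append({
            "SrcIpAddr": ip,
            "SrcHostname": host,
            "AmpQueryCount": count,
            "UniqueTargets": len({h["DnsQuery"] for h in hits}),
            "RecordTypes": sorted({(h.get("DnsQueryTypeName") or "").upper() for h in hits}),
            "FirstSeen": min(times),
            "LastSeen": max(times),
            "QueriesPerMinute": round(count / float(window_minutes), 1),
        })
    return alerts


def constructed_rows(now):
    """Constructed sample telemetry: one noisy host, one validating resolver,
    ordinary A-record traffic, and stale ANY queries outside the window."""
    rows = []
    # 240 ANY queries over ~12 minutes from one host; names in mixed case.
    for i in range(240):
        rows.append({"TimeGenerated": now - timedelta(seconds=i * 3),
                     "SrcIpAddr": "203.0.113.10", "SrcHostname": "ws-lab-07",
                     "DnsQueryTypeName": "any" if i % 2 else "ANY",
                     "DnsQueryType": 255, "DnsQuery": f"example{i % 4}.test"})
    # A few DNSKEY lookups from an internal resolver: matches, but under threshold.
    for i in range(5):
        rows.append({"TimeGenerated": now - timedelta(minutes=i),
                     "SrcIpAddr": "10.0.0.53", "SrcHostname": "resolver-01",
                     "DnsQueryTypeName": "", "DnsQueryType": 48,   # name missing, code only
                     "DnsQuery": "example.test"})
    # Ordinary A records: never counted, however many there are.
    for i in range(300):
        rows.append({"TimeGenerated": now - timedelta(seconds=i),
                     "SrcIpAddr": "10.0.0.21", "SrcHostname": "ws-01",
                     "DnsQueryTypeName": "A", "DnsQueryType": 1,
                     "DnsQuery": "intranet.test"})
    # 250 ANY queries from 20+ minutes ago: excluded by the time filter.
    for i in range(250):
        rows.append({"TimeGenerated": now - timedelta(minutes=20, seconds=i),
                     "SrcIpAddr": "203.0.113.99", "SrcHostname": "ws-old",
                     "DnsQueryTypeName": "ANY", "DnsQueryType": 255,
                     "DnsQuery": "stale.test"})
    return rows


def run_example():
    now = datetime(2026, 3, 26, 12, 0, tzinfo=timezone.utc)
    return detect(constructed_rows(now), now)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['SrcHostname']} ({a['SrcIpAddr']}): {a['AmpQueryCount']} queries, "
              f"~{a['QueriesPerMinute']} q/min, types {a['RecordTypes']}")
```

Only ws-lab-07 surfaces (240 queries, 16.0 q/min, 4 distinct targets); resolver-01 matches the type filter but stays well under 200, which is the behaviour to expect from a legitimate DNSSEC validator, and a reasonable place to add an allow-list of known internal resolvers when tuning the rule.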

David Alonso
Released: March 26, 2026