Query Details

DNS Amplification Attack — Open Resolver Abuse

06 DNS Amplification Open Resolver

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(15m)
| where DnsQueryTypeName in~ ("ANY", "DNSKEY", "RRSIG", "TXT")
      or DnsQueryType in (255, 48, 46)
| summarize
    AmpQueryCount   = count(),
    UniqueTargets   = dcount(DnsQuery),
    RecordTypes     = make_set(DnsQueryTypeName),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| where AmpQueryCount > 200
| extend QueriesPerMinute = round(todouble(AmpQueryCount) / 15.0, 1)

Explanation

This query is designed to detect potential DNS amplification attacks, which are a type of Distributed Denial of Service (DDoS) attack. Here's a simplified breakdown:

  • Purpose: The query identifies patterns that suggest DNS amplification attacks, where attackers send small DNS queries with a fake source IP address (the victim's IP) to open DNS resolvers. These resolvers then send back large responses to the victim, significantly increasing the traffic volume.

  • Detection Criteria:

    • It looks for DNS queries of specific types ("ANY", "DNSKEY", "RRSIG", "TXT") that are known to generate large responses.
    • It focuses on queries made in the last 15 minutes.
    • It counts how many such queries are made by each source IP address and hostname.
    • If a source makes more than 200 such queries in 15 minutes, it is flagged as suspicious.
  • Severity and Impact: The severity of this detection is marked as "Medium," and it is associated with the "Impact" tactic in the MITRE ATT&CK framework, specifically technique T1498.002 (Reflection Amplification).

  • Alert Details:

    • If the criteria are met, an alert is generated with details about the source hostname and IP address, the number of queries made, the types of records queried, and the rate of queries per minute.
  • Data Source: The query uses data from Windows DNS logs, specifically the ASimDnsActivityLogs.

This rule helps network administrators identify and mitigate potential DNS amplification attacks by flagging unusual and potentially harmful DNS query patterns.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsHostIpAddressQueryRecordTypesTimeGenerated

Operators

ASimDnsActivityLogswhereagoin~insummarizecountdcountmake_setminmaxbyextendroundtodouble

Severity

Medium

Tactics

Impact

MITRE Techniques

Frequency: 15m

Period: 15m

Actions

GitHub