You may have heard recently about a class of attacks called DNS amplification
attacks (PDF); they are a nasty and subtle class of DDoS attack. Like ping
flooding and smurfing, they depend on pushing large amounts of data across a
pipe and drowning out any legitimate traffic. You may notice the "amplification"
part of the name, and that is the key here: the attacker turns a few bytes of
data into a stream many times as large, and because the queries go out over UDP
with a forged source address, the oversized replies land on the victim rather
than on the attacker. In the case discussed at Defcon, a 20-byte packet turned
into 8.5K of response. With that ratio you can take a single cable modem and
turn it into gigabits per second of traffic. Toss a botnet into this, and you
can crush the life out of any target you want.
The mechanism is pretty simple. There is a DNS query type called ANY which, in
the real world, is of little use beyond debugging. Send it to a server that is
authoritative for the name and it returns every record it has for that name,
which can be a lot. Send it to a non-authoritative (recursive) server and it
simply returns whatever it happens to have cached, usually little or nothing.
The other thing to note is that DNS as originally specified (RFC 1035) has a
512-byte maximum message size over UDP. This was later extended by EDNS0, which
lets a client advertise in its query that it will accept larger UDP answers. When
an answer does not fit in the size the client will take, the server does not push
more data over UDP; it sends a truncated reply with the TC bit set and the client
retries over TCP, which costs both sides a handshake and connection state, far
more than a single datagram. Those two details together are what the attack leans
on: a tiny ANY query carrying EDNS0 can pull a multi-kilobyte answer over plain
UDP, with no handshake that would require the forged source address to be real.
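To make those two details concrete, here is an added example (my own code, not from the original post or the Defcon paper) that builds a DNS ANY query in wire format with and without an EDNS0 OPT record, then answers it from a constructed set of TXT records under a given UDP size limit, setting TC when the answer will not fit. The domain name, the record contents and the 4096-byte EDNS buffer size are assumed values chosen for illustration; nothing is sent on the network.

```python
"""Added example (not from the original post): DNS ANY query with EDNS0, and
the 512-byte / truncation behaviour that amplification attacks lean on.
Hand-rolled wire format, no network I/O; all inputs are constructed."""
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255      # QTYPE "*" in RFC 1035: return all records for the name
QCLASS_IN = 1
TYPE_OPT = 41        # EDNS0 OPT pseudo-RR (RFC 6891)
CLASSIC_UDP_LIMIT = 512

FLAG_QR = 0x8000     # this is a response
FLAG_TC = 0x0200     # truncated: client should retry over TCP
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_udp_size: int = 0) -> bytes:
    """Header + one question. If edns_udp_size > 0, append an EDNS0 OPT record
    advertising that the sender accepts UDP answers up to that many bytes."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS field carries the UDP payload size, TTL field 0, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header; TC is the flag the text is about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_response(query: bytes, txt_records: list, udp_limit: int) -> bytes:
    """Answer `query` with TXT records (constructed data). Behaves like a server
    that will not exceed udp_limit bytes on UDP: it stops adding records and
    sets TC instead, leaving the client to retry over TCP for the rest."""
    hdr = parse_header(query)
    qend = query.index(b"\x00", 12) + 1 + 4          # end of QNAME, then QTYPE/QCLASS
    question = query[12:qend]
    # A server echoes an OPT record when the query carried one (assumption here:
    # it advertises udp_limit back). Its 11 bytes count against the limit.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_limit, 0, 0) if hdr["arcount"] else b""
    arcount = 1 if opt else 0
    answers, count = b"", 0
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt              # one TXT <character-string>, <=255 bytes
        # 0xC00C = compression pointer to the QNAME at offset 12
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 3600, len(rdata)) + rdata
        if 12 + len(question) + len(answers) + len(rr) + len(opt) > udp_limit:
            flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
            return struct.pack("!HHHHHH", hdr["id"], flags, 1, count, 0, arcount) + question + answers + opt
        answers += rr
        count += 1
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", hdr["id"], flags, 1, count, 0, arcount) + question + answers + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


# Constructed zone data: 15 TXT records of 250 bytes each, the kind of bloated
# answer an ANY query pulls out of an authoritative server.
RECORDS = [bytes([65 + i]) * 250 for i in range(15)]

if __name__ == "__main__":
    plain = build_query("example.com", QTYPE_ANY)
    edns = build_query("example.com", QTYPE_ANY, edns_udp_size=4096)
    for q, limit in ((plain, CLASSIC_UDP_LIMIT), (edns, 4096)):
        r = build_response(q, RECORDS, limit)
        h = parse_header(r)
        print(f"query {len(q)}B -> response {len(r)}B, TC={h['tc']}, "
              f"answers={h['ancount']}, x{amplification_factor(q, r):.1f}")
```

Run as a script, the classic 512-byte path returns one record and TC=1 (the rest would have to come over TCP, so a spoofed source gets nothing more), while the 40-byte EDNS0 query pulls all fifteen records in a single UDP datagram of roughly 4 KB, close to a 100x amplification on this constructed data.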