What can happen during a DNS amplification attack when a spoofed IP is used?


Multiple Choice

What can happen during a DNS amplification attack when a spoofed IP is used?

Explanation:
In this scenario, the key idea is volumetric traffic from reflection. A DNS amplification attack leverages UDP, which is connectionless, to send a flood of small DNS queries to open resolvers while spoofing the victim’s IP address as the source. Each query triggers a much larger DNS response that is sent to the spoofed address, not back to the attacker. Because many such responses arrive simultaneously, the victim’s network link becomes saturated, overwhelming legitimate traffic and effectively causing a denial of service.

That’s why the outcome described is that the spoofed IP is flooded with large DNS responses, preventing normal internet traffic. The responses are delivered to the victim, not withheld, and there isn’t a “successful” connection established with the spoofed IP—DNS over UDP doesn’t involve a handshake, so no lasting connection is formed. While DNS servers might experience high load, the hallmark effect is the victim’s bandwidth being flooded, not the resolver’s CPU alone.
