DNS Reflection attack

801 views

The part I got so far was “swamping an ip address with requests that are far too big” but I feel like I’m missing out on the detailed info.

How does a DNS Reflection attack actually take place, and why does it work like it does?

In: Technology

2 Answers

Anonymous 0 Comments

There are 3 parties in this attack: the attacker and the victim, plus a (relatively) innocent DNS server.

The attacker sends a request to the DNS server requesting information, but forges the source IP address of the request to that of the victim, as though the victim requested the information. This request packet might be around 50-60 bytes large. It is important to note that this same request is sent over and over again non-stop at the attacker’s maximum transmit speed.

The DNS server responds with the answer to the query, but the information contained within is much larger. One simple example is the query for type “ANY” on isc.org which returns about 446 bytes of a response packet, but it goes to the victim rather than the attacker since the original request source was forged.

So for each 60 bytes consumed by the attacker’s internet connection, 446 bytes actually hit the victim which is a 7.4x multiplication factor. So if an attacker has 100 megabit of internet available, they can use a DNS reflection attack to hit someone with 740 megabits of data. And I’m sure with some effort you could find a query that makes a much larger response. That 740 megabits comes from the DNS server’s internet connection, but big companies who have DNS servers usually have fast internet. And that’s what’s happening: the attacker is taking advantage of someone else’s internet to both hit someone with a lot of data and remain hidden themselves.

In a real attack there would be multiple DNS servers (ab)used in case one maxes out or gets pulled down.
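As a defender-side illustration of the amplification ratio described in this answer, here is an added example (not part of the original post) that scans a resolver's query log for the spoofed-source pattern: one "client" address sending many queries whose responses dwarf the requests. The log record layout, sample values and thresholds are assumptions.

```python
"""Flag likely DNS reflection victims from a resolver's query log.

Added example, not from the original answer. Assumed log format: one record
per query as (client_ip, qtype, request_bytes, response_bytes). In a
reflection flood the forged source address (the victim) appears as a single
client issuing many identical, highly amplified queries.
"""
from collections import defaultdict

ANY_QTYPE = "ANY"

# Constructed sample log: 10.0.0.5 is the forged (victim) address receiving
# the 446-byte isc.org ANY responses; the other clients are normal traffic.
SAMPLE_LOG = (
    [("10.0.0.5", "ANY", 60, 446)] * 50
    + [("192.0.2.10", "A", 45, 61), ("192.0.2.11", "AAAA", 45, 73),
       ("192.0.2.10", "MX", 45, 120)]
)


def amplification(req_bytes, resp_bytes):
    """Response-to-request size ratio (about 7.4x for the 60/446 example)."""
    return resp_bytes / req_bytes


def find_reflection_targets(log, min_queries=20, min_ratio=4.0):
    """Return {client_ip: (query_count, avg_ratio, any_fraction)} for clients
    whose traffic looks like a reflection flood: many queries with a high
    aggregate amplification. Such 'clients' are usually the spoofed victim."""
    stats = defaultdict(lambda: [0, 0, 0, 0])  # count, req bytes, resp bytes, ANY count
    for client, qtype, req, resp in log:
        s = stats[client]
        s[0] += 1
        s[1] += req
        s[2] += resp
        if qtype == ANY_QTYPE:
            s[3] += 1
    flagged = {}
    for client, (n, req, resp, n_any) in stats.items():
        ratio = amplification(req, resp)
        if n >= min_queries and ratio >= min_ratio:
            flagged[client] = (n, round(ratio, 2), round(n_any / n, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio, any_frac) in find_reflection_targets(SAMPLE_LOG).items():
        print(f"{ip}: {n} queries, {ratio}x amplification, {any_frac:.0%} ANY")
```

A resolver operator would feed this from real query logs and pair it with response rate limiting for the flagged destinations, since the flagged address is the party being hit, not the one sending.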
