#OpGlobalBlackout: No, #Anonymous can't DDoS the root DNS servers

Tag: Anonymous, dns, errata, server

#Anonymous hackers have announced "Operation Global Blackout", promising to cause an Internet-wide blackout by disabling the core DNS servers. DNS is the phonebook of the Internet that translates machine names (like "www.facebook.com") to network addresses (like "66.220.158.25"). If hackers can disable the global DNS name system, then typing your favorite website into your browser will produce an error.

But the attack is no longer practical. It's such a common idea that Wikipedia has a page devoted to it. For something so obvious, defenders have spent considerable time devising solutions. There are many reasons why such an attack won't cause a global blackout.

Reason #1: active response

Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources like the root DNS servers. Within minutes of something twitching, hundreds of Internet experts will convene to solve the problem.

We've seen this response in action after major Internet worms (Morris Worm, Slammer, Blaster) or undersea cable breaks destabilized the Internet. Despite devastating effects on the Internet, defenders were able to react quickly and mitigate the problems, such that most people never noticed a problem.

The easiest active response is to block the sources of the offending traffic. Defenders can quickly figure out where the attacks are coming from, and prevent packets from those sources from reaching the root DNS servers. Thus, people might see disruptions for a few minutes, but not likely any longer.

Reason #2: diversity

There are 13 root domain servers (labeled A through M), managed by different organizations, using different hardware, software, and policies. A technique that might take out 1 of them likely won't affect the other 12. To have a serious shot at taking out all 13, a hacker would have to test out attacks on each one. But the owners of the systems would notice the effectiveness of the attacks, and start mitigating them before the coordinated attack against all 13 could be launched.

Reason #3: anycasting

Anycasting is a tweak to the Internet routing table so that traffic destined for an IP address is redirected to a different local server. Thus, while it may appear that the "K" root DNS server has only a single IP address "193.0.14.129", in fact there are 20 machines with that address spread throughout the world. When I trace the route to the "K" server from Comcast in Atlanta, it goes to a server located at an exchange point in Virginia. If you do your own traceroute, you are likely to find a different location for the server.

Physical location of the IP address 193.0.14.129
Route from Comcast in Atlanta to 193.0.14.129

(Notice that while the map indicates the only U.S. "K" server is in Florida, my traceroute appears to go to Virginia; the map is probably out of date.)

Reason #4: fat pipes

The root servers are not located on the edges of the Internet, but are instead located at nexus points on the Internet backbone where many links come together. Even using the "network amplification" technique described by #Anonymous, it won't overload the network connections leading to the root servers.

Such attacks might overwhelm the servers themselves, but here amplification is much less of a threat. Whereas raw "bits-per-second" is the primary limiting factor for Internet links, "packets-per-second" is the primary limiting factor for servers. The amplification technique results in bigger packets, but not more of them, so it is less of a threat to the servers.

Reason #5: gTLD servers

All a root server does is resolve the last part of the name, like ".com" or ".jp", and then refer the query to the "gtld-servers" for the rest. Because resolvers cache that referral, the root servers, while designed for millions of requests per second, in practice serve only a few thousand.

Indeed, the best way to cause a "global blackout" wouldn't be to attack the root servers themselves, but the "gtld-servers" at the next level down, or even the individual domain-specific servers (like those for Google or Facebook) at the level below that. If people can't get to their Google, Twitter, and Facebook, the Internet is down as far as they are concerned.

All a root server does is resolve the ".com" portion of "www.facebook.com"
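To make Reason #5 concrete, here is an added toy iterative resolver (illustration code, not from the article) run over constructed zone data: the root answers only the ".com" referral, the resolver caches that delegation, and later lookups never go back to the root until the TTL expires, so a root outage does not stop names whose delegation is already cached. The server names, host names and addresses are made up; only the two-day delegation TTL mirrors the real value.

```python
from collections import Counter

# Constructed zone data: server -> {zone suffix: (record type, target, ttl)}.
# 172800 s (two days) is the real TTL of the .com delegation served by the
# root; every server name, host name and address here is made up.
SERVERS = {
    "root":    {"com": ("NS", "gtld", 172800), "jp": ("NS", "jp-dns", 172800)},
    "gtld":    {"facebook.com": ("NS", "fb-ns", 172800),
                "google.com": ("NS", "goog-ns", 172800)},
    "fb-ns":   {"www.facebook.com": ("A", "66.220.158.25", 300)},
    "goog-ns": {"www.google.com": ("A", "192.0.2.10", 300)},
    "jp-dns":  {},
}


class Resolver:
    """Iterative resolver with a delegation cache, as a recursive server has."""

    def __init__(self):
        self.cache = {}           # zone suffix -> (server, expiry time)
        self.queries = Counter()  # how many times each server was asked
        self.down = set()         # servers that currently drop every packet

    def _ask(self, server, name):
        """One round trip: the server answers for its longest matching suffix."""
        if server in self.down:
            raise TimeoutError(server)
        self.queries[server] += 1
        labels = name.split(".")
        for i in range(len(labels)):            # most specific suffix first
            suffix = ".".join(labels[i:])
            if suffix in SERVERS[server]:
                return suffix, SERVERS[server][suffix]
        raise KeyError(name)

    def resolve(self, name, now=0):
        """Return the A record for name, starting from the best cached referral."""
        server = "root"
        labels = name.split(".")
        for i in range(len(labels)):
            hit = self.cache.get(".".join(labels[i:]))
            if hit and hit[1] > now:            # unexpired delegation: skip root
                server = hit[0]
                break
        while True:
            suffix, (rtype, target, ttl) = self._ask(server, name)
            if rtype == "A":
                return target
            self.cache[suffix] = (target, now + ttl)  # remember the referral
            server = target
```

After the first lookup the root's query counter stays at one, and marking the root as down only breaks names whose TLD delegation was never cached (here, anything under ".jp").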

Consequence

The #Anonymous hackers can certainly cause local pockets of disruption, but these disruptions are going to be localized to networks where their attack machines are located, or where their "reflectors" are located. They might affect a few of the root DNS servers, but it's unlikely they could take all of them down, at least not for any length of time. On the day of their planned Global Blackout, it's doubtful many people would notice.

Note: just because I say #Anonymous can't do it doesn't mean it can't be done. I think I might be able to do it, given 6 months. There are several others who I know who might be able to do it. And, if we got into a room and brainstormed, I'm certain we could do it.

Info
Article Author: Robert David Graham
Twitter: @ErrataRob
Source: http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.html

Comments

Inquisitive Citizen (not verified)
Thu, 03/29/2012 - 18:37

Mr. Graham, if you believe that given 6 months, you and a group of people you personally know could bring down the net, why do you think that Anonymous, which reportedly consists of nearly a million IT experts worldwide and is sometimes pretty coordinated, couldn't have already thought of a way to do this?

Granted, the methods they're using for the current planned attack are outdated and can be protected against fairly easily, but that doesn't mean that they don't have something else up their sleeve. From what I've read, it appears that their goal right now isn't to bring down the world internet for more than a few minutes. Their goal is publicity -- they want the attention.
If they wanted to bring things down for longer than that, they wouldn't announce it first using those methods; they would likely use their back-channels and so forth.

Chris (not verified)
Thu, 02/16/2012 - 18:08

Minor typo in point #3: article text and screenshots use/show: 193.0.14.129 but the caption text under the two screenshots shows: 192.0.14.129.
