Thursday, February 16, 2012

No, #Anonymous can't DDoS the root DNS servers

This is what you'd see if the DNS blackout were successful
#Anonymous hackers have announced "Operation Global Blackout", promising to cause an Internet-wide blackout by disabling the core DNS servers. DNS is the phonebook of the Internet that translates machine names (like "www.facebook.com") to network addresses (like "66.220.158.25"). If hackers can disable the global DNS name system, then typing your favorite website into your browser will produce an error.

But the attack is no longer practical. It's such a common idea that Wikipedia has a page devoted to it. For something so obvious, defenders have spent considerable time devising solutions. There are many reasons why such an attack won't cause a global blackout.

Reason #1: active response


Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources, like root DNS servers. Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem.

We've seen this response in action after major Internet worms (Morris Worm, Slammer, Blaster) or undersea cable breaks destabilized the Internet. Despite devastating temporary effects on the Internet, defenders were able to react quickly and mitigate the problem, so that most people never noticed.

The easiest active response is to blackout the sources of the offending traffic. Defenders can quickly figure out where the attacks are coming from, and prevent packets from those sources from reaching the root DNS servers. Thus, people might see disruptions for a few minutes, but not likely any longer.
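As an added example (not code from the original post), here is the kind of per-source rate triage that the "active response" above starts with: count queries per source in one-second windows over a query log and list the sources whose peak rate exceeds a threshold, so they can be filtered upstream. The log format and the addresses (RFC 5737 documentation prefixes) are constructed for this example; real root servers log in their own formats (BIND querylog, dnstap, packet captures).

```python
"""Per-source query-rate triage over a constructed DNS query log.

Added example, not from the original post. The line format
"<unix_ts> <client_ip> <qname> <qtype>" is an assumption made for the example.
"""
from collections import defaultdict
import re

# Constructed sample log: one source sends a burst, two others behave normally.
SAMPLE_LOG = """\
1329400000.001 198.51.100.7 com. NS
1329400000.002 198.51.100.7 com. NS
1329400000.003 198.51.100.7 com. NS
1329400000.004 203.0.113.9 org. NS
1329400000.005 198.51.100.7 com. NS
1329400000.100 198.51.100.7 com. NS
1329400001.200 203.0.113.9 net. NS
1329400001.300 192.0.2.44 jp. NS
1329400001.400 198.51.100.7 com. NS
1329400001.500 198.51.100.7 com. NS
1329400001.600 198.51.100.7 com. NS
1329400001.700 198.51.100.7 com. NS
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group(1)), m.group(2), m.group(3), m.group(4)


def per_source_rates(records, window=1.0):
    """Return {client_ip: peak number of queries seen in any single window}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, _qname, _qtype in records:
        buckets[ip][int(ts // window)] += 1
    return {ip: max(counts.values()) for ip, counts in buckets.items()}


def offending_sources(text, threshold, window=1.0):
    """Sources whose peak per-window rate exceeds `threshold`, highest first."""
    rates = per_source_rates(parse_log(text), window)
    return sorted(((ip, r) for ip, r in rates.items() if r > threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, rate in offending_sources(SAMPLE_LOG, threshold=3):
        print(f"{ip}: peak {rate} queries/s")
```

The check only identifies sources that are not spoofed; reflected traffic (the "reflectors" the post mentions later) carries the reflector's address, so filtering by source then blocks the reflectors rather than the machines driving them, which is why operators also look at query patterns, not just source addresses.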

Reason #2: diversity


There are 13 root domain servers (labeled A through M), managed by different organizations, using different hardware, software, and policies. A technique that might take out 1 of them likely won't affect the other 12. To have a serious shot at taking out all 13, a hacker would have to test out attacks on each one. But the owners of the systems would notice the effectiveness of the attacks, and start mitigating them before the coordinated attack against all 13 could be launched.

Reason #3: anycasting


Anycasting is a tweak to the Internet routing table so that traffic destined for an IP address is redirected to a different local server. Thus, while it may appear that the "K" root DNS server has only a single IP address "193.0.14.129", in fact there are 20 machines with that address spread throughout the world. When I trace the route to the "K" server from Comcast in Atlanta, it goes to a server located at an exchange point in Virginia. If you do your own traceroute, you are likely to find a different location for the server.

Physical location of the IP address 193.0.14.129
Route from Comcast in Atlanta to 193.0.14.129
(Notice that while the map indicates the only U.S. "K" server is in Florida, my traceroute appears to go to Virginia; the map is probably out of date.)

Reason #4: fat pipes


The root servers are not located on the edges of the Internet, but are instead located at nexus points on the Internet backbone where many links come together. Even using the "network amplification" technique described by #Anonymous, it won't overload the network connections leading to the root servers.

Such attacks might overwhelm the servers themselves, but here amplification is much less of a threat. Whereas the raw "bits-per-second" is the primary limiting factor for Internet links, "packets-per-second" is the primary limiting factor for servers. The amplification technique results in bigger packets, but not more of them, so amplification affects servers less.

Reason #5: gTLD servers


All a root server does is resolve the last part of the name, like ".com" or ".jp". It then refers the query to the "gtld-servers". That means while the root servers are designed for millions of requests per second, in practice they only serve a few thousand per second.

Indeed, the best way to cause a "global blackout" wouldn't be to attack the root servers themselves, but the "gtld-servers" the next level down, or even the individual domain-specific servers (like those for Google or Facebook) at the next level. If people can't get to their Google, Twitter, and Facebook, the Internet is down as far as they are concerned.

All a root server does is resolve the ".com" portion of "www.facebook.com"

Reason #6: caching [update]


You don't interact with the root DNS directly. Instead, you ask your Internet provider (Comcast, Verizon, AT&T, etc.) to do it for you. They don't need to repeatedly ask the same question to the root servers every time one of their customers clicks on "www.facebook.com". Instead, they can remember the response from the first lookup, then use that response for the rest of the customers who ask. This is called "caching" the response. The amount of time they cache the response, before redoing the lookup, is known as the "time-to-live" or "TTL".

The TTL for domains like ".com" is a couple days [edited]. That means, in theory, that the root servers could be down for a while before anybody would notice.

In their missive, the #Anonymous hackers claim that companies like Comcast ignore the TTL, and instead cache the response for things like ".com" for less than a day. I don't know. Regardless, it's a race against time: #Anonymous has to keep the root servers unavailable long enough for the major Internet providers to time out their caches, while fighting the defenders who are racing to block the attacks and make the servers available again.

(I added this point in response to Michiel Klaver's comments below. I didn't include it in my original post because I haven't myself tested the veracity of #Anonymous's claims that Internet providers don't cache the root responses for a long time.)
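The following is an added example, not code from the original post or from any resolver project, that models Reason #5 and Reason #6 together: a caching resolver that walks root, then gtld-servers, then the domain's own servers, and honours TTLs. It shows why a root outage is not felt until the cached ".com" delegation expires, and why a lookup for a name the resolver has never seen still does not need the root as long as that delegation is cached. The 172800 s (two-day) TTL on the ".com" delegation is the figure quoted in the comments; the other names, addresses and TTLs are constructed for the example.

```python
"""Caching-resolver model: why a root outage takes days to be felt.

Added example; not the post's code. Zone data below is constructed, except the
two-day (172800 s) TTL on the .com delegation, which is the value quoted in
the post's comments.
"""

# Constructed zone data: key -> (answer, ttl_seconds)
ROOT_DELEGATIONS = {"com": ("a.gtld-servers.net", 172800)}
GTLD_DELEGATIONS = {"facebook.com": ("ns.facebook-auth.example", 172800)}
AUTH_RECORDS = {
    "www.facebook.com": ("66.220.158.25", 300),
    "new.facebook.com": ("198.51.100.10", 300),
}


class CachingResolver:
    """Minimal recursive resolver with a TTL-honouring cache."""

    def __init__(self):
        self.cache = {}          # key -> (value, absolute expiry time)
        self.root_reachable = True
        self.root_attempts = 0   # how often the resolver had to go to the root
        self.gtld_queries = 0

    def _lookup(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and now < hit[1] else None

    def _store(self, key, value, ttl, now):
        self.cache[key] = (value, now + ttl)

    def resolve(self, name, now):
        """Return the address for `name` at time `now`, or raise LookupError."""
        labels = name.split(".")
        tld, domain = labels[-1], ".".join(labels[-2:])

        # Step 1: which gTLD server handles the TLD? Only the root answers
        # that, and only on a cache miss is the root asked at all.
        gtld = self._lookup(("NS", tld), now)
        if gtld is None:
            self.root_attempts += 1
            if not self.root_reachable:
                raise LookupError(f"root unreachable and .{tld} delegation expired")
            gtld, ttl = ROOT_DELEGATIONS[tld]
            self._store(("NS", tld), gtld, ttl, now)

        # Step 2: which authoritative server handles the domain? Asked of the
        # gTLD server on a cache miss; the root is never involved here.
        auth = self._lookup(("NS", domain), now)
        if auth is None:
            self.gtld_queries += 1
            auth, ttl = GTLD_DELEGATIONS[domain]
            self._store(("NS", domain), auth, ttl, now)

        # Step 3: the actual record, from the domain's authoritative server.
        addr = self._lookup(("A", name), now)
        if addr is None:
            addr, ttl = AUTH_RECORDS[name]
            self._store(("A", name), addr, ttl, now)
        return addr


def blackout_timeline(outage_start, outage_end, probes):
    """Warm the cache at t=0, then answer `probes` [(time, name)] while the root
    is unreachable during [outage_start, outage_end). Returns the answers
    ("FAIL" where the lookup failed) and the number of root attempts."""
    r = CachingResolver()
    r.resolve("www.facebook.com", 0)
    answers = []
    for t, name in probes:
        r.root_reachable = not (outage_start <= t < outage_end)
        try:
            answers.append(r.resolve(name, t))
        except LookupError:
            answers.append("FAIL")
    return answers, r.root_attempts


if __name__ == "__main__":
    probes = [(3600, "www.facebook.com"),    # 1 h in: A record expired, delegation cached
              (7200, "new.facebook.com"),    # never-seen name: still no root query needed
              (200000, "www.facebook.com"),  # .com delegation expired, root still down
              (300000, "www.facebook.com")]  # root back: recovers on the first retry
    print(blackout_timeline(3600, 250000, probes))
    # -> (['66.220.158.25', '198.51.100.10', 'FAIL', '66.220.158.25'], 3)
```

The model makes the race described above concrete: with a two-day delegation TTL the first failure appears only after the cached ".com" entry expires, and a resolver that (as the hackers claim) keeps it for less than a day simply moves that point earlier. It also shows that asking for new names does not by itself force root queries, because the gTLD delegation, not the root, is what a new name under ".com" needs.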

Consequence


The #Anonymous hackers can certainly cause local pockets of disruption, but these disruptions are going to be localized to networks where their attack machines are located, or where their "reflectors" are located. They might affect a few of the root DNS servers, but it's unlikely they could take all of them down, at least not for any length of time. On the day of their planned Global Blackout, it's doubtful many people would notice.


Note: just because I say #Anonymous can't do it doesn't mean it can't be done. Rather than a "brute-force" attack flooding the target, searching for weaknesses is a better approach. I think I might be able to do it, given 6 months. There are others who know DNS better who could find a weakness in less time.

[update] When the root DNS servers do come under attack, you'll want to check out this page from Team Cymru, which monitors the health of the root DNS servers. They repeatedly query all the root servers from several locations around the Internet and measure how long it takes for their queries to be answered.

[update] Mr. Dan "DNS" Kaminsky has some good points at this Forbes article: Anonymous Plans To Take Down The Internet? We're Being Trolled.

[update] Mikko Hypponen points to this 2007 article: "There are not 13 root servers."

[update] IRC conversation about #OpGlobalBlackOut:  http://pastebin.com/n71BkMPi

36 comments:

Warren James said...
This comment has been removed by the author.
Warren James said...
This comment has been removed by the author.
Warren James said...
This comment has been removed by the author.
Michiel Klaver said...

You forgot to mention TTL, the root zone itself has a TTL of 41 days. Most recursing caching DNS servers located at all the ISPs will remember the root zone and not query them for a long period of time.

Cricket said...

Most of the NS records delegating top-level zones from the root have a TTL of 172800 seconds, or two days. Still, that's long enough so many of us wouldn't notice a 24-hour attack--if it were effective.

www.root-servers.org is a good source for information about the root infrastructure. The site claims there are 259 instances of root name servers around the world, though I think that number is probably a little low. Verisign, for instance, runs multiple physical servers in each location.

ja9333 said...

It's really funny that you guys think this is real. It's a hoax, or an overzealous new anon that got excited. Anyone with half a brain realized that at first glance. Thanks for all the info though.

SimonHF said...

So if you had a bot-net with, say, 2 million different infected IPs and they all started generating a load (e.g. 50 thousand queries per second) on, say, the top 1 million DNS servers then there'd be a total load of approx. 100,000 queries per second per DNS server which would be enough to bring everything crashing down. It wouldn't be possible to block them; they'd be from all ISPs from all over the world. In reality this isn't going to happen because it's more profitable for the big bot-nets to send spam than play around with blocking the internet.

SimonHF said...

For comparison, Google DNS recently said they process about 70 billion DNS requests per day. 2 million bot-net IPs at 50k DNS queries per second would result in a daily load about 123,000 times greater! Or probably several thousand times greater than the estimated entire daily DNS traffic of the whole world.

Stéphane Bortzmeyer said...

Two errors; as said by Cricket, the TTL of .com is two days not "over a month".

And a NOT is missing in the sentence "The root servers are located on the edges of the Internet".

Also, cannot post with OpenID, it keeps saying "The characters you entered didn't match the word verification." while it works with a Google account.

sep332 said...

Caching doesn't work if you ask for a different resource every time. You could ask for google.aaaaa then google.aaaab and so on. Then every request would have to be propagated to the root, because none of the DNS servers in between will have that cached.

Arenlor said...

First off, my DNS provider, OpenDNS does this cool thing where if the upstream DNS provider goes down their smartcache kicks in and just provides you with the last known good IP, so even if they took down the root servers for a month OpenDNS would be secure. Second, COM, NET, ORG, etc, don't change often. The DNS providers could just fake a lookup and go to the correct IP. Third, even if they did manage to do their LOIC attack directly on the servers this assumes that the servers couldn't handle the attack. If they can't take down the CIA for more than a few hours, how do they plan to take this down for any length of time?

Anonymous said...

What about a physical attack on the DNS servers, cables, routers, etc.? Now that would be devastating.

Remi said...

I am the legal Intellectual Property owner of Anonymous Operation Blackout. That was a fake. Stop spreading misinformation.

Robert Graham said...

Remi said:
I am the legal Intellectual Property owner of Anonymous Operation Blackout.

Wow. How does one become a 'legal intellectual property owner'? What intellectual property are you talking about? Is it a trade-secret? A patent? A copyright? A trademark?

Trademark is the only intellectual property that can apply, but I don't see any registration for "Anonymous Operation Blackout" in the US trademark office. Is there another country where you have registered it?

By "legal", you of course mean police and courts will protect your intellectual property rights. Isn't that the opposite of what #Anonymous is all about?

As far as I can tell, you in fact aren't the "owner of the intellectual property" of "Anonymous Operation Blackout", legal or otherwise. You have no more right to that name than anybody else. The people claiming to blackout DNS on March 31 have just as much right to the name as you.

Robert Graham said...

Although, Remi, I'm on your side: it's probably just some guy trolling, rather than representative of what many #Anonymous hackers want to do.

Anonymous said...

It's very narrow-minded to say it's impossible, just because YOU can't think of a way.

Anonymous said...

"Note: just because I say #Anonymous can't do it doesn't it mean it can't be done. I think I might be able to do it, given 6 months. There are several others who I know who might be able to do it. And, if we got into a room and brainstormed, I'm certain we could do it."

I was with you until that statement. I don't think you, or the others you are talking about, could do it. Why? Because as smart as you are, there are smarter people out there who have already tried...and failed.

It's just not possible, for all the reasons you specified in your post. Root is just way too distributed to attack. Any true attack would last a maximum of minutes before it's blocked and you get a visit from the party van.

Anonymous said...

It’s highly unlikely and very illogical to think Anonymous would do this (regardless of its feasibility). It’s also unlikely this is merely a mistake that took hold and spread like wildfire throughout the internet community.

If anything it's highly likely this is a smear & fear campaign led by 1 or more US government-affiliated agencies (like Homeland Security) to:
A) Create an anti-Anonymous movement amongst the general internet public
B) Create a patsy for a planned internet interruption

While it's unlikely any hacker group could effectively take down the internet via these servers, the same cannot be said about the government and what power it has and/or what actions with regards to the internet it can initiate. Just because no bill specifically outlining internet shutdown authority for the president has been passed, that alone does not mean that the president or a delegated authority does not have such power or that they will not use it. Government often does first and then gets official authority to do so after the fact.

George said...

If #Anonymous actually pulls off taking down the root DNS servers and we assume that the caching DNS servers operate a sub 1-day cache regardless of the TTL, can we assume that the ISPs wouldn't react? Seems to me the ISPs can tweak their caches to run even longer, possibly much longer than the TTL in an absolute worst case scenario.

Anonymous said...

What about an attack on the physical DNS server equipment, cables, routers, etc.?

Anonymous said...

This does seem like false story, in that Anonymous doesn't seem to have any interest in taking everything down.
They seem to be against the whole mass-murdering coverup and covert restriction of rights, like the recent multi-pronged attacks of SOPA, PIPA and ACTA, but I don't see how taking everything down does anything.
The threat seems more like something SOPA, PIPA and ACTA supporters would suggest to justify more monitoring, control and fear.

Unknown said...

Why call it hacking if everything is predefined? Also, if there is a will, there is definitely a way.

SyKoTiK said...

To state an obvious point I hadn't seen mentioned in the article or other comments, everything that Anonymous has attacked so far has had a reason and was a specific target. The PlayStation Network, for example, is obviously owned by Sony - Sony is the company that was pursuing legal ramifications against the person(s) involved in releasing the root key of their PS3 devices - henceforth, they took down the network that PS3s connect to... the PSN.

THIS, however, would have no justification. What did "the Internet" do to them (short of giving them a medium for their actions/rants/etc)? That was a rhetorical question, for the record. The REAL target(s) should be the actual supporters of SOPA, the operators/decision-makers of "Wall Street" themselves, the operators/decision-makers of the banks, and whoever else they deem a target... but ONLY as an individual person/entity. They wouldn't make the entire "globe" suffer like that unless there was no other choice. In this case, there IS another choice: target the actual individuals instead of making it global. Make THEM pay the price (or piss them off a little)... not everyone that may or MAY NOT have done anything to merit going without their internet access.

Not to mention one HUGE and VERY obvious reason this wouldn't happen at the hands of Anonymous (just to name one reason out of a countless number of reasons): medical facilities such as hospitals, clinics, etc. would potentially not be able to submit CRITICAL medical/health information wherever they need to send it to possibly save a life of a human being.

Remember, Anonymous are "hacktivists"... not anarchists. That's why this is all so clearly a hoax and fiction.

Anonymous said...

@Sykotyk : good point. you got it right.

TNCaver said...

@Sykotyk : Here are some reasons why Anonymous might target the global internet: bragging rights; show of power, cleverness and/or the ability to pull off future threats; LOLZ (i.e., they don't always need a reason you or I would consider legitimate or reasonable). This is, after all, the headless Anonymous we're talking about.

macewan said...

RG... you knew better than to waste time with such silly talk

SyKoTiK said...

@TNCaver:
I could agree with you that there may be the whole "just for fun" factor playing a part in this - if it does happen to be real - but the reason I'm still inclined to think it's a hoax is that if it were to happen the members of Anonymous would suffer not being able to access the internet as well (unless they gather the IP addresses of EVERY site (and all of the sites that site communicates with) before launching the attack, and navigate to the IP addresses directly rather than relying on the DNS resolution). But, I don't think anyone would go through the headache of doing that.

They might do it for bragging rights, because so many people are telling them that it can't be done, that they lack the capability, etc. and they may want to prove otherwise, but again... they'd suffer the consequence of not being able to get online along with the rest of the world.

Not to mention, as I said in my original post, that Anonymous are activists... not anarchists. When something as critical as medical facilities would be affected, things like morals kick in. Since we don't know who the members of Anonymous are, what their personal lives entail, etc., there's no way of us knowing whether someone in their family (i.e. their mother/father) may be hurt by them taking down the internet because they can't get the medical assistance they need due to an inability for the medical facilities to talk with one-another for vital patient information.

Anonymous said...

Personally it does seem very very difficult (nothing seems to be impossible when it comes to the internet and finding vulnerabilities if you know where to look). But personally it seems like a waste of a perfectly good botnet just to prove a point and destroy the internet for 1 hour. Why not use your botnet for a more useful thing like making a political statement and hitting someone or something that is actually useful like a government website or a big corporation's website rather than screw the whole world over for your own statement? It's a big statement that everyone will see but also gets a lot of people angry at you as well for screwing them over. How about some consideration for us smaller people rather than just thinking of yourselves all the time #anonymous?

Malibu Carl said...

Regarding the update on the article linking to Team Cymru's monitoring service, I'd like to add RIPE NCC's dnsmon (http://dnsmon.ripe.net/dns-servmon/server/), which provides a more comprehensive view of how DNS performs.

Anonymous said...

Wow, way to be arrogant guys. Tell the script kiddies there's something they can't do. This was ridiculous and you never should have posted it. Way to inflame them, even if they *can't* pull it off.

Remi said...

blackout.AaronBale.com demands that you stop infringing on #OpBlackout Intellectual Property Attribution Rights. #OpGlobalBlackout and #OpV are proven USAGOV funded terroristic sabotage, not real Anon. Do your fucking homework and show some respect to real heroes. Our legal, political, medical and ethical leaders are fucking tired of media propaganda. DO YOUR GODDAMN HOMEWORK OR STFU. If you have any goddamn questions you can email me at owner@AaronBale.com. I better not see this terroristic bullshit in 48 hours "Errata Security"

Anonymous said...

I totally agree with you.
I'm in the networking field myself and currently this looks like a faraway dream.
However you would really look bad if it worked! lol

Redirect removal said...

I personally find their behavior to be childish. It's nice to know that there is a force that will push back when pushed, but most of the time Anonymous only hurts innocent people with their actions.

No Name said...
This comment has been removed by a blog administrator.
No Name said...
This comment has been removed by a blog administrator.
Anthony Willis said...
This comment has been removed by a blog administrator.