|This is what you'd see if the DNS blackout were successful|
But the attack is no longer practical. It's such a common idea that Wikipedia has a page devoted to it. For something so obvious, defenders have spent considerable time devising solutions. There are many reasons why such an attack won't cause a global blackout.
Reason #1: active response
Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources, like root DNS servers. Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem.
We've seen this response in action after major Internet worms (Morris Worm, Slammer, Blaster) or undersea cable breaks destabilized the Internet. Despite devastating temporary effects on the Internet, defenders were able to react quickly and mitigate the problem, so that most people never noticed.
The easiest active response is to blackout the sources of the offending traffic. Defenders can quickly figure out where the attacks are coming from, and prevent packets from those sources from reaching the root DNS servers. Thus, people might see disruptions for a few minutes, but not likely any longer.
Reason #2: diversity
There are 13 root domain servers (labeled A through M), managed by different organizations, using different hardware, software, and policies. A technique that might take out 1 of them likely won't affect the other 12. To have a serious shot at taking out all 13, a hacker would have to test out attacks on each one. But, the owners of the systems would notice the effectiveness of the attacks, and start mitigating them before the coordinate attack against all 13 could be launched.
Reason #3: anycasting
Anycasting is a tweek to the Internet routing table so that traffic destined for an IP address is redirected to a different local server. Thus, while it may appear that the "K" root DNS server has only a single IP address "126.96.36.199", in fact there are 20 machines with that address spread throughout the world. When I trace the route to the "K" server from Comcast in Atlanta, it goes to a server located at an exchange point in Virginia. If you do your own traceroute, you are likely to find a different location for the server.
|Physical location of the IP address 188.8.131.52|
|Route from Comcast in Atlanta to 184.108.40.206|
Reason #4: fat pipes
The root servers are not located on the edges of the Internet, but are instead located at nexus points on the Internet backbone where many links come together. Even using the "network amplification" technique described by #Anonymous, it won't overload the network connections leading to the root servers.
Such attacks might overwhelm the servers themselves, but here amplification is much less of a threat. Whereas the raw "bits-per-second" is the primary limiting factor for Internet links, "packets-per-second" is the primary limiting factor for servers. The amplification technique results is bigger packers, but not more of them, so amplification affects servers less.
Reason #5: gTLD servers
All a root server does is resolve the last part of the name, like ".com" or ".jp". It then passes the result to the "gtld-servers". That means while the servers are designed for millions of requests per second, they practically only serve a few thousand per second.
Indeed, the best way to cause a "global blackout" wouldn't be to attack the root servers themselves, but the "gtld-servers" the next level down, or even the individual domain-specific servers (like those for Google or Facebook) at the next level. If people can't get to their Google, Twitter, and Facebook, the Internet is down as far as they are concerned.
|All root server does is resolve the ".com" portion of "www.facebook.com"|
Reason #6: caching [update]
Your don't interact with the root DNS directly. Instead, you ask your Internet provider (Comcast, Verizon, AT&T, etc.) to do it for you. They don't need to repeatedly ask the same question to the root servers every time one of their customers clicks on "www.facebook.com". Instead, they can remember the response from the first lookup, then use that response for the rest of the customers who ask. This is called "caching" the response. The amount of time they cache the response, before redoing the lookup, is known as the "time-to-live" or "TTL".
The TTL for domains like ".com" is a couple days [edited]. That means, in theory, that the root servers could be down for a while before anybody would notice.
In their missive, the #Anonymous hackers claim that companies like Comcast ignore the TTL, and instead cache the response for things like ".com" for less than a day. I don't know. Regardless, it's a race against time: #Anonymous has to keep the root servers unavailable long enough for the major Internet providers to timeout their caches, while fighting the defenders who are racing to block the attacks and make the servers available again.
(I added this point in response to Michiel Klaver's comments below. I didn't include it in my original post because I haven't tested myself the veracity of #Anonymous's claims that Internet providers don't cache the root responses for a long time).
The #Anonymous hackers can certain cause local pockets of disruption, but these disruptions are going to be localized to networks where their attack machines are located, or where their "reflectors" are located. They might affect a few of the root DNS servers, but it's unlikely they could take all of them down, at least for any period of time. On the day of their planned Global Blackout, it's doubtful many people would notice.
Note: just because I say #Anonymous can't do it doesn't it mean it can't be done. Rather than a "brute-force" attack flooding the target, searching for weaknesses is a better approach. I think I might be able to do it, given 6 months. There are others who know DNS better who could find a weakness in less time.
[update] When the root DNS servers do come under attack, you'll want to check out this page from Team Cymru monitors the health of the root DNS servers. They repeated query all the root servers from several locations around the Internet and measure how long it takes for their queries to be answered.
[update] Mr. Dan "DNS" Kaminsky has some good points at this Forbes article: Anonymous Plans To Take Down The Internet? We're Being Trolled.
[update] Mikko Hypponen points to this 2007 article: "There are not 13 root servers.
[update] IRC conversation about #OpGlobalBlackOut: http://pastebin.com/n71BkMPi