[AfrICANN-discuss] No, #Anonymous can't DDoS the root DNS servers

Anne-Rachel Inné annerachel at gmail.com
Thu Feb 16 11:59:53 SAST 2012


http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.htmlNo,
#Anonymous can't DDoS the root DNS
servers<http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.html>
Posted by Robert David Graham (@ErrataRob<https://twitter.com/#%21/ErrataRob>)

 <http://3.bp.blogspot.com/-MOublYgiLN0/Tzy8W_hL6FI/AAAAAAAAAjQ/NEzv0DA8wpQ/s1600/dns-fail.png>
This
is what you'd see if the DNS blackout were successful #Anonymous hackers
have announced "Operation Global Blackout <http://pastebin.com/NKbnh8q8>",
promising to cause an Internet-wide blackout by disabling the core DNS
servers <http://en.wikipedia.org/wiki/Root_name_server>. DNS is the
phonebook of the Internet that translates machine names (like "
www.facebook.com") to network addresses (like "66.220.158.25"). If hackers
can disable the global DNS name system, then typing in your favorite
website into your browser will produce an error.

But the attack is no longer practical. It's such a common idea that
Wikipedia has a page devoted to
it<http://en.wikipedia.org/wiki/Distributed_denial_of_service_attacks_on_root_nameservers>.
For something so obvious, defenders have spent considerable time devising
solutions. There are many reasons why such an attack won't cause a global
blackout.

Reason #1: active response
Typical hacks work because it often takes a day for the victim to notice.
Not so with critical Internet resources, like root DNS servers. Withing
minutes of something twitching, hundreds of Internet experts will convene
in to solve the problem.

We've seen this response in action after major Internet worms (Morris Worm,
Slammer <http://en.wikipedia.org/wiki/SQL_Slammer>, Blaster) or undersea
cable breaks<http://erratasec.blogspot.com/2008/02/cable-cut-conspiracy.html>destabilized
the Internet. Despite devastating effects on the Internet,
defenders were able to react quickly and mitigate the problems, such that
most people never noticed a problem.

The easiest active response is to blackout the sources of the offending
traffic. Defenders can quickly figure out where the attacks are coming
from, and prevent packets from those sources from reaching the root DNS
servers. Thus, people might see disruptions for a few minutes, but not
likely any longer.

Reason #2: diversity
There are 13 root domain servers (labeled A through M), managed by
different organizations, using different hardware, software, and policies.
A technique that might take out 1 of them likely won't affect the other 12.
To have a serious shot at taking out all 13, a hacker would have to test
out attacks on each one. But, the owners of the systems would notice the
effectiveness of the attacks, and start mitigating them before the
coordinate attack against all 13 could be launched.

Reason #3: anycasting
Anycasting is a tweek to the Internet routing table so that traffic
destined for an IP address is redirected to a different local server. Thus,
it may appear that the "K" root DNS server has only a single IP address
"193.0.14.129", in fact there are 20 machines with that address spread
throughout the world. When I trace the route to the "K" server from Comcast
in Atlanta, it goes to a server located at an exchange point in Virginia.
If you do your own traceroute, you are likely to find a different location
for the server.


<http://1.bp.blogspot.com/-kYVo5PguV7E/Tzy7X1tL5FI/AAAAAAAAAi4/NNQJrCcIACU/s1600/dns-anycast-map.png>
Physical
location of the IP address 192.0.14.129
<http://1.bp.blogspot.com/-9vXoqkpknmM/Tzy71b4pkFI/AAAAAAAAAjI/qgFB6XaBUgU/s1600/dns-anycast-traceroute.png>
Route
from Comcast in Atlanta to 192.0.14.129 (Notice how while the map indicates
the only U.S. "K" server is in Florida, but my traceroute appears to go to
Virginia; the map is probably out of date).

Reason #4: fat pipes
The root servers are located on the edges of the Internet, but are instead
located at nexus points on the Internet backbone where many links come
together. Even using the "network amplification" technique described by
#Anonymous, it won't overload the network connections leading to the root
servers.

Such attacks might overwhelm the servers themselves, but here amplification
is much less of a threat. Whereas the raw "bits-per-second" is the primary
limiting factor for Internet links, "packets-per-second" is the primary
limiting factor for servers. The amplification technique results is bigger
packers, but not more of them, so is less of a threat.

Reason #5: gTLD servers
All a root server does is resolve the last part of the name, like ".com" or
".jp". It then passes the result to the "gtld-servers". That means while
the servers are designed for millions of requests per second, they
practically only server a few thousand.

Indeed, the best way to cause a "global blackout" wouldn't be to attack the
root servers themselves, but the servers the "gtld-servers" the next level
down, or even the individual domain-specific servers (like those for Google
or Facebook) at the next level. If people can't get to their Google,
Twitter, and Facebook, the Internet is down as far as they are concerned.


<http://1.bp.blogspot.com/-8U8eBQK4PVs/Tzy8ceDUnrI/AAAAAAAAAjY/4CXKO8IIpyI/s1600/dns-gtld-lookup.png>
All
root server does is resolve the ".com" portion of "www.facebook.com"
Consequence
The #Anonymous hackers can certain cause local pockets of disruption, but
these disruptions are going to be localized to networks where their attack
machines are located, or where their "reflectors" are located. They might
affect a few of the root DNS servers, but it's unlikely they could take all
of them down, at least for any period of time. On the day of their planned
Global Blackout, it's doubtful many people would notice.

------------------------------
Note: just because I say #Anonymous can't do it doesn't it mean it can't be
done. I think I might be able to do it, given 6 months. There are several
others who I know who might be able to do it. And, if we got into a room
and brainstormed, I'm *certain *we could do it.
 0digg

<http://www.blogger.com/email-post.g?blogID=37798047&postID=5683638794905809264>
<http://www.blogger.com/email-post.g?blogID=37798047&postID=5683638794905809264>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20120216/be367643/attachment.htm


More information about the AfrICANN mailing list