<h3 class="post-title entry-title"><a href="http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.html">No, #Anonymous can't DDoS the root DNS servers</a>
</h3>
<div class="post-header-line-1"><span class="post-author vcard">
Posted by
<span class="fn">Robert David Graham (<a href="https://twitter.com/#%21/ErrataRob">@ErrataRob</a>) </span>
</span>
<span class="post-timestamp">
</span>
</div>
<div class="post-body entry-content">
<table class="tr-caption-container" style="float:right;margin-left:1em;text-align:right" cellpadding="0" cellspacing="0"><tbody>
<tr><td style="text-align:center"><a href="http://3.bp.blogspot.com/-MOublYgiLN0/Tzy8W_hL6FI/AAAAAAAAAjQ/NEzv0DA8wpQ/s1600/dns-fail.png" style="clear:right;margin-bottom:1em;margin-left:auto;margin-right:auto"><img src="http://3.bp.blogspot.com/-MOublYgiLN0/Tzy8W_hL6FI/AAAAAAAAAjQ/NEzv0DA8wpQ/s320/dns-fail.png" border="0" height="254" width="320"></a></td>
</tr>
<tr><td class="tr-caption" style="text-align:center">This is what you'd see if the DNS blackout were successful</td></tr>
</tbody></table>#Anonymous hackers have announced "<a href="http://pastebin.com/NKbnh8q8">Operation Global Blackout</a>", promising to cause an Internet-wide blackout by disabling the <a href="http://en.wikipedia.org/wiki/Root_name_server">core DNS servers</a>.
DNS is the phonebook of the Internet that translates machine names
(like "<a href="http://www.facebook.com">www.facebook.com</a>") to network addresses (like "66.220.158.25").
If hackers can disable the global DNS name system, then typing in your
favorite website into your browser will produce an error.<br>
<br>
But the attack is no longer practical. It's such a common idea that Wikipedia has a <a href="http://en.wikipedia.org/wiki/Distributed_denial_of_service_attacks_on_root_nameservers">page devoted to it</a>.
For something so obvious, defenders have spent considerable time
devising solutions. There are many reasons why such an attack won't
cause a global blackout.<br>
<br>
<h2>Reason #1: active response</h2><br>
Typical hacks work because it often takes a day for the victim to
notice. Not so with critical Internet resources, like root DNS servers.
Within minutes of something twitching, hundreds of Internet experts
will convene to solve the problem.<br>
<br>
We've seen this response in action after major Internet worms (Morris Worm, <a href="http://en.wikipedia.org/wiki/SQL_Slammer">Slammer</a>, Blaster) or <a href="http://erratasec.blogspot.com/2008/02/cable-cut-conspiracy.html">undersea cable breaks</a>
destabilized the Internet. Despite devastating effects on the Internet,
defenders were able to react quickly and mitigate the problems, such
that most people never noticed a problem.<br>
<br>
The easiest active response is to blackout the sources of the offending
traffic. Defenders can quickly figure out where the attacks are coming
from, and prevent packets from those sources from reaching the root DNS
servers. Thus, people might see disruptions for a few minutes, but not
likely any longer.<br>
<br>
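To make the "figure out where the attacks are coming from" step concrete, here is an added example (an illustration written for this page, not code from the original post): it parses a constructed query log, finds source addresses whose per-second query rate exceeds a threshold, aggregates them into prefixes of the kind an upstream router would drop, and replays the log through that filter to confirm that ordinary resolvers still get through. The log format, the addresses and the threshold are all assumptions made for this example.<br>

```python
"""Rate-based identification of flooding sources in a DNS query log.

Added example (not from the original post). The log format, the addresses and
the threshold are assumptions chosen for this illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log, one query per line: "<unix-time> <client-ip> <qname> <qtype>".
# Two hosts in 203.0.113.0/24 each send 300 root NS queries within one second,
# while three ordinary resolvers make a handful of normal queries.
SAMPLE_LOG = "\n".join(
    [f"1329700000.{ms:03d} 203.0.113.5 . NS" for ms in range(0, 600, 2)]
    + [f"1329700000.{ms:03d} 203.0.113.9 . NS" for ms in range(1, 600, 2)]
    + [
        "1329700000.100 198.51.100.7 com. NS",
        "1329700000.250 198.51.100.7 jp. NS",
        "1329700000.400 192.0.2.33 org. NS",
        "1329700001.050 192.0.2.33 net. NS",
        "1329700001.300 198.51.100.8 com. NS",
    ]
)


def parse_log(text):
    """Yield (second, source_address, qname, qtype) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, qname, qtype = line.split()
        yield int(float(stamp)), ipaddress.ip_address(src), qname, qtype


def queries_per_second(records):
    """Count queries per (source, second) bucket."""
    counts = defaultdict(int)
    for second, src, _qname, _qtype in records:
        counts[(src, second)] += 1
    return counts


def offending_sources(text, threshold_qps):
    """Sources whose query rate in any single second exceeds threshold_qps."""
    counts = queries_per_second(parse_log(text))
    return {src for (src, _second), n in counts.items() if n > threshold_qps}


def filter_prefixes(sources, prefix_len=24):
    """Aggregate offending hosts into prefixes, the granularity at which an
    upstream router would typically drop traffic."""
    nets = {ipaddress.ip_network((str(src), prefix_len), strict=False) for src in sources}
    return sorted(nets, key=lambda n: int(n.network_address))


def apply_filter(text, prefixes):
    """Replay the log through the filter; return (dropped, passed) query counts."""
    dropped = passed = 0
    for _second, src, _qname, _qtype in parse_log(text):
        if any(src in net for net in prefixes):
            dropped += 1
        else:
            passed += 1
    return dropped, passed


if __name__ == "__main__":
    bad = offending_sources(SAMPLE_LOG, threshold_qps=100)
    nets = filter_prefixes(bad)
    print("offending sources:", sorted(map(str, bad)))
    print("drop prefixes:", [str(n) for n in nets])
    print("dropped/passed after filtering:", apply_filter(SAMPLE_LOG, nets))
```

On the constructed log the two flooding hosts are the only ones over the threshold, they collapse into a single /24 to drop, and the five legitimate queries all pass; the per-second bucketing is what keeps a busy but well-behaved resolver from being mistaken for an attacker.<br>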
<h2>Reason #2: diversity</h2><br>
There are 13 root domain servers (labeled A through M), managed by
different organizations, using different hardware, software, and
policies. A technique that might take out 1 of them likely won't affect
the other 12. To have a serious shot at taking out all 13, a hacker
would have to test out attacks on each one. But, the owners of the
systems would notice the effectiveness of the attacks, and start
mitigating them before the coordinated attack against all 13 could be
launched.<br>
<br>
<h2>Reason #3: anycasting</h2><br>
Anycasting is a tweak to the Internet routing table so that traffic
destined for an IP address is redirected to a different local server.
Thus, while it may appear that the "K" root DNS server has only a single IP
address "193.0.14.129", in fact there are 20 machines with that address
spread throughout the world. When I trace the route to the "K" server
from Comcast in Atlanta, it goes to a server located at an exchange
point in Virginia. If you do your own traceroute, you are likely to find
a different location for the server.<br>
<br>
<table class="tr-caption-container" style="margin-left:auto;margin-right:auto;text-align:center" cellpadding="0" cellspacing="0" align="center"><tbody>
<tr><td style="text-align:center"><a href="http://1.bp.blogspot.com/-kYVo5PguV7E/Tzy7X1tL5FI/AAAAAAAAAi4/NNQJrCcIACU/s1600/dns-anycast-map.png" style="margin-left:auto;margin-right:auto"><img src="http://1.bp.blogspot.com/-kYVo5PguV7E/Tzy7X1tL5FI/AAAAAAAAAi4/NNQJrCcIACU/s320/dns-anycast-map.png" border="0" height="206" width="320"></a></td>
</tr>
<tr><td class="tr-caption" style="text-align:center">Physical location of the IP address 193.0.14.129</td></tr>
</tbody></table><table class="tr-caption-container" style="margin-left:auto;margin-right:auto;text-align:center" cellpadding="0" cellspacing="0" align="center"><tbody>
<tr><td style="text-align:center"><a href="http://1.bp.blogspot.com/-9vXoqkpknmM/Tzy71b4pkFI/AAAAAAAAAjI/qgFB6XaBUgU/s1600/dns-anycast-traceroute.png" style="margin-left:auto;margin-right:auto"><img src="http://1.bp.blogspot.com/-9vXoqkpknmM/Tzy71b4pkFI/AAAAAAAAAjI/qgFB6XaBUgU/s320/dns-anycast-traceroute.png" border="0" height="108" width="320"></a></td>
</tr>
<tr><td class="tr-caption" style="text-align:center">Route from Comcast in Atlanta to 193.0.14.129</td></tr>
</tbody></table>(Notice that while the map indicates the only U.S. "K"
server is in Florida, my traceroute appears to go to Virginia; the
map is probably out of date.)<br>
<br>
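Here is an added toy model of the anycast behaviour described above (written for this page, not code from the original post, and not real K-root data): a handful of exchange points with invented link costs, several nodes announcing the same prefix, and clients that reach whichever instance has the lowest path cost. It then shows what happens when a flood originates in one region: only the nearest instance absorbs it, and if that instance is withdrawn the flood shifts to the next-nearest one while clients elsewhere keep being served. The topology, instance placement and traffic figures are all assumptions.<br>

```python
"""Toy model of anycast routing and why a flood stays local.

Added example (not from the original post). The topology, link costs and
instance placement below are invented for illustration; they are not
measurements of the real K-root deployment.
"""
import heapq

# Constructed topology: nodes are exchange points, edge weights are path costs
# (think of BGP path preference, not measured latency).
TOPOLOGY = {
    "atlanta":   {"virginia": 1, "miami": 2},
    "virginia":  {"atlanta": 1, "miami": 2, "amsterdam": 5},
    "miami":     {"atlanta": 2, "virginia": 2, "sao_paulo": 4},
    "amsterdam": {"virginia": 5, "london": 1, "tokyo": 9},
    "london":    {"amsterdam": 1},
    "sao_paulo": {"miami": 4},
    "tokyo":     {"amsterdam": 9},
}

# Nodes that each announce the same anycast prefix (assumed placement).
INSTANCES = {"virginia", "miami", "amsterdam", "tokyo"}

# Constructed load in queries per second: a flood whose sources sit in the
# Atlanta region, plus modest legitimate traffic from three other regions.
FLOOD_TRAFFIC = {"atlanta": 1000, "london": 10, "sao_paulo": 10, "tokyo": 10}


def shortest_paths(topology, start):
    """Dijkstra from start; returns {node: total path cost}."""
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue
        for neighbour, weight in topology[node].items():
            new_cost = cost + weight
            if new_cost < dist.get(neighbour, float("inf")):
                dist[neighbour] = new_cost
                heapq.heappush(heap, (new_cost, neighbour))
    return dist


def nearest_instance(topology, instances, client):
    """The anycast instance a client's packets reach: the one with the lowest
    path cost. Under anycast this is the only instance the client can hit."""
    dist = shortest_paths(topology, client)
    reachable = [(dist[i], i) for i in instances if i in dist]
    return min(reachable)[1] if reachable else None


def instance_load(topology, instances, traffic):
    """Distribute traffic ({client: qps}) over instances; returns {instance: qps}."""
    load = {i: 0 for i in instances}
    for client, qps in traffic.items():
        inst = nearest_instance(topology, instances, client)
        if inst is not None:
            load[inst] += qps
    return load


def withdraw_overloaded(topology, instances, traffic, capacity):
    """Simplified model of an instance that stops announcing the prefix once it
    is flooded beyond capacity. Returns (surviving instances, their new load)."""
    load = instance_load(topology, instances, traffic)
    survivors = {i for i in instances if load[i] <= capacity}
    return survivors, instance_load(topology, survivors, traffic)


if __name__ == "__main__":
    print("before:", instance_load(TOPOLOGY, INSTANCES, FLOOD_TRAFFIC))
    survivors, after = withdraw_overloaded(TOPOLOGY, INSTANCES, FLOOD_TRAFFIC, capacity=500)
    print("withdrawn:", INSTANCES - survivors, "after:", after)
```

With these numbers the Atlanta flood lands entirely on the Virginia instance; withdrawing it pushes the flood onto Miami, and the London, Sao Paulo and Tokyo clients never see any change in where their queries go. That is the "local pockets of disruption" outcome in miniature.<br>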
<h2>Reason #4: fat pipes</h2><br>
The root servers are not located on the edges of the Internet, but
instead at nexus points on the Internet backbone where many
links come together. Even using the "network amplification" technique
described by #Anonymous, it won't overload the network connections
leading to the root servers.<br>
<br>
Such attacks might overwhelm the servers themselves, but here
amplification is much less of a threat. Whereas raw
"bits-per-second" is the primary limiting factor for Internet links,
"packets-per-second" is the primary limiting factor for servers. The
amplification technique results in bigger packets, but not more of them,
so it is less of a threat.<br>
<br>
<h2>Reason #5: gTLD servers</h2><br>
All a root server does is resolve the last part of the name, like ".com"
or ".jp". It then refers the requester to the "gtld-servers". That means
that while the servers are designed for millions of requests per second,
in practice they only serve a few thousand.<br>
<br>
Indeed, the best way to cause a "global blackout" wouldn't be to attack
the root servers themselves, but the "gtld-servers" at the next
level down, or even the individual domain-specific servers (like those
for Google or Facebook) at the level below that. If people can't get to their
Google, Twitter, and Facebook, the Internet is down as far as they are
concerned.<br>
<br>
<table class="tr-caption-container" style="margin-left:auto;margin-right:auto;text-align:center" cellpadding="0" cellspacing="0" align="center"><tbody>
<tr><td style="text-align:center"><a href="http://1.bp.blogspot.com/-8U8eBQK4PVs/Tzy8ceDUnrI/AAAAAAAAAjY/4CXKO8IIpyI/s1600/dns-gtld-lookup.png" style="margin-left:auto;margin-right:auto"><img src="http://1.bp.blogspot.com/-8U8eBQK4PVs/Tzy8ceDUnrI/AAAAAAAAAjY/4CXKO8IIpyI/s320/dns-gtld-lookup.png" border="0" height="298" width="320"></a></td>
</tr>
<tr><td class="tr-caption" style="text-align:center">All a root server does is resolve the ".com" portion of "<a href="http://www.facebook.com">www.facebook.com</a>"</td></tr>
</tbody></table><br>
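The lookup pictured above, as an added toy iterative resolver (written for this page, not code from the original post): each authoritative server answers only what it owns and refers everything else down one level, and the resolver remembers which zones it has already been referred to. Running three lookups through it shows the root being asked exactly once, the "gtld-servers" twice, and the domain's own servers for every lookup, which is why the root sees such a small share of the traffic. The delegation tree is a constructed stand-in for real zone data (the Facebook address is the one quoted in the post, the Google address is made up), and TTL expiry is omitted.<br>

```python
"""Toy iterative resolver showing how little work a root server does.

Added example (not from the original post). The delegation tree below is a
constructed stand-in for real zone data; the Google address is made up, the
Facebook address is the one quoted in the post.
"""

# Constructed delegation tree: each zone knows which child zones it delegates
# and, for the leaf zones, the addresses it is authoritative for.
ZONES = {
    ".":             {"delegations": {"com.", "jp."}},
    "com.":          {"delegations": {"facebook.com.", "google.com."}},
    "jp.":           {"delegations": set()},
    "facebook.com.": {"records": {"www.facebook.com.": "66.220.158.25"}},
    "google.com.":   {"records": {"www.google.com.": "192.0.2.10"}},  # constructed
}


def in_zone(qname, zone):
    """True if qname lies at or below zone (names are fully qualified, trailing dot)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


class AuthServer:
    """Authoritative server for one zone: answers what it owns, refers the rest."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0  # how many queries actually reached this server

    def query(self, qname):
        self.queries += 1
        data = ZONES[self.zone]
        if qname in data.get("records", {}):
            return "answer", data["records"][qname]
        for child in data.get("delegations", ()):
            if in_zone(qname, child):
                return "referral", child  # "ask the servers for <child> instead"
        return "nxdomain", None


class Resolver:
    """Iterative resolver that remembers which zones it has already been
    referred to, so later lookups skip the root (TTL expiry omitted)."""

    def __init__(self, servers):
        self.servers = servers       # zone -> AuthServer
        self.known_zones = {"."}     # the root hints are always known

    def resolve(self, qname):
        # Start from the most specific zone whose servers are already known.
        zone = max((z for z in self.known_zones if in_zone(qname, z)), key=len)
        while True:
            kind, data = self.servers[zone].query(qname)
            if kind != "referral":
                return data
            self.known_zones.add(data)
            zone = data


def run_lookups(names):
    """Resolve names in order with one resolver; return (answers, queries per zone)."""
    servers = {zone: AuthServer(zone) for zone in ZONES}
    resolver = Resolver(servers)
    answers = [resolver.resolve(name) for name in names]
    return answers, {zone: srv.queries for zone, srv in servers.items()}


if __name__ == "__main__":
    answers, counts = run_lookups(["www.facebook.com.", "www.google.com.", "www.facebook.com."])
    print(answers)
    print(counts)
```

The same model also shows where the load actually concentrates: every lookup in the run touches the domain's own servers, and every lookup of a new ".com" name touches the gTLD servers, while the root is consulted only until the resolver has learned where ".com" lives.<br>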
<h2>Consequence</h2><br>
The #Anonymous hackers can certainly cause local pockets of disruption,
but these disruptions are going to be localized to networks where their
attack machines are located, or where their "reflectors" are located.
They might affect a few of the root DNS servers, but it's unlikely they
could take all of them down, at least for any period of time. On the day
of their planned Global Blackout, it's doubtful many people would
notice.<br>
<br>
<hr>Note: just because I say #Anonymous can't do it doesn't mean it
can't be done. I think I might be able to do it, given 6 months. There
are several others who I know who might be able to do it. And, if we got
into a room and brainstormed, I'm <i>certain </i>we could do it.
</div>