Operation Blackout to target DNS root server infrastructure
Operation Blackout to target DNS root server infrastructure

Operation Blackout to target DNS root server infrastructure

Recently, an article was posted on the pastebin site claiming to be from "anonymous", the notorious hacking group, in which they outlined a proposal to attack the DNS root server infrastructure that underpins the Internet. They effectively want to turn the Internet "off" on 31st March 2012 by preventing the ability of the DNS root servers to respond to legitimate queries, thus leading users to experience timeouts when trying to reach their favourite web sites (of course the attack could also impact many other Internet services such as email).

The article proposes to use a "reflective amplification attack" in order to launch a denial of service attack against the 13 root server IP addresses. This type of attack is not particularly clever and is very simple to invoke, provided you have control of enough clients. Anonymous probably do have access to huge botnets which could be used to launch this type of attack. Basically the botnet clients would launch a huge number of small queries for DNS records that invoke a large response packet (for instance, you could look up the DNSSEC records for one of the TLD's or even the root itself - the response that comes back is much larger than the original query, hence the traffic is "amplified"). But in order to direct the amplified traffic back to the root servers, the source IP address of each query is spoofed, so that the response goes to one of the root server IP addresses rather than the botnet client.

The root server infrastructure has been the target of various attacks over the years, but an increasingly resilient infrastructure has been built based upon "anycast" technology. So while there are only 13 public IP addresses used to advertise the root servers, there are in fact 259 physical servers operating behind these IP addresses. It is the Internet's routing protocols that determine which DNS server you actually reach, so trying to target a specific physical server in order to launch a DDoS attack against it would actually be quite difficult.

So if this proposal is genuine, we could see the root server infrastructure come under sustained attack for a period of time, but whether the attack has any serious impact will be down to the distribution of botnet clients and the routing topology between them and the physical root servers. In fact I would imagine that some servers will be impacted, but the root infrastructure as a whole should survive. With the caching mechanism built into recursive DNS servers, end-users may not even notice if some of the root infrastructure is taken down.

It will be very interesting to see how effective the root server anycast deployment is at mitigating this attack.

UPDATE - 22/02/2012

An update from @anonops on twitter claims that this is a fake operation and that there is "No intention of to cut Internet".

Here's the original pastebin article in its entirety (posted on 12/02/2012):

    01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111
    01101110  01000111 01101100 01101111 01100010 01100001 01101100
    01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100
      ___                     _   _             ___ _     _          _
     / _ \ _ __  ___ _ _ __ _| |_(_)___ _ _    / __| |___| |__  __ _| |
    | (_) | '_ \/ -_) '_/ _` |  _| / _ \ ' \  | (_ | / _ \ '_ \/ _` | |
     \___/| .__/\___|_| \__,_|\__|_\___/_||_|  \___|_\___/_.__/\__,_|_|
     ___ _         _            _  
    | _ ) |__ _ __| |_____ _  _| |_
    | _ \ / _` / _| / / _ \ || |  _|
    01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111
    01101110  01000111 01101100 01101111 01100010 01100001 01101100
    01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100
                    "The greatest enemy of freedom is a happy slave."
    To protest SOPA, Wallstreet, our irresponsible leaders and the beloved
    bankers who are starving the world for their own selfish needs out of
    sheer sadistic fun, On March 31, the Internet will go Black.
    In order to shut the Internet down, one thing is to be done. Down the
    13 root DNS servers of the Internet. Those servers are as follow:
    By cutting these off the Internet, nobody will be able to perform a
    domain name lookup, thus, disabling the HTTP Internet, which is,
    after all, the most widely used function of the Web. Anybody entering
    "http://www.google.com" or ANY other url, will get an error page,
    thus, they will think the Internet is down, which is, close enough.
    Remember, this is a protest, we are not trying to 'kill' the Internet,
    we are only temporarily shutting it down where it hurts the most.
    While some ISPs uses DNS caching, most are configured to use a low
    expire time for the cache, thus not being a valid failover solution
    in the case the root servers are down. It is mostly used for speed,
    not redundancy.
    I have compiled a Reflective DNS Amplification DDoS tool to be used for
    this attack. It is based on AntiSec's DHN, contains a few bugfix, a
    different dns list/target support and is a bit stripped down for speed.
    The principle is simple; a flaw that uses forged UDP packets is to be
    used to trigger a rush of DNS queries all redirected and reflected to
    those 13 IPs. The flaw is as follow; since the UDP protocol allows it,
    we can change the source IP of the sender to our target, thus spoofing
    the source of the DNS query.
    The DNS server will then respond to that query by sending the answer to
    the spoofed IP. Since the answer is always bigger than the query, the
    DNS answers will then flood the target ip. It is called an amplified
    because we can use small packets to generate large traffic. It is called
    reflective because we will not send the queries to the root name servers,
    instead, we will use a list of known vulnerable DNS servers which will
    attack the root servers for us.
    DDoS request --->       [Vulnerable DNS Server  ]        Normal answer        Normal Client request
                                                             | ( Spoofed UDP requests
                                                             |   will redirect the answers
                                                             |   to the root name server )
                                            [       13 root servers         ] * BAM
    Since the attack will be using static IP addresses, it will not rely
    on name server resolution, thus enabling us to keep the attack up even
    while the Internet is down. The very fact that nobody will be able to
    make new requests to use the Internet will slow down those who will try
    to stop the attack.
            "He who sacrifices freedom for security deserves neither."
                                                                    Benjamin Franklin
    We know you wont' listen. We know you won't change. We know it's because
    you don't want to. We know it's because you like it how it is. You bullied
    us into your delusion. We have seen you brutalize harmless old womans who were
    protesting for peace. We do not forget because we know you will only use that
    to start again. We know your true face. We know you will never stop. Neither
    are we. We know.
    We are Anonymous.
    We are Legion.
    We do not Forgive.
    We do not Forget.
    You know who you are, Expect us.