Wednesday, February 15, 2012

No, #Anonymous can't DDoS the root DNS servers

This is what you'd see if the DNS blackout were successful
#Anonymous hackers have announced "Operation Global Blackout", promising to cause an Internet-wide blackout by disabling the core DNS servers. DNS is the phonebook of the Internet: it translates machine names (like "www.facebook.com") into network addresses (like "66.220.158.25"). If hackers could disable the global DNS system, then typing your favorite website's name into your browser would produce an error.

But the attack is no longer practical. It's such a common idea that Wikipedia has a page devoted to it. Because the idea is so obvious, defenders have spent considerable time devising countermeasures. There are many reasons why such an attack won't cause a global blackout.

Reason #1: active response

Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources like the root DNS servers. Within minutes of something twitching, hundreds of Internet experts will convene to solve the problem.

We've seen this response in action after major Internet worms (Morris Worm, Slammer, Blaster) and undersea cable breaks destabilized the Internet. Despite the devastating effects, defenders reacted quickly enough to mitigate the problems that most people never noticed anything was wrong.

The easiest active response is to block the sources of the offending traffic. Defenders can quickly work out where the attack traffic is coming from and filter packets from those sources before they reach the root DNS servers. Thus people might see disruptions for a few minutes, but not much longer.
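As an added illustration of that "figure out where it's coming from" step (this is example code written for this page, not Errata Security's or any root operator's tooling), the block below runs over a constructed packet log of the kind a root operator could pull from a border router. The log format, the addresses (documentation ranges, plus K-root's address quoted later in the post) and the traffic mix are all invented for the example. It uses two signals: a root server is authoritative only and never sends queries, so a DNS *response* arriving at it is unsolicited and marks its sender as a reflector; and any single source sending queries far above a sane rate can be dropped without hurting anyone else.

```python
import re
from collections import defaultdict

# K-root's anycast address, as quoted in the post; everything else here is constructed.
ROOT_IP = "193.0.14.129"

# One constructed log line per UDP datagram arriving at the server:
# <epoch seconds> <src> -> <dst> udp/53 qr=<DNS QR flag> len=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) udp/53 "
    r"qr=(?P<qr>[01]) len=(?P<len>\d+)$"
)

RESOLVERS = ["203.0.113.5", "203.0.113.9", "203.0.113.17", "192.0.2.44", "192.0.2.45"]


def build_sample_log():
    """Constructed traffic covering a 10-second window (not a real capture)."""
    lines = []
    # Background: five recursive resolvers, 2 queries/second each.
    for i in range(20):
        for n, src in enumerate(RESOLVERS):
            lines.append(f"{i * 0.5 + n * 0.01:.3f} {src} -> {ROOT_IP} udp/53 qr=0 len=47")
    # Reflection: two open resolvers bouncing 3 KB responses the root never
    # asked for, about 15 per second from each.
    for i in range(300):
        src = "198.51.100.7" if i % 2 else "198.51.100.23"
        lines.append(f"{i / 30:.3f} {src} -> {ROOT_IP} udp/53 qr=1 len=3012")
    # Direct flood: one host sending 50 small queries per second.
    for i in range(500):
        lines.append(f"{i / 50:.3f} 192.0.2.200 -> {ROOT_IP} udp/53 qr=0 len=47")
    return lines


def summarize(lines):
    """Per-source packet count, byte count and count of unsolicited responses."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "responses": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        entry = stats[m["src"]]
        entry["packets"] += 1
        entry["bytes"] += int(m["len"])
        if m["qr"] == "1":
            entry["responses"] += 1
    return dict(stats)


def block_list(stats, window_seconds, max_qps=20.0):
    """Sources to drop at the border, mapped to the reason for each.

    A root server is authoritative only and never sends queries, so any DNS
    response (qr=1) arriving at it is unsolicited: the sender is a reflector.
    A source sending queries far above max_qps is either a broken resolver or
    part of the flood; dropping it harms nobody else.
    """
    blocked = {}
    for src, entry in stats.items():
        qps = entry["packets"] / window_seconds
        if entry["responses"]:
            blocked[src] = "unsolicited DNS responses (reflector)"
        elif qps > max_qps:
            blocked[src] = f"{qps:.0f} qps exceeds limit of {max_qps:.0f}"
    return blocked


def fraction_of_bytes_blocked(stats, blocked):
    """How much of the inbound byte volume the block list removes."""
    total = sum(entry["bytes"] for entry in stats.values())
    dropped = sum(stats[src]["bytes"] for src in blocked)
    return dropped / total if total else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    stats = summarize(log)
    blocked = block_list(stats, window_seconds=10.0)
    for src, why in sorted(blocked.items()):
        print(f"deny {src}  # {why}")
    print(f"{fraction_of_bytes_blocked(stats, blocked):.1%} of inbound bytes dropped")
```

One caveat worth keeping in mind: source-based blocking works against reflectors (their addresses are real, since the responses must come from them) and against bots that don't spoof. A direct flood with forged source addresses has to be handled further upstream, by rate limiting or by filtering on the traffic's entry point rather than its claimed source.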

Reason #2: diversity

There are 13 root name servers (labeled A through M), run by different organizations using different hardware, software, and policies. A technique that takes out one of them likely won't affect the other 12. To have a serious shot at taking out all 13, a hacker would have to test attacks against each one. But the operators would notice the attacks being tested and start mitigating them before a coordinated attack against all 13 could be launched.

Reason #3: anycasting

Anycasting is a tweak to Internet routing: the same IP address is announced from many places at once, and each client's traffic is delivered to whichever of those places is closest to it in routing terms. Thus, while the "K" root DNS server appears to have the single IP address "193.0.14.129", in fact there are 20 machines with that address spread throughout the world. When I trace the route to the "K" server from Comcast in Atlanta, it goes to a server located at an exchange point in Virginia. If you do your own traceroute, you are likely to find a different location for the server.


Physical location of the IP address 193.0.14.129



Route from Comcast in Atlanta to 193.0.14.129

(Notice that while the map indicates the only U.S. "K" server is in Florida, my traceroute appears to go to Virginia; the map is probably out of date.)

Reason #4: fat pipes

The root servers are not located on the edges of the Internet, but at nexus points on the Internet backbone where many high-capacity links come together. Even using the "network amplification" technique described by #Anonymous, the attack won't overload the network connections leading to the root servers.


Such attacks might overwhelm the servers themselves, but there amplification is much less of a threat. Whereas raw bits-per-second is the limiting factor for Internet links, packets-per-second is the limiting factor for servers. Amplification produces bigger packets, not more of them, so it adds little to the load the servers actually care about.
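The interplay of Reasons #3 and #4 is easier to see with numbers, so here is a small model written for this page (not code from the post, and the sites, capacities, hop counts and attack rates are all hypothetical). Each attack flow is routed to the anycast site with the shortest AS path, as BGP would do; each site has a link capacity measured in bits per second and a server capacity measured in packets per second; and amplification is modelled as the post describes it, making every packet bigger but not adding packets (IP fragmentation of responses larger than the MTU, which would add some packets, is deliberately left out).

```python
from dataclasses import dataclass


@dataclass
class Site:
    """One anycast instance: the links into it and the hosts behind them."""
    name: str
    link_bps: float       # capacity of the links into the site, bits/s
    server_pps: float     # packets/s the servers behind it can process
    rx_pps: float = 0.0
    rx_bps: float = 0.0

    def utilization(self):
        return {"link": self.rx_bps / self.link_bps,
                "server": self.rx_pps / self.server_pps}

    def overloaded(self):
        u = self.utilization()
        return u["link"] > 1.0 or u["server"] > 1.0


@dataclass(frozen=True)
class Flow:
    region: str              # where the packets enter the Internet
    pps: float               # packets per second aimed at the anycast address
    bytes_per_packet: float  # ~64 for a bare query, ~3000 once reflected/amplified


# Hypothetical BGP view: AS-path length from each source region to each site.
HOPS = {
    "us-east": {"iad": 1, "lon": 3, "ams": 3, "tyo": 4},
    "us-west": {"iad": 2, "lon": 4, "ams": 4, "tyo": 3},
    "eu":      {"iad": 3, "lon": 1, "ams": 1, "tyo": 4},
    "asia":    {"iad": 4, "lon": 4, "ams": 3, "tyo": 1},
}


def make_sites():
    """Four identical sites: 10 Gbit/s of links, 1M packets/s of servers (assumed)."""
    return {n: Site(n, link_bps=10e9, server_pps=1e6) for n in ("iad", "lon", "ams", "tyo")}


def nearest_site(region):
    """What BGP does: pick the shortest AS path (ties broken by name here)."""
    return min(HOPS[region], key=lambda site: (HOPS[region][site], site))


def route(flows, sites):
    """Deliver each flow to its nearest site and accumulate the load there."""
    for f in flows:
        site = sites[nearest_site(f.region)]
        site.rx_pps += f.pps
        site.rx_bps += f.pps * f.bytes_per_packet * 8
    return sites


def amplify(flow, factor):
    """Reflection makes each packet `factor` times bigger, not more numerous
    (IP fragmentation of responses above the MTU is ignored here)."""
    return Flow(flow.region, flow.pps, flow.bytes_per_packet * factor)


def status(sites):
    return {n: ("DOWN" if s.overloaded() else "up") for n, s in sites.items()}


def scenario_amplified(pps=20_000, factor=50):
    """Same packet rate before and after amplification: link load grows
    `factor`-fold, server load does not move."""
    plain = Flow("us-east", pps, 64)
    before = route([plain], make_sites())["iad"].utilization()
    sites = route([amplify(plain, factor)], make_sites())
    return before, sites["iad"].utilization(), status(sites)


def scenario_concentrated_flood(pps=5_000_000):
    """Bots all in one region: only the site nearest them sees the flood."""
    return status(route([Flow("us-east", pps, 64)], make_sites()))


if __name__ == "__main__":
    before, after, st = scenario_amplified()
    print("amplified x50:", before, "->", after, st)
    print("5M pps from us-east:", scenario_concentrated_flood())
```

Two things fall out of the model. Amplifying a 20,000 packet/s stream fifty-fold multiplies the link load fifty-fold but leaves the server-side packet rate exactly where it was, which is the post's bits-versus-packets point. And a flood large enough to exceed a site's packet budget only ever reaches the one site its sources are routed to; the other three never see a packet of it, which is why anycast turns a would-be global outage into a regional one.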

Reason #5: gTLD servers

All a root server does is resolve the last part of a name, like ".com" or ".jp": it answers with a referral to the servers for that top-level domain (the "gtld-servers" in the case of ".com"), and the resolver that asked takes it from there. Resolvers cache that referral for days, so while the root servers are designed to handle millions of requests per second, in practice they serve only a few thousand.

Indeed, the best way to cause a "global blackout" wouldn't be to attack the root servers themselves, but the "gtld-servers" at the next level down, or even the individual domain-specific servers (like those for Google or Facebook) at the level below that. If people can't get to their Google, Twitter, and Facebook, the Internet is down as far as they are concerned.


All a root server does is resolve the ".com" portion of "www.facebook.com"
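To show why so little traffic ever reaches the root, here is a toy caching resolver written for this page (not the post's code, and not a real resolver). It resolves names iteratively, root first, then the TLD servers, then the domain's own servers, and skips any tier whose referral is still in its cache. The zone data is constructed: the Facebook address is the one quoted above, the other addresses are documentation addresses, and the one real value is the root zone's delegation TTL of 172800 seconds (two days), which is what makes the effect so large.

```python
from collections import Counter

# Constructed toy zone data.  The one real value is the root zone's delegation
# TTL of 172800 seconds (2 days); the facebook.com address is the one quoted in
# the post, the rest are documentation addresses (192.0.2.0/24).
ROOT_ZONE = {"com": 172800, "jp": 172800}                   # TLD -> referral TTL
TLD_ZONES = {
    "com": {"facebook.com": 172800, "google.com": 172800},  # domain -> referral TTL
    "jp":  {"example.jp": 86400},
}
AUTH_ZONES = {
    "facebook.com": {"www.facebook.com": ("66.220.158.25", 300)},  # name -> (A, TTL)
    "google.com":   {"www.google.com": ("192.0.2.10", 300),
                     "mail.google.com": ("192.0.2.11", 300)},
    "example.jp":   {"www.example.jp": ("192.0.2.20", 300)},
}


class Resolver:
    """A caching recursive resolver doing iterative resolution: root, then
    TLD, then the domain's own servers, skipping any tier whose referral
    is still in cache."""

    def __init__(self):
        self.cache = {}            # (rrtype, name) -> (value, expires_at)
        self.queries = Counter()   # how many queries went to each tier

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def resolve(self, name, now):
        labels = name.split(".")
        tld, domain = labels[-1], ".".join(labels[-2:])

        answer = self._cached(("A", name), now)
        if answer:
            return answer                                   # served from cache

        if not self._cached(("NS", domain), now):
            if not self._cached(("NS", tld), now):
                # Only now does a packet reach a root server; it answers with
                # the referral to the TLD servers, cached for two days.
                self.queries["root"] += 1
                self.cache[("NS", tld)] = (f"{tld}-servers", now + ROOT_ZONE[tld])
            self.queries["tld"] += 1
            ttl = TLD_ZONES[tld][domain]
            self.cache[("NS", domain)] = (f"ns.{domain}", now + ttl)

        self.queries["auth"] += 1
        addr, ttl = AUTH_ZONES[domain][name]
        self.cache[("A", name)] = (addr, now + ttl)
        return addr


NAMES = ["www.facebook.com", "www.google.com", "www.example.jp", "mail.google.com"]


def run(names=NAMES, lookups=1000):
    """One lookup per second, cycling through `names`; returns queries per tier."""
    r = Resolver()
    for t in range(lookups):
        r.resolve(names[t % len(names)], now=t)
    return dict(r.queries)


if __name__ == "__main__":
    print(run())   # {'root': 2, 'tld': 3, 'auth': 16} for 1000 lookups
```

Out of a thousand lookups the root answers two, once for ".com" and once for ".jp", and would not hear from this resolver again for two days. The TLD servers answer once per domain, and the domain's own servers take everything the short A-record TTL lets through. That is the ordering of the post's point: the further down the tree you attack, the more of the real query load you are standing in front of.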

Consequence

The #Anonymous hackers can certainly cause local pockets of disruption, but these disruptions will be confined to the networks where their attack machines or their "reflectors" are located. They might affect a few of the root DNS servers, but it's unlikely they could take all of them down, at least not for any length of time. On the day of their planned Global Blackout, it's doubtful many people would notice.

Note: just because I say #Anonymous can't do it doesn't mean it can't be done. I think I might be able to do it, given 6 months. There are several others I know who might be able to do it. And, if we got into a room and brainstormed, I'm certain we could do it.

SOURCE: Errata Security. Errata Security is a high-end cyber security consulting company.
