Anonymous Threatens to DDOS Root Internet Servers

An upcoming campaign announced by the hacking group Anonymous directed against the Internet's core address lookup system is unlikely to cause much damage, according to one security expert.

In a warning on Pastebin, Anonymous said last Thursday it would launch an action on March 31 as part of "Operation Global Blackout" that would target the root Domain Name System (DNS) servers.

Anonymous said the attack has been planned as a protest against "our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun."

The DNS translates a Web site name, such as www.idg.com, into a numerical IP (Internet Protocol) address, which is used by computers to find the Web site.

The 13 authoritative root servers contain the master list of where other nameservers can look up an IP address for a domain name within a certain top-level domain such as ".com."

The group said it had built a "Reflective DNS Amplification DDOS" (distributed denial-of-service) tool, which causes other DNS servers to overwhelm those root servers with lots of traffic, according to the Pastebin post.

But there are several factors working against the Anonymous campaigners, wrote Robert Graham, CEO of Errata Security.

"They might affect a few of the root DNS servers, but it's unlikely they could take all of them down, at least for any period of time," Graham wrote. "On the day of their planned Global Blackout, it's doubtful many people would notice."

Although there are 13 root servers, an attack on one would not affect the other 12, Graham wrote. Additionally, an attack would be less successful due to "anycasting," which allows traffic for a root server to be redirected to another server containing a replica of the same data.

There are hundreds of other servers worldwide that hold the same data as the root servers, which increase the resiliency of DNS.

ISPs also tend to cache DNS data for a while, Graham wrote. ISPs may cache data for a day or two before needing to do a fresh lookup, a time period that can be set on servers known as "time-to-live." It means that even if a root server was down, it would not necessarily immediately affect an ISP's customers.

Lastly, root DNS servers are closely watched. If trouble started, the malicious traffic to the root servers would likely be blocked, with disruptions lasting a few minutes, Graham wrote.

"Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem," he wrote.

Send news tips and comments to jeremy_kirk@idg.com

Subscribe to the Security Watch Newsletter

Comments