Planned Anonymous Attack on the Internet Likely to Fail

Monday, February 20, 2012


Elements of the rogue hacktivist movement Anonymous have posted details of an ambitious effort to limit user access to the Internet as part of a protest planned for March 31st.

"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down," the hacktivists threatened in a Pastebin posting.

The plan, dubbed "Operation Global Blackout", will attempt to disrupt the Internet's thirteen root Domain Name System (DNS) servers with a Reflective DNS Amplification DDoS tool developed by the collective.

While the operation will not actually crash the Internet, the intention is to cause users to receive an error when attempting to access a desired URL.

"In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet... Anybody entering 'http://www.google.com' or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to 'kill' the Internet, we are only temporarily shutting it down where it hurts the most," the Pastebin posting explains.

The detailed posting goes on to explain the fundamentals of the planned attack as such:

"We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec's DHN, contains a few bugfix, a different dns list/target support and is a bit stripped down for speed."
 
"The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query."
 
"The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us."

"Since the attack will be using static IP addresses, it will not rely on name server resolution, thus enabling us to keep the attack up even while the Internet is down. The very fact that nobody will be able to make new requests to use the Internet will slow down those who will try to stop the attack. It may only lasts one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known."

Will the attack be effective in causing a denial of service for most Internet users?

Errata Security's

"The attack is no longer practical. It's such a common idea that Wikipedia has a page devoted to it. For something so obvious, defenders have spent considerable time devising solutions. There are many reasons why such an attack won't cause a global blackout,"

"Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources, like root DNS servers. Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem... The easiest active response is to blackout the sources of the offending traffic. Defenders can quickly figure out where the attacks are coming from, and prevent packets from those sources from reaching the root DNS servers. Thus, people might see disruptions for a few minutes, but not likely any longer."

Graham goes on to list several other factors that make a successful attack against the thirteen root DNS servers nearly impossible to carry out, including the diversity of the deployed server hardware, the use of anycast routing techniques, the way cached responses are handled, and the fact that the Internet backbone is designed to handle millions of simultaneous requests.
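Two points above combine into a simple defensive filter: reflected answers reach a victim that never sent the matching query, and defenders can identify the sources and block them. The Python below is an added example, not code from the article, from Graham, or from any root server operator; the record layout, the `find_reflectors` name, the byte threshold and the sample traffic (documentation-range addresses) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of DNS packets seen at a victim's network border.
# Fields: direction, remote IP, local UDP port, DNS transaction ID,
#         is_response flag, packet size in bytes.
SAMPLE = [
    ("out", "198.51.100.53", 40001, 0x1A2B, False, 64),
    ("in",  "198.51.100.53", 40001, 0x1A2B, True, 180),   # solicited answer
    ("in",  "203.0.113.10",  53124, 0x9999, True, 3100),  # never asked for
    ("in",  "203.0.113.10",  53124, 0x9999, True, 3100),
    ("in",  "203.0.113.10",  53124, 0x9999, True, 3100),
    ("in",  "203.0.113.77",  41000, 0x0001, True, 3000),
    ("in",  "203.0.113.77",  41000, 0x0002, True, 3000),
    ("in",  "192.0.2.8",     40002, 0x7777, True, 120),   # stray late answer
]

def find_reflectors(records, min_bytes=4000):
    """Return (ip, packets, bytes) for sources of unsolicited DNS responses.

    A response is solicited only if an outgoing query with the same remote
    IP, local port and transaction ID is still pending. Anything else is
    counted against its source. min_bytes (an assumed threshold) keeps the
    occasional stray or late answer off the block list.
    """
    pending = set()
    unsolicited = defaultdict(lambda: [0, 0])  # ip -> [packets, bytes]
    for direction, remote, port, txid, is_response, size in records:
        key = (remote, port, txid)
        if direction == "out" and not is_response:
            pending.add(key)
        elif direction == "in" and is_response:
            if key in pending:
                pending.discard(key)  # one answer per query is legitimate
            else:
                stats = unsolicited[remote]
                stats[0] += 1
                stats[1] += size
    hits = [(ip, n, b) for ip, (n, b) in unsolicited.items() if b >= min_bytes]
    # Largest contributors first: these are the sources to filter upstream.
    return sorted(hits, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for ip, packets, total in find_reflectors(SAMPLE):
        print(f"block {ip}: {packets} unsolicited responses, {total} bytes")
```

A server that only answers queries and never sends its own has an empty pending set, so every inbound response counts as unsolicited.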

Given Graham's analysis, it looks as though the planned Anonymous attack is good for little more than making some headlines and perhaps causing some unfounded concern from Internet users, which is probably why the operation was broadcast so far in advance.

Matthijs R. Koot: Also, it may be an April Fools' joke to begin with.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.