The other day on pastebin, snippets of an email conversation were posted in which members of the hacking group Anonymous discuss plans to conduct DoS attacks against the Internet’s root name servers:
To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black.
In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet. Those servers are as follow:
A 198.41.0.4
B 192.228.79.201
C 192.33.4.12
D 128.8.10.90
E 192.203.230.10
F 192.5.5.241
G 192.112.36.4
H 128.63.2.53
I 192.36.148.17
J 192.58.128.30
K 193.0.14.129
L 199.7.83.42
M 202.12.27.33
By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus, disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering “http://www.google.com” or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to ‘kill’ the Internet, we are only temporarily shutting it down where it hurts the most.
Going after the Internet’s root servers is a very bold move by Anonymous. Whereas before they were “merely” breaking into companies that they believed were acting contrary to the hacker ethic, going after the Internet’s infrastructure is another thing altogether.
Why?
The United States considers its cyber grid a critical component of US infrastructure. In a post entitled “Military asserts right to return cyber attacks”:
WASHINGTON—The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker’s identity is unknown, the director of the National Security Agency told Congress. Lt. Gen. Keith Alexander, who is the Obama administration’s nominee to take on additional duties as head of the new Cyber Command;
He added that while “this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful.”
In a follow-up article called “The military and the right to respond with force”:
The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.
One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.
In the articles that I quoted, it is ambiguous whether or not the military considers the Internet to be at the same level as the power grid. But if the power grid were shut down as a result of a hacker attack on the Internet, would the military consider this an act of war?
This is where it becomes legally murky, because hackers who shut down the Internet are not a traditional military force associated with a country. Therefore, on whom could the military declare war? On the other hand, the US military has a “war on terror” in which the enemy combatants are not members of another state, but instead are transnational actors acting without the sanction of the countries in which they are located. This has not stopped the US government from engaging in a battle against these stateless players.
The FBI has stated that its number one priority is stopping terrorism. The military has said that if a cyber attack causes a high level disruption that a traditional military attack would cause, then that could merit retaliation. After the events of September 11, the US mobilized its resources and threw tremendous weight towards apprehending the people behind it.
If Anonymous were to succeed in shutting down the Internet, or even try really hard to do it, they are risking elevating their profile from a playful nuisance to the target of international law enforcement with billions of dollars in resources behind it. The FBI only has so many resources right now to fight cyber crime. They’d see their budgets go up in a hurry if the Internet went down because of a cyber attack.
The US spent 10 years hunting down bin Laden, relentlessly giving chase. The Anonymous hackers would do well not to raise the ire of the American military.
This demonstrates, as I’ve pointed out in the past, the benefits of keeping the zone file small (i.e. few new TLDs), in order that the root zone file can be distributed out-of-band if need be.
If the zone file was only 68KB, major ISPs could obtain it via dialup for example. Or it could be distributed via satellite, radio, TV, and then redistributed via bittorrent, etc. A small file that hardly ever changes is inherently beneficial for security.
Even if the root servers went down, most traffic happens on .com and .net. If the nameservers for those TLDs don’t change during the attack, and caching nameservers don’t invalidate stale records that are past their TTL, the actual damage would be minimal.
P.S. OpenDNS offers SmartCache, so those who have that enabled would probably see minimal disruption. I’m not sure if other DNS providers offer it, but it’s the same principle as above (i.e. don’t invalidate stale records past their TTL, in certain situations).
I agree that the US response may be severe, and much larger than Anonymous seems to believe.
However, the TTL on the com, net, org and probably most (all?) of the other TLD NS records is 48 hours, so almost everyone will still be able to operate normally for quite a while. Anonymous will need to maintain the full power of this attack for at least 12 hours in the face of increasing counter measures. I doubt they can or will do that.
If Anonymous only cuts off IPv4 access to the root servers, DNS servers with IPv6 connectivity will be able to use that to receive the proper signed delegations of the .com NS records, and so won’t see any outage at all.
It is not trivial for outsiders to determine the number of different BGP announcements for any particular IP address that is being anycast. If my DNS server can reach any one of those root servers through a path that this attack is not blocking, then the attack fails, my DNS server continues to resolve names in .com, and we won’t see any outage.
On the bright side, an effective attack will create a new market for vanity IP addresses. :) e.g. Google Public DNS with their 8.8.8.8 and 8.8.4.4
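The behaviour the two comments above describe (a 48-hour TTL on the TLD NS records keeping .com resolvable while the root is unreachable, and a cache that keeps answering from records past their TTL when the authoritative servers cannot be reached) can be simulated in a few dozen lines. The following Python is an added example, not code from the post or from either commenter. The only figure taken from the thread is the 172800-second TTL; the zone data, the outage timeline and the seven-day serve-stale window are constructed, and the stale-answer policy is the one later standardized in RFC 8767, reduced here to a single “how long past expiry may we still answer” limit.

```python
"""Toy recursive-resolver cache: why a root outage is slow to bite.

Added example; not code from the original post or its commenters.
ROOT_ZONE, the timeline and the serve-stale window are constructed.
"""
from dataclasses import dataclass

HOUR = 3600
ROOT_NS_TTL = 48 * HOUR      # 172800 s, the TTL on the TLD NS sets in the root zone

# Constructed stand-in for the delegation a root server would hand back.
ROOT_ZONE = {
    ("com.", "NS"): (["a.gtld-servers.net.", "b.gtld-servers.net."], ROOT_NS_TTL),
}


@dataclass
class CacheEntry:
    rdata: list
    expires: int             # absolute time at which the record stops being fresh


class Resolver:
    """Caches root answers; optionally serves stale data when the root is down."""

    def __init__(self, serve_stale: bool, max_stale: int = 7 * 24 * HOUR):
        self.serve_stale = serve_stale
        self.max_stale = max_stale          # how far past expiry we will still answer
        self.cache = {}
        self.root_reachable = True

    def _query_root(self, key):
        if not self.root_reachable:
            raise TimeoutError("no root server answered")
        return ROOT_ZONE[key]

    def lookup(self, name: str, rtype: str, now: int):
        """Return the RRset, or None where a real resolver would SERVFAIL."""
        key = (name, rtype)
        entry = self.cache.get(key)
        if entry and now < entry.expires:
            return entry.rdata               # fresh: the root is never consulted
        try:
            rdata, ttl = self._query_root(key)
        except TimeoutError:
            # Expired (or never cached) and upstream is down: the serve-stale path.
            if entry and self.serve_stale and now < entry.expires + self.max_stale:
                return entry.rdata
            return None
        self.cache[key] = CacheEntry(rdata, now + ttl)
        return rdata


def run_scenario(serve_stale: bool) -> dict:
    """Warm the cache at t=0, lose the root, then probe at later hours.

    Returns {hour: resolved?} so the two policies can be compared side by side.
    """
    r = Resolver(serve_stale=serve_stale)
    assert r.lookup("com.", "NS", 0) is not None   # warm-up while the root is up
    r.root_reachable = False                        # attack begins
    checkpoints = (1, 47, 49, 24 * 7 + 49)          # inside TTL, edge, past TTL, past stale window
    return {h: r.lookup("com.", "NS", h * HOUR) is not None for h in checkpoints}


if __name__ == "__main__":
    for policy in (False, True):
        print("serve_stale=%s:" % policy, run_scenario(policy))
```

With the root unreachable from hour 1, both resolvers keep answering for the full 48-hour TTL; only the serve-stale resolver still answers at hour 49, and neither answers once the stale window has also run out, which is why the commenter’s “at least 12 hours” is really a floor on attack duration rather than the point at which damage starts.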
The DNS root infrastructure uses anycast technology to provide vastly superior resistance to these types of attacks. I think Anonymous are underestimating the strength of the root server infrastructure. There may be only 13 IP addresses but there are currently 259 servers sitting behind those IPs and they are spread globally. They will have to take out a large portion of these for the attack to be effective, and that could be difficult as it’s the routing topology that determines where the attacks will end up, hence it’s difficult to target a particular server. See this link for more info: http://www.root-servers.org/
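A practitioner reading the anycast comment above would want to know which instance of each root server their own vantage point actually reaches, since that is the path an attack would have to block. The following Python is an added example, not code from the post, the commenter or root-servers.org. It sends a raw CHAOS-class TXT query for hostname.bind, falling back to id.server (RFC 4892), to each of the thirteen addresses quoted in the post and returns the identity string the reached instance gives back. Assumptions: the address list is the 2012 one quoted above (B-root has since moved to 199.9.14.201); operators are not obliged to answer either name, in which case the probe reports nothing; and the sample reply used for the offline check is constructed.

```python
"""Which anycast instance of each root server does this host reach?

Added example; not code from the original post or its commenters.
Addresses are the 2012 list quoted in the post (B-root later moved to
199.9.14.201). sample_response() is a constructed reply for offline testing.
"""
import random
import socket
import struct

ROOT_SERVERS = {
    "A": "198.41.0.4", "B": "192.228.79.201", "C": "192.33.4.12",
    "D": "128.8.10.90", "E": "192.203.230.10", "F": "192.5.5.241",
    "G": "192.112.36.4", "H": "128.63.2.53", "I": "192.36.148.17",
    "J": "192.58.128.30", "K": "193.0.14.129", "L": "199.7.83.42",
    "M": "202.12.27.33",
}
QTYPE_TXT, QCLASS_CH = 16, 3


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    # Header: ID, flags=0 (no RD; root servers are authoritative-only), QDCOUNT=1.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_txt_strings(msg: bytes, txid: int) -> list:
    """Return every CH TXT string in the answer section (empty if none)."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        return []                                 # REFUSED/NXDOMAIN: operator doesn't answer
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):                 # TXT rdata is a run of <len><chars>
                n = rdata[i]
                out.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return out


def probe(ip: str, timeout: float = 2.0) -> list:
    """Ask one server for hostname.bind, falling back to id.server."""
    for name in ("hostname.bind", "id.server"):
        txid = random.randrange(0x10000)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(txid, name), (ip, 53))
            try:
                data, _ = s.recvfrom(512)
            except socket.timeout:
                return []
        ids = parse_txt_strings(data, txid)
        if ids:
            return ids
    return []


def sample_response(txid: int) -> bytes:
    """Constructed reply carrying the instance id 'ams.example' (offline check)."""
    q = build_query(txid, "hostname.bind")
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR | AA
    txt = b"\x0bams.example"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return header + q[12:] + rr


if __name__ == "__main__":
    for letter, ip in ROOT_SERVERS.items():
        print(letter, ip, probe(ip) or "no identity returned / unreachable")
```

Run it from several vantage points (home ISP, a cloud region, a mobile network) and compare: the same letter returning different identity strings is a different anycast site, which is exactly the commenter’s point that routing topology, not the attacker, decides where the packets land.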
More fear mongering ....
In addition to the simplicity of local copies of the hierarchy at this level, if this threat is real then turning up resource record TTLs from hours or days to WEEKS would also address the matter. If DNS servers are doing what they are supposed to do, and I increasingly see them manipulating records, then such TTL adjustments will overcome such an attack ... Or expose the recent changes that I don’t see being discussed in public ....
That said, a successful attack would validate the foundational flaw of centralizing a system that was designed to be decentralized to ensure service. Time to “Split The Root” with multiple competing authorities. Let innovation return to the internet, so competitive forces can bitch slap “Anonymous” around rather than us constantly running to big brother, errr governments, to “save us from the bad guys” ....
Oh and here is more food for thought:
Who is “Anonymous”?
Could it be folks that are little more than privileged employees that are in a position to packet sniff primary backbones and thus view/intercept password recoveries via email? Watch insecure FTP logins? Have sniffed the true location of the master root server, and have gained access to it? And so on?
I think so.
Pretty brain dead “low tech”.
See Bruce Schneier’s Applied Cryptography discussions, especially the comments regarding NSA never needing to brute force anything. There are always brain dead exploits, and typically ignorant bureaucrats protecting them.
Yet I never see any rush to secure email, or initiatives to end plain text services that tend to expose important logins ..... Hmmm, isn’t that interesting ......
Trust the backbone, there are no bad guys on the inside, all the threats are on the border. Yeah, sure ... BY DEFINITION it is IMPOSSIBLE to protect a system from an ADMINISTRATOR gone bad, period.
“To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black…”
Does Anonymous have a history of attacking targets that are completely unrelated to the objects of their displeasure? Did “SOPA, Wallstreet, our irresponsible leaders” quietly take over DNS rootops and/or The Internet while nobody was looking? Or is this somebody’s clumsy attempt at Black Lectroids-style strategic fear-mongering? “Stop (somebody) before sunset, or you force us to help you destroy yourselves…”