Anonymous plans to take down the 13 root DNS servers that power the Internet? (pastebin.com)
105 points by fady on Feb 15, 2012 | 103 comments



I don't know if they're just simplifying things or are just clueless, but none of the 13 DNS roots are single servers. Most or all of them aren't even in a single physical site.

There's somewhere around 240 root server sites each consisting of multiple physical servers, just served up on 13 IPs.

Given that many of these sites are colocated at interchanges and with providers with tons of multi gigabit links, they have quite a challenge...

RIPE last year had an incident where they reported a fivefold increase in queries to the K-root without any operational problems, for example. They successfully handled close to 70,000 queries per second at one point.

I'll be surprised if they manage to even have a noticeable effect.


They might be able to attack by doing something that takes more computation on the DNS servers' part than a simple query. Still, DNS scales very well; for example, Google's DNS servers average 800,000 queries per second, so I would not be surprised if there was ridiculous overkill at the root servers.

PS: I suspect this is most likely just someone's random trolling of the internet.


How is load balancing accomplished with this?



We have no proof that this is even Anonymous. We have nothing that says that the author of this is even a hacker or knows hackers. Any person following the Anonymous attacks and statements could have easily written this file.

Why is this on Hacker News? This is not news, this is a poorly (tech wise) written short story.


Anonymous isn't a group, it is a meme, and so it doesn't make sense to say that someone could be impersonating anonymous.

I agree that non-credible claims under the Anonymous meme should be hidden here if they don't have a significant enough following to be newsworthy - the use of a particular meme does not automatically make something newsworthy.


> Q: What if all root name servers would stop answering queries?

> A: Now you are stretching it. How likely is that? The diversity in the system will prevent that from happening. But let's treat it as a hypothetical case: In that hypothetical case the Internet will not suddenly grind to a halt. If absolutely nothing is done to correct the situation every hour about 2% of all queries will not be answered, 2% at the end of the first hour, 4% at the end of the second hour and so forth until 48h after the root name servers stop answering queries no DNS names can be resolved anymore. However it is even more hypothetical to assume that nothing will be done to correct this hypothetical situation.

> Even in the hypothetically hypothetical case that the root name server operators would do nothing to correct the situation, the IANA, TLD operators, ISPs and others would have the motivation and the means to take corrective action.

> Again: this is very hypothetical. DNS failures outside the root name servers are much more likely. Name service for the vast majority of top-level domains is very much less redundant than that of the root name servers. Whole top-level domains and major corporations have been unreachable for significant amounts of time because of DNS failures. Name service for the root zone has always been available.

http://www.isoc.org/briefings/020/


I think Anonymous doesn't really know how DNS works. The root nameservers don't serve zone data for most sites that people use anyways.

DNS is a distributed hierarchy for serving requests. It's designed to be fault-tolerant because if every name resolution (google.com->8.8.8.8) performed by a browser had to reach 13 servers in the world, we'd still be using gopher and newsgroups instead of the web.

DNS is distributed, hierarchical, redundant, and cached all over the place as much as possible. Even my laptop caches DNS queries until a reboot. Even if a DNS cache misses (which is infrequent), it goes to the nameserver hosting the zone, which isn't a root name server.

Bottom line, it's probably just a joke designed to get some attention and to experiment and see what actually does happen if you hit those servers.


And they are going to get around anycast redundancy how? [0] Also, what consumer level ISP allows egress of packets with a spoofed source IP?

[0] http://www.icann.org/en/announcements/factsheet-dns-attack-0...


Anycast in a DDoS situation would help, but if you throw enough traffic at it you end up with the original DDoS, plus a second DoS caused by cascade failure of the individual nodes going offline, causing BGP flap dampening.

Not sure if Anonymous has those kinds of resources though.


TFA recommends using VPN (which I assume has fewer restrictions than residential ISPs), or TOR (which has most of its outbound bandwidth on very large pipes which probably aren't filtered much).


> TOR (which has most of its outbound bandwidth on very large pipes which probably aren't filtered much).

TOR itself filters it:

    Also, remember that many of their more subtle communication mechanisms
    (like spoofed UDP packets) can't be used over Tor, because it only transports
    correctly-formed TCP connections.

My guess is that they're just clueless.


I suspect they were planning to use Tor for command and control.

Odd that it was only a requirement for the Windows software though. Perhaps they script its installation on the Linux side.


Command and control, of what? The ramp instances? Why would they need that?

And if the actual attack is direct, how will they escape the ISP's filters? According to The Spoofer Project[1], no ISP lets you spoof packets with IPs outside of at least the same /8 subnet. Can you even get a consumer connection with an IP in those subnets?

[1]: http://spoofer.csail.mit.edu/summary.php


> Command and control, of what? The ramp instances?

That's what I was thinking. But I'm just guessing without having downloaded the package.

> Why would they need that?

It's hard to know the motivations behind the person who wrote the Pastebin, but if you were to go to all the trouble to amass an army of bots with the capability of sending arbitrary packets with forged source IPs, wouldn't you want to retain some degree of control over it?

> And if the actual attack is direct, how will they escape the ISP's filters? According to The Spoofer Project[1], no ISP lets you spoof packets with IPs outside of at least the same /8 subnet. Can you even get a consumer connection with an IP in those subnets?

(Thank you for that fascinating link BTW.)

I dunno, the same thought occurred to me too.

Note that they encourage the use of "VPNs", though they don't specify to where. Maybe "VPN" to their audience is expected to represent some sort of anonymizing service (e.g. for illicit filesharing) that typically terminates at a backend datacenter which might not have effective egress filtering.

Again, just speculating.


Isn't their example of Google one that won't be affected? I was under the impression that very few DNS queries actually go to the root nameservers as ISPs and so on have it all cached. And since I highly doubt there is any ISP that has not had a user visit google.com in the last 48 hours, Google will still function for people?

In fact, the only people I can see this affecting (in the unlikely event it does happen) are people setting up new sites.


The pastebin post says that 'While some ISPs uses DNS caching, most are configured to use a low expire time for the cache.'

(Just re-iterating the post for Macha... I don't personally believe that the expire-times for ISP DNS cache is as short as Anonymous is making it seem -- but I don't have any numbers off-hand)


In my experience many ISPs do the exact opposite, and inflate cached TTLs up to a week. Makes migrations a pain in the ass.


Please prove this assertion by posting the address of a resolver that behaves as you describe.


There are more polite and productive ways of asking for proof of the phenomenon. Or, better yet, use Google the way it was meant to be used, and find out for yourself (just search for stories about DNS migration/propagation issues). People have documented visits to their old IP addresses for a very long time (much longer than the TTL) after updating their DNS with new IP addresses.


I don't see how you could construe my comment as being in any way impolite.

Google does not turn up any useful results for this subject. The only reference I've seen to resolvers doing something unusual with caching is on the dns-operations mailing list where I ran into a fellow who doesn't cache records with a TTL less than a minute.

Since you claim it is simple to find a resolver that extends the TTL beyond what the authoritative server has specified, can you please point me to such a resolver?

EDIT: Just to be clear, I'm after a server that I can query or something equally authoritative.

EDIT2: My apologies if this is seen as belaboring but please note that nicksuan's comment is not referring to CPE, stub resolvers or client apps.


Your original comment is impolite because it is presented as a demand without any explanation. A demand of proof without explanation can be interpreted as an accusation of lying. Something like, "I haven't seen this phenomenon myself; could you link to some example bad ISPs or articles documenting it?" would be much better.

As for proof, I'm not a professional sysadmin, but based on my reading the most proof you're likely to get is indirect proof in the form of requests to IP addresses long after they've been removed from DNS. If those requests are concentrated in a few ISP subnets, it's reasonable to infer that it's the ISP, not customer equipment, that is caching beyond TTL.


Your interpretation of my original comment seems extremely hypersensitive to me. Perhaps there is a cultural difference at play here.

The experience I've had in hosting ten-thousand odd zones suggests that these resolvers do not exist. I've seen a great many claims but am yet to actually see a resolver that extends TTLs in the wild and so I consider them all but myth.

In the past there have been issues at the client - predominantly with browsers, MTAs and stub-resolvers - so if I were to observe activity that suggested a stale cache I'd be more likely to attribute it to a bug (be it new or old) if no other data were available.


Most ISPs' DNS cache servers honor the TTL defined in the authoritative SOA records, unless it is 1 minute or less.

I think the average TTL time for a DNS zone would be measured in minutes. It needs to be that low in order to do SRV load-balancing, A/B testing, etc.

In any case, in the highly unlikely event that they manage to overload the 13 servers, there's plenty of time for every domain to temporarily extend the TTL on March 31.


Most TTLs for nameservers are on the order of days.


The negative cache time is defined by the SOA minimum field. Forward cache times are defined at the RR set level.


Most of the "root servers" are big anycast clusters. L root has at least 50 locations worldwide...


I think the Anonymous "hackers" are still under the impression that one IP equals one server. Anycast works very well with UDP and they're in for a surprise as their attack is diffused across so many different links.


Why do people always take these so seriously?

It's far more likely that a bored teenager somewhere wrote this.

Also, if we were to assume that Anonymous does actually exist in some semblance, they would never ship a notice like this with grammatical errors. They're small, but obvious.

I'll eat my foot if they actually manage to make a noticeable effect on the DNS servers anyway.


I'm pretty sure every hacker group has gotten this idea at one point or another. Has anyone even come close to taking down all the root DNS servers at once?


The last major attack was in 2007, and only two servers were rendered unreachable:

http://www.ripe.net/internet-coordination/news/industry-deve...

For anyone to actually notice, you have to take down all 13 for 48 hours, and it will be another 48 hours after that before there is a complete outage for everyone.


With Anycast DNS there's actually more than thirteen servers even if there's only thirteen IPs.

It's going to be almost impossible to flood them all simultaneously. These are machines on multi-gigabit backbone connections, not some crappy back-water FBI or CIA web server.


FBI and CIA have posters, not websites.


It has indeed been attempted in the past. If memory serves me well, the best hackers could do was take 3 of the 13 out at the same time.


Given the built-in resiliency of the DNS system, wouldn't creating an alternative system[1] be more effective in disrupting the status quo?

[1] http://en.wikipedia.org/wiki/AlterNIC


Creating one is easy compared to getting people to use it.


"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down."

What does taking down the internet have to do with that mission statement?


I, too, find this strange. This does not seem like an event with a specific objective in mind (beyond taking down DNS). It seems like a release of internal psychological tension onto the external world. Smacks of Jung's shadow: http://en.wikipedia.org/wiki/Shadow_(psychology)


When is it Anonymous and when is it some random guy that decides that now he will become Anonymous?


Yes, that's the essence of anonymous.


It is Anonymous when it has lulz.


Leaving aside the why, I'm highly doubtful they'd be able to pull it off. Back in the Conficker days, it was rumored that it could be used to shut down the Internet with a similar mechanism. Conficker, I can see. Anon? Hell no.


Now, I'm thinking about the order of DNS requests... Local hosts -> Router -> ISP/OpenDNS/etc -> on out to the root servers. Now wouldn't DNS caching make this attack only partially effective, really... if it even worked?


The point is to be heard, not to destroy anything in particular. They're just trying to get attention.


Weren't they going to take down the New York Stock Exchange a couple months ago too?


9 of the 13 root servers were taken down via a DDoS back in 2002.

http://c.root-servers.org/october21.txt

Although the report states "2.4. There are no known reports of end-user visible error conditions during, and as a result of, this attack.", it's not entirely accurate. I personally experienced issues with name resolution shortly after the attack started, and had no idea what the cause was until afterward. If I recall correctly, my name resolution was handled by Qwest, as they were the T1 transit provider I was using at the time.


Most interesting bit:

> The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query.

> The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.
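Added example, not from the thread or the pastebin: from the operator's side, the reflected traffic described above shows up as DNS responses arriving at a host that never sent the matching query. The detector below runs over constructed flow records in a format assumed for this example (timestamp, UDP 4-tuple, byte count, Q/R flag) and reports, per receiving address, how many unsolicited responses arrived, how many bytes they carried, and from how many distinct reflectors.

```python
import re
from collections import defaultdict

# Constructed record format for this example (not any real tool's output):
#   "<ts> UDP <src>:<sport> > <dst>:<dport> <bytes> <Q|R>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) UDP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<size>\d+) (?P<kind>[QR])$"
)


def parse_line(line):
    """Parse one flow record into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["size"] = int(rec["size"])
    return rec


def unsolicited_responses(records, window=5.0):
    """Return the DNS responses (kind R) whose receiver sent no matching query.

    A response matches a query when its 4-tuple is the query's 4-tuple reversed
    and the query was seen at most `window` seconds earlier. Each matched query
    is consumed, so a single query cannot excuse a stream of responses.
    """
    pending = defaultdict(list)  # expected response 4-tuple -> query timestamps
    flagged = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["kind"] == "Q":
            key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            pending[key].append(rec["ts"])
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        queue = pending[key]
        while queue and rec["ts"] - queue[0] > window:
            queue.pop(0)  # query too old to explain this response
        if queue:
            queue.pop(0)  # solicited: consume the matching query
        else:
            flagged.append(rec)
    return flagged


def reflection_summary(lines, window=5.0):
    """Per receiving address: count, bytes and distinct sources of unsolicited
    DNS responses. Returns an empty dict when every response was solicited."""
    records = [r for r in map(parse_line, lines) if r is not None]
    summary = {}
    for rec in unsolicited_responses(records, window):
        entry = summary.setdefault(
            rec["dst"], {"responses": 0, "bytes": 0, "reflectors": set()}
        )
        entry["responses"] += 1
        entry["bytes"] += rec["size"]
        entry["reflectors"].add(rec["src"])
    return summary


# Constructed sample: one legitimate query/response pair from a stub resolver,
# then three large responses landing on 192.0.2.10:53 that nobody asked for.
SAMPLE_FLOWS = [
    "1329350400.00 UDP 198.51.100.7:33021 > 192.0.2.53:53 64 Q",
    "1329350400.02 UDP 192.0.2.53:53 > 198.51.100.7:33021 512 R",
    "1329350400.10 UDP 203.0.113.5:53 > 192.0.2.10:53 3000 R",
    "1329350400.11 UDP 203.0.113.9:53 > 192.0.2.10:53 3000 R",
    "1329350400.12 UDP 203.0.113.5:53 > 192.0.2.10:53 3000 R",
    "this line is deliberately malformed and is skipped",
]

if __name__ == "__main__":
    for victim, info in reflection_summary(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['responses']} unsolicited responses, "
              f"{info['bytes']} bytes, {len(info['reflectors'])} reflectors")
```

The 5-second window is an assumption; a response that arrives later than that is reported as unsolicited, which also surfaces stale or replayed answers.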


Where could we find more information about those 13 servers? Why are there only 13 of them?



Here.[1] Most of them are not single-box servers, but clusters with multisite redundancy. That's why all attacks were unsuccessful in the past.

1. http://en.wikipedia.org/wiki/Root_name_server


So could organizations build their own Root NS cluster and be added to the 13 that already exist?

Do I misunderstand something as to why there are only 13, who controls them, etc?


* Verisign, because they inherited MCI and thus UUNet.

* USC, one of the headquarters of academic network research.

* Cogent (no idea why, but they're a sort-of tier 1 NSP).†

* UMD, another headquarters of academic network research.

* NASA, because space.

* ISC, because they organized the authorship of BIND.

* DISA, because of DARPA.

* Army Research Lab, because of .MIL.

* Whoever owns NORDU.NET, which is a consortium of Nordic network academics.

* Verisign because they stole it from Thráin II during their final captivity in Dol Guldur.

* RIPE, because they number Europe.

* ICANN, because they ostensibly oversee the whole DNS.

* WIDE because they're like the NORDU or MERIT of Japan.

Most of this, if you can't tell, is an artifact of which organizations built the instance of the Internet that caught on in the '90s (I was going to say "that built the commercial Internet", but they mostly didn't realize that was what they were doing when they did it).

Fun fact: in the early '90s, there were actual Internet netsplits, like you see on IRC, but across the Internet. Ripco, my ISP at the time, lost access to NSFNet and all of .EDU.

No, you can't add your company to this list.

Aha, it's Cogent because they bought PSI, and it was PSI because they helped build NSFNet and CIX.


Wow, thanks for the list. So mostly US organizations.

Could the design be better if we had to rewrite it today? Any plans to include other countries (China etc.)?


And so Google Public DNS is not really related to these Root NS then. They just simply offer it as a service for those that want to use it.


Google's DNS offering has nothing to do with the root servers.


Not only are there more than 13 of them, most of the root servers are now being served by anycast, so the same IP address corresponds to many servers around the globe.


http://en.wikipedia.org/wiki/Root_nameserver should answer most of your questions.


Surely this gives you an impression of how powerful this team is. I don't know if this is too borderline not to cause big consequences.

Also, even if I don't know if this is the best way to protest, I support the cause.


Pretty sure sending reply packets to root servers that never asked for them will simply be ignored. The only impact will be a busy network. As another poster mentioned, anycast will be hard to DoS.


Is it just me or does it seem like this attack will be self-defeating? They are relying on DNS servers to serve responses in order to make DNS servers stop serving responses.


No; the root nameservers have fixed IPs. Those IP addresses, and those of the vulnerable DNS servers to be used as reflectors, can be written down beforehand.


The problem is that, in the DNS spoof attack, the DNS reflectors have to have some data to send "back" to the spoofed IP. If the root servers are down, the reflectors won't have any data to send back, so the flood will stop as the reflectors' caches expire.


Possibly. I haven't read the particular technique they're planning to use here, but I recall some old attacks against Bind relied on query reflection, which might work in the absence of cached data.


As far as I know, they should still send a SERVFAIL response if they are unable to contact the authoritative servers.


So it's not just me. Thanks.


Does this mean that, even if we typed the IP address of a site, we would get an error? I'm not sure how all the protocols work, so any clarification would be great.


No, you could still get to the site with just an IP address, if you have it.


If the site is using name-based virtual hosting, then you'll have to add a new entry to your hosts file. Otherwise you likely will get an error.


OK, thanks for the clarification. What confused me was "thus, disabling the HTTP Internet".

I'm kinda glad they're attempting this, IMO. I'm tired of ignorant people not understanding what the "web" really is, and how important it is to keep it free and open. Sure, this might make "hackers" look bad, but honestly, if we sit back and do nothing, then we cannot complain when laws are passed, etc.

If they pull this off, it will be a historic day, no?


Did you seriously just ask how the web works, then complain about ignorant people who don't know how the web works...?

What does hackers using DDoS to knock a service offline have to do with it being free/open? Everything isn't about SOPA/ACTA/et al...


No. Are you really trying to start an argument? Clearly, you knew what I meant.

There is a difference between a web developer who did not understand some specifics regarding a protocol and an "average joe" user who does not even know what a protocol is.


Try not to take this personally, but in this context there's apparently not as much difference as you seem to think. Neither of you (as evidenced by your question) knew enough about DNS to fully understand the implications of what the article was saying. At best you knew enough to know what question to ask.

My point is actually that there's no reason average users need to know this stuff. Any more than there's a need for them to know what a CV boot is on their car. They know if the car makes a weird noise going around corners, call a mechanic. They know if they get errors on "teh Googlez", to call their ISP.


You might want to look into getting a DNS caching service which has other benefits besides being a guard against your main DNS going down. I'm not sure what options are available for Windows, but on Mac and Linux Dnsmasq fits that role just fine (and there are others).


Just curious if these root DNSes have low TTLs. What about servers that use squid-like caching tools for DNS records?


Let's assume they succeed. They take down the Internet at noon EDT (9AM PDT). What's the worst that could happen?


Well, that all depends. First, most requests don't go to the root servers -- they are far too important; second, there is caching on the ISPs' servers. To have any effect other than to make sysadmins dehydrate, Anon has to keep the attack up long enough for the caches to empty (if they are indeed configured to flush even if they cannot connect to the root; they may not be), and there are several layers of caching (your ISP is but one; your local computer may also have one).

But assuming they can keep it running long enough for the DNS service to die (and they may very well; that flaw is pretty smart, though they have to use the actual IP of the vulnerable DNS servers, which means that it can be filtered if the admins are smart enough)? Well, goodbye internet -- you would just get an error, no matter which website you would try to access. A pretty grim situation, but not likely.


Bittorrent will still work, though ;) Well, at least if using DHT. The trackers use a domain, of course.


The bankers will pack up for the day and play golf; no real impact.


I got a feeling this news will break pastebin and not DNS :P


Talk about cutting off the branch you are sitting on...


Anyone consider this might be a fake? Any verification?


They should say the word "thus" more often...


The bottom line is simple: they can't do it, they won't be able to do it, and it makes the issue moot. Someone is desperate for attention.

You would need to have complete control over the infrastructure of something equivalent to an Amazon, Microsoft, or Google to take down the whole DNS system - and it would require a permanently sustained and constantly evolving attack.

I'm always amazed at the vast under-estimation of what would be faced in a real attempt of that sort. First, let's assume they made some progress and actually started harming the stability of the global Internet. 1) the number of interested parties (from hackers to corporations) that would immediately respond to the counter, in numerous ways, would resolve the issue in an extraordinarily short amount of time and 2) watch you don't have the US special forces black bagging you within 24 hours if you're involved, no matter where you're at on earth. The corporate money interest in the Internet being up is at least a hundred billion dollars per day. They will kill you over that, or at the least put you in an off grid terrorist prison.


Um, BGP?


Good luck, Onanymous.

Big talk, like with Facebook, but nothing will happen.


Soooooo ... why are they telling everyone? Forewarned = forearmed and all, yo. Won't work. Unless they have something totally different planned and this is a simple misdirection.


Guys, someone is pulling the Internet's leg, and right now I assure you that the pastebin post author is laughing his head off that it's on HN.

Can we kind of bury this?


hmm..and people here on HN say they aren't a digital terrorist group.....


You'd have to be more clear on who "they" are. Some of them are no doubt 'digital terrorists', many are not. The they isn't the same they from campaign to campaign.

Everyone who wants to be Anonymous, is.


While the DOS discussed in that link is quite obviously misguided, counterproductive, juvenile and likely criminal, 'terrorism' seems like a pretty strong word.


What is the purpose of the action if not to create some small amount of terror on the part of "our irresponsible leaders"?


DOS is a kind of protest, like a picket line. Protest != terrorism.


A protest becomes terrorism when it prevents access to vital services (eg "picketing" a hospital and not allowing ambulances in/out)


So if a bunch of hospital workers were protesting their pay and formed a picket line around a hospital, their purpose would be to 'instill terror?' Somehow this comes across as adding to the dilution of the word 'terrorism.'

Do you really think that picketing a hospital is comparable to using guerilla tactics against a civilian population?

I'm not agreeing that people should be allowed to prevent access to a hospital, but the idea that 'terrorism' is the best label for this sort of action seems ill-advised. Maybe I'm being naive, but I don't think that anyone would have called such actions 'terrorism' back in the 90's, why is it all of the sudden terrorism now?

Seems like any deliberate action by a small group of people against a larger group of people that will have any sort of adverse effect on the larger group is being crammed into the 'terrorism' bucket these days...


And to more directly address your first question, no, their goal wouldn't be to instil terror. That's never the goal, merely the method.

This is why the subject gets clouded: terrorists' _goals_ are to achieve change. Their _method_ is to do this by instilling terror.


if you're in the ambulance, or think you might be, and are refused access to life-saving medicine, you will be terrified.

Terrorism is using force or the threat of force against a population to achieve political or economic goals. That is chapter and verse what Anon is doing with these threats.

There are (obviously) degrees of terrorism. Hitting buildings with planes isn't the same as sending a few letters with anthrax in them. But both are terrorism.


  > Terrorism is using force or the threat of force
  > against a population to achieve political or economic
  > goals

A bunch of people handcuffed in a circle around a hospital doesn't have anything to do with 'force.' Just sayin'.


Okay, let's see... so your kid is in the ambulance on his way to the hospital. A bunch of people, by way of their sheer numbers, purposefully prevent your kid from receiving the medical attention he needs. Kid dies.

I agree terrorism is a stretch, to be sure... but let's not mince words. A picket line is one thing; they generally won't physically stop you from passing. There are plenty of countries in the world, quite nice places otherwise, where such protests turn into full blockades of highways, and they will not let an ambulance or anyone else past. The first time I saw this I wondered why they were not all arrested for blocking a critical transit route (and this was no exaggeration or trumped-up thing... they blocked the highway for days; a few people died for lack of medical care).


Inertia == force. Just sayin'


It's not just this. Every single time a new link is posted about Anonymous it's some form of digital terrorism.

It has barely a purpose and only serves to disrupt the masses. They even have made threats that they would do X if Y isn't done.

This is terrorism to me.


This is a serious question:

Are you actually in a state of terror by this Pastebin entry, or are you just saying it's rhetorical 'terrorism'?


oh to be an agent provocateur these days! post on pastebin and be home in time for dinner. tomorrow, enjoy the "news" articles calling for a more "secure" internet ...


Do you classify strike action by unions as terrorism? Unions threaten to do X if Y isn't done and end up disrupting the masses.



