
Anonymous plans to take down the 13 root DNS servers that power the Internet? - fady
http://pastebin.com/NKbnh8q8
======
vidarh
I don't know if they're just simplifying things or are just clueless, but none
of the 13 DNS roots are single servers. Most or all of them aren't even in a
single physical site.

There's somewhere around 240 root server _sites_, each consisting of multiple
physical servers, just served up on 13 IPs.

Given that many of these sites are colocated at interchanges and with
providers with tons of multi gigabit links, they have quite a challenge...

RIPE last year had an incident where they reported a fivefold increase in
queries to the K-root without any operational problems, for example. They
successfully handled close to 70,000 queries per second at one point.

I'll be surprised if they manage to even have a noticeable effect.

~~~
brother
How is load balancing accomplished with this?

~~~
icebraining
It uses Anycast: <https://en.wikipedia.org/wiki/Anycast>

------
eli
> Q: What if all root name servers would stop answering queries?

> A: Now you are stretching it. How likely is that? The diversity in the
> system will prevent that from happening. But let's treat it as a
> hypothetical case: In that hypothetical case the Internet will not suddenly
> grind to a halt. If absolutely nothing is done to correct the situation
> every hour about 2% of all queries will not be answered, 2% at the end of
> the first hour, 4% at the end of the second hour and so forth until 48h
> after the root name servers stop answering queries no DNS names can be
> resolved anymore. However it is even more hypothetical to assume that
> nothing will be done to correct this hypothetical situation.

> Even in the hypothetically hypothetical case that the root name server
> operators would do nothing to correct the situation, the IANA, TLD
> operators, ISPs and others would have the motivation and the means to take
> corrective action.

> Again: this is very hypothetical. DNS failures outside the root name servers
> are much more likely. Name service for the vast majority of top-level
> domains is very much less redundant than that of the root name servers.
> Whole top-level domains and major corporations have been unreachable for
> significant amounts of time because of DNS failures. Name service for the
> root zone has always been available.

<http://www.isoc.org/briefings/020/>

------
feric
I think Anonymous doesn't really know how DNS works. The root nameservers
don't serve zone data for most sites that people use anyways.

DNS is a distributed hierarchy for serving requests. It's designed to be
fault-tolerant because if every name resolution (google.com->8.8.8.8)
performed by a browser had to reach 13 servers in the world, we'd still be
using gopher and newsgroups instead of the web.

DNS is distributed, hierarchical, redundant, and cached all over the place as
much as possible. Even my laptop caches DNS queries until a reboot. Even if a
DNS cache misses (which is infrequent), it goes to the nameserver hosting the
zone, which isn't a root name server.

Bottom line, it's probably just a joke designed to get some attention and to
experiment and see what actually does happen if you hit those servers.

------
jevinskie
And they are going to get around anycast redundancy how? [0] Also, what
consumer level ISP allows egress of packets with a spoofed source IP?

[0] <http://www.icann.org/en/announcements/factsheet-dns-attack-08mar07_v1.1.pdf>

~~~
sp332
TFA recommends using VPN (which I assume has fewer restrictions than
residential ISPs), or TOR (which has most of its outbound bandwidth on very
large pipes which probably aren't filtered much).

~~~
icebraining
_TOR (which has most of its outbound bandwidth on very large pipes which
probably aren't filtered much)._

TOR itself filters it:

> Also, remember that many of their more subtle communication mechanisms
> (like spoofed UDP packets) can't be used over Tor, because it only transports
> correctly-formed TCP connections.

My guess is that they're just clueless.

~~~
marshray
I suspect they were planning to use Tor for command and control.

Odd that it was only a requirement for the Windows software though. Perhaps
they script its installation on the Linux side.

~~~
icebraining
Command and control, of what? The ramp instances? Why would they need that?

And if the actual attack is direct, how will they escape the ISP's filters?
According to The Spoofer Project[1], no ISP lets you spoof packets with IPs
outside of at least the same /8 subnet. Can you even get a consumer connection
with an IP in those subnets?

[1]: <http://spoofer.csail.mit.edu/summary.php>

~~~
marshray
> Command and control, of what? The ramp instances?

That's what I was thinking. But I'm just guessing without having downloaded
the package.

> Why would they need that?

It's hard to know the motivations behind the person who wrote the Pastebin,
but if you were to go to all the trouble to amass an army of bots with the
capability of sending arbitrary packets with forged source IPs, wouldn't you
want to retain some degree of control over it?

> And if the actual attack is direct, how will they escape the ISP's filters?
> According to The Spoofer Project[1], no ISP lets you spoof packets with IPs
> outside of at least the same /8 subnet. Can you even get a consumer
> connection with an IP in those subnets?

(Thank you for that fascinating link BTW.)

I dunno, the same thought occurred to me too.

Note that they encourage the use of "VPNs", though they don't specify to
where. Maybe "VPN" to their audience is expected to represent some sort of
anonymizing service (e.g. for illicit filesharing) that typically terminates
at a backend datacenter which might not have effective egress filtering.

Again, just speculating.

------
Macha
Isn't their example of google that won't be affected? I was under the
impression that very few DNS queries actually go to the root nameservers as
ISPs and so on have it all cached. And since I highly doubt there is any ISP
that has not had a user visit google.com in the last 48 hours, Google will
still function for people?

In fact, the only people I can see this affecting (in the unlikely event it
does happen) are people setting up new sites.

~~~
amitparikh
The pastebin post says that 'While some ISPs uses DNS caching, most are
configured to use a low expire time for the cache.'

(Just re-iterating the post for Macha... I don't personally believe that the
expire-times for ISP DNS cache is as short as Anonymous is making it seem --
but I don't have any numbers off-hand)

~~~
sespindola
Most ISPs' DNS cache servers honor the TTL defined in the authoritative SOA
records, unless it is 1 minute or less.

I think the average TTL time for a DNS zone would be measured in minutes. It
needs to be that low in order to do SRV load-balancing, A/B testing, etc.

In any case, in the highly unlikely event that they manage to overload the 13
servers, there's plenty of time for every domain to temporarily extend the TTL
on March 31.

~~~
feric
Most TTLs for nameservers are on the order of days.

------
mfincham
Most of the "root servers" are big anycast clusters. L root has at least 50
locations worldwide...

~~~
astrodust
I think the Anonymous "hackers" are still under the impression that one IP
equals one server. Anycast works very well with UDP and they're in for a
surprise as their attack is diffused across so many different links.

------
jeggers5
Why do people always take these so seriously?

It's far more likely that a bored teenager somewhere wrote this.

Also, if we were to assume that Anonymous does actually exist in some
semblance, they would never ship a notice like this with grammatical errors.
They're small, but obvious.

I'll eat my foot if they actually manage to make a noticeable effect on the
DNS servers anyway.

------
Hominem
I'm pretty sure every hacker group has gotten this idea at one point or
another. Has anyone even come close to taking down all the root DNS servers at
once?

~~~
astrodust
With Anycast DNS there's actually more than thirteen servers even if there's
only thirteen IPs.

It's going to be almost impossible to flood them all simultaneously. These are
machines on multi-gigabit backbone connections, not some crappy back-water FBI
or CIA web server.

~~~
necenzurat
FBI and CIA have posters not websites

------
hybrid11
"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved
bankers who are starving the world for their own selfish needs out of sheer
sadistic fun, On March 31, anonymous will shut the Internet down."

What does taking down the internet have to do with that mission statement?

~~~
techiferous
I, too, find this strange. This does not seem like an event with a specific
objective in mind (beyond taking down DNS). It seems like a release of
internal psychological tension onto the external world. Smacks of Jung's
shadow: <http://en.wikipedia.org/wiki/Shadow_(psychology)>

------
krelian
When is it Anonymous and when is it some random guy that decides that now he
will become Anonymous?

~~~
phzbOx
Yes, that's the essence of anonymous.

------
redthrowaway
Leaving aside the _why_ , I'm highly doubtful they'd be able to pull it off.
Back in the Conficker days, it was rumored that it could be used to shut down
the Internet with a similar mechanism. _Conficker_ , I can see. Anon? Hell no.

------
Deamos
Now, I'm thinking about the order of DNS requests.. Local Hosts -> Router ->
ISP/OpenDNS/etc -> On out to the Root Servers. Now wouldn't DNS caching make
this attack only partially effective really...if it even worked?

~~~
sp332
The point is to be heard, not to destroy anything in particular. They're just
trying to get attention.

------
jsz0
Weren't they going to take down the New York Stock Exchange a couple months
ago too?

------
chris
9 of the 13 root servers were taken down via a DDoS back in 2002.

<http://c.root-servers.org/october21.txt>

Although the report states "2.4. There are no known reports of end-user
visible error conditions during, and as a result of, this attack.", it's not
entirely accurate. I personally experienced issues with name resolution
shortly after the attack started, and had no idea what the cause was until
afterward. If I recall correctly, my name resolution was handled by Qwest, as
they were the T1 transit provider I was using at the time.

------
sylvinus
Most interesting bit :

 _The principle is simple; a flaw that uses forged UDP packets is to be used
to trigger a rush of DNS queries all redirected and reflected to those 13 IPs.
The flaw is as follow; since the UDP protocol allows it, we can change the
source IP of the sender to our target, thus spoofing the source of the DNS
query.

The DNS server will then respond to that query by sending the answer to the
spoofed IP. Since the answer is always bigger than the query, the DNS answers
will then flood the target ip. It is called an amplified because we can use
small packets to generate large traffic. It is called reflective because we
will not send the queries to the root name servers, instead, we will use a
list of known vulnerable DNS servers which will attack the root servers for
us._

~~~
gabaix
Where could we find more information about those 13 servers? Why are there
only 13 of them?

~~~
sespindola
Here.[1] Most of them are not single-box servers, but clusters with multisite
redundancy. That's why all attacks were unsuccessful in the past.

1. <http://en.wikipedia.org/wiki/Root_name_server>

~~~
jason_slack
So could organizations build their own Root NS cluster and be added to the 13
that already exist?

Do I misunderstand something as to why there are only 13, who controls them,
etc?

~~~
tptacek
* Verisign, because they inherited MCI and thus UUNet.

* USC, one of the headquarters of academic network research.

* Cogent (no idea why, but they're a sort-of tier 1 NSP).†

* UMD, another headquarters of academic network research.

* NASA, because space.

* ISC, because they organized the authorship of BIND.

* DISA, because of DARPA.

* Army Research Lab, because of .MIL.

* Whoever owns NORDU.NET, which is a consortium of Nordic network academics.

* Verisign because they stole it from Thráin II during their final captivity in Dol Guldur.

* RIPE, because they number Europe.

* ICANN, because they ostensibly oversee the whole DNS.

* WIDE because they're like the NORDU or MERIT of Japan.

Most of this, if you can't tell, is an artifact of which organizations built
the instance of the Internet that caught on in the '90s (I was going to say
"that built the commercial Internet", but they mostly didn't realize that was
what they were doing when they did it).

Fun fact: in the early '90s, there were _actual Internet netsplits_ , like you
see on IRC, but across the Internet. Ripco, my ISP at the time, lost access to
NSFNet and all of .EDU.

No, you can't add your company to this list.

† _Aha, it's Cogent because they bought PSI, and it was PSI because they
helped build NSFNet and CIX._

~~~
gabaix
wow thanks for the list. So mostly US organizations.

Could the design be better if we had to rewrite it today? Any plans to include
other countries (China etc.)?

------
ccarnino
Surely this gives you an impression of how powerful this team is. I don't
know if this is too borderline not to cause big consequences.

Also, though I don't know if this is the best way to protest, I support the
cause.

------
mmaunder
Pretty sure sending reply packets to root servers that never asked for them
will simply be ignored. The only impact will be a busy network. As another
poster mentioned, anycast will be hard to DoS.
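
As an added example (not code from the thread or from any resolver), here is the receiver-side behaviour mmaunder describes, together with the size asymmetry the pastebin text quoted by sylvinus relies on: a host keeps a table of the queries it actually sent, and any response matching none of them is dropped and counted rather than processed. The packet bytes, the names and the `ResponseFilter` class are constructed for the example; it uses only the standard library.

```python
"""Receiver-side check that drops DNS responses nobody asked for (stdlib only).

Packets below are constructed, not captured. Only the question section is
decoded, so name compression pointers in answers are not handled.
"""
import struct
from ipaddress import IPv4Address

def encode_name(name):
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def decode_name(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(pkt[off:off + n].decode())
        off += n

def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN

def build_response(txid, qname, addrs, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)
    for a in addrs:  # owner name is a compression pointer to the question at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + IPv4Address(a).packed
    return msg

def parse(pkt):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, _ = decode_name(pkt, 12)
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "ancount": an}

class ResponseFilter:
    """Accept a response only if it matches a query this host actually sent."""
    def __init__(self):
        self.outstanding = set()  # (txid, qname) pairs awaiting an answer
        self.unsolicited = 0      # dropped responses; a useful counter to alert on

    def sent(self, query_pkt):
        q = parse(query_pkt)
        self.outstanding.add((q["txid"], q["qname"]))

    def accept(self, pkt):
        r = parse(pkt)
        key = (r["txid"], r["qname"])
        if r["is_response"] and key in self.outstanding:
            self.outstanding.discard(key)  # one answer per question, so replays fail
            return True
        self.unsolicited += 1
        return False

def size_ratio(query_pkt, response_pkt):
    """How much larger the answer is than the question that produced it."""
    return len(response_pkt) / len(query_pkt)
```

Feed `sent()` every query the host emits and `accept()` every response it receives; a rising `unsolicited` counter on a machine that never asked is the reflected traffic the thread is talking about, and it never reaches the resolver logic.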

------
amatus
Is it just me or does it seem like this attack will be self-defeating? They
are relying on DNS servers to serve responses in order to make DNS servers
stop serving responses.

~~~
aphyr
No; the root nameservers have fixed IPs. Those IP addresses, and those of the
vulnerable DNS servers to be used as reflectors, can be written down
beforehand.

~~~
sp332
The problem is that, in the DNS spoof attack, the DNS reflectors have to have
some data to send "back" to the spoofed IP. If the root servers are down, the
reflectors won't have any data to send back, so the flood will stop as the
reflectors' caches expire.

~~~
aphyr
Possibly. I haven't read the particular technique they're planning to use
here, but I recall some old attacks against Bind relied on query reflection,
which might work in the absence of cached data.

------
fady
does this mean, that even if we typed the IP address of a site, we would get
an error? i'm not sure how all the protocols work, so any clarification would
be great.

~~~
kruhft
No, you could still get to the site with just an IP address, if you have it.

~~~
fady
ok, thanks for the clarification. what confused me was "thus, disabling the
HTTP Internet"

i'm kinda glad they're attempting this, IMO. i'm tired of ignorant people not
understanding what the "web" really is, and how important it is to keep it
free and open. sure, this might make "hackers" look bad, but honestly, if we
sit back and do nothing, then we cannot complain when laws are passed, etc..

if they pull this off, it will be a historic day, no?

~~~
devnul3
Did you seriously just ask how the web works, then complain about ignorant
people who don't know how the web works...?

What does hackers using DDoS to knock a service offline have to do with it
being free/open? Everything isn't about SOPA/ACTA/et al...

~~~
fady
no. are you really trying to start an argument? clearly, you knew what i
meant.

there is a difference between a web developer who did not understand some
specifics regarding a protocol and a "average joe" user who does not even know
what a protocol is.

~~~
devnul3
Try not to take this personally, but in this context there's apparently not as
much difference as you seem to think. Neither of you (as evidenced by your
question) knew enough about DNS to fully understand the implications of what
the article was saying. At best you knew enough to know what question to ask.

My point is actually that there's no reason average users need to know this
stuff. Any more than there's a need for them to know what a CV boot is on
their car. They know if the car makes a weird noise going around corners, call
a mechanic. They know if they get errors on "teh Googlez", to call their ISP.

------
chewxy
Just curious if these root DNSes have low TTLs. What about servers that use
squid-like caching tools for DNS records?

------
mcritz
Let's assume they succeed. They take down the Internet at noon EDT (9AM PDT).
What's the worst that could happen?

~~~
tomjen3
Well, that all depends. First, most requests don't go to the root servers --
they are far too important; second, there is caching on the ISPs' servers. To
have any effect other than making sysadmins dehydrate, Anon would have to keep
the attack up long enough for the caches to empty (if they are indeed
configured to flush even if they cannot connect to the root; they may not), and
there are several layers of caching (your ISP is but one; your local computer
may also have one).

But assuming they can keep it running long enough for the DNS service to
die (and they may very well; that flaw is pretty smart, though they have to use
the actual IP of the vulnerable DNS servers, which means that it can be
filtered if the admins are smart enough)? Well, goodbye Internet -- you would
just get an error, no matter which website you tried to access. A pretty
grim situation, but not likely.
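
As an added example (not from the thread or any real resolver), a toy model of the decay described in the ISOC text eli quoted and of the caveat in the comment above about caches that may keep serving when they cannot reach the root: a cache of 48 delegations with a 48-hour TTL loses 1/48 (about 2%) of its answers each hour after the root stops responding, unless it serves stale data. The 48-hour delegation TTL, the names and the `Resolver` class are assumptions of the model.

```python
"""Toy model of a caching resolver after the root servers stop answering.

Constructed model, not real resolver code: 48 delegations cached at staggered
times with a 48-hour TTL (assumption); the root becomes unreachable at t=0.
"""
from dataclasses import dataclass, field

HOUR = 3600
DELEGATION_TTL = 48 * HOUR  # assumed TTL; matches the 48h horizon in the ISOC text


@dataclass
class Entry:
    rdata: str
    expires_at: int


@dataclass
class Resolver:
    root_reachable: bool = True
    serve_stale: bool = False  # hand out expired data when upstream is unreachable
    cache: dict = field(default_factory=dict)

    def prime(self, name, rdata, cached_at):
        self.cache[name] = Entry(rdata, cached_at + DELEGATION_TTL)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.rdata  # fresh cache hit
        if self.root_reachable:
            # Re-fetch the delegation from the root (referral data is constructed)
            self.cache[name] = Entry(f"ns.{name}", now + DELEGATION_TTL)
            return self.cache[name].rdata
        if entry is not None and self.serve_stale:
            return entry.rdata  # expired, but better than no answer at all
        return None  # SERVFAIL: nothing usable cached and the root is unreachable


def build_resolver(serve_stale=False):
    r = Resolver(serve_stale=serve_stale)
    for i in range(48):  # one delegation cached each hour over the previous two days
        r.prime(f"tld{i:02d}.", f"ns.tld{i:02d}.", cached_at=-i * HOUR)
    return r


def failure_fraction(resolver, hours_after_outage):
    """Fraction of cached names the resolver can no longer answer."""
    now = hours_after_outage * HOUR
    names = list(resolver.cache)
    failed = sum(1 for n in names if resolver.resolve(n, now) is None)
    return failed / len(names)


def outage_curve(serve_stale=False, hours=48):
    r = build_resolver(serve_stale)
    r.root_reachable = False  # root name servers stop answering at t=0
    return [failure_fraction(r, h) for h in range(hours + 1)]


if __name__ == "__main__":
    for h, frac in enumerate(outage_curve()):
        if h in (0, 1, 12, 24, 48):
            print(f"{h:2d}h after outage: {frac:6.1%} of names unanswerable")
    print("worst hour with serve-stale:", max(outage_curve(serve_stale=True)))
```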

~~~
icebraining
Bittorrent will still work, though ;) Well, at least if using DHT. The
trackers use a domain, of course.

------
tapsboy
The bankers will pack up for the day and play golf; no real impact.

------
alFReD-NSH
I got a feeling this news will break pastebin and not DNS :P

------
meow
Talk about cutting off the branch you are sitting on...

------
josscrowcroft
Anyone consider this might be a fake? Any verification?

------
worthlessgenius
They should say the word "thus" more often...

------
shingen
The bottom line is simple: they can't do it, they won't be able to do it, and
it makes the issue moot. Someone is desperate for attention.

You would need to have complete control over the infrastructure of something
equivalent to an Amazon, Microsoft, or Google to take down the whole DNS
system - and it would require a permanently sustained and constantly evolving
attack.

I'm always amazed at the vast under-estimation of what would be faced in a
real attempt of that sort. First, let's assume they made some progress and
actually started harming the stability of the global Internet. 1) the number
of interested parties (from hackers to corporations) that would immediately
respond to the counter, in numerous ways, would resolve the issue in an
extraordinarily short amount of time and 2) watch you don't have the US
special forces black bagging you within 24 hours if you're involved, no matter
where you're at on earth. The corporate money interest in the Internet being
up is at least a hundred billion dollars per day. They will kill you over
that, or at the least put you in an off grid terrorist prison.

~~~
MPSimmons
Um, BGP?

------
hastur
Good luck, Onanymous.

Big talk, like with Facebook, but nothing will happen.

------
Craiggybear
Soooooo ... why are they telling everyone? Forewarned = forearmed and all, yo.
Won't work. Unless they have something totally different planned and this is a
simple misdirection.

------
shareme
Guys, someone is pulling the Internet's leg, and right now I assure you that the
pastebin post author is laughing his head off that it's on HN.

Can we kind of bury this?

------
paulhauggis
hmm..and people here on HN say they aren't a digital terrorist group.....

~~~
snsr
While the DOS discussed in that link is quite obviously misguided,
counterproductive, juvenile and likely criminal, 'terrorism' seems like a
pretty strong word.

~~~
paulhauggis
It's not just this. Every single time a new link is posted about Anonymous
it's some form of digital terrorism.

It has barely a purpose and only serves to disrupt the masses. They even have
made threats that they would do X if Y isn't done.

This is terrorism to me.

~~~
marshray
This is a serious question:

Are you actually in a state of terror by this Pastebin entry, or are you just
saying it's rhetorical 'terrorism'?

~~~
mindslight
oh to be an agent provocateur these days! post on pastebin and be home in time
for dinner. tomorrow, enjoy the "news" articles calling for a more "secure"
internet ...

