#Anonymous hackers have announced “Operation Global Blackout”, promising to cause an Internet-wide blackout by disabling the core DNS servers. DNS is the phonebook of the Internet that translates machine names (like “www.facebook.com”) to network addresses (like “220.127.116.11”). If hackers can disable the global DNS name system, then typing your favorite website into your browser will produce an error.
But the attack is no longer practical. It’s such a common idea that Wikipedia has a page devoted to it. For something so obvious, defenders have spent considerable time devising solutions. There are many reasons why such an attack won’t cause a global blackout.
Reason #1: active response
Typical hacks work because it often takes a day for the victim to notice. Not so with critical Internet resources, like root DNS servers. Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem.
We’ve seen this response in action after major Internet worms (Morris Worm, Slammer, Blaster) or undersea cable breaks destabilized the Internet. Despite devastating temporary effects on the Internet, defenders were able to react quickly and mitigate the problem, so that most people never noticed.
The easiest active response is to blackout the sources of the offending traffic. Defenders can quickly figure out where the attacks are coming from, and prevent packets from those sources from reaching the root DNS servers. Thus, people might see disruptions for a few minutes, but not likely any longer.
Reason #2: diversity
There are 13 root domain servers (labeled A through M), managed by different organizations, using different hardware, software, and policies. A technique that might take out 1 of them likely won’t affect the other 12. To have a serious shot at taking out all 13, a hacker would have to test out attacks on each one. But the owners of the systems would notice the effectiveness of the attacks, and start mitigating them before the coordinated attack against all 13 could be launched.
Reason #3: anycasting
Anycasting is a tweak to the Internet routing table so that traffic destined for an IP address is redirected to a different local server. Thus, while it may appear that the “K” root DNS server has only a single IP address “18.104.22.168”, in fact there are 20 machines with that address spread throughout the world. When I trace the route to the “K” server from Comcast in Atlanta, it goes to a server located at an exchange point in Virginia. If you do your own traceroute, you are likely to find a different location for the server.
Reason #4: fat pipes
The root servers are not located on the edges of the Internet, but are instead located at nexus points on the Internet backbone where many links come together. Even using the “network amplification” technique described by #Anonymous, it won’t overload the network connections leading to the root servers.
Such attacks might overwhelm the servers themselves, but here amplification is much less of a threat. Whereas the raw “bits-per-second” is the primary limiting factor for Internet links, “packets-per-second” is the primary limiting factor for servers. The amplification technique results in bigger packets, but not more of them, so amplification affects servers less.
Reason #5: gTLD servers
All a root server does is resolve the last part of the name, like “.com” or “.jp”. It then refers the client to the “gtld-servers”, and resolvers cache that referral. That means that while the root servers are designed to handle millions of requests per second, in practice they serve only a few thousand per second.
Indeed, the best way to cause a “global blackout” wouldn’t be to attack the root servers themselves, but the “gtld-servers” the next level down, or even the individual domain-specific servers (like those for Google or Facebook) at the next level. If people can’t get to their Google, Twitter, and Facebook, the Internet is down as far as they are concerned.
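The delegation chain in Reason #5, as an added example that is not from the original post: a toy iterative resolver over a constructed, in-memory delegation tree (zone names, server labels and the query stream are all made up) that counts how many queries each tier sees once referrals are cached, compared with every lookup starting at the root. It caches only referrals, not final answers, so the authoritative tier's count is an upper bound on what a real resolver would send.

```python
from collections import Counter
# Constructed delegation tree (not real DNS data): zone -> its server and child zones.
ROOT = {"ns": "root", "children": {
    "com": {"ns": "gtld-com", "children": {
        "facebook.com": {"ns": "ns-facebook", "children": {}},
        "google.com": {"ns": "ns-google", "children": {}},
        "twitter.com": {"ns": "ns-twitter", "children": {}},
    }},
    "jp": {"ns": "gtld-jp", "children": {
        "example.jp": {"ns": "ns-example-jp", "children": {}},
    }},
}}
# Constructed query stream, the kind of traffic a resolver sees from its clients.
QUERIES = ["www.facebook.com", "mail.facebook.com", "www.google.com",
           "www.facebook.com", "www.example.jp", "api.twitter.com"]

def suffixes(name):
    """'www.facebook.com' -> ['com', 'facebook.com', 'www.facebook.com']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]

def resolve(name, cache, hits):
    """Iteratively resolve `name`; `cache` holds referrals (NS records) learned earlier."""
    node, pending = ROOT, suffixes(name)
    while pending and pending[0] in cache:     # start from the deepest cached referral
        node = cache[pending.pop(0)]
    for zone in pending:
        hits[node["ns"]] += 1                  # one query sent to this server
        child = node["children"].get(zone)
        if child is None:                      # no further delegation: it answers itself
            return node["ns"]
        cache[zone] = child                    # remember the referral for later lookups
        node = child
    hits[node["ns"]] += 1                      # query for the zone apex itself
    return node["ns"]

def simulate(names, caching=True):
    """Run the lookups in order; caching=False makes every lookup start at the root."""
    cache, hits = {}, Counter()
    for name in names:
        resolve(name, cache if caching else {}, hits)
    return hits

def tier_totals(hits):
    """Collapse per-server counts into root / gtld / authoritative tiers."""
    tiers = Counter()
    for server, n in hits.items():
        tiers["root" if server == "root" else "gtld" if server.startswith("gtld-") else "authoritative"] += n
    return dict(tiers)
```

For the six constructed lookups, `tier_totals(simulate(QUERIES))` shows the root answering only twice (once per TLD seen) while the authoritative tier answers six times; with `caching=False` all three tiers answer six times.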
Just because I say #Anonymous can’t do it doesn’t mean it can’t be done. Rather than a “brute-force” attack flooding the target, searching for weaknesses is a better approach. I think I might be able to do it, given 6 months. There are others who know DNS better who could find a weakness in less time.