Thursday, February 23, 2012

Anonymous Hacker Group Announces Plan to Shut Down the Internet on March 31, but Can They?

You may have heard of a group of hackers who hit the scene back in 2003 calling themselves Anonymous. Although much of their time was spent in secret, in 2008 they started creating a fuss by using distributed denial of service (DDoS) attacks to take down major corporate websites. Since then, they have begun a campaign that targets major corporations in a fight against piracy and governments who align themselves with these corporations. On January 19, 2012, one day after the major Internet blackout against SOPA, the Justice Department and FBI raided the offices of MegaUpload and shut them down. Anonymous retaliated by taking down the websites of the Justice Department, the Federal Bureau of Investigation (FBI), the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), Universal Music Group and Broadcast Music, Inc. Very quickly these sites were brought down with a relentless assault of packets, an attack that lasted days.

On February 12th, 2012, someone representing themselves as a member of the Anonymous group posted some content on the pastebin website. In the message the hacker said some interesting things like:

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down.

He continues on with plans of how the attack will take place, including a list of the 13 root server addresses the Internet uses to resolve names to IP addresses. The servers below are the 13 primary DNS root server addresses that propagate resolution requests to the authoritative servers.

  1. A
  2. B
  3. C
  4. D
  5. E
  6. F
  7. G
  8. H
  9. I
  10. J
  11. K
  12. L
  13. M

By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering "" or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to 'kill' the Internet, we are only temporarily shutting it down where it hurts the most.

I won't copy everything that is in the document, but he goes on to explain in a little detail a type of attack referred to as packet spoofing or IP spoofing. The plan is to take down the root servers with an incidental attack, not directed at the root servers themselves but rather at compromised nameservers. The nameservers will be given the task of sending queries to the root servers, except the packets sent will have a spoofed source IP that matches the root server, causing the packet to die on itself. They will then flood all 13 servers, taking down the Internet's resolution system; after all, if users can't get to Facebook, the Internet must be dead.

There is only one problem with this. It won't work. Yes, there are technically 13 IP addresses, but way more than 13 servers. Through the use of a technology called anycasting, data can be sent to a single IP address, but the closest and quickest server attached to that address is the one that actually receives it. Those 13 IP addresses are actually attached to hundreds of servers. Thus any kind of attack that flooded one of these IP addresses with data would likely find it spread over many servers, reducing its effectiveness significantly. It is very unlikely that an attack could generate enough packets to take down one of these, let alone all 13.
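Anycast can be observed from the outside: RFC 4892 defines a CHAOS-class TXT query for `id.server` that asks a name server which instance answered. The following is an added example, not part of the original post, that builds that query and parses the reply; the two replies and the instance names `site-a.example` and `site-b.example` are constructed sample data so it runs offline.

```python
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record, CHAOS class

def build_id_query(txid, qname="id.server"):
    """Build the RFC 4892 'which instance are you?' query (CH TXT id.server)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # one question, no flags
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_instance_id(msg, txid):
    """Return the instance name from a reply, or None if the reply is unusable."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
            return None  # wrong transaction, not a response, error rcode, no answer
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # name + qtype + qclass
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if (rtype, rclass) != (TYPE_TXT, CLASS_CH) or len(rdata) != rdlen or rdlen < 1:
            return None
        return rdata[1:1 + rdata[0]].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None  # truncated or malformed message

def sample_reply(query, instance):
    """Constructed reply for the demo: echo the question, add one TXT answer."""
    txt = bytes([len(instance)]) + instance.encode("ascii")
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + query[12:] + rr

def distinct_instances(replies, txid):
    """Set of instance names seen across replies to the same query and address."""
    return {name for name in (parse_instance_id(r, txid) for r in replies) if name}

# Constructed data: two vantage points query one anycast address, get two sites.
QUERY = build_id_query(0x1234)
REPLIES = [sample_reply(QUERY, "site-a.example"), sample_reply(QUERY, "site-b.example")]
print(sorted(distinct_instances(REPLIES, 0x1234)))
```

Against a live server the query bytes go out over UDP port 53; servers that implement RFC 4892 behind an anycast address typically report different instance names to clients on different networks.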

So now that I've settled that, let's discuss how they could actually do some harm. Well, if they really have a huge botnet, which they have used before to take out major websites, they could still attack the DNS system by choosing a more appropriate target. Look, any attack against the root servers, while unlikely to actually do anything, will set off red flags, and you can bet the top security guys will be on it in no time. However, an attack at, say, these five particular servers might yield a promising result:

You see, these are the five nameservers that are used to resolve FACEBOOK.COM. Facebook has thousands of redundant servers all set up to prevent the site from failing, but an attack at its name resolution might prove to be a very effective attack vector, since there are clearly fewer targets and, although the servers will physically be available, without name resolution they will be down to 99% of the Internet. You see, you don't have to think big in order to be effective. Taking down the entire Internet is ridiculous; its very design was to be redundant so that no one server could take it down. This isn't a set of Christmas lights, it's a computer network with powerful hardware and huge backbones. It's unlikely that any one attacker or even a group of attackers would have much luck in taking down more than a few servers at a time.

I just want to be clear, I'm not suggesting anyone try to take down Facebook; I was merely using them as an example, and one that Anonymous has previously stated as a target as part of a global attack initiative. Now, I don't agree with their methods; using denial of service attacks against anyone is a very childish act that doesn't actually accomplish anything. It only helps to solidify the position of your enemy, because if you are so rattled that you need to attack their website, they will assume they are getting to you. I see these kinds of attacks as ones done mostly by radicals. You know them, the ones who strap bombs to their chests and blow themselves up, taking as many people with them as they can. You see, they only do this because they have no other effective means of attacking their enemies. It's what happens when two parts of human evolution collide. There was once a moment in human evolution when our brains experienced a new thought, a realization that a rock could be used to sharpen the end of a stick, making a spear with which to hunt. But it was on the hunt of a great animal that another quirk of evolution emerged, called the Fight-or-Flight response. Even today, thousands of years later, while the tools of the trade have changed, the instinct to attack or flee in a scary situation has not changed. So we are left with people who are backed into a corner and left with two choices, to fight or to run, oftentimes choosing to fight. And like thousands of years ago, we use what tools we have available to us and evolve a strategy around them. The members of Anonymous are no different; they consider themselves to be under assault, and when backed into a corner they must make a choice.

"The direct use of force is such a poor solution to any problem, it is generally employed only by small children and large nations." - David Friedman
