A few weeks ago, the press announced a possible threat against the Internet's DNS infrastructure by the hacking group Anonymous. Anonymous allegedly planned to mount a DDoS attack against the root name servers to "shut the Internet down," in order "to protest SOPA, Wallstreet [sic], our irresponsible leaders and the beloved bankers who are starving the world."
While many people in the DNS community are skeptical of the validity of the threat - scheduled (coincidentally?) for March 31, the day before April Fools' Day - it's still interesting to consider whether such an attack could succeed.
At first glance, the root name servers appear to be an easy target: There are only 13 of them, and their IP addresses are widely known. How hard could it be to take down 13 name servers simultaneously?
In this case, though, looks are deceiving. Those 13 IP addresses represent, at last count, 283 individual name servers. How does that work? Each IP address is actually a virtual address, shared among many root instances distributed across the globe. In the case of l.root-servers.net, the current record-holder, a single IP address, 22.214.171.124, represents 79 replicas, ranging from Cape Town to Perth to Kathmandu.
These replicas use a technique called anycast to share that single IP address. Each name server is configured with the IP address, and each advertises a route to that IP address to its neighbor routers. Those routers tell their neighbors, and so on, across the Internet. So when you or I send a query to 126.96.36.199, the Internet's routing infrastructure works out which replica of l.root-servers.net is closest to us and routes the query there. That's exactly the behavior you'd want: since all of the roots are functionally equivalent (that is, they all give out the same answer to the same question), you just want to query the closest one.
Which brings us to the first two reasons a DDoS attack against the roots is harder than it looks: First, there are many more of them than there initially appear to be (283 versus 13). Second, from any given point on the Internet, you can only communicate with 13 of them at a time.
That second point bears emphasizing: If I were a Bad Guy (but I assure you that I'm not) and wanted to attack the root name servers, I could only directly attack the replica of l.root-servers.net in San Jose, California, easily (that is, from my home). I'd have no way to attack the roots in Warsaw or Wellington directly. If I had control of a botnet that happened to have members in Poland or New Zealand, I might be able to do some damage, but of course botnets aren't evenly distributed around the world.
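The routing behaviour described above (each replica advertises the same address, and every vantage point is routed to the closest one) can be modelled with a shortest-path computation over a small topology. The following is an added illustration, not code from the post or from any root operator; the link costs, city names and replica placement are made up for the example, and "closest" here means lowest path cost, standing in for BGP's path selection.

```python
import heapq
from collections import defaultdict

# Constructed, hypothetical network: (node, node, path cost). The costs are
# not real Internet data; they only exist to make the routing decision concrete.
LINKS = [
    ("SanJose", "LosAngeles", 1),
    ("SanJose", "Chicago", 2),
    ("Chicago", "NewYork", 1),
    ("NewYork", "London", 3),
    ("London", "Warsaw", 2),
    ("London", "Paris", 1),
    ("LosAngeles", "Sydney", 5),
    ("Sydney", "Wellington", 1),
    ("Sydney", "Perth", 2),
]

# Nodes hosting a replica of one anycast address (hypothetical placement).
# Every replica advertises the same prefix, so routing alone decides which
# one a given source talks to.
ANYCAST_REPLICAS = {"SanJose", "Warsaw", "Wellington"}


def build_graph(links):
    """Undirected adjacency map: node -> {neighbour: cost}."""
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def nearest_replica(graph, source, replicas):
    """Dijkstra from `source`; the first replica settled is the one the
    routing system delivers this source's packets to. Returns
    (replica, cost) or None if no replica is reachable."""
    dist = {source: 0}
    heap = [(0, source)]
    settled = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node in replicas:
            return node, d
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return None


def reachable_replicas(graph, sources, replicas):
    """For a set of traffic sources, map each to the single replica it
    lands on and return the set of replicas touched by any of them."""
    per_source = {}
    for s in sources:
        hit = nearest_replica(graph, s, replicas)
        per_source[s] = hit[0] if hit else None
    return per_source, {r for r in per_source.values() if r is not None}


if __name__ == "__main__":
    g = build_graph(LINKS)
    for city in sorted(g):
        print(f"{city:<11} -> {nearest_replica(g, city, ANYCAST_REPLICAS)}")
    # Traffic originating only in North America never reaches Warsaw or
    # Wellington; it all terminates on the San Jose replica.
    print(reachable_replicas(g, ["SanJose", "Chicago", "NewYork"], ANYCAST_REPLICAS))
```

Running it shows the post's point about the 13 addresses: every source sees exactly one replica per anycast address, and traffic confined to one region touches only that region's replica. The same model is useful defensively, for reasoning about where extra replicas would absorb the most load.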
There's yet another reason that an attack against the roots might not succeed: Even if attackers managed to mount an attack against all 283 of the root name servers, and saturate them with so much traffic that queries and responses couldn't get through, they'd need to sustain that attack for quite a while before most people noticed. Here's why:
$ dig @l.root-servers.net. www.infoblox.com. +norec

; <<>> DiG 9.8.1 <<>> @l.root-servers.net. www.infoblox.com. +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39789
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;www.infoblox.com.              IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       188.8.131.52
b.gtld-servers.net.     172800  IN      A       184.108.40.206
c.gtld-servers.net.     172800  IN      A       220.127.116.11
d.gtld-servers.net.     172800  IN      A       18.104.22.168
e.gtld-servers.net.     172800  IN      A       22.214.171.124
f.gtld-servers.net.     172800  IN      A       126.96.36.199
g.gtld-servers.net.     172800  IN      A       188.8.131.52
h.gtld-servers.net.     172800  IN      A       184.108.40.206
i.gtld-servers.net.     172800  IN      A       220.127.116.11
j.gtld-servers.net.     172800  IN      A       18.104.22.168
k.gtld-servers.net.     172800  IN      A       22.214.171.124
l.gtld-servers.net.     172800  IN      A       126.96.36.199
m.gtld-servers.net.     172800  IN      A       188.8.131.52
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30

;; Query time: 42 msec
;; SERVER: 2001:500:3::42#53(2001:500:3::42)
;; WHEN: Tue Mar 13 13:28:05 2012
;; MSG SIZE  rcvd: 494
That's the kind of response a root name server sends out all day long: "I don't know the address of www.infoblox.com, but I can tell you the names and addresses of the com name servers." Note the TTL (time to live) on the records that give us those names and addresses: 172800 seconds, or two days. Any name server on the Internet can cache that information for up to two days and reuse it. Which in turn means that, in order to be absolutely sure they've "shut the Internet down," attackers would need to keep up their DDoS attack for 48 hours, to make sure that recursive name servers around the Internet would actually need to query a root name server again. Not an easy task.
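To make the caching argument concrete, here is an added example (not code from the post or from Infoblox) that parses a referral in dig's presentation format, pulls out the TTL, and models a recursive resolver's cache to answer the question "does this query need a root server right now?". The embedded response is constructed: it keeps the names and the 172800-second TTL from the response above but is shortened to two name servers, with placeholder addresses from the RFC 5737 documentation range rather than real ones. The example also shows the caveat the two-day figure carries: the cache only protects lookups under a TLD the resolver has already cached, so a query for a TLD the resolver has not seen (here, org) still needs the root.

```python
import re

# Constructed sample of a root referral in dig's output format. Names and the
# TTL mirror the quoted response; the A records are RFC 5737 placeholders.
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39789
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.infoblox.com.\t\tIN\tA

;; AUTHORITY SECTION:
com.\t\t\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t\t\t172800\tIN\tNS\tb.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.\t172800\tIN\tA\t192.0.2.30
b.gtld-servers.net.\t172800\tIN\tA\t192.0.2.33
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text):
    """Return (owner, ttl, rtype, rdata) tuples for every record line,
    skipping comments (';' lines), the question section and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata))
    return records


def referral_ttl(records):
    """Longest time a resolver may keep serving the delegation (NS set)
    from cache before it must ask the root again."""
    return max(ttl for _, ttl, rtype, _ in records if rtype == "NS")


class ResolverCache:
    """Minimal TTL-aware cache: (owner, type) -> list of (rdata, expires_at)."""

    def __init__(self):
        self._entries = {}

    def store(self, records, now):
        for owner, ttl, rtype, rdata in records:
            self._entries.setdefault((owner, rtype), []).append((rdata, now + ttl))

    def lookup(self, owner, rtype, now):
        live = [rd for rd, exp in self._entries.get((owner, rtype), []) if now < exp]
        return live or None


def needs_root_query(cache, qname, now):
    """True if the resolver has no unexpired NS set for any enclosing zone of
    qname (walking from the name itself up to the TLD), i.e. it must start
    resolution at the root."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if cache.lookup(zone, "NS", now):
            return False
    return True


if __name__ == "__main__":
    recs = parse_dig(ROOT_REFERRAL)
    print("referral TTL:", referral_ttl(recs), "seconds")
    cache = ResolverCache()
    cache.store(recs, now=0)          # resolver learned the com delegation at t=0
    for t in (1, 172799, 172800):
        print(t, "www.infoblox.com needs root:", needs_root_query(cache, "www.infoblox.com.", t))
    print(1, "www.example.org needs root:", needs_root_query(cache, "www.example.org.", 1))
```

A resolver that cached the com delegation at t=0 can resolve any com name without the root until the TTL runs out at t=172800; only then does a com lookup go back to a root server, which is where the 48-hour figure comes from.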
The truth of the matter is that, thanks to anycast and caching, the root name servers are among the hardest targets you could choose on the Internet.