A few weeks ago, the press announced a possible threat against the Internet's DNS infrastructure by the hacking group Anonymous. Anonymous allegedly planned to mount a DDoS attack against the root name servers to "shut the Internet down," in order "to protest SOPA, Wallstreet [sic], our irresponsible leaders and the beloved bankers who are starving the world."
While many people in the DNS community are skeptical of the validity of the threat - scheduled (coincidentally?) for March 31, the day before April Fools' Day - it's still interesting to consider whether such an attack could succeed.
At first glance, the root name servers appear to be an easy target: There are only 13 of them, and their IP addresses are widely known. How hard could it be to take down 13 name servers simultaneously?
In this case, though, looks are deceiving. Those 13 IP addresses represent, at last count, 283 individual name servers. How does that work? Each IP address is actually a virtual address, shared among many root instances distributed across the globe. In the case of l.root-servers.net, the current record-holder, a single IP address, 199.7.83.42, represents 79 replicas, ranging from Cape Town to Perth to Kathmandu.
These replicas use a technique called anycast to share that single IP address. Each name server is configured with the IP address, and each advertises a route to that IP address to its neighbor routers. Those routers tell their neighbors, and so on, across the Internet. So when you or I send a query to 199.7.83.42, the Internet's routing infrastructure works out which replica of l.root-servers.net is closest to us and routes the query there. That's exactly the behavior you'd want: since all of the roots are functionally equivalent (that is, they all give out the same answer to the same question), you just want to query the closest one.
Which brings us to the first two reasons a DDoS attack against the roots is harder than it looks: First, there are many more of them than there initially appear to be (283 versus 13). Second, from any given point on the Internet, you can only communicate with 13 of them at a time.
That second point bears emphasizing: If I were a Bad Guy (but I assure you that I'm not) and wanted to attack the root name servers, I could only directly attack the replica of l.root-servers.net in San Jose, California, easily (that is, from my home). I'd have no way to attack the roots in Warsaw or Wellington directly. If I had control of a botnet that happened to have members in Poland or New Zealand, I might be able to do some damage, but of course botnets aren't evenly distributed around the world.
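To make the anycast argument concrete, here is an added toy model (not code from the post or from any root operator): routers form a small constructed graph with link costs, several replica sites announce the same virtual address, and each client is steered to the replica with the lowest path cost. It also shows what the author describes in the comments below: when the closest replica withdraws its announcement, traffic moves to the next-closest one. All site names and costs are assumptions for illustration.

```python
"""Toy model of anycast route selection for a replicated root letter.

Added example, not from the post. A constructed network: routers are graph
nodes, links carry a cost, and several replica sites announce the same
virtual address. Each client is routed to the replica with the lowest path
cost, so any one client reaches exactly one replica per letter at a time.
Withdrawing a replica's announcement shifts that client's traffic to the
next-closest replica.
"""
import heapq

# Constructed topology: (router_a, router_b, cost). Names and costs are
# illustrative assumptions, not real root-server sites or metrics.
LINKS = [
    ("san_jose", "los_angeles", 5),
    ("san_jose", "seattle", 8),
    ("los_angeles", "dallas", 12),
    ("seattle", "dallas", 15),
    ("dallas", "new_york", 10),
    ("new_york", "london", 30),
    ("london", "warsaw", 10),
    ("london", "cape_town", 40),
    ("seattle", "wellington", 45),
]

# Constructed set of replica sites announcing the same virtual address.
REPLICAS = {"san_jose", "los_angeles", "new_york", "warsaw", "cape_town", "wellington"}


def build_graph(links):
    """Undirected adjacency list from the link table."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def shortest_costs(graph, source):
    """Dijkstra: lowest path cost from source to every reachable router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def select_replica(graph, client, announcing):
    """The announcing replica with the lowest path cost from client, or None.

    This is the anycast property: the client cannot pick any other replica,
    because routing has already decided where the virtual address lives.
    """
    dist = shortest_costs(graph, client)
    reachable = [(dist[r], r) for r in announcing if r in dist]
    if not reachable:
        return None
    return min(reachable)[1]


def failover_sequence(graph, client, announcing):
    """Replicas the client is steered to as each current closest one withdraws."""
    active = set(announcing)
    order = []
    while True:
        pick = select_replica(graph, client, active)
        if pick is None:
            return order
        order.append(pick)
        active.discard(pick)


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("san_jose ->", select_replica(g, "san_jose", REPLICAS))
    print("london   ->", select_replica(g, "london", REPLICAS))
    print("san_jose failover order:", failover_sequence(g, "san_jose", REPLICAS))
```

With these constructed costs a client in san_jose is served by the san_jose replica and a client in london by warsaw; neither can send a packet to the other's replica while both announcements stand. Withdrawing the san_jose replica moves the san_jose client to los_angeles, then new_york, and so on, which is the "next-closest instance" behaviour the author describes.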
There's yet another reason that an attack against the roots might not succeed: Even if attackers managed to mount an attack against all 283 of the root name servers, and saturate them with so much traffic that queries and responses couldn't get through, they'd need to sustain that attack for quite a while before most people noticed. Here's why:
$ dig @l.root-servers.net. www.infoblox.com. +norec

; <<>> DiG 9.8.1 <<>> @l.root-servers.net. www.infoblox.com. +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39789
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;www.infoblox.com.		IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30
a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30

;; Query time: 42 msec
;; SERVER: 2001:500:3::42#53(2001:500:3::42)
;; WHEN: Tue Mar 13 13:28:05 2012
;; MSG SIZE  rcvd: 494
That's the kind of response a root name server sends out all day long: "I don't know the address of www.infoblox.com, but I can tell you the names and addresses of the com name servers." Note the TTL (time to live) on the records that give us those names and addresses: 172800 seconds, or two days. Any name server on the Internet can cache that information for up to two days and reuse it. Which in turn means that, in order to be absolutely sure they've "shut the Internet down," attackers would need to keep up their DDoS attack for 48 hours, to make sure that recursive name servers around the Internet would actually need to query a root name server again. Not an easy task.
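The caching argument can be checked against the referral itself. The following is an added example (not code from the post): it parses records in dig's presentation format from a trimmed copy of the referral above, takes the delegation's effective lifetime as the shortest TTL across the NS records and their glue (a resolver needs both to reach the com servers), and replays a recursive resolver's query stream to count how often it actually has to contact a root. The query stream and the trimming of the referral are constructed for illustration.

```python
"""Model the caching that makes a root DDoS slow to notice.

Added example, not code from the post. It parses a referral in dig's
presentation format, derives the delegation's effective TTL (the shortest
TTL across the NS records and their glue addresses), and replays a
recursive resolver's query stream to see how often a root must be contacted.
"""
import re
from dataclasses import dataclass

# Constructed from the referral shown in the post, trimmed to a few records;
# the TTLs, names and addresses are the ones printed in the post.
REFERRAL = """\
;; AUTHORITY SECTION:
com.\t\t\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t\t\t172800\tIN\tNS\tb.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.\t172800\tIN\tA\t192.5.6.30
b.gtld-servers.net.\t172800\tIN\tA\t192.33.14.30
a.gtld-servers.net.\t172800\tIN\tAAAA\t2001:503:a83e::2:30
"""

# owner  TTL  IN  TYPE  RDATA  (dig's default presentation format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_records(text):
    """Resource records in a dig-style answer; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(RR(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def delegation_ttl(records, zone):
    """Seconds a resolver can use the delegation for `zone` without asking a root.

    Both the NS set and the glue addresses of those servers must still be in
    cache, so the usable lifetime is the smallest TTL among them.
    """
    ns_names = {r.rdata for r in records if r.name == zone and r.rtype == "NS"}
    relevant = [
        r for r in records
        if (r.name == zone and r.rtype == "NS")
        or (r.name in ns_names and r.rtype in ("A", "AAAA"))
    ]
    if not relevant:
        raise ValueError(f"no delegation for {zone} in referral")
    return min(r.ttl for r in relevant)


def root_contacts(query_times, ttl):
    """Replay queries (seconds since resolver start) for names under one delegation.

    Returns the instants at which the resolver had to contact a root. A cached
    entry fetched at time t is usable while now < t + ttl.
    """
    contacts = []
    expires_at = None
    for now in sorted(query_times):
        if expires_at is None or now >= expires_at:
            contacts.append(now)
            expires_at = now + ttl
    return contacts


if __name__ == "__main__":
    recs = parse_records(REFERRAL)
    ttl = delegation_ttl(recs, "com.")
    print(f"com delegation usable for {ttl} s = {ttl / 3600:g} h")
    # Constructed workload: a resolver looking up .com names once an hour for
    # three days contacts a root only at hour 0 and again at hour 48.
    hourly = [h * 3600 for h in range(73)]
    print("root contacts at:", root_contacts(hourly, ttl))
```

Run against the trimmed referral the delegation TTL comes out at 172800 seconds, and a resolver busy with .com lookups all day goes back to a root only once the 48 hours are up, which is the window an attack would have to outlast before that resolver noticed anything.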
The truth of the matter is that, thanks to anycast and caching, the root name servers are among the hardest targets you could choose on the Internet.

Comments
http://en.wikipedia.org/wiki/Betteridge's_Law_of_Headlines
Also, fix your URL parser in the comment adding code. http://tinyurl.com/betteridge
Agreed that the root servers are a pretty tough target, but two points that make the threat more significant.

1) Sure, you can only attack the thirteen servers nearest you. But unless I misunderstand this, legit users also can only access the nearest thirteen. If there's an attacker near you, you won't be able to access the root servers.

2) Caching isn't the perfect solution. Sure, you might have a cached record for 'com', but what about when you want to resolve pike.ida.liu.se and you haven't been to any other Swedish web sites recently? Unless you have some other caching resolver to query, you're going to need to reach the root servers.

You can't "shut the internet down". But you can (sometimes) make a mess of it for everyone who's near your nodes.
Chris, your understanding is correct. But a good anycast implementation will also remove a root instance that's overwhelmed by incoming traffic from the anycast group, which will shunt traffic to the next-closest instance. So attackers close to me in San Jose might take out the San Jose instance of l.root-servers.net for a while, but then anycast will route them to the next-closest instance (maybe Burbank, Los Angeles or Santa Ana). Meanwhile, the San Jose instance will recover. It's like playing Whac-A-Mole.

I don't dispute that a coordinated attack against the roots could cause some damage, but I think the difficulty of "shutting down the Internet" has been underestimated.
Christopher, that's true, but after BGP shunts traffic away from the closest instance, the closest instance should recover. As I said, from any given point on the Internet, you can only communicate with (and hence attack) 13 of the roots at a time. But which 13 roots you can communicate with can change from time to time.
Volume attacks are not the only option to deny the services provided by the root servers. Might they also be vulnerable to the lack of security within BGP?
Adeei, that would require man-in-the-middle status, instead of simply commanding a botnet to swamp the root servers. But that IS a real threat, and that's why we have such things as DNSSEC.
I think there needs to be some understanding of the term "take out".

If by "take out" you, and they, mean destruction then I agree that is almost an impossible task.

If they mean to "render ineffective" then it could conceivably be done.

The way to reduce the effectiveness is to have your (you being the bad guy for a moment) impersonate the root servers and provide the anticipated responses that map back to your "AH HA... Gotcha" site instead of Blahblah.com.

This could effectively remove the real root servers from the picture for all but those closest to the real root. If the attack can be sustained beyond the 2 day TTL expiry then greater impact would be felt by the internet travelling public.

Comments?
Cricket, these two statements of yours (one from the story and one from the comments) seem to be mutually exclusive:

"from any given point on the Internet, you can only communicate with 13 of them at a time."

seems to be in conflict with:

"But a good anycast implementation will also remove a root instance that's overwhelmed by incoming traffic from the anycast group"

If an attacker overwhelms one instance, would they not be routed to another until (given sufficient resources) all were overwhelmed?

I don't disagree that without exploitation of a previously unknown protocol flaw it would take a massive, sustained effort. However your second statement does seem to invalidate the first, unless there is more to the story.