There has been much talk about the ability of a group such as Anonymous to render the Internet unusable by an attack.
The attack most often talked about in 2012 has been the disabling of the Domain Name System (DNS), possibly using what are known as Denial of Service (DOS) attacks.
An attack against the Domain Name System (DNS) is possible. It would mean that the names you type into the address bar of your browser (URLs), such as http://www.profwoodward.org/, which the DNS servers convert into the addresses the Internet actually uses (IP addresses), would fail to resolve.
And unless you know the IP address, the Internet would, for all intents and purposes, stop.
Opinions range from the panic-stricken to complete incredulity that such a thing is possible. As ever, the truth lies somewhere in between the two. So, I wanted to make a few points that will hopefully clarify the debate.
For those unfamiliar with DOS attacks, you might like to start by reading up here. The concept isn't complex. You simply flood a web server with so many requests that it can no longer respond to the legitimate ones.
One of the ways the hackers generate this volume of requests is by co-opting other machines to collaborate by simultaneously sending many requests.
Malware is used to turn a machine into a "bot" (short for "robot") that can do the hackers' bidding, and the user often doesn't know that their machine is participating in such an attack.
Such an attack was used to prevent visitors reaching the Interpol site on 28th February 2012: a retaliatory act for recent arrests. This was done using a tool developed by the group Anonymous, which they called their "High Orbit Ion Cannon" (HOIC).
A rather grand name for something that essentially sends up to 256 HTTP POST and GET requests, ramps up to about 2MB/s, and is written in BASIC. But, get enough of these or similar tools firing away at the same target and you'll stop others using it.
The obvious question is why one can't simply block the traffic from an address that is firing too many requests at your site. I won't try to answer that here but suggest you go read my article on the BBC site at: http://www.bbc.co.uk/news/technology-17302656 Suffice it to say, you can obscure where the attack is coming from. Not to mention that if it is a bot-based attack then the machines sending the traffic belong to innocent parties.
So, what has this got to do with making the whole Internet unavailable? It's inconvenient for the individual sites attacked but no one could generate enough traffic to stop the whole Internet. Could they? As ever, the answer is "that depends".
The classic attack against the DNS until recently has been to hijack the DNS and reroute requests for a site to an IP address under the control of the hackers. A large part of East Africa suffered this recently, with sites from Google to Microsoft being diverted to a site that talked about rights in a northern African country.
You know it's happened and you can fix it quite quickly if you can get control of the DNS back. However, if these DNS servers were unavailable en masse then typing the URLs into your browser would result in nothing: the translation to an IP address would never happen and the request would simply time out. But the DNS servers are all around the world, so how could they hit all of these servers simultaneously?
The reason this attack is theoretically possible is that the DNS is a hierarchy. At the top level are 13 servers.
Disrupt these 13 servers and you could disrupt the entire DNS network. Not surprisingly the authorities know this and they put a lot of effort into ensuring that the DNS network can cope with a DOS attack.
And, if it were only the standard DOS we were concerned with, we might be able to sit back and feel comfortable, or at least as comfortable as anyone can these days on the Internet.
However, there is a particular form of DOS that is not so much on the DNS but subverts the DNS to undertake the attack. This attack could potentially be many times more voluminous than "traditional" DDOS attacks might suggest is possible.
It relies upon what is known as "DNS Amplification". The attack was detailed in a paper as far back as 2006 (here) and has been discussed amongst the cyber security community since 2002. In essence, the attack relies upon exploiting "DNS recursion". What's that? Well, a DNS resolver can work in either iterative mode or recursive mode.
In iterative mode, the resolver first asks the root nameservers for the top-level domain's nameservers, then queries the top-level domain's nameservers for the second-level domain's nameservers, and so on. The resolver contacts the different nameservers directly, one by one, following the referral each server hands back, until it has either found the answer it needs or given up because the answer doesn't exist.
In recursive mode, the resolver's job is much simpler as it asks one DNS server for the whole name, then leaves it to the server to perform all the necessary requests (either recursive or iterative) on its behalf.
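To make the two modes concrete, here is an added example (not code from the original post) that models a tiny DNS hierarchy in Python. The server names, the delegation table and the address 192.0.2.10 are all constructed for illustration; only the name www.profwoodward.org comes from the post. An iterative client walks the referrals itself, while a recursive client sends a single query and lets the resolver do the walking.

```python
"""Iterative vs recursive resolution over a constructed DNS hierarchy."""
from typing import List, Optional, Tuple

# Constructed delegation data: each authoritative server either answers
# (an "A" record) or refers the asker to the next server down ("NS").
# In a real hierarchy these would be the root, a TLD server and the
# domain's own nameserver.
SERVERS = {
    "root-server": {
        "org.": ("NS", "org-tld-server"),
        "com.": ("NS", "com-tld-server"),
    },
    "org-tld-server": {
        "profwoodward.org.": ("NS", "ns1.example-host.net"),
    },
    "com-tld-server": {},  # knows nothing about the names asked below
    "ns1.example-host.net": {
        "www.profwoodward.org.": ("A", "192.0.2.10"),  # constructed address
    },
}


def query_server(server: str, qname: str) -> Tuple[str, Optional[str]]:
    """Ask one server about qname; pick the longest matching zone suffix,
    as a real server answers from the closest zone cut it knows about."""
    best = None
    for suffix, record in SERVERS[server].items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, record)
    if best is None:
        return ("NXDOMAIN", None)  # this server cannot help: name does not exist here
    return best[1]


def resolve_iteratively(qname: str, max_steps: int = 8) -> Tuple[Optional[str], List[str]]:
    """Iterative mode: start at the root and follow each referral ourselves.
    Returns (address or None, list of servers contacted)."""
    server = "root-server"
    trail: List[str] = []
    for _ in range(max_steps):
        trail.append(server)
        rtype, value = query_server(server, qname)
        if rtype == "A":
            return value, trail
        if rtype == "NS":
            server = value  # referral: go and ask the next server down
            continue
        return None, trail  # authoritative "no such name": give up
    return None, trail  # too many referrals: give up rather than loop forever


def resolve_recursively(resolver: str, qname: str) -> Tuple[Optional[str], int]:
    """Recursive mode: the client sends ONE query to its resolver, which does
    the whole iterative walk on the client's behalf. Returns (address, number
    of queries the client itself had to send)."""
    answer, _trail = resolve_iteratively(qname)  # work done by `resolver`, not the client
    client_queries_sent = 1
    return answer, client_queries_sent


if __name__ == "__main__":
    addr, trail = resolve_iteratively("www.profwoodward.org.")
    print("iterative:", addr, "via", " -> ".join(trail))
    addr, sent = resolve_recursively("resolver.example", "www.profwoodward.org.")
    print("recursive:", addr, "client sent", sent, "query")
    print("missing name:", resolve_iteratively("nothing.example.com."))
```

The asymmetry that matters for the rest of the post is visible in the return values: the recursive client sends one small message and receives a complete answer, so the resolver is doing work, and generating traffic, on behalf of whoever asked.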
So what's the problem? Well, the response to a DNS query can be considerably larger than the query itself, and the IP address from which the request was sent can be spoofed, causing the response to be sent to another machine. An attacker finds a machine that does recursive lookups, sends it a large number of requests and spoofs the source IP address so that the responses are sent to a victim machine.
A relatively small amount of data then results in a large amount of data being fired at the victim machine. As the size of the responses is so much larger than the requests used to trigger the high volumes of traffic it has become known as an "amplification attack".
Do this with enough DNS machines and you can have the DNS network flooding the very network it is supposed to be serving.
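From the victim's side, the tell-tale sign of the amplification attack described above is DNS responses arriving that nobody on the network asked for, from many resolvers at once, and far larger than any query. The following is an added example (not from the original post) of detection logic over constructed flow records: it pairs each inbound DNS response with the outbound query that solicited it, reports the largest response-to-query size ratio seen, and flags a flood when unsolicited responses from several distinct resolvers exceed a byte threshold. All addresses (203.0.113.5 as "our" host, 198.51.100.x as open resolvers), sizes and thresholds are constructed.

```python
"""Flag a DNS amplification flood in flow records (constructed sample data)."""
from typing import Dict, List, Tuple

# Constructed NetFlow-style records:
#   time  src_ip  src_port  dst_ip  dst_port  bytes  packets
# First four lines: our host sends two genuine queries and gets replies.
# Remaining lines: responses to port 4444 that our host never asked for,
# which is what a spoofed-source amplification attack looks like on arrival.
FLOWS = """\
100 203.0.113.5 51000 198.51.100.1 53 64 1
100 198.51.100.1 53 203.0.113.5 51000 512 1
101 203.0.113.5 51001 198.51.100.1 53 60 1
101 198.51.100.1 53 203.0.113.5 51001 180 1
102 198.51.100.2 53 203.0.113.5 4444 3000 1
102 198.51.100.3 53 203.0.113.5 4444 3000 1
102 198.51.100.4 53 203.0.113.5 4444 3000 1
103 198.51.100.2 53 203.0.113.5 4444 3000 1
103 198.51.100.5 53 203.0.113.5 4444 3000 1
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the whitespace-separated flow layout above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, sport, dst, dport, nbytes, pkts = line.split()
        flows.append({"time": int(t), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def analyse(flows: List[dict], our_ip: str,
            min_unsolicited_bytes: int = 10_000,
            min_resolvers: int = 3) -> dict:
    """Match DNS responses to the queries we sent; anything unmatched is
    unsolicited. Thresholds are constructed values, tune to your network."""
    # Queries we really sent, keyed by (resolver, our source port).
    sent_bytes: Dict[Tuple[str, int], int] = {}
    for f in flows:
        if f["src"] == our_ip and f["dport"] == 53:
            sent_bytes[(f["dst"], f["sport"])] = f["bytes"]

    ratios: List[float] = []
    unsolicited_bytes = 0
    unsolicited_resolvers = set()
    for f in flows:
        if f["dst"] != our_ip or f["sport"] != 53:
            continue  # not a DNS response to us
        key = (f["src"], f["dport"])
        if key in sent_bytes:
            # Genuine reply: how much bigger was the answer than the question?
            ratios.append(f["bytes"] / sent_bytes[key])
        else:
            unsolicited_bytes += f["bytes"]
            unsolicited_resolvers.add(f["src"])

    return {
        "max_solicited_ratio": max(ratios) if ratios else 0.0,
        "unsolicited_bytes": unsolicited_bytes,
        "unsolicited_resolvers": len(unsolicited_resolvers),
        "flood": (unsolicited_bytes >= min_unsolicited_bytes
                  and len(unsolicited_resolvers) >= min_resolvers),
    }


if __name__ == "__main__":
    report = analyse(parse_flows(FLOWS), "203.0.113.5")
    for k, v in report.items():
        print(f"{k}: {v}")
```

Even the two genuine replies show an 8:1 size ratio between answer and question; the unsolicited traffic, 15,000 bytes from four different resolvers in two seconds of the sample, is the pattern to alert on and to report back to the operators of the resolvers involved.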
Now, best practice does say that recursive querying should be disabled for anyone outside your own network, but on few servers has that been done. So, find yourself a large number of DNS servers and fire off enough of these requests and you could certainly flood entire segments of the Internet with so much traffic that they became unusable.
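For the operator side of that best practice, here is an added example (not from the original post) that classifies a BIND `named.conf` by whether it will recurse for the whole Internet. The three configuration fragments are constructed; `recursion` and `allow-recursion` are real BIND options, and the checker treats a missing `recursion` statement as "yes" (BIND's default) and a missing `allow-recursion` as something to review against your version's built-in default rather than guessing it.

```python
"""Classify a BIND options block as an open, restricted or non-recursive resolver."""
import re

# Constructed: recursion for anyone on the Internet (the open-resolver case).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;              // answers recursive queries ...
    allow-recursion { any; };   // ... for anyone who asks
};
"""

# Constructed: recursion only for our own address range and localhost.
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; localhost; };  # only our own clients
};
"""

# Constructed: an authoritative-only server that never recurses.
AUTH_ONLY_CONF = """
options {
    directory "/var/named";
    recursion no;
};
"""

OPEN_ACL_ENTRIES = {"any", "0.0.0.0/0", "::/0"}


def _strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts before matching."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def classify_recursion(conf: str) -> str:
    """Return 'closed', 'open', 'restricted' or 'default-acl'."""
    text = _strip_comments(conf)
    # Negative look-behind keeps this from matching inside "allow-recursion".
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    recursion_on = (rec.group(1) == "yes") if rec else True  # BIND default: yes
    if not recursion_on:
        return "closed"
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if acl is None:
        return "default-acl"  # relies on the built-in default: review it explicitly
    entries = [e.strip() for e in acl.group(1).split(";") if e.strip()]
    if any(e in OPEN_ACL_ENTRIES for e in entries):
        return "open"
    return "restricted"


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("auth-only", AUTH_ONLY_CONF)]:
        print(f"{name}: {classify_recursion(conf)}")
```

A server that only serves its own zones wants the `recursion no;` form; one that must recurse for its own users wants an `allow-recursion` list naming those users' networks and nothing wider.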
Such an attack has already happened. One ISP suffered an attack that employed 140,000 DNS servers and was able to generate over 10GB/s of data to flood the ISP network.
So, whilst a group of hackers might not be able to disable the Internet using DNS servers in the way originally talked about, there are other possibilities. And, consider for a moment what would happen if the DNS network were used to attack itself using such an amplification technique.
To those who say our DNS infrastructure can never be used to disable the Internet I say, never say never.
Cross-posted from Alan Woodward