OpGlobalBlackout succeeded without happening

An energetic threat can spread as much fear and chaos as the risk of a real attack

On Saturday, March 31, someone claiming to speak for the hacktivist collective Anonymous threatened to take down the Internet temporarily to get the attention of the world and demonstrate their power over cyberspace.

It was not surprising to most security experts that March 31 came and went with no sign of such an attack.

The threat included some detail on how "Anonymous" planned to attack the 13 top-level DNS servers, bring them down and thereby bring the Internet to a halt.

Most experts said the technique was technically possible, but very, very unlikely.

Various unnamed spokesbeings for Anonymous said the attack was complete BS, for reasons ranging from the possibility someone was trying to make Anonymous look bad to the chance a fringe clique of the group wanted to make its own mark with rogue attacks the rest of the organization opposed.

It's not clear which was more true, only that there was no attack and, apparently, no serious attempt to even launch one.

That doesn't mean the DNS servers OpGlobalBlackout threatened to attack are not vulnerable, only that it would take a far more sophisticated attack than the one threatened for Saturday to bring down top-level DNS servers.

A post on the blog NakedSecurity from security vendor Sophos, Ltd. goes into far more detail about the self-defending nature of the DNS network than I did in either of my posts passing along Anonymous denials that OpGlobalBlackout was real.

DNS servers in general are genuinely vulnerable to attacks with some similarities to the one threatened for March 31, however, according to blog author Alan Woodward, a computer science professor at the University of Surrey in the U.K.

It may be difficult to overwhelm top-level DNS servers because they're so widely distributed (on purpose) that they share no single points of failure. Lower-level servers could certainly be overwhelmed by a big enough DDOS attack, cutting off a local segment of the Internet rather than taking down the whole thing, Woodward wrote.

DNS servers could be a bigger threat than a target

More seriously – or at least more threateningly – DNS servers can actually be co-opted into becoming super-contributors to other DDOS attacks, Woodward wrote.

The technique, discussed as early as 2002, is called an "amplification attack" or "recursive name server reflection attack" in a 2006 research paper describing the vulnerability (PDF). Its authors are Randal Vaughn and Gadi Evron of Baylor University.

A normal request from a PC to a DNS server can prompt a response with 60 times as much data as the request.

Requests that spoof the address of a DDOS victim rather than the botnet-enslaved PC that actually sent the request prompt DNS servers to reply to the victim's machine, not the one that sent the request.

DDOSing a DNS server using requests with spoofed origin addresses can therefore force the DNS server to carry out the DDOS attack itself, with a volume of data traffic as much as 60 times as high as the botnet can deliver.

Aiming the spoofed messages at more than one DNS server keeps the attack from having only one source for the packet flood, increases the potential volume of the attack and interrupts service on other segments of the web by clogging their pipes as well, according to the paper and Woodward's summary of it.

Some media outlets predicted OpGlobalBlackout would actually use an amplification attack, though that conclusion was based on the same unreliable info as the original threat.

Amplification attacks happen occasionally, though they're not common and can potentially be shut down more quickly than typical botnet-launched DDOS attacks because DNS servers are under much closer watch and are much better managed than run-of-the-mill Internet client machines.
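
A defender's view of the reflection pattern described above, as an added example that is not from the original article or the cited paper: it scans a DNS server's query log for claimed source addresses that draw many high-amplification responses within a short window, the sign that the server is being used as a reflector. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (hypothetical format):
#   epoch_seconds claimed_source_ip qtype query_bytes response_bytes
SAMPLE_LOG = (
    # 40 small queries "from" one address, each answered with 60x the data
    ["%d 198.51.100.7 ANY 64 3840" % (1333152000 + i % 10) for i in range(40)]
    # ordinary client traffic with small responses
    + ["1333152001 192.0.2.10 A 60 120",
       "1333152003 192.0.2.10 AAAA 60 132",
       "1333152004 192.0.2.25 MX 62 180",
       "truncated line"]  # malformed entry, skipped by the parser
)

def parse(line):
    """Return (ts, src, query_bytes, response_bytes) or None if malformed."""
    try:
        ts, src, _qtype, qlen, rlen = line.split()
        return int(ts), src, int(qlen), int(rlen)
    except ValueError:
        return None

def find_reflection_targets(lines, window=10, min_queries=20, min_ratio=10.0):
    """Map each suspicious claimed source to (queries, amplification ratio).

    A source is flagged when, inside one time window, it appears to send many
    queries whose responses are far larger than the requests. With spoofed
    requests, that "source" is the victim receiving the flood.
    """
    buckets = defaultdict(lambda: [0, 0, 0])  # [queries, bytes_in, bytes_out]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, qlen, rlen = rec
        b = buckets[(src, ts // window)]
        b[0] += 1
        b[1] += qlen
        b[2] += rlen
    flagged = {}
    for (src, _win), (n, b_in, b_out) in buckets.items():
        ratio = b_out / b_in if b_in else 0.0
        if n >= min_queries and ratio >= min_ratio:
            if n > flagged.get(src, (0, 0.0))[0]:  # keep the busiest window
                flagged[src] = (n, round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for src, (n, ratio) in find_reflection_targets(SAMPLE_LOG).items():
        print(f"{src}: {n} queries in one window, {ratio}x amplification")
```

Addresses flagged this way are candidates for response rate limiting on the server, since the replies, not the requests, are what reach the victim.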

OpGlobalBlackout was a success

The OpGlobalBlackout attack wasn't an attempt to take down DNS servers, however. It wasn't a DDOS attack, a penetration attempt or a serious effort to shut down a big chunk of the Internet.

It was an exploit taking advantage of the fear of Internet users (and media covering that fear) to create the same effect an attack would have created: people talked about the attack, who was launching it and whether or how to counter the threat.

Terrorists don't blow up school busses because they want to kill children. They do it to create terror – fear of an imminent attack, chaos making it difficult for authorities to keep order and long-term anxiety among civilians designed to gradually erode their resistance by forcing the enemy to a state of defensive alert so high the enemy's government ends up punishing its own citizens in the effort to prevent another random catastrophe.

In that sense, OpGlobalBlackout worked perfectly. It generated a lot of fear, a lot of coverage and a lot of even denser ignorance about the methods and intentions of the real Anonymous.

That the "attackers" were able to create that impact without having to launch any real attack at all just makes the whole project that much more attractive to others who want to use fear of an attack rather than real attacks as a way to get the attention they want.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
