Is Anonymous making empty threats to (briefly) kill the Internet?

OpGlobalBlackout and the on-again/off-again intention to take down DNS and thereby the Internet

Hacktivist collective Anonymous has threatened to "shut the Internet down" on March 31.

In a message on Pastebin that went up four days ago – and was largely ignored by news media – posters claiming to be members of Anonymous announced a plan to stop web traffic in its tracks by taking down the 13 root DNS servers that direct requests for web pages to the correct physical server.

The group posted a video yesterday promising "Operation Blackout" will 404 most or all of the web that is accessible from the United States.

"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs [and for] sheer sadistic fun, On March 31, anonymous will shut the Internet down." – Pastebin post from presumed members of Anonymous, Feb. 12, 2012

According to the video, OpBlackout will also be a lesson to both the people and government (specifically of the U.S.) in what real Internet censorship means, what citizens lose by going along with efforts to censor the Internet and how powerful the opposition is to continuing efforts to censor the Internet.

"The United States is censoring the Internet. Our response is that we will not sit by while our rights are taken away by the government we trusted to preserve [those rights]," the automated text-to-speech voice said on the video.

Still fighting forces of censorship, SOPA, PIPA, ACTA, FBI, CIA, ETC.

Though the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) were sunk in Congress by overwhelming protests from Internet users, the Anonymous leaders of Operation Blackout connect SOPA, PIPA, the ACTA international copyright-enforcement treaty and the MegaUpload takedown as part of the same Internet-censorship movement.

"ISP blockades, DNS blocking, search engine censorship, web site censorship, and a variety of other methods that directly impose on the values and ideas of Anonymous, as well as the founding fathers of this country, who believed in free speech and [a free] press," according to the video.

The threat is part of a larger Anonymous response to the federal raids that shut down file-storage/file-exchange site MegaUpload in January, after which Anonymous hacked or DDOSed the FBI, Dept. of Homeland Security and a range of other agencies of the federal government.

It also follows on a call for Anonymous members and sympathizers to join in massive DDOS attacks on YouTube Jan. 5 and on Facebook Jan. 28, neither of which took place.

The Facebook attack in particular was derided as a fake by Anon members, though "fake" is relative when it comes to Anonymous. A previous threat to attack Facebook on Guy Fawkes Day was also "fake," because it was sponsored by only a small group of Anonymi, not a plurality of Anon participants or the core leadership groups.

There's no real telling if OpBlackout's targeting of root DNS servers is a similar fake, but it's an ambitious threat, considering the heavy bandwidth-management, security, traffic-filtering, backup, failover and other techniques used by DNS providers to make sure the servers are always available.

SANS Institute warned in 2002 that the root DNS server network was supremely vulnerable, a situation not substantially improved by April, 2011 when attacks on DNS servers affected hundreds of major sites.

Kill the Internet, wound it or just make it worry?

The Feb. 12 announcement described the tool it would use to attack DNS servers as a "Reflective DNS Amplification DDoS tool" based on the DHN tool from the AntiSec movement within Anonymous.

Both tools may be real and formidable; both or either may be fictional, as was the successor to the Low Orbit Ion Cannon (LOIC) Anonymous announced just before the OccupyWallStreet protest began; Occupy was real, the LOIC successor was fiction.

The AntiSec DHN tool is described in some detail here, but might still be wholly or partially fictional.

Here is the DNS vulnerability and exploit the attack will use, as described by Anonymous:

"While some ISPs uses DNS caching, most are configured to use a low expire time for the cache, thus not being a valid failover solution in the case the root servers are down. It is mostly used for speed, not redundancy. We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec's DHN, contains a few bugfix, a different dns list/target support and is a bit stripped down for speed.

The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query.

The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us."Pastebin post from presumed members of Anonymous, Feb. 12, 2012

Possible or not? Fake or not? No to one, probably yes to the other.

Twitter postings from Anonymous members don't give much indication whether the attack is for real or not. @OpBlackout doesn't mention it. @YourAnonNews retweeted someon else's warning that the whole thing is a fake: "Deception! Bad news for participating anons," the tweet, from @ultramegaman read.

Others flame it as a bad idea or as a "false flag" attack by national governments or security groups trying to make Anonymous look bad.

Security consultancy ErrataSecurity posted an explanation in detail why it believes the attack described either can't happen or wouldn't work. Too quick a response by defenders, too much bandwidth and backup.

An ameliorative video posted Feb. 9 – by someone other than the one who posted the other videos, claimed all the OpBlackout and OpGlobalBlackout threats were attempts to raise awareness "of what we can do, not what we will do."

Shutting down the DNS servers would have so negative an effect on the Internet, its users and the economy (not to mention Anonymous' reputation) that the actual operation would not be launched except when the need was dire, according to the video.

The shorthand for that is probably that Anonymous as a whole, or even a majority of its factions, wouldn't cooperate with the effort, probably for the reasons cited in the video.

If it is a false flag operation launched by intelligence or law-enforcement agencies against Anonymous, it's a good one. It uses a tactic likely to be very effective undermining the credibility of Anonymous and trivializing its genuine capabilities.

Is it still possible Anonymous will attack the root DNS servers March 31 in an effort to shut down the Internet for 72 hours?

Yes.

Is it likely to succeed?

No.

Is it likely to even happen?

No.

Anonymi, some among you are crying Wolf! a little too often. It hurts your credibility and enhances that of the agencies that call you irresponsible, capricious and disorganized.

I realize those are your cardinal virtues and how much you value them.

And I'm not encouraging anyone to attack critical parts of the Internet.

But frequent, empty threats don't do any faction in a dispute any good. They raise tensions and lower the likelihood anyone will believe the things you say you believe or the things you promise you could do.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies