It's widely known by now, that the Internet group called "Anonymous" is targeting an amplification attack against the DNS Root Servers. Much has been said about it and different people have different opinions.
To get to my point of view, I would like to present some background information.
The DNS name structure is shaped somewhat like a pyramid; The DNS architecture is based on a top down implementation,where the following can be considered members
This concept of a hierarchical authority is easier to understand if we examine a sample DNS name space and discuss the issues involved in assigning names within it. Naturally, we will want to start at the top of the name hierarchy, with the root domain. To start off the name space we must create top-level domains (TLDs) within the root. Now, each of these must be unique, so one authority must manage the creation of all TLDs. This in turn means that the authority that controls the root domain controls the entire name space.
On this way, the DNS structure is based on:
- Root: This is the conceptual top of the DNS name structure. The root domain in DNS contains the entire structure or references to the Top Level Domain (TLD) referred by a query.
- TLD Root: This is the root server for any specific TLD (.com, .br, .fr, etc)
- Domain Authoritative: A server responsible to map any ip address into a known "human format" names for any specific object in a domain. It consists of a domain and all the domains and objects within it. All authoritatives must connect together to the root (at some level).
The figure below, explains it:
Knowing it, it's easier to figure out why Anonymous is targeting the top level Root DNS Servers. By succeeding on taking down the top of DNS pyramid, they can prevent any DNS queries that needs to be forward to the DNS Root infrastructure to be timed-out and them the Internet will be unavailable.
But how they're planning to do it?
DNS Amplification Attacks
As we know, the DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone, and ending up at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies. They all accept messages (including requests and queries) from clients, which are then forwarded to other servers as necessary.
Ideally, a recursive name server should only accept queries from a local, or authorized clients, but unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data.Recursive name servers can be induced to participate in DDoS attacks in a number of ways.
A network of computers distributed on the Internet in a construct such as a Botnet, can send spoofed address queries to an Resolver (or resolvers) causing it to send responses to the spoofed-address target. Thereby, the resolver unwittingly participates in an attack on spoofed addresses. For example,high volumes DNS SERVFAIL (RCode 2) responses to a spoofed IP address can equal the damages of a large volume spoofed queries without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5.This amplification effect has been used in DNS based attacks for some time.
A visual explanation of an DNS Amplification attacks is in the picture below:
So, we can assume it's easy to shut down the DNS System?
The DNS Root Sever Infrastructure is deployed globally and is divided into 13 zones (A-M) each zone has a unique IPV4 and possibly also a IPV6 (not all zones). The total number of servers of all zones is around 256 servers.
Each zone is independent from the others, so we can assume that each one implements it's own defense mechanisms, but we can also assume that probably they all have:
- DDOS Detector and Mitigator;
- Firewalls (traditional)
- DNS Application Firewalls (layer 7 firewall)
- Intrusion Prevention Systems (IPS)
- Load Balancers
- DNS Servers
(I'm assuming this configuration because this is a common DNS Farm topology deployed at Tier1 Telcos).
Also, for high availability, all root servers sites makes use of anycast as their routing mechanism.
Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers all identified by the same destination address.
Anycast is usually implemented by using BGP to simultaneously announce the same destination IP address range from many different places on the Internet. This results in packets addressed to destination addresses in this range being routed to the "nearest" point on the net announcing the given destination IP address. For this reason, anycast is generally used as a way to provide high availability and load balancing for stateless services such as access to replicated data; for example, DNS service is a distributed service over multiple geographically dispersed servers.
So, multiple sites running multiple servers under the same zone share a unique IP Address using a smart routing protocol that provides resilience and high-availability, correct?
So, how Anonymous claims that they'll be able to shutdown the root servers?
Let's take a look at some architectural gaps and possible attack vectors.
Attack Scenarios and effects
Anycast is a stateless methodology to route packets around the Internet, of course it allows a fast way to route packets but also it doesn't track failures. As stated earlier, anycast offers the nearest path for datagrams to reach an IP address geographically dispersed. On the DNS case, all servers in the same zone.
We can now, dig into some scenarios:
Let's imagine that a given DNS site in a given DNS zone is successfully shutdown by Anonymous (only the DNS Service) but the network path is still available. In this case, the route will not be removed from the BGP routing advertisement database and users under certain locations will not be able to reach that specifically root server IP address even if other sites in the some zone are online.
This is a much better situation than shutting down a whole DNS zone (that could prevent entire world regions from reach their designated root servers) but is still a problem.
We can also imagine that not all the root servers are online at all times. This could reduce the response capabilities of the DNS root servers and make the infrastructure more susceptible to DDOS attacks.
And, DNS is all about latency, so a root server site operating at critical performance levels could drop queries and create a "domino effect" where people will start having a lot of "timeout" messages when trying to use Internet Services.
It is it? If one fails, some people will be completely out of the Internet?
More or less.
Reducing Attack Effects
There's a lot of possibilities that can reduce or even mitigate the chanche of people being unable to access the Internet, even in a very unlikely scenario of a DNS root server zone shutdown.
- Time To Live - DNS domains (like youtube.com, google.com and all others) have ttl (time-to-live) parameters that dictates how much time a zone record can kept in a dns server cache, so it can reply directly it's users before going out to the Internet to get answers every time. This feature, of course can help people to continue accessing the Internet for a period (depending on each domain configuration) before the ttl expires, in a situation where the root server isn't available (and this gives some time for the admins to solve a shutdown situation.
- DNS Cache - DNS Cache maintains large online (in-memory) database of dns information, this is used to avoid the DNS Resolver to going to the internet every time to get the same information over and over. Some DNS Caches allow the administrators to setup their own TTL's for existing stored domains continuously answering queries without touching a root server. Again, this is helpful in a root server failure situation.
- A lot of backbone - The root servers are deployed on strategic places and have a lot of available bandwidth to use. Hard to shut them down just by bandwidth saturation.
- Anycast - It provides resilience for the DNS root server zones.
And there's nothing we can do about the attack?
Sure, there's some techniques that can be deployed to prevent this to happen.
For Root servers administrators (They already know it):
- Deploy Access Rules in a peering router/firewall to prevent DNS traffic where the root server ip is the source address.
- Deploy Application Aware Firewalls for the DNS protocol. Those firewalls can track and block invalid RR's, same source-destination ip address and several other DNS anomalies.
- Deploy denial of service detection/mitigation tools.
- Apply anti-spoofing techniques.
For DNS Administrators (Many already know it):
- To implement full source address validation on their networks. If no network could spoof the root server IP source addresses on queries, then reflection attacks upon the root server infrastructure could not work.
- To verify of their DNS resolvers are configured in a "Open Resolver" way and change it in case of a yes answer. What this means is that a "Open Resolver" will answer any query from any server, even if it's not an original dns client.
- To deploy DNS Application Firewalls;
For Users (some might know it):
- Look for possible infections (running an AntiVirus and anti-malware engines) to try to detect and clean possible malicious software that can be used to launch attacks;
- Deploy a personal firewall that can block non solicited incoming sessions;
- If you volunteered to have your PC used in the attack, you still have time to rethink it.
Ok, and there's something else?
Yes, here's my two final cents.
- Anonymous is known to not advertise their targets earlier, so this is a quite unique situation where they declared their targets with weeks in advance. Curious, isn't it?
- Also, there's a lot of techniques that prevents Amplification/Spoofed Attacks to be sucessful, so why to insist on it?
- It's certain that Anonymous is developing a new DDOS Tool (new Low Orbit Ion Cannon?). And if it is, how it works?
- Could all this advertisiment around the Amplification Attack just a decoy for something different? An DNS exploit, per example? Time will tell.
- Even if a DDOS attack against the root servers come to be well suceeded, Anonymous shall keep it for days to really affect the Internet.
- I don't see how an attack against the root servers will be sucessful. Let me just say that "there are better targets" if you're trying to shut down the Internet.
And let's wait for March'31.
Anycast - http://en.wikipedia.org/wiki/Anycast
How Anonymous plans to use DNS as a wepon - http://arstechnica.com/business/news/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon.ars/2
Strategies for fight DDOS attacks - http://www.cyberwarzone.com/cyberwarfare/10-strategies-fight-anonymous-ddos-attacks
Root Severs Info - http://www.root-servers.org/