
End of the World/Internet on 31-March-2012?

Chris Buijs

Well… Maybe not the world, but the Internet it seems.

According to a Pastebin letter, Anonymous announced they will black out the Internet on the 31st of March.

See the announcement here: Announcement

They even explained how to do it: by attacking the DNS root servers on the Internet using a reflected amplification attack.

If this is successful, the root DNS servers will become unresponsive and unable to handle any other requests, breaking DNS resolution as we know it and rendering many Internet applications like browsers, mail, VoIP and instant messaging useless or unavailable.

I am a bit 50/50 on this. First of all, would Anonymous be capable? Probably they are, if we look at their track record in the last months/years (with a bit of a difference: the magnitude of the attack is much bigger than before). Previous targets were mostly companies/governments that were directly attacked; this is a world network and will affect most of us as well.

What if this is just fake? Still it scares me somehow. I have wondered about the root DNS servers for some time now and in the past there were some semi-successful attacks already utilising vulnerabilities in DNS software or by just overload/DDOS.

I guess it's possible but I can not compute what is needed to do so. Lots and lots of DNS servers I'm guesstimating.

It may be a domino effect when they start and probably the attacking DNS servers used will be locked out of the Internet. But if these are legitimate DNS servers that are mis-used, it shuts out users of the DNS server as well and so the problem becomes larger.

Then there is caching, the announcement states that many providers use low TTL's anyway, making their attack more successful. This implies that they "override" the TTL ignoring the TTL's that are accompanied with the root DNS server records. Which is plausible, but still it takes time to bleed dry. And of course this is against the DNS "law" :-).

So DNS admins, please don't override the TTL's, and change them now to honour them as intended, you still have 6 weeks to go! :-).
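To make the caching point concrete, here is an added example (not part of the original post) that replays lookups through a small delegation cache during a root outage, once honouring the published TTL and once with an operator cap. The 172800-second value is the TTL on TLD NS records in the root zone; the 300-second cap, the 12-hour outage and the class and function names are assumptions chosen for illustration.

```python
ROOT_DELEGATION_TTL = 172800  # TTL of TLD NS records in the root zone (2 days)


class DelegationCache:
    """Cache of TLD delegations with an optional operator-imposed TTL cap."""

    def __init__(self, max_ttl=None):
        self.max_ttl = max_ttl  # None = honour the published TTL
        self.expiry = {}        # tld -> absolute expiry time in seconds

    def lookup(self, tld, now, root_reachable):
        if self.expiry.get(tld, -1) > now:
            return "cache"      # still valid, no root query needed
        if not root_reachable:
            return "fail"       # expired and the root does not answer
        ttl = ROOT_DELEGATION_TTL
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        self.expiry[tld] = now + ttl
        return "root"


def simulate(max_ttl, outage_start=86460, outage_len=43200, step=60,
             tlds=("com", "net", "org")):
    """Replay one lookup per TLD every `step` seconds across a root outage."""
    cache = DelegationCache(max_ttl)
    stats = {"root_queries": 0, "failures": 0, "first_failure_after": None}
    for now in range(0, outage_start + outage_len, step):
        reachable = now < outage_start  # hypothetical outage: root silent afterwards
        for tld in tlds:
            result = cache.lookup(tld, now, reachable)
            if result == "root":
                stats["root_queries"] += 1
            elif result == "fail":
                stats["failures"] += 1
                if stats["first_failure_after"] is None:
                    stats["first_failure_after"] = now - outage_start
    return stats


if __name__ == "__main__":
    print("honoured TTL :", simulate(max_ttl=None))
    print("capped at 300:", simulate(max_ttl=300))
```

The capped resolver starts failing four minutes into the outage and, before it, sent 867 queries to the root where the honouring resolver sent 3, so overriding TTLs both shortens survival and adds load on the servers under attack.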

Even then… There is some consensus that it will take roughly 5 to 7 days of continuous attack before "Internet" will be unusable. It will break bit by bit during that time of course.

Then the attack itself is described as a reflective amplification attack. Reflective because the "attacker" is not attacking the root DNS servers directly, but uses other DNS servers, spoofing itself as the root DNS server. And amplification, as the response/answer to the (attack) query is larger than the query itself.

Makes sense, but relies on vulnerabilities of the DNS software, and DNS servers free to use without any security measures… And that scares me because there are many DNS servers out there, and many of them are vulnerable. Studies last year even tell us that the number of these (vulnerable) servers is increasing, not decreasing.
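For operators who want to know whether their own resolver is being used as a reflector, here is an added detection sketch (not part of the original post). It reads a query log and flags claimed source addresses that receive far more bytes than they appear to send; the log format, thresholds, allowed-client network and sample lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log, not real traffic. Fields:
# epoch client_ip qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
1000 192.0.2.10 www.example.com. A 44 60
1000 198.51.100.53 example.org. ANY 40 3100
1000 198.51.100.53 example.org. ANY 40 3100
1001 198.51.100.53 example.org. ANY 40 3100
1001 192.0.2.11 mail.example.net. MX 45 120
1002 198.51.100.53 example.org. ANY 40 3100
1002 198.51.100.53 example.org. ANY 40 3100
1003 203.0.113.7 example.com. A 40 56
"""

# Assumption: the only networks this resolver is meant to serve.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, ip, _qname, _qtype, q_bytes, r_bytes = parts
        yield int(ts), ipaddress.ip_address(ip), int(q_bytes), int(r_bytes)


def find_reflection_targets(log, window=10, min_queries=5, min_ratio=10.0):
    """Flag claimed source IPs that receive far more bytes than they 'send'."""
    buckets = defaultdict(lambda: [0, 0, 0])  # queries, query bytes, response bytes
    for ts, ip, q_bytes, r_bytes in parse(log):
        b = buckets[(ts // window, ip)]
        b[0] += 1
        b[1] += q_bytes
        b[2] += r_bytes
    findings = {}
    for (_win, ip), (count, q_total, r_total) in buckets.items():
        ratio = r_total / max(q_total, 1)
        if count >= min_queries and ratio >= min_ratio:
            findings[str(ip)] = {
                "queries": count,
                "ratio": round(ratio, 1),
                # True means recursion was served to a network it should not be.
                "outside_acl": not any(ip in net for net in ALLOWED_CLIENTS),
            }
    return findings
```

A finding with `outside_acl` set means the resolver answered recursive queries for an address it was never meant to serve, which is the condition to close with a recursion ACL or response rate limiting.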

How about the public DNS services like Google Public DNS and OpenDNS? Well, they probably will not be "used" in the attack, but they use the DNS root servers as well for DNS resolution. So they will be affected. I guess they counter-measure things by easing the pain, like statically caching all the TLDs.

Still trying to figure out the impact of this, depending on how hard the root DNS servers will be hit. If they are hit at all, of course. The effect could range from noticeable to complete unavailability of the prime services and applications we use daily/hourly.

I think we should worry and rethink this whole root DNS server thing anyway, as besides the Anonymous announcement, they are becoming increasingly attractive to attack.

It's all an "if" story but we will be on our toes…

By Chris Buijs, Head of Delivery. More blog posts from Chris Buijs can also be read here.

Related topics: Cyberattack, DDoS, DNS, Security



Timing? Garth Bruen  –  Feb 17, 2012 7:29 AM PDT

Why March 31st? May 1st would be more symbolic, or Guy Fawkes Day - November 5th. Is there a significance behind the date?

Not sure why 31st of March has Chris Buijs  –  Feb 17, 2012 9:41 AM PDT

Not sure why 31st of March has been chosen…

The 1st of April would be much more appropriate I guess :-).

I guess other groups will give it a try before now and claim victory (or not)…

Or maybe it's just a fake date and the attack will or will not happen at an off-guard moment…

Well… We are talking about it, so maybe that's the only reason, fear, uncertainty and doubt… :-)

Why announce it anyway?

Duh... Garth Bruen  –  Feb 17, 2012 10:01 AM PDT

Right, the night before April Fools Day

Google DNS and OpenDNS do not use the root name servers in real time Paul Vixie  –  Feb 21, 2012 11:31 AM PDT

I asked. They said they use the root zone in "transfer mode". So the two largest public recursive DNS services, Google and OpenDNS, never send any queries to the name servers that the threat signed by Anonymous claims to plan to target.

"Transfer mode" access is a mixed blessing and it's not for everybody. But it's free and it's available and I encourage expert DNS operators to consider using this the same way that Google and OpenDNS do.

The Internet has the response JFC Morfin  –  Feb 28, 2012 6:10 PM PDT

The internet has the response:

1. it may use 65.635 different root files.
2. it does not need real time root servers.

However, this is true: the ICANN/NTIA class "IN" is vulnerable to this kind of DoS attack the way it is being used. This is why we need to get rid of the ICANN maintained single point of failure and contention in the whole digital ecosystem (WDE) and keep the Internet fool/merchant proof, the way it is designed.

For those interested in exploring, documenting and deploying a more robust and smarter Internet: http://www.ietf.org/internet-drafts/draft-iucg-iutf-tasks-00.txt and http://www.ietf.org/internet-drafts/draft-iucg-internet-plus-08.txt. There are opportunities and work ahead.

We really need to be protected from the Icannonymous!


We are still here... Chris Buijs  –  Mar 31, 2012 1:55 PM PDT

Seems it was a fake as expected! Glad to see Internet is still here ;-).

The stophaus reflective attack ... Chris Buijs  –  Mar 29, 2013 1:00 AM PDT

So, with the stophaus attack going on last week, it seems that this is now feasible material and a potential real threat, I would say.
