By Steve Elwart
In the era of modern cyberwarfare, even seemingly fantastic claims are taken seriously. A new threat on the horizon sounds unreal but is getting serious attention from cyber specialists.
But is it really more than an electronic April Fools' Day joke?
“Operation Global Blackout” is a plan by a group of hackers to shut down the Internet by attacking the root name servers, the machines at the top of the Internet's naming system.
The hackers, claiming to be the infamous hacktivist network Anonymous, said that they are going to shut down the Internet to protest “SOPA (Stop Online Piracy Act), Wallstreet (sic), our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs.”
The group says its intent is not to destroy the Internet but to disable it temporarily to draw attention to its demands.
The threat of an attack is reminiscent of the Jan. 18 protest in which Wikipedia took its website dark to protest the SOPA and PIPA (Protect IP Act) bills in Congress that were meant to stop the illegal sharing of movies and music on the Internet.
Every website has a numeric IP, or Internet Protocol, address. The root name servers are a critical part of the Internet because they are the first step in translating website names into the IP addresses used to reach websites.
WND has a domain name, WND.com, and a corresponding IP address. Rather than try to remember the IP address, a person can type the name of the website. A resolver, usually run by the user's ISP, then looks up the address in stages. A root server does not know WND.com's address itself; it refers the resolver to the servers for .com, which in turn refer it to WND's own name servers, which return the address. The resolver remembers each step for a period set by the record's time-to-live, and the referral to .com is typically kept for two days, so most lookups never touch a root server at all.
Currently there are 13 root server addresses, lettered A through M. They do not carry Internet traffic; they only answer the referral queries at the top of the domain-name system. Attacks that kept them from answering could, over time, disrupt the Web by leaving resolvers unable to learn where the .com and other top-level servers are.
These servers, however, are highly resilient and distributed, with backup systems if a server were to fail. Any attack on them would have to be coordinated and hit all of the servers at once.
While the root servers are designed to withstand such an attack, the hackers believe they have found a way to make other machines on the Internet do the work for them, in what is called a distributed denial-of-service attack, or DDoS.
Operation Global Blackout calls for supporters to download a DDoS tool, called Ramp, which would flood the root name servers with more requests than they can process. If the root servers could not be reached, and a resolver's cached referrals had expired, anyone entering the name of a website would get an error saying the site could not be found.
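To make the caching point concrete, here is a toy iterative resolver, added as an example for this article rather than anything the author or Anonymous published. It walks the root, top-level and domain steps described above, caches each answer for its time-to-live, and then simulates a root outage. The zone data, server names and addresses are constructed (documentation address space and an `.example` server name), and no packets are sent.

```python
"""Added example, not from the article: a toy iterative resolver showing
why knocking out the root servers does not instantly break name lookups.

All zone data below is constructed for illustration; the 172800-second
(two-day) TTLs mirror the real TTL on the com delegation. No network I/O.
"""


class RootUnreachable(Exception):
    """Raised when a lookup needs the root and no root server answers."""


# Constructed referral chain: each "server" is a dict of name -> (type, value, ttl).
ROOT = {"com.": ("NS", "a.gtld-servers.example.", 172800)}   # placeholder name
TLD_COM = {"wnd.com.": ("NS", "ns1.wnd.com.", 172800)}
AUTH_WND = {"wnd.com.": ("A", "192.0.2.10", 300)}            # documentation address


class Resolver:
    def __init__(self, root_up=True):
        self.root_up = root_up        # flip to False to simulate a root outage
        self.cache = {}               # (type, name) -> (value, expiry)
        self.root_queries = 0         # how often we actually needed the root

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _store(self, key, record, now):
        _rtype, value, ttl = record
        self.cache[key] = (value, now + ttl)
        return value

    def resolve(self, name, now=0):
        """Return the A record for a two-label name like 'wnd.com.'."""
        cached = self._cached(("A", name), now)
        if cached:
            return cached
        tld = name.split(".", 1)[1]                       # 'wnd.com.' -> 'com.'
        # Step 1: who serves the TLD? Only the root knows, unless we cached it.
        if self._cached(("NS", tld), now) is None:
            if not self.root_up:
                raise RootUnreachable("no root server answered for " + tld)
            self.root_queries += 1
            self._store(("NS", tld), ROOT[tld], now)
        # Step 2: the TLD server refers us to the domain's own name servers.
        if self._cached(("NS", name), now) is None:
            self._store(("NS", name), TLD_COM[name], now)
        # Step 3: the domain's own server finally returns the address.
        return self._store(("A", name), AUTH_WND[name], now)


def outage_demo():
    """One good lookup, then the root goes dark: cached referrals carry on
    until the two-day delegation TTL runs out."""
    r = Resolver()
    first = r.resolve("wnd.com.", now=0)
    r.root_up = False
    an_hour_later = r.resolve("wnd.com.", now=3600)      # served without the root
    try:
        r.resolve("wnd.com.", now=172801)                 # com referral has expired
        after_ttl = "still resolved"
    except RootUnreachable:
        after_ttl = "failed"
    return first, an_hour_later, r.root_queries, after_ttl


if __name__ == "__main__":
    print(outage_demo())
```

The simulation contacts the root exactly once; the lookup an hour into the outage still succeeds, and only after the delegation's TTL expires does resolution fail. A real outage would therefore be felt unevenly, as different resolvers' caches expired at different times, which is part of why the researchers quoted below expected little visible effect.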
Anonymous said the global shutdown “may only lasts [sic] one hour, maybe more, maybe even a few days. … Remember, this is a protest, we are not trying to ‘kill’ the internet, we are only temporarily shutting it down where it hurts the most. … No matter what, it will be global. It will be known.”
However, shutting down the servers may not be as simple as Anonymous believes. Kim Davies from the Internet Corporation for Assigned Names and Numbers, ICANN, said, “There are not 13 root servers. There are many hundreds of root servers at over 130 physical locations in many different countries.”
Also protecting the servers is a technique called “anycasting.” Under anycast, many physically separate machines announce the same IP address, and the Internet's routing system delivers each query to the nearest of them. Each of the 13 root server addresses is therefore answered by dozens of servers spread around the world, and an attacker's traffic is split among them rather than landing on one machine.
Robert Graham of Errata Security wrote, “The Anonymous hackers can certain[ly] cause local pockets of disruption, but these disruptions are going to be localized to networks where their attack machines are located. They might affect a few of the root DNS servers, but it’s unlikely they could take all of them down, at least for any period of time. On the day of their planned Global Blackout, it’s doubtful many people would notice.”
Other researchers also believe this may be a big April Fool’s joke. Some believe it is an example of what the cyberworld calls “trolling,” posting false, inflammatory messages to the Internet merely to provoke a response.
Those in the hacking world aren't so confident. The Anonymous members plan to use a relatively little-known technique called DNS amplification. Despite the talk of an “exploit,” it relies on no flaw in the root servers' software. The attacker sends small DNS queries to ordinary name servers that will answer anyone, forging the source address so that the queries appear to come from the target. Each server then sends its reply, which can be many times larger than the query, to the target instead of to the attacker. A modest stream of forged queries thus becomes a far larger flood of responses arriving at the root servers from many directions at once, while the attacker's own machines never contact the root servers directly.
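What that looks like from the target's side of the wire is the tell-tale a network operator would look for: DNS responses arriving from many servers that the target never queried. The following detector, added here as an example and not drawn from the article or from any tool named in it, runs over a constructed packet-summary log (documentation address ranges; `198.51.100.9` plays the spoofed victim and `198.51.100.7` a resolver doing ordinary lookups) and reports hosts receiving unsolicited replies.

```python
"""Added example, not from the article: spotting the receiving end of a DNS
amplification attack in a packet summary log.

The log below is constructed. Addresses are from documentation ranges
(198.51.100.0/24, 203.0.113.0/24); 198.51.100.9 plays the spoofed victim
and 198.51.100.7 a resolver doing ordinary lookups.
"""
from collections import defaultdict

# Fields: src_ip, src_port, dst_ip, dst_port, udp_payload_bytes, is_response
LOG = [
    ("198.51.100.7", 40001, "203.0.113.53", 53, 45, False),    # our resolver asks
    ("203.0.113.53", 53, "198.51.100.7", 40001, 120, True),    # ...and gets a normal answer
    ("203.0.113.1", 53, "198.51.100.9", 53, 3100, True),       # answers nobody here asked for
    ("203.0.113.2", 53, "198.51.100.9", 53, 2900, True),
    ("203.0.113.3", 53, "198.51.100.9", 53, 3300, True),
    ("203.0.113.1", 53, "198.51.100.9", 53, 3100, True),
    ("198.51.100.7", 40002, "203.0.113.2", 53, 45, False),
    ("203.0.113.2", 53, "198.51.100.7", 40002, 3300, True),    # big but solicited
]


def find_reflection_victims(log, min_responses=3):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS responses.

    A host that sent no query to a server yet receives that server's reply is
    the classic symptom of someone forging the host's address as the source.
    """
    asked = set()   # (client_ip, client_port, server_ip) triples we saw queries for
    for src, sport, dst, dport, _size, is_resp in log:
        if not is_resp and dport == 53:
            asked.add((src, sport, dst))
    stats = defaultdict(lambda: {"responses": 0, "bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, size, is_resp in log:
        if is_resp and sport == 53 and (dst, dport, src) not in asked:
            s = stats[dst]
            s["responses"] += 1
            s["bytes"] += size
            s["reflectors"].add(src)
    return {ip: s for ip, s in stats.items() if s["responses"] >= min_responses}


def amplification(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    for victim, s in find_reflection_victims(LOG).items():
        print(victim, s["responses"], "responses,", s["bytes"], "bytes from",
              len(s["reflectors"]), "reflectors")
    print("a 45-byte query answered with 3100 bytes: %.1fx amplification"
          % amplification(45, 3100))
```

On the constructed log the victim receives four unsolicited replies from three reflectors, while the large but solicited answer to the legitimate resolver is correctly ignored. A production version would match queries and replies within a time window rather than across the whole log, but the principle is the same: volume alone is not the signal, unsolicited volume is.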
While some analysts do not think this current threat is real, previous attacks on the name servers have been taken very seriously.
March 8 was the original date for the FBI to switch off the replacement name servers it has been running for millions of users whose computers are infected with a piece of malware called the DNSChanger Trojan, a step that would cut those machines off from the Internet. The malware has infected millions of computers in more than 100 countries. (The date has now been postponed to July 9.) The program changed the DNS settings of infected computers, known as bots, so that their name lookups went not to their ISP's servers but to rogue name servers in Estonia, New York and Chicago, turning the infected machines into a botnet under the gang's control.
The rogue servers returned altered answers, showing fake search results and promoting fraudulent and dangerous products. Because every visit to a website starts with a name lookup, the botnet could show its victims a false version of the Internet.
The FBI took over the botnet's “command and control” servers in November as part of Operation Ghost Click and replaced the rogue name servers with clean ones so that infected machines would keep working. One reason the FBI has not switched those off yet is that almost half a million computers still have the malware installed; left online, they also remain available to be repurposed by another hacking group, for example as a DDoS attack. (The DNSChanger Working Group has information on its website on how to test for and clean a machine of the malware.)
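The test the working group recommends amounts to checking which name servers a machine is configured to use. The script below, added as an example and not the working group's or the FBI's own tool, does that check against the six address ranges the FBI published for the rogue servers. The `resolv.conf` text it reads is constructed; on a real Unix-like host you would read `/etc/resolv.conf`, and on Windows the “DNS Servers” lines of `ipconfig /all`.

```python
"""Added example, not from the article: check whether a machine's configured
DNS servers fall inside the address ranges used by the DNSChanger gang.

The six ranges are the ones the FBI published with Operation Ghost Click.
The resolv.conf text below is constructed, not taken from any real host.
"""
import ipaddress

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration
search example.net
nameserver 85.255.113.4
nameserver 192.0.2.1
"""


def nameservers(resolv_conf_text):
    """Extract the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue          # ignore malformed entries
    return servers


def rogue_servers(servers, ranges=ROGUE_RANGES):
    """Return, as strings, the servers that sit in a known DNSChanger range."""
    return [str(s) for s in servers if any(s in r for r in ranges)]


def check(resolv_conf_text):
    """Convenience wrapper: resolv.conf text in, list of rogue servers out."""
    return rogue_servers(nameservers(resolv_conf_text))


if __name__ == "__main__":
    hits = check(SAMPLE_RESOLV_CONF)
    print("rogue DNS servers configured:", ", ".join(hits) if hits else "none")
```

One caveat a practitioner would add: many home machines list their router, or a local address such as 127.0.0.1, as their name server. In that case the check has to be repeated against the upstream servers the router or local resolver actually forwards to, which is where DNSChanger's changes were often found.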
Given the constant attacks on the Internet and the world’s critical infrastructures, the long term prognosis for defeating cyberattacks is grim. Cyberwarfare is a form of asymmetric warfare in which it is far cheaper in terms of money and manpower to launch an attack than guard against one.
Hackers repeatedly have shown great ingenuity in defeating firewalls and other defenses, stealing vast amounts of data and bringing computer systems to their knees.
Gen. Keith Alexander, head of the U.S. National Security Agency, testified in Congress that computer hackers could have the ability to take down the entire U.S. electrical grid within the next two years.
In previous testimony, Alexander warned that hacking groups such as Anonymous are moving in a more disruptive direction by attempting to do physical damage to critical infrastructures.
The final outcome of the battle remains very much in doubt.
Steve Elwart, P.E. is the Senior Research Analyst with the Koinonia Institute and a Subject Matter Expert for the Department of Homeland Security. He can be contacted at firstname.lastname@example.org.