Gumming up the internet: When DNS servers attack..


The much discussed threat to stop the internet, termed “Operation Blackout”, purportedly made by Anonymous, did not transpire this weekend.

Post on PasteBin about Operation Blackout

What caused so much attention was not just that it was from someone claiming to be Anonymous, who have shown themselves to be very effective at conducting internet attacks in the past.

The threat gave some quite specific details about how the attack would be done, and what would be attacked. The type was a Distributed Denial Of Service (DDoS) attack and the target was the Domain Name Service (DNS).

Web browserThere were many reasons why the attack, as originally described, would not have succeeded.

At a basic level, announcements were issued by others also claiming to be Anonymous, saying they were not responsible for the threatened action.

However, it is perhaps complacent to ignore the threat that was made, as DDoS attacks are becoming very widespread and the DNS is critical to the functioning of the web.

So, what are DDoS attacks, why is the DNS so important, and could a DDoS attack really decapitate the internet by attacking the DNS?

Denial Of Service Attacks are known by a number of names: smurf attacks, pings of death, teardrop attacks are just some of them. These are all just variants of the same fundamental attack, which the CERT Coordination Centre at Carnegie Mellon University characterizes as an explicit attempt by attackers to prevent legitimate users of a service from using that service.

CERT gives a number of examples of how this might be achieved:

  1. “flood” a network, thereby preventing legitimate network traffic. In practice, it is this technique which is used by the likes of Anonymous
  2. disrupt connections between two machines, thereby preventing access to a service
  3. prevent a particular individual from accessing a service
  4. disrupt service to a specific system or person.

Malicious attackers most often create the avalanche of data required by using many computers spread across the internet, all flooding a single victim in a coordinated attack.

Hence, it becomes a Distributed Denial Of Service attack. Sometimes this coordination is voluntary, with hacking groups all using similar tools to fire data at a victim.

Groups such as Anonymous have developed their own tools to help their supporters do this.


First they began with the rather grandly named Low Earth Orbit Ion Canon (LOIC), after which they progressed to the similar High Earth Orbit Ion Canon (HOIC). These tools make it horribly easy for a user, including a non-technical participant, to attack (or “lazer”) a victim.

Although these attack were outlawed in the UK in the Police and Justice Act 2006, carrying a sentence of up to 10 years in prison, often the coordination is involuntary and those participating in the attack may not even know they are contributing to the data tsunami hitting a victim’s system.

This is achieved by infecting machines with a piece of malware that can be controlled by the hackers remotely, to generate the data and send it to specific targets. One of the best known examples of this was the MyDoom worm.

DDOS attack

Not only do those contributing not necessarily know they are part of the attack, but if the attack is launched from one country on another, the jurisdictional issue become a nightmare.

A good example was the attack launched on Interpol on 28th February 2012, which when analyzed, appears to have been a HOIC attack but with sources from across the globe.

It is easy to see that with enough computers engaging, either voluntarily or involuntarily, in an attack against a target, the victim can be overwhelmed. Whilst there are defenses against these attacks, DDoS remains one of the most problematical, yet easy to mount, attacks on the internet.

Which brings us to the DNS. This is one of the elements that turns the internet into the World Wide Web. It is essentially the phone book for the web.

We are all used to typing in names such as into our browser, but the Internet actually knows this website as an IP address:

The DNS is what your computer refers to in order to convert one to the other. The DNS is a tree structure that spreads across the internet and it begins at the top with 13 top level “domains” which pass data to the lower levels.


Worms such as MyDoom have us taught very important lessons and so, for example, the 13 top level domains are distributed across many physical systems, sometimes in different countries. An up to date view of what lies where and who is running it can be seen at

So, is this all a non-issue? Well, not quite.

Lower level DNS elements can be targeted by DDoS attacks and by doing enough of these, even with the redundancy in the DNS, you can start to cause some disruption.

It is highly unlikely you would decapitate the internet, but you could certainly gum up the works on a local basis.

However, there is a little talked about a aspect of DNS systems that can actually result in them becoming part of the attack rather than the victim. This “amplification attack”, which was reported in a paper in 2006 [PDF], relies upon two facts:

  1. The response to a DNS lookup request returns far more data than is in the original request (up to 60 times).
  2. A request can spoof the address from which it comes, such that the answer is sent to a target machine.

Digital attack. Image from ShutterstockYou can see how if you have enough machines sending requests to a DNS server, all pretending to be a single machine, that the DNS can actually be obliged to help swamp a target with data.

If you usurp many DNS servers in this way, then you can produce an enormous amount of data, enough to flood whole networks.

There are ways to configure these DNS systems so that they cannot be used for such an attack, but this is not done as a matter of routine.

And, with ten million DNS servers now within the DNS structure on the internet you don’t need much imagination to see how a large scale attack could be mounted.

So, with DDoS attacks being such a problem, and the DNS a possible source of such attacks, we need to think of the DNS not just as a vulnerable part of the internet infrastructure, but as something that could possibly be turned against the internet it is intended to serve.

Image sources: Wikipedia, PasteBin
Digital attack image and web browser image from ShutterStock