31 March 2012


A group of hackers protesting against SOPA could attack today the DNS, potentially blocking the entire Internet.
The Domain Name System (DNS) is in charge of maintaining the Domain Name space and it provides the services mapping domain names on the correspondent IP addresses. Without this service it would almost be impossible to reach any web site or to access to most internet services. DNS can be considered, at the same time, a service, a protocol, an information infrastructure and an Internet critical infrastructure.

The core of the DNS in constituted by more or less 200 root servers, spread across the world. They are responsible for the resolution of the top level domain addresses. They are those knowing for example the IP address of the server responsible for the .com domain.
The attack described in the Anonymous’ post, is basically a reflective DDOS. By using known vulnerable DNS servers, they will try to overload the  root servers, making them basically blind to the queries of all the rest of the digital world.

GCSEC, the Global Cyber Security Center, is conducting since 2011 a broad study on the security and resilience of the DNS and on the effects of its failures on critical infrastructures. On the light of the experience accumulated in the field, GCSEC claims that the threat presented in the action plan of Anonymous is not negligible. In fact, also if all the ISPs usually adopt cache-resolvers (i.e. they maintain a sort of mirror of the most common DNS entries in their own servers), usually, to guarantee a high level of global coherence, the life-time of the information contained in these cache-resolvers is very short. In other words this information need to be refreshed quite often.

This means that, if the root-servers would be heavily and continuously attacked, Internet will start (at the begin slowly, but then increasingly faster) to collapse.

The success of a similar attack would depend, of course, from the amount of traffic the attackers are able to generate against the root servers. Even if it is true that it is not easy to reach a bandwidth consumption level sufficient to saturate their connections, as usual in the case of DDOS it is not possible to consider as lowly probable a similar event; it is only a matter of resources available on the attacker side.

As showed by GCSEC in its research works, the impact of a similar attack on the critical services of the modern society would be potentially enormous. Many experts are skeptical about the effect of such an attack: standing to the work of GCSEC (MENSA Project), DNS community does not have any shared metric or security control to guarantee the overall security status of the DNS. Can we then be 100 sure that nothing serious will happen?

Which actions would be needed for avoid similar threats? In this specific case, a quick and dirty solution to mitigate in the short term the effects of the attack could be the extension of  the life-time of the information stored into the ISP cache servers, especially regarding the addresses of the top level domain servers. This should cut-out from the resolution process the need for sending requests to the root servers, allowing to directly query the top level domain servers. Of course this solution would augment the risk of introducing incoherencies in the Internet, but, in the short term, it would help in mitigating the effects of the attack on the end-users. Unfortunately, the actual structure of the DNS, completely deregulated, does not allow to quickly adopt countermeasures against similar attacks. DNSSEC in the future will help preventing such attacks, but its adoption is still limited.

We have to realize that the DNS is the core of Internet and for that reason it need to be preserved. In the long term, it is needed to re-think completely its governance structure, instituting a dedicated Emergency Response Team, in charge for coordinating mitigation actions in case of attack and acting as hub for information sharing on vulnerabilities and specific threats. Moreover, the nature of the attack described by hackers (relying on vulnerable DNS servers), should make everybody involved on DNS Operations reflect about the need for an integrated framework allowing to asses the security, stability and resilience of the DNS at global and local level.

HACKERS COULD BLOCK THE INTERNET ATTACKING DNS ultima modifica: 2012-03-31T13:27:12+00:00 da Aramis

31 March 2012