I don't know if they're just simplifying things or are just clueless, but none of the 13 DNS roots are single servers. Most or all of them aren't even in a single physical site.
There's somewhere around 240 root server sites, each consisting of multiple physical servers, just served up on 13 IPs.
Given that many of these sites are colocated at interchanges and with providers with tons of multi-gigabit links, they have quite a challenge...
RIPE last year had an incident where they reported a fivefold increase in queries to the K-root without any operational problems, for example. They successfully handled close to 70,000 queries per second at one point.
I'll be surprised if they manage to even have a noticeable effect.
> Q: What if all root name servers would stop answering queries?
> A: Now you are stretching it. How likely is that? The diversity in the system will prevent that from happening. But let's treat it as a hypothetical case: In that hypothetical case the Internet will not suddenly grind to a halt. If absolutely nothing is done to correct the situation every hour about 2% of all queries will not be answered, 2% at the end of the first hour, 4% at the end of the second hour and so forth until 48h after the root name servers stop answering queries no DNS names can be resolved anymore. However it is even more hypothetical to assume that nothing will be done to correct this hypothetical situation.
> Even in the hypothetically hypothetical case that the root name server operators would do nothing to correct the situation, the IANA, TLD operators, ISPs and others would have the motivation and the means to take corrective action.
> Again: this is very hypothetical. DNS failures outside the root name servers are much more likely. Name service for the vast majority of top-level domains is very much less redundant than that of the root name servers. Whole top-level domains and major corporations have been unreachable for significant amounts of time because of DNS failures. Name service for the root zone has always been available.
http://www.isoc.org/briefings/020/
I think Anonymous doesn't really know how DNS works. The root nameservers don't serve zone data for most sites that people use anyway.
DNS is a distributed hierarchy for serving requests. It's designed to be fault-tolerant because if every name resolution (google.com->8.8.8.8) performed by a browser had to reach 13 servers in the world, we'd still be using gopher and newsgroups instead of the web.
DNS is distributed, hierarchical, redundant, and cached all over the place as much as possible. Even my laptop caches DNS queries until a reboot. Even if a DNS cache misses (which is infrequent), it goes to the nameserver hosting the zone, which isn't a root name server.
Bottom line, it's probably just a joke designed to get some attention and to experiment and see what actually does happen if you hit those servers.
And they are going to get around anycast redundancy how? [0] Also, what consumer level ISP allows egress of packets with a spoofed source IP?
[0] http://www.icann.org/en/announcements/factsheet-dns-attack-08mar07_v1.1.pdf
Isn't their example of google that won't be affected? I was under the impression that very few DNS queries actually go to the root nameservers as ISPs and so on have it all cached. And since I highly doubt there is any ISP that has not had a user visit google.com in the last 48 hours, Google will still function for people?
In fact, the only people I can see this affecting (in the unlikely event it does happen) are people setting up new sites.
Why do people always take these so seriously?
It's far more likely that a bored teenager somewhere wrote this.
Also, if we were to assume that Anonymous does actually exist in some semblance, they would never ship a notice like this with grammatical errors. They're small, but obvious.
I'll eat my foot if they actually manage to make a noticeable effect on the DNS servers anyway.
I'm pretty sure every hacker group has gotten this idea at one point or another. Has anyone even come close to taking down all the root DNS servers at once?
"To protest SOPA, Wall Street, our irresponsible leaders and the beloved
bankers who are starving the world for their own selfish needs out of
sheer sadistic fun, on March 31, anonymous will shut the Internet down."
What does taking down the internet have to do with that mission statement?
Leaving aside the why, I'm highly doubtful they'd be able to pull it off. Back in the Conficker days, it was rumored that it could be used to shut down the Internet with a similar mechanism. Conficker, I can see. Anon? Hell no.
Now, I'm thinking about the order of DNS requests... Local Hosts -> Router -> ISP/OpenDNS/etc -> On out to the Root Servers. Now wouldn't DNS caching make this attack only partially effective really... if it even worked?
9 of the 13 root servers were taken down via a DDoS back in 2002.
http://c.root-servers.org/october21.txt
Although the report states "2.4. There are no known reports of end-user visible error conditions during, and as a result of, this attack.", it's not entirely accurate. I personally experienced issues with name resolution shortly after the attack started, and had no idea what the cause was until afterward. If I recall correctly, my name resolution was handled by Qwest, as they were the T1 transit provider I was using at the time.
Most interesting bit:
"The principle is simple; a flaw that uses forged UDP packets is to be
used to trigger a rush of DNS queries all redirected and reflected to
those 13 IPs. The flaw is as follows; since the UDP protocol allows it,
we can change the source IP of the sender to our target, thus spoofing
the source of the DNS query.
The DNS server will then respond to that query by sending the answer to
the spoofed IP. Since the answer is always bigger than the query, the
DNS answers will then flood the target IP. It is called amplified
because we can use small packets to generate large traffic. It is called
reflective because we will not send the queries to the root name servers,
instead, we will use a list of known vulnerable DNS servers which will
attack the root servers for us."
Surely this gives you the impression about how powerful this team is.
I don't know if this is too much borderline not to cause big consequences.
Also, even if I'm not sure this is the best way to protest, I support the cause.
Pretty sure sending reply packets to root servers that never asked for them will simply be ignored. The only impact will be a busy network. As another poster mentioned, anycast will be hard to DoS.
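The quoted paste describes reflected DNS responses landing on a target that never sent the queries, and this comment points out that a server simply discards replies it has no outstanding query for. From the operator's side that same mismatch is the detection signal: a response arriving for a (peer, transaction id) pair that never went out identifies the reflector. This added example (not code from the thread) runs that check over constructed packet records in a hypothetical "ts src dst Q|R txid qtype qname bytes" format and aggregates unsolicited response volume per source.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured traffic). Our server is 198.51.100.2;
# it sends one legitimate query and receives one legitimate reply, then three
# large replies from peers it never queried.
SAMPLE = """\
1333170000.00 198.51.100.2 192.0.2.10 Q 1a2b A www.example. 57
1333170000.01 192.0.2.10 198.51.100.2 R 1a2b A www.example. 73
1333170000.10 203.0.113.7 198.51.100.2 R 7c01 ANY example. 3120
1333170000.11 203.0.113.7 198.51.100.2 R 7c02 ANY example. 3120
1333170000.12 203.0.113.8 198.51.100.2 R 0a11 ANY example. 3120
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) ([QR]) ([0-9a-f]{4}) (\S+) (\S+) (\d+)$")


def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, qr, txid, qtype, qname, size = m.groups()
            yield dict(ts=float(ts), src=src, dst=dst, qr=qr, txid=txid,
                       qtype=qtype, qname=qname, size=int(size))


def unsolicited_responses(records, our_ip):
    """Responses delivered to our_ip whose (peer, txid) never left as a query.
    Returns {reflector_ip: {"count": n, "bytes": total_response_bytes}}."""
    outstanding = set()
    hits = defaultdict(lambda: {"count": 0, "bytes": 0})
    for r in records:
        if r["qr"] == "Q" and r["src"] == our_ip:
            outstanding.add((r["dst"], r["txid"]))
        elif r["qr"] == "R" and r["dst"] == our_ip:
            key = (r["src"], r["txid"])
            if key in outstanding:
                outstanding.discard(key)        # a reply we were waiting for
            else:
                hits[r["src"]]["count"] += 1    # reply nobody here asked for
                hits[r["src"]]["bytes"] += r["size"]
    return dict(hits)


def flag_reflectors(hits, min_count=2):
    """Sources sending at least min_count unsolicited replies, largest volume first."""
    return sorted((ip for ip, h in hits.items() if h["count"] >= min_count),
                  key=lambda ip: -hits[ip]["bytes"])


if __name__ == "__main__":
    hits = unsolicited_responses(parse(SAMPLE), "198.51.100.2")
    print(hits, flag_reflectors(hits))
```

The per-source byte totals are what an operator would hand to the reflector's owner or use to justify an upstream filter; the legitimate reply from 192.0.2.10 is matched and never counted.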
Is it just me or does it seem like this attack will be self-defeating? They are relying on DNS servers to serve responses in order to make DNS servers stop serving responses.
Does this mean that even if we typed the IP address of a site, we would get an error? I'm not sure how all the protocols work, so any clarification would be great.
The bottom line is simple: they can't do it, they won't be able to do it, and it makes the issue moot. Someone is desperate for attention.
You would need to have complete control over the infrastructure of something equivalent to an Amazon, Microsoft, or Google to take down the whole DNS system, and it would require a permanently sustained and constantly evolving attack.
I'm always amazed at the vast under-estimation of what would be faced in a real attempt of that sort. First, let's assume they made some progress and actually started harming the stability of the global Internet. 1) the number of interested parties (from hackers to corporations) that would immediately respond to the counter, in numerous ways, would resolve the issue in an extraordinarily short amount of time and 2) watch you don't have the US special forces black-bagging you within 24 hours if you're involved, no matter where you are on earth. The corporate money interest in the Internet being up is at least a hundred billion dollars per day. They will kill you over that, or at the least put you in an off-grid terrorist prison.
Soooooo ... why are they telling everyone? Forewarned = forearmed and all, yo. Won't work. Unless they have something totally different planned and this is a simple misdirection.
Guys, someone is pulling the Internet's leg and right now I assure you that the pastebin post author is laughing his head off that it's on HN.
Can we kind of bury this?