Jump to content

How Anonymous plans to use DNS as a weapon


Recommended Posts


Posted Image

After engaging in a recent rash of attacks in retaliation for the takedown of file-sharing site Megaupload, the Anonymous denial of service "cannons" have been firing considerably fewer shells of late.

While Anonymous group members managed to take down Interpol's website on February 28 (largely by using a Web version of their "Low Orbit Ion Cannon" denial of service tool) and have defaced a number of vulnerable sites (including, most recently, sites belonging to Panda Security), threats to take down bigger targets have failed to materialize. What some believed to be the group's boldest plan yet—an effort to bring down the Internet's entire Domain Name System (DNS)—is now being called a "troll" by members of the group.

But this doesn't mean the threat of more targeted denial of service attacks based on DNS attacks have gone away. Disappointed with the current denial of service tools at their disposal, members of Anonymous are working to develop a next-generation attack tool that will, among other options, use DNS itself as a weapon.

An amplifier

The scale and stealthiness of the technique, called DNS amplification, is its main draw for Anonymous. DNS amplification hijacks an integral part of the Internet’s global address book, turning a relatively small stream of requests from attacking machines into a torrent of data sent to the target machines, potentially delivering network traffic of tens or hundreds of gigabytes per second without revealing the source of the attack. It does so by using a vulnerability in the DNS service that's been known since at least 2002.

The DNS system is organized hierarchically. At the top of the hierarchy are the "root" nameservers. These contain information on where to find the nameservers responsible for the next level down in the hierarchy, the nameservers for things like ".com" and ".org" and ".uk." In turn, those nameservers contain information about the next level of the hierarchy, so the ".com" nameserver provides information on where to find the "arstechnica" nameserver. The "arstechnica" nameserver is then able to provide the actual mapping from a descriptive name to a numerical IP address.

Doing a DNS lookup requires accessing all these different levels of the hierarchy. There are two ways that a DNS resolver (the piece of software that looks up DNS entries, which can either be a standalone thing on a client machine, or a part of a DNS server) can work: an iterative mode and a recursive mode. In the iterative mode, the resolver first queries the root nameservers for the top-level domain's nameservers, then queries the top-level domain's nameservers for the second level domain's nameservers, and so on and so forth. The resolver contacts the different nameservers directly, one by one, until it has either found the answer it needs or given up because the answer doesn't exist.

In recursive mode, the resolver's job is much simpler: it asks one DNS server for the whole name, then leaves it to the server to perform all the necessary requests (either recursive or iterative) on its behalf.

Posted Image

How DNS recursion is supposed to work, in three easy steps.

There is also extensive caching by all the servers involved; many requests are serviced by using information stores in the cache rather than having to query other servers each time a machine wants to know how to find "google.com," for instance.

Typically, the DNS resolvers built into client operating systems ask nameservers (usually the ones provided by ISPs) to perform recursive queries on their behalf. The lookups then performed by these servers to fulfill the requests are typically iterative.

Here's where the problem arises. The response to a DNS query can be considerably larger than the query itself. In the best (or worst) case, a query of just a few dozen bytes can ask for every name within a domain and receive hundreds or thousands of bytes in response. Every request sent to a DNS server has a source address—an IP address to which the reply should be sent—but these source addresses can be spoofed. That is, a request can be sent from one IP address but the DNS server will think it was sent by a different address.

Using these two things—recursive lookups that return large amounts of data to small queries, and spoofed source addresses—attacks can be made. The attacker first finds a server that is configured to enable recursive lookups. He then sends a large number of requests to the server, spoofing the source address so that the server thinks that the victim machine is making the request. Each of these requests is chosen so that it generates a large response, much larger than the queries themselves. The server will then send these large responses to the victim machine, inundating it with traffic. The disparity between the request size and the response is why these attacks are known as "amplification" attacks.

While consensus is that publicly accessible DNS servers should have recursion disabled, precisely to avoid this kind of problem, the reality is that not all do. Given enough servers that enable recursion, large quantities of traffic can be produced from relatively modest numbers of queries.

An attacker's benefits

A paper (PDF) presented at the 2006 DefCon security conference by Baylor University's Randal Vaughan and Israeli security consultant Gadi Evron documented a series of DNS amplification attacks in late 2005 and early 2006—including one on Internet service provider Sharktech that achieved volumes of packets "as high as 10Gbps and used as many as 140,000 exploited name servers." Depending on the number and network capacity of servers targeted, it’s reasonable to assume a coordinated attack by Anonymous could generate several times that volume.

As Vaughan and Evron wrote, "A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60."

In a variant of the attack described by SecureWorks' Don Jackson, the query simply asks the server for a "root hint": the addresses of the name servers for the "." domain, the home of the Internet's root DNS servers. Because there are a large number of root name servers, and because the implementation of DNS-SEC has added certificate data to root server responses, the data returned for each request is about 20 times larger than the query packet.

Posted Image

A comparison of the payloads of a DNS "root hint" query and its response. Not all data shown.

Since it’s possible to hide the source of an attack with UDP through forged headers, and because it requires relatively little bandwidth from the attack side, DNS amplification has some obvious benefits to groups like Anonymous. While attackers can't use the Tor anonymizing network (Tor doesn't transfer UDP traffic), they can use various VPNs to add another layer of security.

Aside from the mass of data a DNS amplification attack can create, an attacker gets other benefits from the technique. DNS amplification relies on UDP, a "connectionless" protocol under which packets get sent to a destination without any sort of "handshake" or even a guarantee it will be received. Because there's no sort of negotiation (and because DNS data isn't something usually filtered by application firewalls or other systems), this isn't a simple attack to prevent.

Can anything be done?

Reloading the Smurf

In some ways, DNS amplification attacks resemble the "smurf" denial-of-service attacks more common in the 1990s. "Smurf" attacks used packets with forged addresses—carrying Internet Control Message Protocol (ICMP) broadcast ping requests. But "smurf" attacks can be stopped by configuring routers and computer systems. Simply set them to not respond to broadcast or ping requests, and not to pass these along to other systems, and you're set.

But DNS amplification is trickier. In an e-mail interview with Ars, Vaughan said forged headers are going to remain a problem for the foreseeable future. The Internet Engineering Task Force has proposed an approach to "ingress filtering" of packets, called BCP 38, that would block forged traffic like DNS amplification attacks. But the proposal hasn't moved very far forward since it was first submitted in 2000.

"Implementing BCP 38 will happen any decade now," Vaughan said. "Unless other pressures cause an emergency mandate to do so."

The best countermeasures for DNS amplification really need to be taken on the DNS server side.—but that's usually outside of the target's control. DNS servers can be set not to return replies to "." queries or to return shorter responses, both of which can reduce or eliminate the amplification issue. Administrators of DNS servers can also try to limit DNS requests to authorized clients, or limit how many requests they accept via UDP. But there are trade-offs in performance, and doing these things requires extra work on the part of the administrator of the name server.

Operation Global Troll?

Concerns about DNS amplification resurfaced recently after a document posted to Pastebin by someone claiming to be a member of Anonymous. The doc announced "Operation Global Blackout," an attack on the Internet's root DNS servers. The plan for the attack was to use a flood of DNS queries to a prepared list of recursive DNS servers with "spoofed" IP addresses to make it look like they were sent by the root servers; the attack was said to target the entire DNS infrastructure, bringing the 'Net to its knees.

But network security experts quickly poked holes in the plan's feasibility. Errata Security's Robert Graham hit the biggest issues with the plan in a six-point dissection showing why it wouldn't work—or even if it did, why it wouldn't be noticed. At most, the attack would affect the networks of the DNS servers being used to launch the attack and the networks they reside upon.

One of the reasons for that is "anycasting"—a modification to routing that allows multiple versions of the same DNS server to apparently reside at the same IP address with traffic routed to the closest system. As attacks focus on each root server IP address, they would be routed to the server with the fewest hops from the initiating machine. What's more, the bandwidth available to root DNS servers is huge, reducing the probability that any DoS attack on the root servers would severely impact their operations. And even if it did, the root servers would have to be offline for several days before the outage affected the downstream DNS servers belonging to ISPs.

Shortly after the attack document was posted, members of Anonymous denied it was a bona fide Anon operation. Some called it a "troll," saying the tool posted to conduct the hack wasn't real, or that it was intended to collect identifying information from people who used it (much like last year's corruption of Anonymous' DHN attack tool by the hacker TheJester). In late February, a group of Anonymous IRC administrators entered the #opglobalblackout chat room and shut it down, redirecting it to a room called #opglobalnig---out).

Under construction

Still, this doesn't mean that Anonymous isn't interested in using DNS amplification. While the group is pushing a 30-day boycott of copyrighted content as part of what members call Operation Black March, there's also a desire to hit content providers' services hard. But pulling off this type of attack requires a level of sophistication beyond the average member of Anonymous' "activist" force, who generally depends on being able to download something relatively simple to do the hacking for them.

For these attacks to be effective, Anonymous needs a large number of participants. Getting the uninitiated to install virtual machine software and copies of penetration toolkits such as Backtrack Linux requires a level of technical support even the most patient expert volunteers can't provide. Windows' own network drivers don't allow spoofed packets to be sent, so doing any sort of forged-header attack like DNS amplification requires a driver custom-made for manipulating network traffic (such as the WinPcap packet capture library). And the software typically used for this sort of attack, such as the Hping packet analysis tool, tends to be command-line oriented.

That’s asking a lot. Consider that many users of Anonymous’s current DDoS tool of choice often deny service to themselves more often than they do to their target. "(Cries inside) People seem unable to understand anything," one Anon told Ars in an IRC conversation, about group members trying to use the High Orbit Ion Cannon over the TOR network and then complaining about how slow it was.

Some Anons are planning a new tool that is "extremely easy to use (due to the nature of some of our users)," one member told Ars. The idea is to make something like the group's LOIC tool—but without LOIC's total lack of anonymity. The new tool will (if successful) combine the WinPcap library and "hive mind" remote control (a system for Anon collective leaders to pass configuration information to the client and coordinate attacks) with a set of attacks that include DNS amplification, an IP flood attack using spoofed addresses, and a "slow POST" attack like that used in Slowloris.

For now, this tool remains just a concept. As of mid-February, members of Anonymous hadn't begun to actually write code for it. And it isn't certain that that code will ever be written now, as one of the developers working on the project was the hacker Avunit, a former LulzSec member who recently told Ars he was leaving Anonymous. In the meantime, more sophisticated attacks by Anonymous will likely be limited to what the more technically savvy members can handle while the masses let loose with easy-to-execute HOIC attacks.

Posted Image View: Original Article

Link to comment
Share on other sites

  • Replies 2
  • Views 1.3k
  • Created
  • Last Reply

Never publish OR tell anyone just how you plan on attacking them unless you wish for your ttack to be countered. And also, Never interrupt your enemy when he is making a mistake.

Anonymous would do well to read "The Art of War" by Sun Tzu. Although the book is very old (in origin) it lays out battle plans that are still being used today. This includes pretty much any form of battle and we can adapt those plans accordingly to modern conditions as well. This can indeed be inducted into cyber warfar too.

Link to comment
Share on other sites

back to the dark ages! there`s no police in this world and no ways to stop the pirates or the hackers ever!!!

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...