Viewpoint: How hackers could decapitate the internet
A recent threat, purportedly from the hacker group Anonymous, stated boldly that its members would stop the internet on 31 March.
The term "Operation Blackout" was coined and it caused much discussion in all the usual forums.
Those issuing the threat even stated how they would do it. They claimed they could disable the Domain Name Service (known by engineers as the DNS) and that would stop the internet. How so?
The Domain Name Service is what converts the web addresses you type into your browser (such as www.bbc.co.uk) into what the internet actually uses: IP addresses (something like 212.58.244.66).
It is essentially the phone book for the internet. If you could prevent access to the phone book then you would effectively render the web useless.
The theory behind the proposed attack is based on the fact that the Domain Name Service is a tree structure: it starts with 13 servers at the top level and each of those talks to the next level down, which then pass it on to a further level down, and so on.
When a change is made at the top level it is copied out across the net so that when you look up what is effectively your local copy of the phone book, it takes you to the correct place.
If somehow one could prevent some or all of the 13 top level members of the DNS from working, specifically from communicating with others, then this would disrupt the remainder of the tree, and very quickly no-one would be able to use the addresses that we all typically know.
Overwhelmed
When the threat was made, it did cause some concern as the would-be hackers correctly identified the locations of the top level systems.
But that information was relatively easy to come by from the internet itself.
The suggestion was made that the hackers could mount what is known as a distributed denial of service (DDoS) attack on the top level of the DNS.
A DDoS attack is one where you simply flood a webserver with so many requests that it can no longer respond to legitimate requests.
Graham Cluley, senior technology consultant at the computer security firm Sophos, likens it to "15 fat men trying to fit through a revolving door all at once - nothing moves".
One way the hackers might generate enough traffic is by hijacking others' computers to send the requests.
They could use a virus to turn the machines into "bots" to do their bidding. The innocent owners need never be aware.
This technique was used to prevent access to Interpol's website on 28 February 2012. Hackers identifying themselves with the Anonymous movement committed the act - apparently as retaliation against recent arrests.
It is just one of many organisations to have fallen victim to the manoeuvre over the years.
"If the attacker has enough bandwidth, almost anything can be taken down," Mikko Hypponen, chief research officer at the anti-malware firm F-Secure, told me.
"In 2004, the massive botnet created by the Mydoom worm briefly shut down Google.com."
Amplified assault
So the big question is whether it is possible to use a similar process to generate enough traffic to stop the whole internet.
As ever, the answer is "that depends". Not surprisingly the authorities know which are the particularly critical elements of the DNS and they have plans to protect them.
The 13 top-level systems are actually in different countries, are looked after by different organisations and run on different technologies.
We can be as sure as one can ever be, when dealing with the internet, that the top level of DNS can be kept secure.
But there is a potential problem if hackers subvert the way the DNS has been set up to make it part of the attack.
This could be done by a process dubbed "amplification" which exploits two facts:
- A DNS query returns far more information than was in the request itself.
- It is relatively easy to falsify the address from which a query was sent.
To carry out the assault the hacker would first identify a target system and then create an army of bots spoofing its IP address.
This botnet would then send a large number of requests to the DNS which would reply, resulting in a much larger amount of data being fired at the target, causing it to be swamped.
Create several such botnets and select several targets and you can cause the DNS to flood the very network it is supposed to be serving.
BH Consulting's information security expert Brian Honan agrees there is a real-world risk.
"It should be noted though that this disruption, if successful, would be localised to segments of the internet vulnerable to these attacks," he told me.
"Unfortunately despite this vulnerability being widely known about for many years a large proportion of DNS servers are still not configured correctly to prevent this type of attack."
Nightmare scenario
Recently one network provider suffered what appeared to be just such an attack that employed 140,000 machines from the Domain Name Service.
The attack was able to generate such an avalanche of data that it completely overwhelmed the network.
There are relatively simple ways of reconfiguring the machines within the Domain Name Service so that they conduct their searches in an alternative way that doesn't allow this "amplification". But few machines do this.
New technologies are being developed to help make the domain name service more secure. The best known is domain name system security extensions (DNSSEC), which was designed to address threats such as DNS spoofing. Others will doubtless emerge to help with amplification attacks. But only a fortnight ago a study showed that 40% of the US federal agencies had not yet deployed DNSSEC, despite it being US government policy to do so, which serves as a reminder that even when there are technologies that can address known security issues they are of little help if not widely implemented.
And consider for a moment what would happen if the DNS network were used to attack itself using such an amplification technique. The resulting torrent of data could render significant portions of the web unusable, preventing all of us from accessing the systems we have come to rely upon in our daily lives.
So to those who say our Domain Name Service is secure and can never be used to disable the internet, I say, never say never.
Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and still provides advice on issues including cybersecurity, covert communications and forensic computing.