Friday, 17 February 2012 11:22

Anonymous Threatens to Shut Off the Internet on March 31st, But How?


Anonymous is preparing to “shut off the internet” on March 31st. The move is in protest of things like SOPA and ACTA and, according to their statement, “irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun”. Now, while Anonymous typically goes after targets with something along the lines of a DDoS (Distributed Denial of Service) attack, they are looking to do something different here. Anonymous plans to take all 13 Root DNS servers offline in a single day. Is this possible? Well, let’s take a look at some of the facts behind how DNS works and some evidence that Anonymous might already have broken into the system.

First things first: for those of you who do not know, DNS stands for Domain Name System (or Domain Naming System). It is a system that, put very simply, translates a site common name (i.e. to an Internet Protocol (IP) Address. This address is represented by a number Google, for example, commonly resolves to However as Google operates a server farm for their services (and website) there are secondary IPs registered to These are and 100.

Every computer (and many other devices) on the internet or on a network has an IP address, but in addition to that IP address it also has other properties that tell it who it is, where it is and how to find other computers and systems in the network (and internet).

  The first is the IP address; as we mentioned before that is the numeric “name” of the computer.

  Second is the Subnet Mask; this number identifies the network that a system is on; it helps a computer to send traffic to the proper place.

  Third is the Default Gateway; this is the IP address of the router or hardware device that separates one network from another. In a home network this is your firewall/router or cable/DSL modem. When a system looks something up and the return IP is not on the same network then this is where that traffic will go by default (to find the proper network).

  Last on this list are the DNS servers. There are usually two for every IP entry. These are the numeric entries that tell the computer where to go to translate a system name to an IP address.

This very simple explanation (not intended to be thorough or completely detailed) will help as we explain what we feel are the details of the attack and how it could possibly be carried out.

DNS has a procedure called a lookup that ties a domain name to its IP. Here is a very simple explanation of how it works (for our purposes here we will cover internet DNS only and assume the name is correct):

   A user types in a website name like in a web browser

   The computer then checks to see what DNS servers it should use (every system has this as part of its IP address assignment for traffic to flow)

   The request is sent to that server for resolution;

   The server will see if it has an entry cached for that name (we will cover name caching or recursive lookups in a minute). If it does, it will return the proper IP for connection to the site.

   If not then it has to go through a few more steps.

   The first step is to identify the root or top level domain; these are the final extensions like .com, .gov, .mil etc. So for Google we need to find a root server that covers .com. Once the local DNS server finds the root server it will either transfer the request to that server or pull the information down.

   The root server will then identify the second level domain name and find the server that is responsible for that name. For example the name servers for are,,, and So now your request has moved from your local DNS server to the root server to one of Google’s name servers.

To check this you can look up any domain name on the internet and find out its name servers. These are the servers responsible for the actual named domain and, in many cases, its sub-domains.

With our example here your request for is over and you should have an IP address returned back that allows your computer to connect to Google’s search page. All of this happens behind the scenes and is transparent to the end user. It is also (so far) very reliable, so most people do not even think about it.

Mixed in with this are other servers on the internet that are mirrors and also cache information to help speed up this process. They keep information stored for a period of time (called a Time to Live or TTL) that is long enough to keep update traffic low but not so long that it causes errors in resolution. The typical time for a DNS cache entry to live is between 4 and 24 hours depending on the server and the bandwidth available.

Now back to Anonymous’ proposal to bring down the root servers to disrupt HTTP resolution and traffic. To make this successful they will need to ensure that the 13 root servers are offline for more than 24 hours in many cases, to somehow force a global DNS refresh, or (and this is the most devious plan) to simply replace the IP addresses of the authoritative name servers with unresolvable IP addresses.

If you remember the CIA website attack that happened a few days ago, we saw something odd when we tried to trace the route to the CIA’s site. The IP appeared to be wrong and even showed as registered to the wrong country. At the time we thought that some DNS tinkering was going on and speculated that perhaps a new type of attack was being tested out. It is possible (although this is just a guess) that Anonymous may have found a way to re-route DNS requests and send back the wrong IPs for a site. If that happens then all they have to do is allow the root servers to send the wrong IPs for the authoritative name servers and that will be that: the name resolution will fail, as you will be going to the wrong place to get your IP for the site you want.

This last type of attack, although the most complex, is the easiest way to achieve the goal of bringing the HTTP internet down. However, we do not know what methods Anonymous would use to put this in place (with the exception of compromising all the data on the 13 root servers or simply replacing them with their own servers). It gets around the problem of cached information and just gives you back the wrong information altogether when you look for the authoritative name server responsible for the domain you are looking for. After all, if the attack is only taking the root servers offline, ISPs and others could increase the TTL to more than 24 hours while they deal with the attack and let their customers know that changes on the days in question will not be put into place until 48 hours later.
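The caching argument above (a 4 to 24 hour TTL, a root outage that must outlast it, and ISPs raising the TTL as a stopgap) can be checked with a toy model. This is an added example, not code from the original article; it goes beyond the walk-through by simulating the cache over time, and the zone data, addresses, TTLs, outage window and the `min_ttl` override are all constructed assumptions.

```python
# Toy model (added example): a caching resolver walks root -> TLD -> authoritative
# and keeps each answer for its TTL. All names, addresses and TTLs are constructed.
HOUR = 3600

# Constructed zone data: each server maps a name to (answer, ttl_seconds).
ROOT = {"com.": ("tld-com.example", 24 * HOUR)}
TLD_COM = {"example.com.": ("ns1.example.com", 24 * HOUR)}
AUTH = {"www.example.com.": ("192.0.2.10", 4 * HOUR)}


class CachingResolver:
    def __init__(self, root_outage=None, min_ttl=0):
        self.cache = {}                  # key -> (answer, expires_at)
        self.root_outage = root_outage   # (start, end) in seconds, or None
        self.min_ttl = min_ttl           # operator override: floor for cached TTLs

    def _root_down(self, now):
        o = self.root_outage
        return o is not None and o[0] <= now < o[1]

    def _ask(self, key, zone, now, is_root=False):
        """Return a cached answer if still fresh, otherwise query the zone."""
        hit = self.cache.get(key)
        if hit and now < hit[1]:
            return hit[0]
        if is_root and self._root_down(now):
            return None                  # root unreachable and nothing fresh cached
        answer, ttl = zone[key]
        self.cache[key] = (answer, now + max(ttl, self.min_ttl))
        return answer

    def resolve(self, now):
        """Resolve www.example.com. at time `now`; None means resolution failed."""
        final = self.cache.get("www.example.com.")
        if final and now < final[1]:
            return final[0]              # answered from cache, no root needed
        if self._ask("com.", ROOT, now, is_root=True) is None:
            return None
        self._ask("example.com.", TLD_COM, now)
        return self._ask("www.example.com.", AUTH, now)


def survey(resolver, hours):
    """Resolve once at each listed hour and report which lookups succeeded."""
    return {h: resolver.resolve(h * HOUR) is not None for h in hours}
```

With a constructed outage from hour 1 to hour 49, a resolver warmed at hour 0 keeps answering until its cached delegation and final answer expire, then fails until the roots return. A 72-hour `min_ttl` floor carries it through the whole window, at the cost of serving records that may be stale.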

March 31st will be interesting to say the least. We will try to keep you up to date on this and let you know if we find out anything else about the proposed attack; for now you can read Anonymous’ pastebin post for the whole announcement/warning.


Last modified on Friday, 17 February 2012 12:31
