Anonymous is not taking down the Internet

Summary:Despite popular reports, the hacktivist group Anonymous is not hacking, killing, or taking down the Internet today via DDoS attacks on root DNS servers. The Internet will remain completely functional.

Although this has already been debunked last month when the news first broke, many are still asking whether Anonymous will launch a distributed denial of service attack (DDoS) on the Internet today by taking down root Domain Name Servers (DNS) servers, using a Reflective DNS Amplification DDoS tool. The people want to know if "Operation Global Blackout" is going to stop them from running their business, checking their e-mail, playing video games, browsing porn, and so on. As many have already said before, if something does happen today (and it's extremely unlikely that it will), the hacktivist group Anonymous will not be to blame.

DNS translates domain names like google.com and facebook.com (which are meaningful to humans) into IP addresses (which are meaningful to computers) for the purpose of locating devices on a private network or the Internet as a whole. The theoretical plan is to overload the Internet's root nameservers, impacting the operation of the entire global DNS, which would affect all Internet services that use it, rather than just specific websites. The World Wide Web as we know it would still be there, but you would only be able to access websites if you know their IP address.

This is not a new idea and those claiming to be part of Anonymous have suggested it before (see the YouTube video titled "NEW!! Anonymous Update On Operation Global Blackout"). Today's episode, however, starts after the level of hysteria hit a new high on February 12, 2012, when someone posted the following message on Pastebin titled "< March 31, 2012 - Operation: BLACKOUT >":

----------------------------------------------------------------------- 01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111 01101110 01000111 01101100 01101111 01100010 01100001 01101100 01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100 ----------------------------------------------------------------------- ___ _ _ ___ _ _ _ / _ \ _ __ ___ _ _ __ _| |_(_)___ _ _ / __| |___| |__ __ _| | | (_) | '_ \/ -_) '_/ _` | _| / _ \ ' \ | (_ | / _ \ '_ \/ _` | | \___/| .__/\___|_| \__,_|\__|_\___/_||_| \___|_\___/_.__/\__,_|_| |_| ___ _ _ _ | _ ) |__ _ __| |_____ _ _| |_ | _ \ / _` / _| / / _ \ || | _| |___/_\__,_\__|_\_\___/\_,_|\__|

----------------------------------------------------------------------- 01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111 01101110 01000111 01101100 01101111 01100010 01100001 01101100 01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100 ----------------------------------------------------------------------- "The greatest enemy of freedom is a happy slave."

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down.

-----------------------------------------------------------------------

In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet. Those servers are as follow:

A 198.41.0.4 B 192.228.79.201 C 192.33.4.12 D 128.8.10.90 E 192.203.230.10 F 192.5.5.241 G 192.112.36.4 H 128.63.2.53 I 192.36.148.17 J 192.58.128.30 K 193.0.14.129 L 199.7.83.42 M 202.12.27.33

By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus, disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering "http://www.google.com" or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to 'kill' the Internet, we are only temporarily shutting it down where it hurts the most.

While some ISPs uses DNS caching, most are configured to use a low expire time for the cache, thus not being a valid failover solution in the case the root servers are down. It is mostly used for speed, not redundancy.

We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec's DHN, contains a few bugfix, a different dns list/target support and is a bit stripped down for speed.

The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query.

The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.

DDoS request ---> [Vulnerable DNS Server ] <---> Normal client requests \ | ( Spoofed UDP requests | will redirect the answers | to the root name server ) | [ 13 root servers ] * BAM

Since the attack will be using static IP addresses, it will not rely on name server resolution, thus enabling us to keep the attack up even while the Internet is down. The very fact that nobody will be able to make new requests to use the Internet will slow down those who will try to stop the attack. It may only lasts one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known.

-----------------------------------------------------------------------

download link in #opGlobalBlackout

-----------------------------------------------------------------------

The tool is named "ramp" and stands for Reflective Amplification. It is located in the \ramp\ folder.

----------> Windows users

In order to run "ramp", you will need to download and install these two applications;

WINPCAP DRIVER - http://www.winpcap.org/install/default.htm TOR - http://www.torproject.org/dist/vidalia-bundles/

The Winpcap driver is a standard library and the TOR client is used as a proxy client for using the TOR network.

It is also recommended to use a VPN, feel free to choose your own flavor of this.

To launch the tool, just execute "\ramp\launch.bat" and wait. The attack will start by itself.

----------> Linux users

The "ramp" linux client is located under the \ramp\linux\ folder and needs a working installation of python and scapy.

-----------------------------------------------------------------------

"He who sacrifices freedom for security deserves neither." Benjamin Franklin

We know you wont' listen. We know you won't change. We know it's because you don't want to. We know it's because you like it how it is. You bullied us into your delusion. We have seen you brutalize harmless old womans who were protesting for peace. We do not forget because we know you will only use that to start again. We know your true face. We know you will never stop. Neither are we. We know.

We are Anonymous. We are Legion. We do not Forgive. We do not Forget. You know who you are, Expect us.

Some realized immediately that this is not something the hacktivist group would do. In fact, soon after reports came out about it, Anonymous explicitly said it was all nonsense. Just like with the multiple claims of on attack on Facebook (1, 2, 3, 4), it turns out only a small number of Anonymous members, or rather individuals claiming they are Anonymous members, want to do this. This is why Anonymous didn't announce such an operation via its usual channels of communication and why the aforementioned video was not of the usual Anonymous computerized voice and visual production quality.

Despite all this, speculation reached an all-time high this week. The March 31 date was coming up and the media was reminding the world what Anonymous was supposedly planning to do. Thankfully, two Twitter accounts that have given accurate information regarding the organization and its actions in the past, spoke up to once again kill the rumors.

Here's what the Twitter account YourAnonNews, which has 562,000 followers, had to say this week:

What is this #OperationGlobalBlackout nonsense? I thought we settled this back in February? It won't happen. Stop asking us about it! >.< For the billionth time: #Anonymous will not shut down the Internet on 31 March. #OpGlobalBlackout is just another #OpFacebook failop. #yawn Think for a moment: Why would #Anonymous shut down our playground, the Internet? Really, how would that help ANY of us? #NextQuestion Let's play Finish the Sentence --> #Anonymous shutting down the Internet is like _____.

Here's what the Twitter account AnonymousIRC, which has 280,000 followers, had to say this week:

Prediction: The Internet will not be shut down by #Anonymous. Reason: Crystal Ball. Sorry, but what kind of moronic imbeciles would think about an operation that "shuts down the internet" anyway? Oh, Backtrace? Oh wait... ;) Dear Netizens, Internet will remain online. And to the death we will defend it. Always. Sail strong and do not get distracted by trolls.

It's of course still possible that some hackers will attempt to take down the Internet today. They will fail. Furthermore, they won't be supported by Anonymous. I can't emphasize this enough: do not believe reports saying Anonymous is attacking the Internet. Some may be trying, but the larger group has made it clear many times it loves the Internet and would never even attempt to take it down.

To summarize, I would be very surprised if the Internet stopped functioning even for just a few minutes today, and even more shocked if Anonymous claimed responsibility. For more information about DDoS attacks on root nameservers, and previous attempts to do so, check Wikipedia.

See also:

Topics: Networking, Browser, Security, Servers

About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.