Operation Blackout: Can Anonymous Succeed on March 31st?

Much has been written about Operation Blackout: the threat of Anonymous to take out the world's thirteen root Internet servers. This operation has been launched in response to perceived attacks on free speech and thoughts.

Forget for the moment the annoying little fact that it is a myth that there are 13 root servers and let's focus on much of the response to this threat.

A New Internet "Underworld"

Thus far, I have been surprised to find that much of my brethren in the security world have put forth well heeled articles which have contributed nicely to the "Common Body of Knowledge" on the topic, however most, if not all, don't take the threat seriously. Most, like the fantastic blog at Errata Security focused on the previous failed attempts to take down these servers and how things have improved and fundamentally changed since then. There seems to be an agreement that conducting such an attack would be nearly impossible to do.

As it so happens, as with most events like these, the contrarian viewpoint is something which I really enjoy entertaining and I believe there are more than a couple of causes for concerns from which we should all take notice.

Operation Blackout Has a Son: Operation Darknet

First, Operation Blackout seems to be well organized; in fact, it has even provided a nice venue to launch Operation Darknet Operation Darknet is really a different effort for Anonymous because it is not focused on attacks, but rather instead to build something new. This new 'product' is meant to design 'a new, underworld Internet' – one based on the principle of non-repudiation which, of course, provides anonymity.

Advantages of Anonymous

Both of the Operations discussed lean heavily on the historical advantages in which Anonymous has leveraged. They are as follows:

• Advantage #1: Passion- - The will to fight. As we all know, a key ingredient in all successful battles.
• Advantage #2: Keen Knowledge / Intelligence - - Anonymous 'members' are contributing from all vantage points, and NO DOUBT have inside architectural knowledge of how worldwide DNS root servers are technically run, designed, protected and the assumptions which go into that model.
• Advantage #3: Endless resources – Anonymous' resources limits are matched with the passion around the topic in which they engage. All indications are that many believe this effort to be among the Holy Grail of new would-be "Anon General-Wanna-Bes." Just the thought of earning bona fides in demonstrating at once a technical prowess and an ideology compliant to the Anon masses is emotionally intoxicating for many. Like they say, "Idle Hands = Devil's Workshop"

Is the DNS Infrastructure Vulnerable?

So, if you are like me and have read all of the industry GURUs and seem to understand that logic states that the "DNS House" should not fall, then why do I feel uneasy at night?

History being the judge, I will always place safe bets with the passionate fighters for a cause over the comfortable defenders of a fortress.

Possible Vulnerabilities

Like the famous attacks of Attila-the-Hun's simple log-battering ram taking down Roman fortresses or the world renowned Trojan horse scenarios, I suspect that our DNS infrastructure have more than one vulnerability which has either been overlooked or assumed inconsequential.

Now, far be it for me to design out a detailed target list for Anon group members, however the following is a simple list of vulnerability categories, which I would fret if I owned security at any of these environments:

• Major Vulnerability #1: DNS IPv6 Vulnerabilities. Much has been written about IPv6 vulnerabilities, however Networkworld.com has done a great job cataloging the most egregious, of which, many are of a DNS persuasion. Here are my top three IPv6 areas for concern;
• From the Networkworld.com article (linked above) one can clearly see the production of numerous zero-day attacks including the lurking "DNS Quad-A attack" scenarios
• IPv6 is the common WAN routing for DNS infrastructure today and the protocol is 'heavy' - - meaning the header requires 4x the amount of processing then the IPv4 routing parity for processing. This 'stack processing burden' makes the successful launch of DDoS floods very feasible as this unique situation whereby processing requirements have gone up, however underlying processing speed and memory has not dramatically increased.
• IPv4 and IPv6 can be encapsulated within each other and there really are so many ways to do this that boggles the mind and makes for a Pandora's box of new exploit transportation opportunities (btw - - there are few detection mechanisms in place for this scenario today).

• Major Vulnerability # 2: A vulnerability was discovered in common DNS (BIND, DJBDNS, MS, OpenDNS) servers, which allows for a cached domain record to remain active after being deleted. This is not considered a bug rather a flaw in the design of DNS; there is no ETA on a fix from any vendor. This has potential to discredit/bypass url based remediation efforts by vendors such as RSA. This could also expose our relatively short expiration of url from the RSA feed signatures. The extent of the exposure for users of BIND or other affected software is this: every resource record in the Domain Name System hierarchy has a time-to-live (TTL) value associated with it, intended to control how long the information in the resource record can be kept in cache by a non-authoritative server. Dr. Haixin Duan, from Tsinghua University, discloses a method whereby information can be prolonged in the cache beyond the period supposedly allowed by the TTL value, causing affected resolvers to potentially return incorrect answers. It does not allow arbitrary insertion, removal, or alteration of resource record data.

  Should you be interested in following up with the industry common vulnerability exploit (CVE) / and National Vulnerability Database (NVD) comments they can be read here and here.

• Major Vulnerability #3: Insider Threat. For some reason the world has yet to take notice that the way to fight Ideological based DDoS attacks is totally different than fighting financial loss or compliance regulations. Ideological based attacks solicit sympathizers who may be lured at any moment for pleasure or personal gain and may be willing to release or act in conspiracy with a cause. What if Operation Blackout literally had resources from inside the DNS core infrastructure today? Sound crazy? Not so fast! Over the past 18 months has been a disturbing trend of either current or former information security professionals who have joined the cause (at least for a time) in pursuit of 'justice' or some 'payback' while others are real ideological conscripts.

• Major Vulnerability #4: Social Engineering. Who needs conscription and conspiracy when I can have unsuspecting collaborators instead? Nearly every major damaging hack/attack over the past 24 months, which was NOT ideological, has a common first entry tactic which was focused on social engineering vulnerabilities. From RSA and a phished email to the Nuclear Reactors in Iran who were 'given' infected USB thumb drives, social engineering tactics are formidable and real. Since the root DNS servers are physically distributed around the world and technically mirrored as nearly one collective, it's not hard to conceptualize a socially engineered entry point, which leverages the resiliency of the DNS system to spread an 'internal' attack and hollow out the system from within. While everyone is expecting a massive noisy attack, the system may degrade from inside.