Anonymous Vs. DNS System: Lessons For Enterprise IT

A rumored attack on the world's DNS servers by Anonymous failed to materialize. But the many enterprises still ignoring persistent weaknesses could learn from the defensive strategy.
The Internet didn't go dark on Sunday.

A threat, first made in mid-February, had warned that the chaos-loving hacktivist collective Anonymous would take down the Internet for April Fool's Day under the banner of "Operation Blackout." The stated plan was to overwhelm the world's 13 domain name system (DNS) root servers with junk traffic, preventing Web users from reaching most websites. As recently as Thursday, a new Pastebin post suggested that a Trojan application would handle the junk traffic, which would attempt to take down the DNS servers down for at least two minutes. "[ 13 root servers ] * BOOYAH," it promised.

The story here, however, isn't the failure of any supposed Anonymous campaign, but rather the virtue of being proactive.

Namely, the organizations that keep the DNS running paid attention to the Operation Blackout threat, and began pouring millions of dollars into improving the system. That involved bringing online several massive, 40-gigabit routers, as well as hundreds of servers--around the world--which enabled the DNS root servers to handle more requests. That added capacity also made it harder for anyone to overwhelm the system with junk traffic or fake requests.

"Whether or not Anonymous carries out this particular attack, there are larger attacks that do happen," Bill Woodcock of Packet Clearing House' (PCH)--which helps maintain the Domain Name System--told the New York Times. "A forewarning of this attack allowed everyone to act proactively for a change. We can get out in front of the bigger attacks."

In the case of a potential Anonymous DNS onslaught, the obvious attack vector, based on past campaigns, was a distributed denial-of-service (DDoS) attack. "DDoS is very much a numbers game," said Woodcock. "If the target has more than the sum of the attackers' capability and normal day-to-day traffic, then it is fine."

As April Fool's Day drew near, meanwhile, the supposed attack against the DNS infrastructure looked like it might simply be another spoof, perpetrated by Anonymous or done in its name. "For the billionth time: #Anonymous will not shut down the Internet on 31 March," read a Thursday tweet from YourAnonNews. "#OpGlobalBlackout is just another #OpFacebookfailop. #yawn." (Operation Facebook was another Anonymous attack that wasn't, as was a rumored takedown of the national grid.)

On Sunday, of course, the April Fool's Day DDoS onslaught thankfully failed to materialize. "Operation Blackout appeared to be more of a ruse for your 'attack du jour' than a dedicated effort against DNS root servers. Moreover, the apparent attack sophistication and volume levels of those attacks which were directed at DNS servers were not notable or effective over the weekend," said Carl Herberger, a senior VP at Radware, in a blog post. On the other hand, he said, the weekend did see DDoS attacks against at least four international telecommunications companies, a major trading exchange, a bank, and a financial transaction provider.

In light of the non-attack, was the DNS rapid-improvement plan--and millions of related dollars in investment--wasted effort? Not at all. Paul Vixie of the Internet Systems Consortium emphasized that the improvements weren't simply "panic engineering" in the face of the threat, but part of a carefully considered security-improvement plan. "We are using the threatened attack to go kick the tires on everything, make sure there's no loose dangly parts," he told the New York Times last week.

The proactive strategy employed by the DNS keepers is notable, because so few businesses emulate it.

The FBI's top cyber cop, executive assistant director Shawn Henry, who's set to retire after 20 years with the bureau, warned businesses last week that when it comes to stopping hackers, "We're not winning." Furthermore, businesses largely have themselves to blame, because they've failed to properly understand the legal and financial risks they've created by neglecting to protect their networks.

The result, of course, has enabled the rise of hacktivist groups such as Anonymous and LulzSec. These groups don't steal data through mind-blowing Mission Impossible-style heists, but by trawling for banal, easy-to-exploit vulnerabilities in databases, such as SQL injection flaws. When it comes to coding errors, the bugs don't get much more mundane. The potential damage the attackers can inflict, however, is a different story.

The result, in a worst-case scenario, is a situation such as Nortel's, where attackers breached the company's network, then enjoyed access for another decade before being discovered and blocked. By then, of course, the damage was done.

Helpfully, hacktivists often tweet about what they've done, or are about to do. In many ways, that makes their attacks easier to defend against--or at least enables a prepared response.

But how thoroughly have you prepared for the attackers who may break in, without bothering to publicly broadcast their intentions?

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)