Viewpoint: How hackers could decapitate the internet


Related Stories

A recent threat, purportedly from the hacker group Anonymous, stated boldly that its members would stop the internet on 31 March.

The term "Operation Blackout" was coined and it caused much discussion in all the usual forums.

Those issuing the threat even stated how they would do it. They claimed they could disable the Domain Name Service (known by engineers as the DNS) and that would stop the internet. How so?

The Domain Name Service is what converts the web addresses you type into your browser (such as into what the internet actually uses: IP addresses (something like

It is essentially the phone book for the internet. If you could prevent access to the phone book then you would effectively render the web useless.

Internet browser address bar The DNS ensures that you are sent to the correct site when you enter a web address

The theory behind the proposed attack is based on the fact that the Domain Name Service is a tree structure: it starts with 13 servers at the top level and each of those talks to the next level down, which then pass it on to a further level down, and so on.

When a change is made at the top level it is copied out across the net so that when you look up what is effectively your local copy of the phone book, it takes you to the correct place.

If somehow one could prevent some or all of the 13 top level members of the DNS from working, specifically from communicating with others, then this would disrupt the remainder of the tree, and very quickly no-one would be able to use the addresses that we all typically know.


When the threat was made, it did cause some concern as the would-be hackers correctly identified the locations of the top level systems.

But, that information was relatively easy to come by from the internet itself.

The suggestion was made that the hackers could mount what is known as a distributed denial of service (DDOS) attack on the top level of the DNS.

A DDOS attack is one where you simply flood a webserver with so many requests that it can no longer respond to legitimate requests.

Graham Cluley, senior technology consultant at the computer security firm Sophos, likens it to "15 fat men trying to fit through a revolving door all at once - nothing moves".

One way the hackers might generate enough traffic is by hijacking others' computers to send the requests.

They could use a virus to turn the machines into "bots" to do their bidding. The innocent owners need never be aware.

Illuminated keyboard A DNS attack caused and other well-known web addresses to divert traffic elsewhere

This technique was used to prevent access to Interpol's website on 28 February 2012. Hackers identifying themselves with the Anonymous movement committed the act - apparently as retaliation against recent arrests.

It is just one of many organisations to have fallen victim to the manoeuvre over the years.

"If the attacker has enough bandwidth, almost anything can be taken down," Mikko Hypponen, chief research officer at the anti-malware firm F-Secure told me.

"In 2004, the massive botnet created by the Mydoom worm briefly shut down"

Amplified assault

So the big question is whether it is possible to use a similar process to generate enough traffic to stop the whole internet.

Start Quote

The torrent of data could render significant portions of the web unusable, preventing all of us from accessing the systems we have come to rely upon”

End Quote Prof Alan Woodward University of Surrey

As ever, the answer is "that depends". Not surprisingly the authorities know which are the particularly critical elements of the DNS and they have plans to protect them.

The 13 top-level systems are actually in different countries, are looked after by different organisations and run on different technologies.

We can be as sure as one can ever be when dealing with the internet, that the top level of DNS can be kept secure.

But there is a potential problem if hackers subvert the way the DNS has been set up to make it part of the attack.

This could be done by a process dubbed "amplification" which exploits two facts:

  • A DNS query returns far more information than was in the request itself.
  • It is relatively easy to falsify the address from which a query was sent.

To carry out the assault the hacker would first identify a target system and then create an army of bots spoofing its IP address.

This botnet would then send a large number of requests to the DNS which would reply, resulting in a much larger amount of data being fired at the target, causing it to be swamped.

Create several such botnets and select several targets and you can cause the DNS to flood the very network it is supposed to be serving.

BH Consulting's information security expert Brian Honan agrees there is a real-world risk.

"It should be noted though that this disruption, if successful, would be localised to segments of the internet vulnerable to these attacks," he told me.

"Unfortunately despite this vulnerability being widely known about for many years a large proportion of DNS servers are still not configured correctly to prevent this type of attack."

Nightmare scenario

Recently one network provider suffered what appeared to be just such an attack that employed 140,000 machines from the Domain Name Service.

Other DNS servers' ability to churn out huge amounts of data can be exploited to bring down large parts of the internet

The attack was able to generate such an avalanche of data that it completely overwhelmed the network.

There are relatively simple ways of reconfiguring the machines within the Domain Name Service so that they conduct their searches in an alternative way that doesn't allow this "amplification". But few machines do this.

New technologies are being developed to help make the domain name service more secure. The best known is domain name system security extensions (DNSSEC), which was designed to address threats such as DNS spoofing. Others will doubtless emerge to help with amplification attacks. But, only a fortnight ago a study showed that 40% of the US federal agencies had not yet deployed DNSSEC, despite it being US government policy to do so, which serves as a reminder that even when there are technologies that can address known security issues they are of little help if not widely implemented.

And, consider for a moment what would happen if the DNS network was used to attack itself using such an amplification technique? The resulting torrent of data could render significant portions of the web unusable, preventing all of us from accessing the systems we have come to rely upon in our daily lives.

So to those who say our Domain Name Service is secure and can never be used to disable to internet, I say, never say never.

Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and still provides advice on issues including cybersecurity, covert communications and forensic computing.


More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites


This entry is now closed for comments

Jump to comments pagination
  • rate this

    Comment number 17.

    The reason they want to do this is simple - they wish to highlight the centralized nature of the Domain Name System. The same system that the US government sought to control for the benefit of corporate interests with SOPA. By exposing it's vulnerability they hope to provoke the creation of a new system that follows the ideals of the internet - no centralized control and damage resistance.

  • rate this

    Comment number 16.

    The media is hyping this up in support of government's attempts to enforce a greater control over the free internet. Sure, we don't need this kind of disruption, but it would not surprise me if "Anonymous" was not in fact a front for a government-sponsored misinformation campaign to soften us all up for a greater "need" to control and monitor the web.

  • rate this

    Comment number 15.

    Hackers seem to be fairly pro-internet, don't see them taking it down, where would they hack things from after that?

  • rate this

    Comment number 14.

    'Hackers' as you media types are so fond of calling them, are more likely to build an alternative internet when governments and big businesses have crippled the existing one trying to legislate to protect their interests at the expense of our freedoms. If anything's a threat to the internet, it's not Anonymous it's ACTA.

  • rate this

    Comment number 13.

    From your description, if the top 13 are stopped that only effects changes surely. A request for say the BBC which hasn't changed ip will simply respond. So worst that would happen is only any new changes wouldn't be seen. Or did I miss something

  • rate this

    Comment number 12.

    As is often the case, those who are deriding an article don't seem to have read it all the way through. It's neither doom-mongering nor complacent; in fact it doesn't make any specific predictions, it simply runs through a series of technical possibilities. But we live in the era of, 'Experts - what do they know?'

  • rate this

    Comment number 11.

    Seems to me that throughout everything, you can't have a positive without there being a negative to balance things out or attempt to destroy the positive.
    Regarding the BRILLIANT internet (one of the most positive things to happen since penicilin) there are total idiots who try to destroy or otherwise contaminate it thus destroying the freedoms that the internet can, if used sensibly, offer.

  • rate this

    Comment number 10.

    Anonymous really seem to be staying under the radar.

  • rate this

    Comment number 9.

    I doubt this will happen.

    Even they do decide to attack the very freedom they attempt to preserve (personally I think it's all a big joke), your internet service providers and local computers usually cache DNS records and store them locally.

    Even if it was successful it would only prevent you from visiting a site you, or your ISP has never heard of before.

  • rate this

    Comment number 8.

    Hackers have proven that they can hacked into any country's defense and national security systems and they routinely hack into banks and businesses stealing their customers personal information and funds. It is not if they can bring down the internet, it is what would the world do when hackers bring down the internet?
    A very scary thought!

  • rate this

    Comment number 7.

    It'll be interesting to see what happens. The main proponents of Anonymous and Antisec certainly know what they're doing (in terms of DDoS/cracking) but they have a lot of followers who are actively willing to become part of their botnet by using the LOIC software.

    My personal feeling is that *if* anything happens, it'll be very localised and not the widespread damage that they're hoping for.

  • rate this

    Comment number 6.

    I don't see what they gain by doing this. While they could take the internet down all they are going to do is push people away from them. I dont even get what the group stand for in the first place. As far as i am concerned they are just a bunch of hackers who need to get out more

  • rate this

    Comment number 5.

    This sounds like an alarmist headline to me. Come on BBC, I expect better journalistic standards from you. Leave the alarmist stuff to Sky News, yeah ?

  • rate this

    Comment number 4.

    Anonymous protect the freedom of the internet from greed such as that of the US government. Taking down the internet would not be protecting it. I can assure you that anonymous would never take down the internet, because they would not have the support of its members

  • rate this

    Comment number 3.

    while the IT engineers get to do their bit - maybe the rest of us can enjoy a bit of sunshine, quality time outside, socialise in the real world - could be fun for some, but for those who depend on the latest breaking information - they may get stressed out a little - but they'll live :)

  • rate this

    Comment number 2.

    This is a saturday and so disruption to business will be minimised.

    The attack also means that the internet will continue to function, but that browsing the internet (typing an address into a browser like Firefox, Safari or Internet Explorer) may fail. Email may also fail during the attack - this would normally just delay emails.

    If the attack happens, just go internet free for a day. Relax...

  • rate this

    Comment number 1.

    Anonymous' OpGlobalBlackout was clearly an April Fools joke. The internet will not disappear on April 1st. Surprised you've fallen for it. The methods they discussed to bring down the DNS Root servers would not have worked anyway.


Page 5 of 5


More Technology stories



BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.