
SANS ISC: Tomorrow, the world will end - SANS Internet Storm Center SANS ISC InfoSec Forums

Tomorrow, the world will end

No, this isn't about the Mayan calendar, and that particular instance of "End of the World" is anyway not scheduled to happen until December 21st.

This is about March 31st, and the announcement by "Anonymous", or those who claim to be "Anonymous", to wipe out the DNS root servers with a Distributed Denial of Service (DDoS) attack on March 31. Cricket Liu, the author of most of the O'Reilly DNS books and an authority on the subject, has posted a good blog entry explaining in depth that, while such an attack is theoretically feasible, it is unlikely to succeed at a large scale.

We'll have to see. If DNS stops working tomorrow, we at least only have to live without it until December 21st, when the world will end for good anyway :).


385 Posts
ISC Handler
Mar 30th 2012
In other words, it would be a good idea to ping your favorite websites today and record IP Addresses ;)

11 Posts
Meh, if they succeed, I have an excuse to take a day off. Got a few movies here on DVD, a bowl of popcorn, a disc and a fetchaholic dog. Plus it's the start of gardening season and I've got a greenhouse to stock...

Prolly should start on the greenhouse first...

If the world ends, let me know.
57 Posts
It's all good, it's already tomorrow here Down Under and the Googles still works so far!
2 Posts
Wouldn't it take 48 hours before we noticed this due to the TTL? I guess dig +trace might show it, or non-cached records would.
1 Posts
Re. Graham's comment. The UK's BBC broadcast a radio show yesterday that discussed the concept of when when is. I'm not sure if it's available outside the UK, but the URL to listen to the show is (and very interesting it was)

Anyway, during the show, one of the speakers said that George Bush Snr announced that the war on Iraq would start at 5pm. In response, the world's press said "5pm, but 5pm where?"
1 Posts
The original threat to take down the Internet DNS-system was posted here:

In the above pastebin-post, the following is stated:

"download link in #opGlobalBlackout"

If you entered the Anonymous IRC-network at the time this was posted, the topic of channel opGlobalBlackout was: Official Press Release:

As you can see, the "Press Release" tells potential Anonymous-members to stop waging war, that peace is the way to go, to stop DDoS-attacks. This is, in other words, an "anti-op" designed to get potential Anonymous-recruits to think about what they are doing.

There never was an operation. There was only an anti-operation, designed to get people to think.
1 Posts
If the method of DDOS was to be as described in those postings to PasteBin, it probably would have failed:
* spoofed UDP-packets with identical "source" and "target" IP-addresses (namely of the targeted DNS-server) would probably be blocked by anti-spoofing rules on the Access Control List of the router between the DNS-server and the rest of the Internet.
* the programming of the DNS-server software would drop any outgoing UDP-packets with a "target" IP-address of itself.

Think "defensive" programming for any DNS-server that is "robust" enough to make the "Top 13" trusted servers, and sleep well at night.
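
The two checks named in the comment above, written out as filter logic. This is an added example, not part of the original post and not code from any DNS server or router vendor; the addresses are constructed from the RFC 5737 documentation ranges, and the function names and the "external"/"internal" interface labels are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (RFC 5737 documentation ranges), not real root-server addresses.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")   # network behind the router
DNS_SERVER = ipaddress.ip_address("192.0.2.53")        # the protected DNS server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "external" or "internal"


def router_ingress_verdict(pkt: Packet) -> str:
    """First bullet: anti-spoofing ACL on the router in front of the server."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # A packet whose source equals its destination can never be legitimate transit.
    if src == dst:
        return "drop: source equals destination"
    # An internal source address must not arrive from the Internet side.
    if pkt.iface == "external" and src in PROTECTED_NET:
        return "drop: internal source on external interface"
    return "permit"


def server_egress_verdict(reply_dst: str, own_addr=DNS_SERVER) -> str:
    """Second bullet: the server refuses to send a reply addressed to itself."""
    if ipaddress.ip_address(reply_dst) == own_addr:
        return "drop: reply addressed to self"
    return "permit"


# Constructed sample traffic for the demonstration.
SAMPLE = [
    Packet("192.0.2.53", "192.0.2.53", "external"),    # src == dst, as in the posting
    Packet("192.0.2.10", "192.0.2.53", "external"),    # spoofed internal source
    Packet("198.51.100.7", "192.0.2.53", "external"),  # ordinary outside client
    Packet("192.0.2.10", "192.0.2.53", "internal"),    # genuine internal client
]


def evaluate(packets):
    return [(p.src, p.iface, router_ingress_verdict(p)) for p in packets]


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
    print(server_egress_verdict("192.0.2.53"))
```
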

