Operation Ghost Click and the value of DNSSEC

November 14, 2011

As Congress considers adopting a scorched-earth policy toward Internet piracy via legislation known as the Stopping Online Piracy Act (SOPA) and the PROTECT IP Act, recent events have highlighted the gravity of the trade-off that is being contemplated. Last week the Federal Bureau of Investigation (FBI) unveiled Operation Ghost Click, a multi-year operation that dismantled an international cyber ring that hacked into four million computers worldwide (500,000 of these computers were in U.S. homes, businesses, and government agencies). This entire cyber criminal operation was run by a grand total of six people (that is one person for every 666,667 computers) who successfully stole $14 million by manipulating Internet advertising revenue. They were able to pull off this heist by exploiting well-documented vulnerabilities in the Internet’s Domain Name System (DNS), which is the part of the Internet’s architecture that connects Internet Protocol (IP) addresses to domain names (for example, Public Knowledge’s website is but can be found at

For years Internet security experts have been fixing this vulnerability through an initiative known as DNS Security Extensions (DNSSEC), which is an effort to secure DNS traffic by making the system resistant to tampering. But just as the system is being deployed globally after many years of hard work, Congress is considering instead using the DNS to (unsuccessfully) combat Internet piracy. The recently introduced Stopping Online Piracy Act (SOPA) and the PROTECT IP Act contain a provision that would allow the government to issue court orders requiring domestic DNS providers not to connect IP addresses to the domain names of websites alleged to contain copyright-infringing material. Experts have explained in a technical white paper that such a use of the DNS would be flatly incompatible with DNSSEC. In other words, such a blocking order would do very little to curtail Internet piracy while simultaneously empowering cyber criminals much like the ones caught in Operation Ghost Click by impeding DNSSEC.

According to the experts, the two main issues with mandating a DNS block are that it would be “technically infeasible” with DNSSEC and that the user workaround will result in collateral damage. On the technical infeasibility issue, DNSSEC would make safe data uniquely identifiable so that anything that is not deemed safe can be assumed to be an attack and subsequently blocked. The problem with SOPA/PROTECT IP is that the government would mandate that Internet Service Providers give wrong answers that would look just like a cyber attack. The second issue, user workaround, is fairly straightforward if you consider the scale of Operation Ghost Click. If four million computers can have their settings changed to use less secure DNS servers overseas without the user ever knowing, then purposefully making that change to circumvent a government-mandated block is a trivial task at best.
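The point that a mandated wrong answer looks just like an attack can be seen in a small model of a validating resolver. This is an added illustration, not code from the white paper or from any DNSSEC implementation; the zone name, addresses, toy RSA key and the `sign_rrset`, `validate` and `compare_answers` helpers are all assumptions made for the example.

```python
import hashlib

# Constructed toy key for the zone "example.test". Assumption: textbook RSA over
# two Mersenne primes, far too small for real use and not a DNSSEC algorithm.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the zone owner


def rrset_digest(name, rtype, addresses):
    """Hash a canonical form of the record set (sorted, lower-cased name)."""
    data = f"{name.lower()}|{rtype}|{','.join(sorted(addresses))}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_rrset(name, rtype, addresses):
    """Zone owner: sign the record set, playing the role of an RRSIG."""
    return pow(rrset_digest(name, rtype, addresses), D, N)


def validate(name, rtype, addresses, signature):
    """Validating resolver: the zone is known to be signed, so an answer with
    a missing or non-matching signature is 'bogus', whoever produced it."""
    if signature is None:
        return "bogus"
    ok = pow(signature, E, N) == rrset_digest(name, rtype, addresses)
    return "secure" if ok else "bogus"


def compare_answers():
    name, rtype = "www.example.test", "A"
    real = ["192.0.2.10"]                      # constructed address
    sig = sign_rrset(name, rtype, real)
    return {
        # Answer exactly as published by the zone owner.
        "authoritative": validate(name, rtype, real, sig),
        # Rogue resolver swaps the address and replays the old signature.
        "criminal_rewrite": validate(name, rtype, ["203.0.113.66"], sig),
        # Filtering resolver returns a block-page address; it has no zone
        # key, so it cannot supply a valid signature.
        "mandated_rewrite": validate(name, rtype, ["198.51.100.1"], None),
    }


if __name__ == "__main__":
    for source, verdict in compare_answers().items():
        print(f"{source:18} {verdict}")
```

The resolver sees only the records and the signature, so the criminal rewrite and the mandated rewrite receive the same verdict.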

If DNSSEC were fully implemented today, the need for something like Operation Ghost Click would be significantly reduced. Once a computer is able to distinguish the right answers (safe data) from the wrong answers (cyber attacks) in DNS traffic, it can take corrective action and protect users from malicious actors. However, if Congress passes SOPA or PROTECT IP without deleting the DNS filter provision, then experts argue that the potential for having a secure DNS will have been forfeited and cyber security problems will get worse. If six people can cause $14 million in damage and take control of millions of computers, then the amount of damage cyber criminals could cause if mandatory DNS filtering became law is incalculable.

Think about how all of our computers at work and at home are networked at some level with other computers. While you may not engage in circumventing a government-issued DNS block, are you confident that your neighbor, friend, or family member will also refrain? Only one computer needs to be compromised in order for malicious actors to enter and cause damage to a computer network. Once users are given an incentive to change their DNS settings to work around a government DNS block, they make all of us more vulnerable to attacks by cyber criminals. Hopefully, Operation Ghost Click will show Congress that DNSSEC has extraordinary value to the public and should not be sacrificed for minimal gains against Internet piracy.