The question is what if someone was gunning for your fiber. To date cuts have been unintentional. Obviously the risk level is much higher doing a phyisical attack, but the bad guys in this scenario are not teenage hackers in the parents basement. There is a good foundation of knowledge on the implications of cyber attacks, but the what-if of an intentional physical attack is an important question I believe. The context in this discussion has been very valuable and many thanks to everyone that has offered opinions. ----- Original Message ----- From: Dave Israel <davei@algx.net> Date: Thursday, September 5, 2002 3:50 pm Subject: Re: Vulnerbilities of Interconnection
The thing is, the major cuts are not "attacks;" the backhoe operators aren't gunning for our fiber (no matter how much it seems like they are). If I wanted to disrupt traffic, intentionally and maliciously, I would not derail a train into a fiber path. Doing so would be very difficult, and the legal ramifications (murder, destruction of property, etc, etc) are quite clear and severe. However, if I ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never
had
to leave my parents' basement, I'm harder to trace by normal police methods, and the question of which laws that can be applied to me is less clear.
-Dave
On 9/5/2002 at 15:38:56 -0400, sgorman1@gmu.edu said:
"Again, it seems more likely and more technically effective to
internally than physically. Focus again here on the cost/benefit analysis from both the provider and disrupter perspective and you will see what I mean."
Is there a general consensus that cyber/internal attacks are more effective/dangerous than physical attacks. Anecdotally it seems
largest Internet downages have been from physical cuts or failures.
2001 Baltimore train tunnel vs. code red worm (see keynote report) 1999 Mclean fiber cut - cement truck AT&T cascading switch failure Utah fiber cut (date??) Not sure where the MAI mess up at MAE east falls Utah fiber cut (date??)
Then again this is the biased perspetive of the facet I'm researching> Secondly it seems that problems arise from physical cuts not because of a lack of redundant paths but a bottlneck in peering and
resulting in ripple effects seen with the Baltimore incident.
----- Original Message ----- From: "William B. Norton" <wbn@equinix.com> Date: Thursday, September 5, 2002 3:04 pm Subject: Re: Vulnerbilities of Interconnection
At 02:45 PM 9/5/2002 -0400, alex@yuriev.com wrote:
This obviously would be a thesis of Equinix and other collo
space
providers,>since this is exactly the service that they
won't, hower, be a
thesis of any major network that either already has a lot of infrastructure>in place or has to be a network that is supposed to survive a physical attack.
Actually, the underlying assumption of this paper is that major networks already have a large global backbone that need to interconnect in n-regions. The choice between Direct Circuits and Colo-based cross connects is discussed and documented with costs and tradeoffs. Surviving a major attack was not the focus of the paper...but...
When I did this research I asked ISPs how many Exchange Points they felt were needed in a region. Many said one was sufficient, that
were resilient across multiple exchange points and transit relationships, and preferred to engineer their own diversity separate from regional exchanges. A bunch said that two was the right number, each with different operating procedures, geographic locations, providers of fiber, etc. , as different as possible. Folks seemed unanimous about there not being more than two IXes in a region, that to do so would splinter the peering population.
Bill Woodcock was the exception to this last claim, positing (paraphrasing) that peering is an local routing optimization and that many inexpensive (relatively insecured) IXes are acceptable. The loss of any one simply removes the local routing optimization and that transit is always an alternative for that traffic.
A couple physical security considerations came out of that
research:> > 1) Consider that man holes are not always secured, providing access to
metro fiber runs, while there is generally greater security within colocation environments
This is all great, except that the same metro fiber runs are used to get carriers into the super-secure facility, and, since neither
who
originate information, nor those who ultimately consume the information are located completely within facility, you still have the same problem. If we add to it that the diverse fibers tend to aggregate in the basement of the building that houses the facility, multiple carriers use the same manholes>for their diverse fiber and so on.
Fine - we both agree that no transport provider is entirely protected from physical tampering if its fiber travels through insecure passageways. Note that some transport capacity into an IX doesn't necessarily
along the same path as the metro providers, particularly those IXes located outside a metro region. There are also a multitude of paths, proportional to the # of providers still around in the metro area, that
attack the transit - provide. It they those travel provide
alternative paths into the IX. Within an IX therefore is a concentration of alternative providers, and these alternative providers can be used as needed in the event of a path cut.
2) It is faster to repair physical disruptions at fewer points, leveraging cutovers to alternative providers present in the
collocation > > IX model, as > > > > opposed to the Direct Circuit model where provisioning additional> > > > capacities to many end points may take days or months.> > > > > >This again is great in theory, unless you are talking about > > someone who > > >is planning on taking out the IX not accidently, but > > deliberately. To > > >illustrate this, one just needs to recall the infamous fiber cut > > in McLean > > >in 1999 when a backhoe not just cut Worldcom and Level(3) > > circuits, but > > >somehow let a cement truck to pour cement into Verizon's manhole > > that was > > >used by Level(3) and Worldcom. > > > > Terrorists in cement trucks? > > > > Again, it seems more likely and more technically effective to > > attack > > internally than physically. Focus again here on the cost/benefit > > analysis > > from both the provider and disrupter perspective and you will see > > what I mean. > > > > > > >Alex > > > > > > >
-- Dave Israel Senior Manager, DNE SE