Coordinated infrastructure attacks are scary for that reason. They are scary. :) Netcraft will provide you the information on every web server/server OS just for the asking -- you don't need an OC3 or even nmap. Historically, wide spreading worms have had a flaw in the program that prevented how much damage they could cause. (i.e., either too virulent or too patient). I suspect even in your dd solution, the attacker would leave a delay to allow some additional CPU power devoted to attacking other destinations. If the timeout is too short and interesting machines go down fast, the spread takes longer. If its too long, it can be stopped before it gets as far. The nastier you make it, the less far it spreads. In some paranoid networks, within 20 minutes of the content disappearing they would probably pull all or many of their most significant machines off line while they are figuring out what attack is occuring. The least responsive networks are going to be the most vulnerable to a scenario like this. Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it used to be (even at the border), and since most large networks use automatic configuration generators -- no matter how cumbersome -- it is concievable that the brute force attack could be killed on the largest networks at a mean of 10-12 hrs. Server damage would take longer depending on how available/recent backups are. The best part of multilevel NOCs (level 1-2 open tickets 3+ solve problems) is that under large, cascading attacks of this sort, those who actually solve the problem are not as bogged down by frantic customers calling. ---- Risers (inside) a building aren't even that big a deal. Most manholes around these carrier hotels are not welded shut, and most of the POEs (no matter how many there are) have a man hole or two on the street for splicing purposes. A few bad guys could drop a <explosive, incendiary, acid, etc> in each of these around each major carrier hotel and disable the hotel in about 20 minutes from start-to-finish. (4 men teams at each major infrastructure location in the U.S. -- say 10?) could disable everything in less than 5 minutes from start to finish and be making a quick exit before the first fiber goes down. If you simultaneously melt/explode/destroy every POE to every major cable landing/telecom hotel in the U.S., you will have problems (sky links MIGHT be excepted if you are especially clever). And >24 hr repair times, assuming you can get the repair call out in the first place. Lets not forget that manholes are almost always in public right of way, or similarly accessible. Opening them quickly/publicly won't even freak out too many people. Worst case 2-3 blocks away you triple the number of manholes to open/disable, and have no tech-savvy types or building-security types have the chance to even see it go down -- better, no welded manholes to worry about whatsoever. --- Its almost ridiculous to worry about protecting carrier-buildings from deliberate mischief because they are far more vulnerable outside than inside. Security guards inside are (IMO) to keep large pieces of equipment from walking out without getting a good look at the guy(s) doing it. Even then, most misunderstand their role and rely on the basic honesty of the visitors to maintain anything... I could just be grumpy though. Deepak Jain AiNET
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Phil Rosenthal Sent: Thursday, July 04, 2002 2:17 PM To: jlewis@packetnexus.com; nanog@merit.edu Subject: RE: Internet vulnerabilities
Thinking about a physical threat... If you go to 111 8th ave, NYC. They have added security since 9-11-01 which now requires either building ID, or showing a driver's license before entering building (because terrorists don't have driver's licenses).
On some floors (eg the 7th). The building risers and conduits are completely exposed. I can't help but wonder how much damage a terrorist attack to that would do.
Also, say someone from a moderately fast internet connection (OC-3) ran nmap across the entire internet on ports like 21,22,53,80,443,3306. In one day, they can probably have a list of every server answering those ports, and the versions of the daemons on them.
Next, just wait for an wide enough exploit to come out, and then write a Trojan that has a list of every other server vulnerable, and on every hack, it splits the list in 2, and roots another box and gives it the 2nd half of the list.
I estimate that with a wide enough exploit (eg apache or openssh), you could probably compromise 20% of the servers on the net within 1 hour, and then have them all begin a ping flood of something "far away" network wise (meaning a box in NYC would flood a box in SJC, a box in SJC would flood a box in Japan, etc... Trying to have as much bit distance as possible).
Damn scary, but I believe if someone was determined enough, they could take down the whole 'net within one hour of pressing "enter".
I suppose there really isn't anything that can be done at this point to make that scenario impossible.
--Phil
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jason Lewis Sent: Thursday, July 04, 2002 1:57 PM To: nanog@merit.edu Subject: Internet vulnerabilities
There is a lot of news lately about terrorist groups doing recon on potential targets. The stories got me thinking.
What are the real threats to the global Internet?
I am looking for anything that might be a potential attack point. I don't want to start a flame war, but any interesting or even way out there idea is welcome.
Is it feasible that a coordinated attack could shutdown the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a widescale?
jas