On Mon, 12 Nov 2001, Sean Donelan wrote:
> The public discussions I know about have focused on "popular" subjects such as root servers, ddos, viruses. While interesting, and challenging topics, are they really the biggest security problems facing Internet operators? I don't think so. But that's just my opinion.
>
> What are the biggest security risks Internet operators need to manage?
>
> I'm concerned about route integrity, multi-provider facility risks, and multi-provider restoration deadlock. Why do I worry about them? Because they are risks no single provider can manage alone.

These are by no means trivial concerns, but if we want to look at intentional disruption of a large portion of the internet I think we have to look elsewhere. By its nature the internet is very distributed so taking out a single location won't do all that much damage to the whole. Also, if a really big network starts to intentionally disrupt BGP stability, it is only a matter of hours (hopefully) or days (realistically) before this network is isolated and the problem is contained.

A physical attack on the root nameservers would probably be very effective for a short time: without root servers pretty much nothing works anymore. But a physical attack on 13 facilities on 4 coasts of 3 continents isn't easy and as long as not all master databases and all recent copies of the tld zone files are destroyed, root service would probably be repaired in no more than a couple of days.

I think a physical attack on the major fiber bundles between the US coasts would disrupt both the internet and many other services very effectively. Obviously it won't be possible to take out every single fiber, but experience shows there are places where huge amounts of bandwidth are present in the same ditch and they run through large uninhabited (unsupervised) areas such as mountains and deserts. If the five most important of those paths are out of service, I'm pretty sure the remaining paths can't handle the extra bandwidth. The northern paths are especially vulnerable in the winter because snow and ice make it very hard to repair the fibers. There are also other possibilities to prohibit repair.

As for attacks over the network itself: the Nimda worm already had an impact on BGP stability (http://www.renesys.com/projects/bgp_instability/), without even trying. I'm hesitant to discuss particulars here, but try to imagine a worm with some knowledge of routing infrastructure vulnerabilities.