The question is what if someone was gunning for your fiber. To date cuts have been unintentional. Obviously the risk level is much higher doing a physical attack, but the bad guys in this scenario are not teenage hackers in their parents' basement. There is a good foundation of knowledge on the implications of cyber attacks, but the what-if of an intentional physical attack is an important question, I believe. The context in this discussion has been very valuable and many thanks to everyone that has offered opinions.
----- Original Message ----- From: Dave Israel <davei@algx.net> Date: Thursday, September 5, 2002 3:50 pm Subject: Re: Vulnerbilities of Interconnection
The thing is, the major cuts are not "attacks;" the backhoe operators aren't gunning for our fiber (no matter how much it seems like they are). If I wanted to disrupt traffic, intentionally and maliciously, I would not derail a train into a fiber path. Doing so would be very difficult, and the legal ramifications (murder, destruction of property, etc., etc.) are quite clear and severe. However, if I ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never had to leave my parents' basement, I'm harder to trace by normal police methods, and the question of which laws can be applied to me is less clear.
-Dave
On 9/5/2002 at 15:38:56 -0400, sgorman1@gmu.edu said:
"Again, it seems more likely and more technically effective to attack internally than physically. Focus again here on the cost/benefit analysis from both the provider and disrupter perspective and you will see what I mean."
Is there a general consensus that cyber/internal attacks are more effective/dangerous than physical attacks? Anecdotally it seems the largest Internet outages have been from physical cuts or failures:
2001 Baltimore train tunnel vs. Code Red worm (see Keynote report)
1999 McLean fiber cut - cement truck
AT&T cascading switch failure
Utah fiber cut (date??)
Not sure where the MAI mess-up at MAE-East falls
Then again, this is the biased perspective of the facet I'm researching. Secondly, it seems that problems arise from physical cuts not because of a lack of redundant paths but because of a bottleneck in peering, resulting in the ripple effects seen with the Baltimore incident.
----- Original Message ----- From: "William B. Norton" <wbn@equinix.com> Date: Thursday, September 5, 2002 3:04 pm Subject: Re: Vulnerbilities of Interconnection
At 02:45 PM 9/5/2002 -0400, alex@yuriev.com wrote:
This obviously would be a thesis of Equinix and other colo space providers, since this is exactly the service that they provide. It won't, however, be a thesis of any major network that either already has a lot of infrastructure in place or has to be a network that is supposed to survive a physical attack.
Actually, the underlying assumption of this paper is that major networks already have a large global backbone that need to interconnect in n-regions. The choice between Direct Circuits and Colo-based cross connects is discussed and documented with costs and tradeoffs. Surviving a major attack was not the focus of the paper...but...
When I did this research I asked ISPs how many Exchange Points they felt were needed in a region. Many said one was sufficient, that they were resilient across multiple exchange points and transit relationships, and preferred to engineer their own diversity separate from regional exchanges. A bunch said that two was the right number, each with different operating procedures, geographic locations, providers of fiber, etc., as different as possible. Folks seemed unanimous about there not being more than two IXes in a region, that to do so would splinter the peering population.
Bill Woodcock was the exception to this last claim, positing (paraphrasing) that peering is a local routing optimization and that many inexpensive (relatively unsecured) IXes are acceptable. The loss of any one simply removes the local routing optimization, and transit is always an alternative for that traffic.
A couple of physical security considerations came out of that research:
1) Consider that manholes are not always secured, providing access to metro fiber runs, while there is generally greater security within colocation environments.
This is all great, except that the same metro fiber runs are used to get carriers into the super-secure facility, and, since neither those who originate information nor those who ultimately consume the information are located completely within the facility, you still have the same problem. Add to it that the diverse fibers tend to aggregate in the basement of the building that houses the facility, that multiple carriers use the same manholes for their diverse fiber, and so on.
Fine - we both agree that no transport provider is entirely protected from physical tampering if its fiber travels through insecure passageways. Note that some transport capacity into an IX doesn't necessarily travel along the same path as the metro providers, particularly for those IXes located outside a metro region. There are also a multitude of paths, proportional to the # of providers still around in the metro area, that provide alternative paths into the IX. Within an IX, therefore, is a concentration of alternative providers, and these alternative providers can be used as needed in the event of a path cut.
2) It is faster to repair physical disruptions at fewer points, leveraging cutovers to alternative providers present in the colocation IX model, as opposed to the Direct Circuit model where provisioning additional capacities to many end points may take days or months.
This again is great in theory, unless you are talking about someone who is planning on taking out the IX not accidentally, but deliberately. To illustrate this, one just needs to recall the infamous fiber cut in McLean in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but somehow let a cement truck pour cement into Verizon's manhole that was used by Level(3) and Worldcom.
Terrorists in cement trucks?
Again, it seems more likely and more technically effective to attack internally than physically. Focus again here on the cost/benefit analysis from both the provider and disrupter perspective and you will see what I mean.
Alex
-- Dave Israel Senior Manager, DNE SE
On Thu, 5 Sep 2002 sgorman1@gmu.edu wrote:
There is a good foundation of knowledge on the implications of cyber attacks, but the what-if of an intentional physical attack is an important question I believe. The context in this discussion has been very valuable and many thanks to everyone that has offered opinions.
In our open western society a determined group of people can cause a lot of problems if they just want to. Most fiber and electrical connections are very easy to hit because either they are very visible (power lines) or they go along few stretches of way (usually along train rails or roads). Getting information on where the infrastructure is located is not very hard, especially if you're in the industry already. I don't know about the US, but cutting Sweden in half power- and fiber-wise would involve 1-2 weeks of work for 2-3 people with explosives. This would cause huge problems, especially with telecommunications. I would guess that the situation is the same in the US: there aren't that many different east/west fiber stretches that you need to cut to generate a lot of problems for everybody. Imagine all the problems caused by backhoes and extrapolate this into something done by someone actually wanting to cause as much trouble as possible. It's not easy to do anything about this; our society is based on cooperation, law and order. If this starts to break down we're all very vulnerable. -- Mikael Abrahamsson email: swmike@swm.pp.se
On Thu, 5 Sep 2002 sgorman1@gmu.edu wrote:
The question is what if someone was gunning for your fiber. To date cuts have been unintentional.
Think about it:
- how many fiber paths are there that cross the deserts or mountains between the densely populated areas in the US?
- how hard would it be to take out enough so the remaining phone and IP capacity gets massively congested?
- how hard would it be to slow down repair efforts?
Safeguarding an interconnect location is a lot easier than safeguarding a cross-continental fiber. And generally, when a pure interconnect location goes down, the impact is fairly minimal: usually only mild congestion for some destinations. Just the networks that were stupid enough to have their transit run through the exchange location have a real problem. (And some people are cheap enough to do this.) The real problems start when the problem is bigger and colocation facilities go down. Then authentication services can get wiped out, which hurts entire classes of users. Engineering an IP network that can survive partial outages isn't all that hard. Finding someone to pay for it all is harder. But engineering services that store large amounts of data so that they can survive partial outages isn't an easy thing to do.
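Two points in this thread are really one engineering check: Alex and Bill Norton note that "diverse" carrier circuits often share a manhole or building riser, and Iljitsch asks how few desert and mountain crossings actually exist. Both say that survivability has to be counted per physical conduit (shared-risk group), not per link or per carrier. The Python below is an added example written for this page, not code or data from the thread; the toy backbone, the carrier names and the conduit labels are constructed for illustration. It brute-forces the smallest set of individual links whose loss disconnects two regions, then repeats the search treating every circuit in a conduit as failing together, and shows how a topology that looks 2-connected by links is 1-connected by conduits.

```python
"""Shared-risk survivability check: links vs. the conduits they actually occupy.

Constructed example (not from the thread): a toy backbone whose "diverse"
carrier circuits partly share the same right-of-way or manhole.
"""
from itertools import combinations

# (end_a, end_b, carrier, conduit) -- all names are invented for the example.
LINKS = [
    ("DC",  "CHI", "carrierA", "rail-north"),
    ("DC",  "CHI", "carrierB", "rail-north"),  # second carrier, same right-of-way
    ("DC",  "ATL", "carrierA", "i85"),
    ("ATL", "CHI", "carrierC", "rail-south"),
    ("CHI", "DEN", "carrierA", "i80"),
    ("CHI", "DEN", "carrierB", "i80"),         # "redundant" pair in one conduit
    ("DEN", "SFO", "carrierA", "i80"),         # the same conduit continues west
    ("DEN", "LAX", "carrierC", "i70"),
    ("LAX", "SFO", "carrierB", "i5"),
]


def connected(links, src, dst):
    """True if src can still reach dst over the surviving links (iterative DFS)."""
    adj = {}
    for a, b, _carrier, _conduit in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def min_link_cut(links, src, dst, max_k):
    """Smallest set of individual links whose loss disconnects src from dst.

    Brute force over combinations of up to max_k link indices; returns
    (size, link_indices) or None. This is the optimistic view in which every
    circuit is an independent failure.
    """
    for k in range(1, max_k + 1):
        for combo in combinations(range(len(links)), k):
            survivors = [l for i, l in enumerate(links) if i not in combo]
            if not connected(survivors, src, dst):
                return k, combo
    return None


def min_conduit_cut(links, src, dst, max_k):
    """Smallest set of conduits (shared-risk groups) whose loss disconnects src from dst.

    One backhoe, cement truck or charge takes out every circuit in a conduit,
    so failures are enumerated per conduit, not per link. Returns
    (size, conduit_names) or None.
    """
    conduits = sorted({l[3] for l in links})
    for k in range(1, max_k + 1):
        for combo in combinations(conduits, k):
            survivors = [l for l in links if l[3] not in combo]
            if not connected(survivors, src, dst):
                return k, combo
    return None


if __name__ == "__main__":
    for src, dst in (("DC", "SFO"), ("DC", "CHI")):
        print(f"{src}->{dst}: link cut {min_link_cut(LINKS, src, dst, 4)}, "
              f"conduit cut {min_conduit_cut(LINKS, src, dst, 4)}")
```

On the constructed topology, DC to SFO needs two link failures (both CHI-DEN circuits) but only one conduit failure (i80, which also carries DEN-SFO), which is the manhole problem Alex describes in numbers. The brute-force search is exponential in the number of conduits, so for a real network you would feed a minimum-cut routine a graph whose edges are conduits rather than circuits; the point here is only that the inventory must record conduit membership for the question to be answerable at all.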
On Thu, 5 Sep 2002 sgorman1@gmu.edu wrote:
:The question is what if someone was gunning for your fiber. To date
:cuts have been unintentional. Obviously the risk level is much higher
:doing a physical attack, but the bad guys in this scenario are not
:teenage hackers in the parents' basement.
This happened recently in Quebec where there is a labour dispute with Videotron and one of the unions representing its workers. The dispute has been exacerbated by the sabotage of the company's fiber lines. Now, while this may affect Videotron's bottom line, it only becomes a critical infrastructure issue when it becomes a Hydro Quebec issue, or it interferes with the province's ability to deliver services. Honestly, if a few million people can't get their porn streams, the world isn't going to end. If 911 operators or ambulance services can't direct emergency crews for 10 people, then you have a serious problem.
:There is a good foundation of knowledge on the implications of cyber
:attacks, but the what-if of an intentional physical attack is an
:important question I believe. The context in this discussion has been
:very valuable and many thanks to everyone that has offered opinions.
The what-if questions have to be sorted from a particular view, and it will be the legislators' view which will ultimately matter. You can bluesky, whiteboard, game and scheme all you like, but there are only a few opinions that matter when it comes to deciding what is of importance to national security, and until we hear from them, we can be as paranoid and imaginative as we want, and it won't help the infrastructure become more secure. So, as for Nasdaq vs. Google vs. the GSA vs. Agriculture vs. CNN, until we have the correct order in which to place these entities, we can't provide a useful or accurate model of how vulnerable the infrastructure is.
You mentioned that you thought Nasdaq would be the most important asset to protect, but what happens if some Internet traders on AOL can't make their trades because of a fiber cut, vs. not being able to get their infotainment from CNN, vs. weather and crop data not getting to farmers on time? It's a relative and ultimately political discussion. -- batz
At 07:41 PM 05/09/2002 -0400, batz wrote:
On Thu, 5 Sep 2002 sgorman1@gmu.edu wrote:
:The question is what if someone was gunning for your fiber. To date :cuts have been unintentional. Obviously the risk level is much higher :doing a phyisical attack, but the bad guys in this scenario are not :teenage hackers in the parents basement.
This happened recently in Quebec where there is a labour dispute with Videotron and one of the unions representing its workers. The dispute has been exacerbated by the sabotage of the company's fiber lines.
Quick summary for those not familiar with this story: http://therecord.com/business/technology/z083017A.html It's interesting to contemplate how this event was presented in the media and perceived by the public at large. Consider the end result in the above story and consider two different motives. a) Angry union or union sympathizers cut fibre optic lines to put pressure on the company, or corporate strike busters cut cable to make the union look bad.... vs. b) International terrorists cut fibre optic lines.... With a) it's a filler news item to be displaced by shark attacks and Gary Condit. b) Two words: media frenzy. Same end result, but two totally different reactions because of who the terrorists are/were... How about network operators? Would you be any more or less pissed, and react differently, at the motives as to why someone attacked your network? On a day to day basis, I see far more attacks from the "usual suspects" than from anything media-frenzy worthy. I mean, how many Code Red and MS-SQL worm attacks do you see on a day to day basis.... It's so much that I explain to customers it's like cosmic background radiation when they turn on their firewalls for the first time and see connect attempts to port 1433 from international IP addresses :-( ---Mike
On Fri, 6 Sep 2002, Mike Tancsa wrote:
:How about network operators? Would you be any more or less pissed and
:react differently at the motives as to why someone attacked your network?
To a network technician, it doesn't matter whether it's terrorists or cow-tipping teenagers causing outages, as the depth of analysis required to fix the problem doesn't involve speculating about the identities and motives of the perpetrators. Even as a network operator, you have to respond to incidents based on what you can do about them, which, with a few exceptions, is separate from who caused the incident or why they did it. The "whys" of network outages have more to do with "why didn't it fail over and how can we make sure it does next time?" than "are cow-tipping terrorists rampaging through my network?". There is a human tendency to react to situations using information from the very edge of our knowledge and understanding ("It must be something to do with superstrings! Just let me do some research and I'll get back to you about the *real* cause of these network problems..") and this is something we have to take into account when working on problems so we don't get sidetracked from solving the problem at hand. Cheers, -- batz
On Fri, 06 Sep 2002 17:15:52 EDT, batz said:
To a network technician, it doesn't matter whether it's terrorists or cow tipping teenagers causing outages, as the depth of analysis required to fix the problem doesn't involve speculating about the identities and motives of the perpetrators.
Actually, it does. If it's a cable cut caused by a backhoe or a cow-tipping teenager, I can probably safely send out a tech with a splicing kit. If it's a terrorist attack, I may want to think for a bit whether I can re-route around it and let authorities secure the area before I even THINK of sending in a tech with a splicing kit. It's the rare backhoe or bovine that presents a threat of boobytraps, chemical/biological weapons, snipers, etc.... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Fri, 6 Sep 2002, batz wrote:
To a network technician, it doesn't matter whether it's terrorists or cow tipping teenagers causing outages, as the depth of analysis required to fix the problem doesn't involve speculating about the identities and motives of the perpetrators.
It does matter. A cow might fall over and break a line card, but a savvy attacker could give you a linecard that kills chassis, such that they make linecards that kill chassis.. When every piece of gear you have in a region is dead due to poor failure containment, you'll be wishing you had only suffered a chance failure.