Re: Bin Laden Associate Warns of Cyberattack
It is a great example of how well Al-Qaeda manipulates the media. There are more ways to wreak havoc than script kiddies and DoS attacks.
When was the last time you took a sample and tested for the presence of fertilizer *BEFORE* you let the truck driver put that diesel into your generator tanks? And did anyone else notice how the NY Times article gave some clear instructions on how to identify the building in Tribeca even though they didn't include the street address?

The best defence against all of these potential terrorist attacks is to do what the military does, i.e. spread out. Never put more than a fraction of your eggs in one basket. Use the network to connect diverse and widespread assets so that they can function as a unit even though they are physically separated. This philosophy works whether your assets are combat soldiers or network PoPs.

And again, there is a role for government here. How about tax reductions for companies who harden their networks by removing single points of failure that are vulnerable to terrorist attack?

--Michael Dillon
Thus spake <Michael.Dillon@radianz.com>
When was the last time you took a sample and tested for the presence of fertilizer *BEFORE* you let the truck driver put that diesel into your generator tanks?
Worst case, you'd detect this during your periodic generator test :)
The best defence against all of these potential terrorist attacks is to do what the military does, i.e. spread out. Never put more than a fraction of your eggs in one basket. Use the network to connect diverse and widespread assets so that they can function as a unit even though they are physically separated.
Isn't that the reason that IP was designed the way it was? 9/11 showed us that, despite the relatively concentrated POPs in NYC, the Internet was still the only communications medium that survived the attack --and it was largely unaffected, even for users located in NYC itself! CAIDA tells us that over 25% of the Internet must be removed before connectivity degrades. I'm quite a cynic, but I doubt the CIA could pull off that kind of damage, much less al Qaeda.
This philosophy works whether your assets are combat soldiers or network PoPs. And again, there is a role for government here. How about tax reductions for companies who harden their networks by removing single points of failure that are vulnerable to terrorist attack?
Oh yes, let's create a tax credit system which will essentially become an arbitrary means for government officials to reward friends in the private sector in return for kickbacks. That'll definitely solve the problem (which has been shown not to exist). Look how well it's worked for healthcare and oil companies! S
9/11 showed us that, despite the relatively concentrated POPs in NYC, the Internet was still the only communications medium that survived the attack --and it was largely unaffected, even for users located in NYC itself!
Those of us who were providing emergency transit to providers that were completely isolated know that that was more because of luck than actual planning.
CAIDA tells us that over 25% of the Internet must be removed before connectivity degrades. I'm quite a cynic, but I doubt the CIA could pull off that kind of damage, much less al Qaeda.
I am not sure what you mean with 25% of the Internet? What connectivity would degrade? From where to where? - kurtis -
"Kurt" == Kurt Erik Lindqvist <kurtis@kurtis.pp.se> writes:
Kurt> I am not sure what you mean with 25% of the Internet? What
Kurt> connectivity would degrade? From where to where?

If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands. As Sean pointed out, the CAIDA study considered a sample of the 50k most connected nodes. So a successful attack aimed at 12500 big routers simultaneously would break the Internet into little pieces.

If more strategy is used in the selection process, you get localized outages -- i.e. disabling everything in 60 Hudson or 151 Front is likely to cause significant problems in New York or Toronto but you'll probably be able to see the rest of the world just fine from Sweden. A distributed physical attack against a large number of Telco Hotels and trans-oceanic fibre landing points would be somewhat worse. It would also be very difficult to do from a laptop.

With the exception of E911 service (which normally doesn't use IP anyways), any such disruption is unlikely to really hurt anyone. Such hand-wringing whenever someone threatens to break the Internet is maybe a sign of an unhealthy dependence on a medium that is younger than most of the people on this list? Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage.

-w
Kurt> I am not sure what you mean with 25% of the Internet? What
Kurt> connectivity would degrade? From where to where?
If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands. As Sean
Well, depending on topology and where you shut things off - you could make one new island per node I take away. I don't see anything relatively new to this. All networking people at the larger ISPs have a pretty good knowledge of exactly which nodes to take out to...
pointed out, the CAIDA study considered a sample of the 50k most connected nodes. So a successful attack aimed at 12500 big routers simultaneously would break the Internet into little pieces.
To be honest - you would need to go for far less than 12500 routers if you know what you are doing. That everything worked well on the Internet on 9-11 most likely comes from comparing it with the phone network. The "Internet" (rather specific networks) were affected by 9-11 and only stayed up due to co-operation among a lot of people.
Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage.
Although I generally agree with this - there is a large risk with underestimating the problem as well. We have for the last few years been busy catching up with the attackers, mostly because of sloppiness and laziness on the operators side. no ip directed broadcast and more recently the discussions of ingress-filtering are just examples of this. - kurtis -
William Waites wrote:
Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage. -w
The context may be different, however, the following two stories tell yet other sides of the cyber security problem. In this case, it is not the net but the users of the net, both the public (govt.) http://zdnet.com.com/2100-1105-966444.html and private sector http://computerworld.com/securitytopics/security/cybercrime/story/0,10801,76... seem susceptible. Don't know whether this is fear mongering/saber rattling or something else.

-raj
Given the attacks and scale of attacks, such as 300+ broken into servers simultaneously spewing the same spam (we've experienced this) recently described here, I think it would be very naive to shrug it all off as mere obnoxiousness.

The attack on the WTC not only took out the WTC, it essentially has taken out our airline industry. Many bombings and similar have been targeted at tourist locations in countries sensitive to tourist income. This enemy is very savvy about economics. Their general terrorist technique is to scare or discourage the general populace out from under some economic base. It's nearly impossible to believe they haven't figured out that poisoning the internet with spam, worms, viruses etc will drive the public away, as it has.

One of our worst problems has been we (i.e., the targets) have been relatively slow to "get it" and prefer to dismiss attacks as random events by sociopaths rather than concerted efforts by true and viable enemies.

Final food for thought: Just because spam actually seems to advertise something doesn't prove it's innocent. Remember that Al Qaida was funding millions of dollars per month via discount coupon fraud in the US. Just because they were real coupons for real and innocent looking products didn't mean there wasn't evil afoot. How much is really known about the spammers? That they may be roping in dopes to pay them doesn't particularly exonerate them in my mind. In fact, it would tend to fit their MO (i.e., don't just wreck things, try to make some money wrecking things!)

-- 
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
On Thu, 21 Nov 2002, Barry Shein wrote:
The attack on the WTC not only took out the WTC, it essentially has taken out our airline industry.
It may be argued that the airline industry has taken out itself by first not having elementary precautions (like closed cockpit doors and having pilots carry guns, with adequate training) which are standard in less complacent parts of the world, and then by making life truly miserable for those who wish or have to travel, in a fit of post-disaster paranoia. It is not enemies who are savvy, it is managers who are stupid. Like, the "crash airplane into some high-value target" scenario was well-aired more than a decade ago - and it is only due to total incompetence of airline security people that this was allowed to happen. I hope that US airlines go out of business and El Al moves in; isn't that what competition is supposed to be about? The same holds for the Internet (with special thanks to the toothless antimonopoly enforcement which allowed operating systems to become a monoculture).

--vadim
On Thu, 21 Nov 2002 20:12:20 -0800 (PST), Vadim Antonov wrote:
On Thu, 21 Nov 2002, Barry Shein wrote:
The attack on the WTC not only took out the WTC, it essentially has taken out our airline industry.
It may be argued that the airline industry has taken out itself by first not having elementary precautions (like closed cockpit doors and having pilots carry guns, with adequate training) which are standard in less complacent parts of the world,
I've heard this argument many times, but it's just plain false. And so obviously false that I always look for an ulterior motive when I hear it. Suppose, for example, we'd had closed cockpit doors. The 9/11 terrorists would have threatened the lives of the passengers and crew to induce the pilots to open the doors. The pilots would have opened the doors because the reasoning until that time was that you did whatever the hostages told you to do until you could get the plane on the ground. It was the rules of engagement that failed. Nothing more, nothing less.
and then by making life truly miserable for those who wish or have to travel, in a fit of post-disaster paranoia.
The airline industry did that?
It is not enemies who are savvy, it is managers who are stupid. Like, the "crash airplane into some high-value target" scenario was well-aired more than a decade ago
Not the "crash jetliner full of passengers into high-value target" scenario. If you were able to make the decision to shoot down or not shoot down the two jetliners before either struck a building, knowing only that they were not responding and probably hijacked, what would you have done? Imagine if the U.S. had shot down all the planes. What would people be saying about all the innocent people the military had murdered? Again, it's the rules of engagement that failed.
- and it is only due to total incompetence of airline security people that this was allowed to happen.
So tell me what they should have done differently. Not allowed knives on the plane? The terrorists would have used their bare hands. Strip searched every passenger? Arm their pilots -- they weren't allowed to.
I hope that US airlines go out of business and El Al moves in; isn't that what competition is supposed to be about?
Except that there is no competition. Airlines don't get to make their own security rules, they're largely preempted by the government ownership and control of airports and the FARs.
The same holds for the Internet (with special thanks to the toothless antimonopoly enforcement which allowed operating systems to become a monoculture).
This is a great bit of double-think. It has nothing to do with the fact that people overwhelmingly prefer to have compatible operating systems, it's the fact that nobody forced them to diversify against their will. DS
On 20 Nov 2002, William Waites wrote:
If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands.
One of the key points was the nodes were removed in ranked order, not in random order. Removing the nodes in ranked order results in a linear decrease in connectivity, i.e. removing the top 1% of the core nodes removes 1% of the connections. But then the scary academic language appears: "the curves appear to be highly asymmetric around a critical point." That is an understatement like "Houston, we have a problem."

http://www.caida.org/outreach/papers/2001/OSD/

It's a very interesting paper, and I recommend anyone responsible for network integrity or reliability read it.
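The ranked-versus-random removal that Sean and William are arguing about can be reproduced on a toy graph. The following is an added example, not code from the thread or from the CAIDA paper it cites. It grows a constructed preferential-attachment graph (an assumed stand-in for a router-level topology, with assumed parameters n=2000, m=2 and a fixed seed), removes nodes either in random order or in degree-ranked order, and reports the fraction of all nodes still inside the largest connected component. The absolute numbers are only illustrative; the shape of the two curves, robust to random loss and brittle to ranked removal, is the point the paper makes.

```python
"""Random vs. degree-ranked node removal on a synthetic scale-free graph.

Added example; not code from the NANOG thread or from the CAIDA paper.
The graph is a constructed Barabasi-Albert-style preferential-attachment
graph standing in for the router topology. Parameters (n, m, seed) are
assumptions chosen so the run is deterministic and fast.
"""
import random
from collections import deque


def build_preferential_graph(n, m, seed=1):
    """Return {node: set(neighbours)} for a connected graph grown by preferential attachment."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    # Start from a small complete core so the first attachments have targets.
    core = list(range(m + 1))
    for a in core:
        for b in core:
            if a < b:
                adj[a].add(b)
                adj[b].add(a)
    # Multiset of edge endpoints: a node appears once per incident edge, so a
    # uniform choice from this list picks it with probability proportional to degree.
    endpoints = [v for v in core for _ in range(len(adj[v]))]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(endpoints))
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            endpoints.extend((new, t))
    return adj


def largest_component_fraction(adj, removed):
    """Size of the largest connected component among surviving nodes, as a fraction of all nodes."""
    alive = set(adj) - removed
    seen = set()
    best = 0
    for start in alive:
        if start in seen:
            continue
        size = 0
        queue = deque([start])
        seen.add(start)
        while queue:  # plain BFS over surviving nodes only
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(adj)


def removal_curve(adj, order, fractions):
    """Largest-component fraction after removing the first f*N nodes of `order`, for each f."""
    n = len(adj)
    return [largest_component_fraction(adj, set(order[: int(f * n)])) for f in fractions]


def compare(n=2000, m=2, seed=1, fractions=(0.0, 0.05, 0.10, 0.25)):
    """Return the random-order and degree-ranked removal curves for one constructed graph."""
    adj = build_preferential_graph(n, m, seed)
    rng = random.Random(seed + 1)
    random_order = list(adj)
    rng.shuffle(random_order)
    # Ranked order: highest-degree nodes first, i.e. the "top 1% of core nodes" case.
    ranked_order = sorted(adj, key=lambda v: len(adj[v]), reverse=True)
    return {
        "fractions": list(fractions),
        "random": removal_curve(adj, random_order, fractions),
        "ranked": removal_curve(adj, ranked_order, fractions),
    }


if __name__ == "__main__":
    result = compare()
    for f, r, k in zip(result["fractions"], result["random"], result["ranked"]):
        print(f"remove {f:4.0%}: random -> {r:.2f}   ranked -> {k:.2f}")
```

Run it as-is and compare the two columns: random removal of a tenth of the nodes leaves most of the graph in one piece, while removing the same number of nodes by degree rank knocks the largest component down much harder. Sean's point about a critical point is why the ranked curve is the one to plan against; William's point is that the ranked attack needs knowledge of which nodes are the high-degree ones.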
Perhaps something I've missed, but is ARIN.Net no longer handling lookups? I usually use them to find offending users but got this when doing a lookup.

No match for 64.124.168.60

Thanks in Advance off on on list.

-Joe
Worked for me:

[mlyon@fitzharris mlyon]$ whois -h whois.arin.net 64.124.168.60
[whois.arin.net]
OrgName:    Abovenet Communications, Inc
OrgID:      ABVE
NetRange:   64.124.0.0 - 64.125.255.255
CIDR:       64.124.0.0/15
NetName:    ABOVENET
NetHandle:  NET-64-124-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.ABOVE.NET
NameServer: NS3.ABOVE.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-07-06
Updated:    2001-04-27

TechHandle: NOC41-ORG-ARIN
TechName:   Metromedia Fiber Networks/AboveNet
TechPhone:  +1-408-367-6666
TechEmail:  noc@above.net

OrgTechHandle: MFNA1-ARIN
OrgTechName:   Metromedia Fiber Networks AboveNet
OrgTechPhone:  +1-408-367-6666
OrgTechEmail:  ARSystem@above.net

# ARIN Whois database, last updated 2002-11-20 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
[mlyon@fitzharris mlyon]$

-Mike

On Thu, 21 Nov 2002, Joe wrote:
Perhaps something I've missed, but is ARIN.Net no longer handling lookups? I usually use them to find offending users but got this when doing a lookup.
No match for 64.124.168.60
Thanks in Advance off on on list. -Joe
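For anyone scripting this kind of abuse lookup rather than reading it by eye, the reply Mike posted is easy to parse. The following is an added example, not code from the thread: the sample reply is the field lines from that whois output, embedded here as a constructed string, and the script checks that the address being looked up really sits inside the returned CIDR and NetRange, that the two agree with each other, and pulls out the contact to write to. The helper names are mine; ipaddress is the Python standard library.

```python
"""Parse an ARIN whois reply and sanity-check it against the address that was looked up.

Added example, not from the thread. SAMPLE_REPLY is a constructed string built from
the field lines of the whois output posted in the thread (prompt lines omitted).
"""
import ipaddress

SAMPLE_REPLY = """\
OrgName:    Abovenet Communications, Inc
OrgID:      ABVE
NetRange:   64.124.0.0 - 64.125.255.255
CIDR:       64.124.0.0/15
NetName:    ABOVENET
NetHandle:  NET-64-124-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.ABOVE.NET
NameServer: NS3.ABOVE.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-07-06
Updated:    2001-04-27
TechEmail:  noc@above.net
OrgTechEmail: ARSystem@above.net
# ARIN Whois database, last updated 2002-11-20 19:05
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict.

    Lines starting with '#' and blank lines are skipped. A key that repeats
    (NameServer above) is collected into a list instead of being overwritten.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def covering_networks(fields):
    """The CIDR field may list several prefixes separated by commas; return them as network objects."""
    cidr = fields.get("CIDR", "")
    return [ipaddress.ip_network(c.strip()) for c in cidr.split(",") if c.strip()]


def check_match(text, ip):
    """Report whether `ip` lies inside the returned block and whether CIDR and NetRange agree."""
    fields = parse_whois(text)
    addr = ipaddress.ip_address(ip)
    nets = covering_networks(fields)
    in_cidr = any(addr in n for n in nets)
    lo, hi = [ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split("-")]
    in_range = lo <= addr <= hi
    # NetRange and CIDR describe the same block; if they disagree the reply was
    # mangled in transit or is not what the registry sent, so do not act on it.
    consistent = len(nets) == 1 and nets[0][0] == lo and nets[0][-1] == hi
    return {
        "in_cidr": in_cidr,
        "in_range": in_range,
        "consistent": consistent,
        "net_type": fields.get("NetType"),
        "contact": fields.get("OrgTechEmail") or fields.get("TechEmail"),
    }


if __name__ == "__main__":
    for probe in ("64.124.168.60", "64.126.0.1"):
        print(probe, check_match(SAMPLE_REPLY, probe))
```

The second probe address is outside the /15 on purpose, to show the negative case: a reply that does not cover the address you asked about (for instance because a referral or a cached answer for a neighbouring block came back) should not be used to pick a contact.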
Thanks All for the response. Looks like the web interface (www.arin.net) is the problem. Thanks again!
Perhaps something I've missed, but is ARIN.Net no longer handling lookups? I usually use them to find offending users but got this when doing a lookup.
No match for 64.124.168.60
I did have the same problem yesterday (Wednesday). Looks like it is working today. Maybe some leftover bug from their conversion to the new formats? Or just high load... you can try our ipinfo page, which caches whois queries. If you are lucky, someone else looked up the same ip...

http://www.dshield.org/ipinfo.php?ip=64.124.168.60

-- 
--------------------------------------------------------------------
jullrich@euclidian.com Collaborative Intrusion Detection
join http://www.dshield.org
"Sean" == Sean Donelan <sean@donelan.com> writes:
Sean> On 20 Nov 2002, William Waites wrote:
>> If you randomly select nodes to remove, by the time you have
>> removed 25% of them, the network breaks up into many isolated
>> islands.
Sean> One of the key points was the nodes were removed in ranked
Sean> order, not in random order.

I stand corrected.

It would be interesting to see what outdegree looks like as a function of rank -- in the paper they give only the maximum and average (geo. mean) outdegrees. Is there also a critical point 25% of the way through the ranking? Probably not or one would expect they'd have mentioned it...

So then the 12500 *biggest* routers have to be disabled before the graph breaks into many islands. This would be yet harder from an attacker's point of view, no?

-w
Thus spake "William Waites" <ww@styx.org>
I stand corrected.
It would be interesting to see what outdegree looks like as a function of rank -- in the paper they give only the maximum and average (geo. mean) outdegrees. Is there also a critical point 25% of the way through the ranking? Probably not or one would expect they'd have mentioned it...
So then the 12500 *biggest* routers have to be disabled before the graph breaks into many islands. This would be yet harder from an attacker's point of view, no?
Perhaps. What would happen if every public exchange went offline at the same time? I think there's enough private connections in the DFZ to maintain full connectivity, even if it might get a little slower. Attacking carrier POPs would be a different matter. You can take all of UUnet down by hitting the same number of buildings, but the addresses aren't so easily discovered, and that's still only one carrier in one country. However, all of this is still a relatively minor risk compared to the damage that can be caused by simple human error. S
"Stephen" == Stephen Sprunk <ssprunk@cisco.com> writes:
Stephen> However, all of this is still a relatively minor risk Stephen> compared to the damage that can be caused by simple human Stephen> error. Absolutely. So why the panic? -w
On 22 Nov 2002, William Waites wrote:
"Stephen" == Stephen Sprunk <ssprunk@cisco.com> writes:
Stephen> However, all of this is still a relatively minor risk
Stephen> compared to the damage that can be caused by simple human
Stephen> error.
Absolutely.
So why the panic?
Mean Time To Repair
Thanks for posting Sean. Any other papers along the same vein?

Dee

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan
Sent: Wednesday, November 20, 2002 7:17 PM
To: nanog@merit.edu
Subject: Network integrity and non-random removal of nodes

On 20 Nov 2002, William Waites wrote:
If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands.
One of the key points was the nodes were removed in ranked order, not in random order. Removing the nodes in ranked order results in a linear decrease in connectivity, i.e. removing the top 1% of the core nodes removes 1% of the connections. But then the scary academic language appears: "the curves appear to be highly asymmetric around a critical point." That is an understatement like "Houston, we have a problem."

http://www.caida.org/outreach/papers/2001/OSD/

It's a very interesting paper, and I recommend anyone responsible for network integrity or reliability read it.
participants (13)
- Barry Shein
- David Schwartz
- Joe
- Johannes Ullrich
- Kurt Erik Lindqvist
- Michael.Dillon@radianz.com
- Mike Lyon
- Rajendra G. Kulkarni
- Sean Donelan
- Stephen Sprunk
- Vadim Antonov
- W.D.McKinney
- William Waites