https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-te... says "Russia disconnected itself from the rest of the internet, a test of its new defense from cyber warfare, report says"
did this show up in bgp? e.g. rv/ris?
randy
On Wed, Jul 28, 2021 at 11:29 PM Randy Bush <randy@psg.com> wrote:
https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-te... says "Russia disconnected itself from the rest of the internet, a test of its new defense from cyber warfare, report says"
Would that even be effective? Surely a state sponsored cyber warfare attack can use any domestic internet connection within Russia to continue the attacks.
it is weird that no dyn/kentik/oracle/etc article appeared for the event, right? like.. did they not pull routes, they just prevented access in some other manner?
On Wed, Jul 28, 2021 at 7:22 PM Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On Wed, Jul 28, 2021 at 11:29 PM Randy Bush <randy@psg.com> wrote:
https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-te... says "Russia disconnected itself from the rest of the internet, a test of its new defense from cyber warfare, report says"
Would that even be effective? Surely a state sponsored cyber warfare attack can use any domestic internet connection within Russia to continue the attacks.
On Wed, Jul 28, 2021 at 02:29:19PM -0700, Randy Bush wrote:
https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-te... says "Russia disconnected itself from the rest of the internet, a test of its new defense from cyber warfare, report says"
did this show up in bgp? e.g. rv/ris?
Looks like it was shown on news only. We're operating in Russia too and did not notice this disconnection at all; both traffic levels and prefix count were at normal levels.
PS: I guess this disconnection was in some lab, someone just dropped any "foreign" routes and checked if at least some domestic search engines/mail services/social networks/... continued to function.
randy
Perhaps it's the result of a successful table top exercise 😉
-----Original Message-----
From: NANOG <nanog-bounces+jacques.latour=cira.ca@nanog.org> On Behalf Of Randy Bush
Sent: July 29, 2021 1:47 PM
To: Alexandre Snarskii <snar@snar.spb.ru>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: [EXT] Re: russian prefixes
Looks like it was shown on news only.
:)
i wondered
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
On Thu, Jul 29, 2021 at 9:07 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
Denys, can you say anything about how these TSPU operate? I believe they at least swallow/stop TCP SYN packets toward some destinations (or across a link generally), but I'm curious as to what steps the devices take, to be able to judge impact seen as either: "broken gear" or "funky TSPU doing its thing"
thanks! -chris
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
On Fri, Jul 30, 2021 at 10:57 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Jul 29, 2021 at 9:07 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
Denys, can you say anything about how these TSPU operate?
Denys is, I'm sure, 'lmgtfy'ing me right now but:
https://therecord.media/academics-russia-deployed-new-technology-to-throttle...
https://en.wikipedia.org/wiki/Internet_censorship_in_Russia#Deep_packet_insp...
seems to be the system/device in question.
I believe they at least swallow/stop TCP SYN packets toward some destinations (or across a link generally), but I'm curious as to what steps the devices take, to be able to judge impact seen as either: "broken gear" or "funky TSPU doing its thing"
thanks! -chris
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
On 2021-07-30 18:45, Christopher Morrow wrote:
On Fri, Jul 30, 2021 at 10:57 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Jul 29, 2021 at 9:07 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
Denys, can you say anything about how these TSPU operate?
Denys is, I'm sure, 'lmgtfy'ing me right now but:
https://therecord.media/academics-russia-deployed-new-technology-to-throttle...
https://en.wikipedia.org/wiki/Internet_censorship_in_Russia#Deep_packet_insp...
seems to be the system/device in question.
There is nothing magical or special in these devices, usual inline DPI with IDS / IPS functionality, installed between BRAS and CGNAT. Here are the specs/description for one of them: https://www.rdp.ru/en/products/service-gateway-engine/ They also sell them abroad. Anybody want to install? (Here must be an emoticon that laughs and weeps at the same time)
I believe they at least swallow/stop TCP SYN packets toward some destinations (or across a link generally), but I'm curious as to what steps the devices take, to be able to judge impact seen as either: "broken gear" or "funky TSPU doing its thing"
They are fully inline, so they can do anything they want, without informing the ISP. For example, make a network engineer lose the rest of his mind in search of a network fault, while it's "TSPU doing its thing".
thanks! -chris
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
Is this done entirely in software? Looking at the PDF of the installation guide for this product the system seems to be an x86-64 network appliance motherboard in a 1U chassis from a vendor such as Lanner or similar. Any of the companies in Taiwan or China that make systems with eight, ten or twelve Intel chipset 10GbE SFP+ cage interfaces on a PCI-E 3.0 bus on a motherboard, the rest of it is a fairly normal embedded x86-64 motherboard.
On Fri, Jul 30, 2021 at 3:21 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-30 18:45, Christopher Morrow wrote:
On Fri, Jul 30, 2021 at 10:57 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Jul 29, 2021 at 9:07 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
Denys, can you say anything about how these TSPU operate?
Denys is, I'm sure, 'lmgtfy'ing me right now but:
https://therecord.media/academics-russia-deployed-new-technology-to-throttle...
https://en.wikipedia.org/wiki/Internet_censorship_in_Russia#Deep_packet_insp...
seems to be the system/device in question.
There is nothing magical or special in these devices, usual inline DPI with IDS / IPS functionality, installed between BRAS and CGNAT. Here are the specs/description for one of them: https://www.rdp.ru/en/products/service-gateway-engine/ They also sell them abroad. Anybody want to install? (Here must be an emoticon that laughs and weeps at the same time)
I believe they at least swallow/stop TCP SYN packets toward some destinations (or across a link generally), but I'm curious as to what steps the devices take, to be able to judge impact seen as either: "broken gear" or "funky TSPU doing its thing"
They are fully inline, so they can do anything they want, without informing the ISP. For example, make a network engineer lose the rest of his mind in search of a network fault, while it's "TSPU doing its thing".
thanks! -chris
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
On Fri, Jul 30, 2021 at 3:21 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-30 18:45, Christopher Morrow wrote:
On Fri, Jul 30, 2021 at 10:57 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Jul 29, 2021 at 9:07 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
Denys, can you say anything about how these TSPU operate?
Denys is, I'm sure, 'lmgtfy'ing me right now but:
https://therecord.media/academics-russia-deployed-new-technology-to-throttle...
https://en.wikipedia.org/wiki/Internet_censorship_in_Russia#Deep_packet_insp...
seems to be the system/device in question.
There is nothing magical or special in these devices, usual inline DPI with IDS / IPS functionality, installed between BRAS and CGNAT. Here are the specs/description for one of them: https://www.rdp.ru/en/products/service-gateway-engine/ They also sell them abroad. Anybody want to install? (Here must be an emoticon that laughs and weeps at the same time)
oh cool.. I wonder if anyone has done pentesting/etc against these devices... because, you know.. putting inline DPI things seems: "perfectly safe, perfectly normal..."
I believe they at least swallow/stop TCP SYN packets toward some destinations (or across a link generally), but I'm curious as to what steps the devices take, to be able to judge impact seen as either: "broken gear" or "funky TSPU doing its thing"
They are fully inline, so they can do anything they want, without informing the ISP. For example, make a network engineer lose the rest of his mind in search of a network fault, while it's "TSPU doing its thing".
ok, interesting... I'm thinking this is what's currently causing me problems :( but will have to dig out a bit more proof before I can be sure.
thanks! -chris
thanks! -chris
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
Does this include the ability to do something like an OOB/serial console, cabled into DWDM transport systems management interfaces, to 'admin down' the line facing optical interfaces on routes that go across the Russian border? How exactly is this "TSPU" implemented?
On Thu, Jul 29, 2021 at 9:08 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2021-07-29 20:46, Randy Bush wrote:
Looks like it was shown on news only.
:)
i wondered
They have installed devices called "TSPU" on major operators. Isolation of specific networks is done without changing BGP announcements, obviously.
And the drills do not mean at all "we will turn off the Internet for all the clients and see what happens", journalists trivialized it. Most likely, they checked the autonomous functioning of specific infrastructurally important networks connected to the Internet, isolating only them. It's not such a bad idea in general, if someone finds another significant bug in common software, to be able to isolate important networks from the internet at the click of a button and buy time for patching systems.
participants (7)
- Alexandre Snarskii
- Baldur Norddahl
- Christopher Morrow
- Denys Fedoryshchenko
- Eric Kuhnke
- Jacques Latour
- Randy Bush
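Added example, not part of the original thread: a small triage of the two observations discussed above, whether prefixes disappeared from BGP (per-origin prefix counts at route collectors) and whether TCP SYNs go unanswered while the path is otherwise up. The ASNs, prefixes, counts, threshold and labels are constructed assumptions, and the classification is a heuristic for an operator's first look, not a description of how any TSPU device behaves.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    """One constructed measurement toward a destination prefix."""
    prefix: str
    in_bgp: bool    # prefix still visible at route collectors (rv/ris)
    icmp_ok: bool   # ping/traceroute reaches the destination
    syn_sent: int   # TCP SYNs sent
    synack: int     # SYN-ACKs received
    rst: int        # RSTs received

def withdrawn_origins(before, during, drop_ratio=0.5):
    """Origin ASNs whose visible prefix count fell by more than drop_ratio."""
    return sorted(asn for asn, n in before.items()
                  if n and (n - during.get(asn, 0)) / n > drop_ratio)

def classify(p):
    """Heuristic label for one probe; thresholds and labels are assumptions."""
    if not p.in_bgp:
        return "no-route"                 # control plane: prefix withdrawn
    if p.syn_sent and p.synack == p.syn_sent:
        return "ok"
    if p.rst:
        return "reset"                    # host or middlebox answered with RST
    if p.synack == 0 and p.icmp_ok:
        return "syn-dropped-path-up"      # routed and pingable, SYNs vanish
    if p.synack == 0:
        return "blackhole"                # nothing returns: fault or filter
    return "partial-loss"                 # congestion, throttling or bad gear

# Constructed sample data (documentation ASNs and prefixes).
BEFORE = {64500: 120, 64501: 40, 64502: 8}
DURING = {64500: 119, 64501: 40, 64502: 8}
PROBES = [
    Probe("192.0.2.0/24", True, True, 5, 5, 0),
    Probe("198.51.100.0/24", True, True, 5, 0, 0),
    Probe("203.0.113.0/24", True, False, 5, 0, 0),
]

def triage(before, during, probes):
    """Combine the BGP view with per-prefix probe labels."""
    return {"withdrawn": withdrawn_origins(before, during),
            "probes": {p.prefix: classify(p) for p in probes}}

if __name__ == "__main__":
    print(triage(BEFORE, DURING, PROBES))
```

An empty "withdrawn" list next to "syn-dropped-path-up" labels matches the situation described in the thread: normal prefix counts while specific traffic is filtered inline.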