There is a lot of news lately about terrorist groups doing recon on potential targets. The stories got me thinking.

What are the real threats to the global Internet?

I am looking for anything that might be a potential attack point. I don't want to start a flame war, but any interesting or even way out there idea is welcome.

Is it feasible that a coordinated attack could shut down the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a wide scale?

jas
On Thu, Jul 04, 2002 at 01:56:54PM -0400, Jason Lewis wrote:
There is a lot of news lately about terrorist groups doing recon on potential targets. The stories got me thinking.
What are the real threats to the global Internet?
I am looking for anything that might be a potential attack point. I don't want to start a flame war, but any interesting or even way out there idea is welcome.
Is it feasible that a coordinated attack could shut down the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a wide scale?
There are a few interesting things on this front that could be done. As in most routers the data+control plane are the same, one can DoS the processor or router in interesting ways.

The easiest thing to do would probably be to do some poking and prodding in the lab of various vendors' routers and see if there is some sort of fatal update that can be sent that won't take effect until after it has been propagated. Doing this could cause interesting cascade failures.

The good news is, it wouldn't take too long until someone isolates the injection point of such an update and turns the connection off.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Thu, Jul 04, 2002 at 02:01:16PM -0400, Jared Mauch wrote:
Is it feasible that a coordinated attack could shut down the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a wide scale?
There are a few interesting things on this front that could be done.
As in most routers the data+control plane are the same, one can DoS the processor or router in interesting ways.
I can't quite picture Osama leading a crack team of BGP commandos on a jihad against the internet... Maybe blowing up some important net targets, or cutting some important fiber (and then leaving anti-personnel mines for the people who come to splice it)... Though if they took out the MAE's, I think routing would improve. :)

I've always wondered if someone could get away with colo'ing explosives at major locations. Take a large computer or router chassis (a 12016 would do nicely, or some Sun gear), fill it with explosives, and colo it... It could even be operated over the internet, running "bombd" as it were.

Or what about an attack against the people running the net, say a NANOG or IETF meeting... Or maybe something more constructive, like MPLSCon...

But I'm sure there are probably more subtle ways to do it. As with all good vulnerabilities, it takes someone who is working on the inside to REALLY know how to muck things up... Fortunately the terrorists seem to be concerned with killing thousands of innocent people and scaring millions, not pissing off a few nerds and disrupting eBay's profit margin for a week. As much as we like to think we are important, I'd hardly put them in the same class.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Thu, Jul 04, 2002 at 02:35:32PM -0400, Richard A Steenbergen wrote:
But I'm sure there are probably more subtle ways to do it. As with all good vulnerabilities, it takes someone who is working on the inside to REALLY know how to muck things up... Fortunately the terrorists seem to be concerned with killing thousands of innocent people and scaring millions, not pissing off a few nerds and disrupting eBay's profit margin for a week. As much as we like to think we are important, I'd hardly put them in the same class.
Or, you could work behind the scene, get Michael Powell appointed to the FCC, and make sure there are no brakes on the shortsightedness of lawyers at the RIAA, the MPAA, and the US RBOCs. Oh. Wait. That's been done. Never mind.
Ah the infamous accounting.eml of 2002, good call.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Geo.
Sent: Thursday, July 04, 2002 5:01 PM
To: Richard A Steenbergen
Cc: nanog@merit.edu
Subject: Re: Internet vulnerabilities
I can't quite picture Osama leading a crack team of BGP commandos on a jihad against the internet...
It won't be OBL who takes down the net, it will be a bunch of accounts like those at WCOM.. Geo.
I'm actually more worried about script/packet kiddies. 13 year olds with some scripting knowledge rarely know the financial cost of their "fun".

--Phil

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Geo.
Sent: Thursday, July 04, 2002 6:01 PM
To: Richard A Steenbergen
Cc: nanog@merit.edu
Subject: Re: Internet vulnerabilities
I can't quite picture Osama leading a crack team of BGP commandos on a
jihad against the internet...
It won't be OBL who takes down the net, it will be a bunch of accounts like those at WCOM.. Geo.
I'm actually more worried about script/packet kiddies.
13 year olds with some scripting knowledge rarely know the financial cost of their "fun".
Does the possibility of these 13 year olds being recruited exist? I think so.

I think most people are grouping terrorists into the "strap a bomb to your body and commit suicide" stereotype. Is there a possibility that intelligent terrorists exist? Or even people that have the knowledge and sympathize with them? OBL used a satellite phone, they found laptops in Afghanistan, there is evidence they are using the web to transmit information to each other. I think someone out there has a clue about computers.

Crippling the entire net may be impossible, but it sure sounds like a well planned out series of attacks could do some serious damage.

jas
On Thu, 4 Jul 2002, Jason Lewis wrote:
I think most people are grouping terrorists into the "strap a bomb to your body and commit suicide" stereotype. Is there a possibility that intelligent terrorists exist? Or even people that have the knowledge and sympathize with them? OBL used a satellite phone, they found laptops in Afghanistan, there is evidence they are using the web to transmit information to each other. I think someone out there has a clue about computers.
I'm sure a number of people have seen this article already:

http://www.business2.com/articles/mag/0,1640,41206,00.html

The Technology Secrets of Cocaine Inc.
Colombian cartels have spent billions of dollars to build one of the world's most sophisticated IT infrastructures. It's helping them smuggle more dope than ever before.
By Paul Kaihla, July 2002 Issue

The article goes on to talk about how the drug dealers are using complex data-mining techniques (and in one instance an AS400) to run and protect their businesses.

cheers!

==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
The 13 year olds generally do it for the glory of being elite, not for greater political agendas. And, while I think that if terrorists wanted to, they could... I think terrorists are more interested in collateral damage.

--Phil

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jason Lewis
Sent: Thursday, July 04, 2002 6:42 PM
To: nanog@merit.edu
Subject: RE: Internet vulnerabilities
I'm actually more worried about script/packet kiddies.
13 year olds with some scripting knowledge rarely know the financial cost of their "fun".
Does the possibility of these 13 year olds being recruited exist? I think so.

I think most people are grouping terrorists into the "strap a bomb to your body and commit suicide" stereotype. Is there a possibility that intelligent terrorists exist? Or even people that have the knowledge and sympathize with them? OBL used a satellite phone, they found laptops in Afghanistan, there is evidence they are using the web to transmit information to each other. I think someone out there has a clue about computers.

Crippling the entire net may be impossible, but it sure sounds like a well planned out series of attacks could do some serious damage.

jas
On Thu, 4 Jul 2002, Phil Rosenthal wrote:
And, while I think that if terrorists wanted to, they could... I think terrorists are more interested in collateral damage.
The terrorist attack was on the WTC but the message was meant for Muslims (and for anyone else who has a beef with America). Muslims knew what the WTC towers were, but they wouldn't understand what an attack on the internet is.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Jason Lewis wrote:
... Is there a possibility that intelligent terrorists exist?
I'd take that as a given. Planning, security and execution of the Sept. 11 attack were all done competently. These guys are certainly fanatics and arguably crazy, but they are neither stupid nor incompetent. Osama's a university graduate. I taught English at the same U (King Abdul Aziz in Jeddah) a few years after he left. It wasn't at the level of MIT or Cambridge, but it wasn't dreadful either.
Or even people that have the knowledge and sympathize with them?
Most of my best students were Palestinian scholarship winners. This was early 80s. Most of those kids had grown up in refugee camps where their parents had been since the 50s. Care to guess where their sympathies were?
OBL used a satellite phone, they found laptops in Afghanistan, there is evidence they are using the web to transmit information to each other. I think someone out there has a clue about computers.
In assessing threats, the rule I'd use as a first approximation is that they have, or can easily get, any skill you can expect from a bachelor's degree or tech college grad in any field. If they need a water systems engineer, an embedded computers guy and a biochemist to pull off a particular attack, assume that they're almost certain to have at least one of each. The question of whether they have the skills is only interesting for more esoteric attacks, where they may not have exactly the specialist they need.
Crippling the entire net may be impossible, but it sure sounds like a well planned out series of attacks could do some serious damage.
Various worms have done moderately serious damage. My guess would be that a well-planned and executed attack could take the net down for a few days.
Thinking about a physical threat... If you go to 111 8th Ave, NYC, they have added security since 9-11-01 which now requires either building ID, or showing a driver's license before entering the building (because terrorists don't have driver's licenses).

On some floors (e.g. the 7th), the building risers and conduits are completely exposed. I can't help but wonder how much damage a terrorist attack to that would do.

Also, say someone from a moderately fast internet connection (OC-3) ran nmap across the entire internet on ports like 21,22,53,80,443,3306. In one day, they can probably have a list of every server answering those ports, and the versions of the daemons on them.

Next, just wait for a wide enough exploit to come out, and then write a Trojan that has a list of every other server vulnerable, and on every hack, it splits the list in 2, and roots another box and gives it the 2nd half of the list.

I estimate that with a wide enough exploit (e.g. apache or openssh), you could probably compromise 20% of the servers on the net within 1 hour, and then have them all begin a ping flood of something "far away" network wise (meaning a box in NYC would flood a box in SJC, a box in SJC would flood a box in Japan, etc... Trying to have as much bit distance as possible).

Damn scary, but I believe if someone was determined enough, they could take down the whole 'net within one hour of pressing "enter".

I suppose there really isn't anything that can be done at this point to make that scenario impossible.

--Phil

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jason Lewis
Sent: Thursday, July 04, 2002 1:57 PM
To: nanog@merit.edu
Subject: Internet vulnerabilities

There is a lot of news lately about terrorist groups doing recon on potential targets. The stories got me thinking.

What are the real threats to the global Internet?

I am looking for anything that might be a potential attack point. I don't want to start a flame war, but any interesting or even way out there idea is welcome.

Is it feasible that a coordinated attack could shut down the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a wide scale?

jas
Coordinated infrastructure attacks are scary for that reason. They are scary. :)

Netcraft will provide you the information on every web server/server OS just for the asking -- you don't need an OC3 or even nmap.

Historically, wide spreading worms have had a flaw in the program that prevented how much damage they could cause (i.e., either too virulent or too patient). I suspect even in your dd solution, the attacker would leave a delay to allow some additional CPU power devoted to attacking other destinations. If the timeout is too short and interesting machines go down fast, the spread takes longer. If it's too long, it can be stopped before it gets as far. The nastier you make it, the less far it spreads.

In some paranoid networks, within 20 minutes of the content disappearing they would probably pull all or many of their most significant machines off line while they are figuring out what attack is occurring. The least responsive networks are going to be the most vulnerable to a scenario like this.

Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it used to be (even at the border), and since most large networks use automatic configuration generators -- no matter how cumbersome -- it is conceivable that the brute force attack could be killed on the largest networks at a mean of 10-12 hrs. Server damage would take longer depending on how available/recent backups are.

The best part of multilevel NOCs (level 1-2 open tickets, 3+ solve problems) is that under large, cascading attacks of this sort, those who actually solve the problem are not as bogged down by frantic customers calling.

----

Risers (inside) a building aren't even that big a deal. Most manholes around these carrier hotels are not welded shut, and most of the POEs (no matter how many there are) have a manhole or two on the street for splicing purposes.

A few bad guys could drop a <explosive, incendiary, acid, etc> in each of these around each major carrier hotel and disable the hotel in about 20 minutes from start-to-finish. (4-man teams at each major infrastructure location in the U.S. -- say 10?) could disable everything in less than 5 minutes from start to finish and be making a quick exit before the first fiber goes down.

If you simultaneously melt/explode/destroy every POE to every major cable landing/telecom hotel in the U.S., you will have problems (sky links MIGHT be excepted if you are especially clever). And >24 hr repair times, assuming you can get the repair call out in the first place.

Let's not forget that manholes are almost always in public right of way, or similarly accessible. Opening them quickly/publicly won't even freak out too many people. Worst case 2-3 blocks away you triple the number of manholes to open/disable, and have no tech-savvy types or building-security types have the chance to even see it go down -- better, no welded manholes to worry about whatsoever.

---

It's almost ridiculous to worry about protecting carrier-buildings from deliberate mischief because they are far more vulnerable outside than inside. Security guards inside are (IMO) to keep large pieces of equipment from walking out without getting a good look at the guy(s) doing it. Even then, most misunderstand their role and rely on the basic honesty of the visitors to maintain anything...

I could just be grumpy though.

Deepak Jain
AiNET
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Phil Rosenthal
Sent: Thursday, July 04, 2002 2:17 PM
To: jlewis@packetnexus.com; nanog@merit.edu
Subject: RE: Internet vulnerabilities
Thinking about a physical threat... If you go to 111 8th Ave, NYC, they have added security since 9-11-01 which now requires either building ID, or showing a driver's license before entering the building (because terrorists don't have driver's licenses).
On some floors (e.g. the 7th), the building risers and conduits are completely exposed. I can't help but wonder how much damage a terrorist attack to that would do.
Also, say someone from a moderately fast internet connection (OC-3) ran nmap across the entire internet on ports like 21,22,53,80,443,3306. In one day, they can probably have a list of every server answering those ports, and the versions of the daemons on them.
Next, just wait for a wide enough exploit to come out, and then write a Trojan that has a list of every other server vulnerable, and on every hack, it splits the list in 2, and roots another box and gives it the 2nd half of the list.
I estimate that with a wide enough exploit (eg apache or openssh), you could probably compromise 20% of the servers on the net within 1 hour, and then have them all begin a ping flood of something "far away" network wise (meaning a box in NYC would flood a box in SJC, a box in SJC would flood a box in Japan, etc... Trying to have as much bit distance as possible).
Damn scary, but I believe if someone was determined enough, they could take down the whole 'net within one hour of pressing "enter".
I suppose there really isn't anything that can be done at this point to make that scenario impossible.
--Phil
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jason Lewis
Sent: Thursday, July 04, 2002 1:57 PM
To: nanog@merit.edu
Subject: Internet vulnerabilities
There is a lot of news lately about terrorist groups doing recon on potential targets. The stories got me thinking.
What are the real threats to the global Internet?
I am looking for anything that might be a potential attack point. I don't want to start a flame war, but any interesting or even way out there idea is welcome.
Is it feasible that a coordinated attack could shut down the entire net? I am not talking DDoS. What if someone actually had the skills to disrupt BGP on a wide scale?
jas
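As an added defensive example (not code from any poster in this thread), the two symptoms a NOC would look for in flow logs during Phil's scenario and Deepak's response: one source sweeping the listed ports across many hosts (fan-out), and many sources pinging one destination (fan-in, the flood Deepak says rate limiting ICMP at the border would kill). The record format, the thresholds, the window length and the sample traffic are all constructed assumptions; the patient-sweeper sample shows the "too patient" spread that slips under a short window.

```python
"""Flow-log heuristics for the scan-and-flood scenario in the thread.
Record format, thresholds and sample traffic are constructed for this
example; they are not from any poster or any real collector."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WATCHED_PORTS = {21, 22, 53, 80, 443, 3306}  # ports named in the thread
WINDOW_SECONDS = 60.0   # sliding window length (assumed)
FANOUT_THRESHOLD = 20   # distinct destinations per (source, port) in a window
FANIN_THRESHOLD = 50    # distinct ICMP sources per destination in a window


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str   # "tcp" or "icmp"
    src: str
    dst: str
    dport: int   # 0 for icmp


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<epoch> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return Flow(float(ts), proto.lower(), src, dst, int(dport))


def peak_distinct(events: List[Tuple[float, str]], window: float) -> int:
    """Largest number of distinct peers seen within any `window` seconds.
    `events` is a time-sorted list of (timestamp, peer); a multiset of the
    peers currently inside the window keeps the count exact as entries age out."""
    counts: Dict[str, int] = defaultdict(int)
    start, best = 0, 0
    for ts, peer in events:
        counts[peer] += 1
        while events[start][0] < ts - window:          # expire old entries
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def fanout_alerts(flows: Iterable[Flow], window: float = WINDOW_SECONDS,
                  threshold: int = FANOUT_THRESHOLD) -> Dict[str, Tuple[int, int]]:
    """Sources that contact more than `threshold` distinct hosts on one watched
    TCP port inside a window. Returns {src: (port, peak_distinct_hosts)}."""
    groups: Dict[Tuple[str, int], List[Tuple[float, str]]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport in WATCHED_PORTS:
            groups[(f.src, f.dport)].append((f.ts, f.dst))
    alerts: Dict[str, Tuple[int, int]] = {}
    for (src, port), events in groups.items():
        peak = peak_distinct(events, window)
        if peak > threshold and (src not in alerts or peak > alerts[src][1]):
            alerts[src] = (port, peak)
    return alerts


def fanin_alerts(flows: Iterable[Flow], window: float = WINDOW_SECONDS,
                 threshold: int = FANIN_THRESHOLD) -> Dict[str, int]:
    """Destinations receiving ICMP from more than `threshold` distinct sources
    inside a window. Returns {dst: peak_distinct_sources}."""
    groups: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "icmp":
            groups[f.dst].append((f.ts, f.src))
    alerts: Dict[str, int] = {}
    for dst, events in groups.items():
        peak = peak_distinct(events, window)
        if peak > threshold:
            alerts[dst] = peak
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed traffic (RFC 5737 documentation addresses as targets): a fast
    sweeper, a patient sweeper, an ordinary client, and a distributed ping flood."""
    lines: List[str] = []
    # 30 hosts on port 80 inside 15 seconds
    lines += [f"{1000 + i * 0.5} tcp 10.0.0.5 192.0.2.{i + 1} 80" for i in range(30)]
    # 25 hosts on port 22, one every two minutes: the "too patient" spread
    lines += [f"{2000 + i * 120} tcp 10.0.0.9 198.51.100.{i + 1} 22" for i in range(25)]
    # three HTTPS connections from a normal client
    lines += [f"{3000 + i} tcp 10.0.0.7 203.0.113.{i + 1} 443" for i in range(3)]
    # 60 distinct sources ping one victim inside six seconds
    lines += [f"{4000 + i * 0.1} icmp 172.16.0.{i + 1} 203.0.113.200 0" for i in range(60)]
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print("fan-out (60s window):", fanout_alerts(flows))          # only 10.0.0.5
    print("fan-out (1h window): ", fanout_alerts(flows, window=3600.0))
    print("fan-in  (60s window):", fanin_alerts(flows))           # 203.0.113.200
```

Widening the window catches the patient sweeper at the cost of more false positives from busy legitimate clients, which is the trade-off Deepak's "too virulent or too patient" remark describes from the attacker's side.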
I think the worm problem is because there's no research data to suggest what a perfect worm is... it's all trial and error. But you have to admit, as each new major worm comes out it gets better and better at timing and deployment, so perhaps eventually someone will figure out the perfect timing and do some real nasty damage,

Steve

On Thu, 4 Jul 2002, Deepak Jain wrote:
Coordinated infrastructure attacks are scary for that reason. They are scary. :) Netcraft will provide you the information on every web server/server OS just for the asking -- you don't need an OC3 or even nmap.
Historically, wide spreading worms have had a flaw in the program that prevented how much damage they could cause (i.e., either too virulent or too patient). I suspect even in your dd solution, the attacker would leave a delay to allow some additional CPU power devoted to attacking other destinations. If the timeout is too short and interesting machines go down fast, the spread takes longer. If it's too long, it can be stopped before it gets as far. The nastier you make it, the less far it spreads.
In some paranoid networks, within 20 minutes of the content disappearing they would probably pull all or many of their most significant machines off line while they are figuring out what attack is occurring. The least responsive networks are going to be the most vulnerable to a scenario like this.
Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it used to be (even at the border), and since most large networks use automatic configuration generators -- no matter how cumbersome -- it is conceivable that the brute force attack could be killed on the largest networks at a mean of 10-12 hrs. Server damage would take longer depending on how available/recent backups are.
The best part of multilevel NOCs (level 1-2 open tickets 3+ solve problems) is that under large, cascading attacks of this sort, those who actually solve the problem are not as bogged down by frantic customers calling.
----
Risers (inside) a building aren't even that big a deal. Most manholes around these carrier hotels are not welded shut, and most of the POEs (no matter how many there are) have a manhole or two on the street for splicing purposes.
A few bad guys could drop a <explosive, incendiary, acid, etc> in each of these around each major carrier hotel and disable the hotel in about 20 minutes from start-to-finish. (4-man teams at each major infrastructure location in the U.S. -- say 10?) could disable everything in less than 5 minutes from start to finish and be making a quick exit before the first fiber goes down.
If you simultaneously melt/explode/destroy every POE to every major cable landing/telecom hotel in the U.S., you will have problems (sky links MIGHT be excepted if you are especially clever). And >24 hr repair times, assuming you can get the repair call out in the first place.
Let's not forget that manholes are almost always in public right of way, or similarly accessible. Opening them quickly/publicly won't even freak out too many people. Worst case 2-3 blocks away you triple the number of manholes to open/disable, and have no tech-savvy types or building-security types have the chance to even see it go down -- better, no welded manholes to worry about whatsoever.
---
It's almost ridiculous to worry about protecting carrier-buildings from deliberate mischief because they are far more vulnerable outside than inside. Security guards inside are (IMO) to keep large pieces of equipment from walking out without getting a good look at the guy(s) doing it. Even then, most misunderstand their role and rely on the basic honesty of the visitors to maintain anything...
I could just be grumpy though.
Deepak Jain AiNET
:: Said in my best Dr. Evil voice ::

Ok, here is my master plan to take down the Internet.

First, we will spend two weeks writing up several hundred seemingly simple, short questions and inane statements regarding ORBS, filtering RFC1918 space, Peering, and all of Nanog's other favorite topics. Then, we'll start posting the messages to NANOG addressed from two seemingly intelligent ex-dot-comers named Bob and Jay. Thus, our code name for this project will be "Jay and Silent Bob Strike Back".

We'll start by sending the first message out to NANOG. Now, you know that all the IMPORTANT engineers on the Internet have no way to resist reading these messages and responding to them. The threads will begin to build in traffic during the subsequent hours taking up the precious brain power of critical engineers. Every hour, we will submit a new message from our database - sent, of course, through some open relay so the message sources are randomized and hard to filter and with private source addresses so they cannot be traced.

After a single day, the traffic level on NANOG will be so great that it will have effectively consumed all available resources for every NANOG member, rendering them completely unable to do any work. The traffic from these emails, which are replicated and amplified by engineers who can't resist responding to our inane, repetitive, and silly messages, will grow exponentially until all peers and backbone circuits on the Internet are full.

No one will notice their threshold alarms going off. No one will notice HPOV desperately trying to page them. No one will see the tickets queuing in their ticket systems. No one will notice Instant Messages from loved ones warning them that the Internet is imploding. No one will see us as we move in and take over the world!!!!!!

Any questions?

:: reaches for a hot pocket ::

Dr. Evil.
Ok, here is my master plan to take down the Internet. First, we will spend two weeks writing up several hundred seemingly simple, short questions and inane statements regarding ORBS, filtering RFC1918 space, Peering, and all of Nanog's other favorite topics. Then, we'll start posting the messages to NANOG addressed from two seemingly intelligent ex-dot-comers named Bob and Jay. Thus, our code name for this project will be "Jay and Silent Bob Strike Back". ...
empirical evidence indicates that this plan does not work. as we all have seen, it has been going on for some time and the internet still kinda works. randy
Phil Rosenthal wrote:
Also, say someone from a moderately fast internet connection (OC-3) ran nmap across the entire internet on ports like 21,22,53,80,443,3306. In one day, they can probably have a list of every server answering those ports, and the versions of the daemons on them.
Given the ability (which anyone can have with a few downloaded scripts) to subvert poorly secured machines on cable or DSL links and make them do the work, you could do this without a fast connection, and without being obvious enough to raise major alarms from intrusion detection systems. It might take a few weeks or even months.

For some types of target, you may not even need nmap. Look at MX records, or at mail headers, to find mail servers, at news headers to find Usenet servers. Use a web crawler, or an existing index, to find web and FTP servers. Or write a little program that searches the DNS for names with leftmost element ftp, mail, pop, smtp, www, ns, dns, ... These won't get you a full list, but perhaps enough.
Next, just wait for a wide enough exploit to come out, and then write a Trojan that has a list of every other server vulnerable,
You don't need them all, just a few 1000 with good net connections to get things rolling. Once you have those infected, it doesn't matter if your method of spreading further is inefficient; you'll get everything anyway. Also, you may not need a new exploit. Many systems are not patched against the old ones, and it is certainly possible to try multiple exploits in a single worm.
and on every hack, it splits the list in 2, and roots another box and gives it the 2nd half of the list.
Better, give it the whole list and have each instance start at a random point in the list. That way, even if some instances are caught and killed, you still get the whole list.
I estimate that with a wide enough exploit (eg apache or openssh), you could probably compromise 20% of the servers on the net within 1 hour,
For better estimates and detailed discussion of worm design, see: http://www.cs.berkeley.edu/~nweaver/warhol.html
and then have them all begin a ping flood of something "far away" network wise (meaning a box in NYC would flood a box in SJC, a box in SJC would flood a box in Japan, etc... Trying to have as much bit distance as possible).
Why futz with a ping flood? If the objective is to take down the net, you want to attack infrastructure -- nameservers, routers, ...
From that viewpoint, the ideal worm would use whatever it needed to become widespread, but would switch attacks once it had spread, trying for known holes in things like BIND or IOS, or just flooding the root name servers.
Damn scary, but I believe if someone was determined enough, they could take down the whole 'net within one hour of pressing "enter".
<quote who="Jason Lewis">
What if someone actually had the skills to disrupt BGP on a wide scale?
I think the media talk about "taking down the Internet" is kind of bogus. Nobody has ever died because they couldn't check their email. If the net went down for an hour, a day, or even a week I think that my mom and the rest of the non "glued-to-their-terminal" world would somehow struggle through and sustain a normal daily routine.

-davidu [who probably would not survive a week long net outage ;) ]

--
"Never doubt that a small group of thoughtful citizens can change the world. Indeed, it is the only thing that ever has." --Margaret Mead
Except what if in my scenario, while flooding, it executed dd if=/dev/zero of=(hd) on all of the system drives. If someone wanted to do it, it could be done.

--Phil

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Ulevitch
Sent: Thursday, July 04, 2002 2:23 PM
To: nanog@merit.edu
Subject: Re: Internet vulnerabilities

<quote who="Jason Lewis">
What if someone actually had the skills to disrupt BGP on a wide scale?
I think the media talk about "taking down the Internet" is kind of bogus. Nobody has ever died because they couldn't check their email. If the net went down for an hour, a day, or even a week I think that my mom and the rest of the non "glued-to-their-terminal" world would somehow struggle through and sustain a normal daily routine.

-davidu [who probably would not survive a week long net outage ;) ]

--
"Never doubt that a small group of thoughtful citizens can change the world. Indeed, it is the only thing that ever has." --Margaret Mead
I think the media talk about "taking down the Internet" are kind of bogus.
Nobody has ever died because they couldn't check their email.
If the net went down for an hour, a day, or even a week I think that my mom and the rest of the non "glued-to-their-terminal" world would somehow struggle through and sustain a normal daily routine.
-davidu [who probably would not survive a week long net outage ;) ]
How many companies base profits on their internet connection? While you might survive, there would be a lot of money lost. Disrupting the economy seems to be the goal.
On Thu, 4 Jul 2002, Jason Lewis wrote: :What are the real threats to the global Internet? I realize this seems like nitpicking, but asking what the real risks are might be a more useful question. The reason I mention this is because the Washington Post report the other day about threats to SCADA systems was blown out of proportion, because it equated the seriousness of the threats with their associated risks. Yes, most ASN.1 implementations have serious vulnerabilities, welcome to 1988. The ASN.1 vulnerabilities being talked about right now are serious threats, but lower risk than, say, millions of unpatched IIS and Apache servers, public exploits and a worm on the loose. Application-level vulnerabilities that have to be patched on a host-by-host basis cause a greater risk than, say, SNMP vulnerabilities that can be filtered at the gateway, which protects from opportunistic external attacks. When you talk about threats to the global Internet, there are hundreds of equally serious vulnerabilities of varying risk. Also, the "global Internet" has many different meanings. It can mean "the ability to send and receive packets on layer 3" or "people being able to conduct business electronically, with some reasonable expectation of the confidentiality, integrity and reliability of their transactions." So, it all depends on what you mean by the Internet :) I think this is an extremely important discussion to have on the list, I just think it should be framed in terms of real risks, root causes, and potential solutions. :I am looking for anything that might be a potential attack point. I don't :want to start a flame war, but any interesting or even way out there idea :is welcome. : :Is it feasible that a coordinated attack could shutdown the entire net? I :am not talking DDoS. What if someone actually had the skills to disrupt :BGP on a widescale?
Once you start thinking about the Internet from a security perspective, you realize there is no "entire net" subject to the sum of its parts in any practical sense. It is a network of networks that serves a continuum of interests, bounded by economics, and driven by porn. ;) The attack point is anywhere you think will do the most harm to the people you dislike. If you just want to break something, find serious, easy to exploit, security design limitations in BGP, MPLS, BIND and drive a major global backbone like UUNet into insolvency. ..What? Oh ...Too late. -- batz
How about this: ISP X had its tftp server compromised by a wily hacker who evaded tripwire and covered his tracks well, and uploaded some cracked Cisco code (the current release for their GSRs). This code was designed to corrupt the directories and shut down the router at date XX:XX:XX. Each of the affected GSRs--7: five new roll-outs and 2 upgrades--went down at the same time (save one whose time was not set correctly). Each site had to be driven to, flashcards replaced. ISP X severely crippled for 6 hours. The hacker could have gone the extra leg to have the tftp server expunge the backup configs at the same time--extra couple of hours--but did not. We all download code from Cisco/Juniper/Bay in good faith... when's the last time you saw a signature attached to any of those? Most security breaches happen from within anyway. A disgruntled DE.... Just a wicked thought. j -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of batz Sent: Thursday, July 04, 2002 2:17 PM To: Jason Lewis Cc: nanog@merit.edu Subject: Re: Internet vulnerabilities
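The post above turns on one defensive gap: images are pulled from the vendor and staged on a tftp server on faith, with nothing re-checking them before they are loaded onto routers. The script below is an added example written for this archive (not jnelson's code, nor anything from Cisco or NANOG) of the check an operator could run at staging time and on a schedule afterwards: record the hash of each image in a manifest kept somewhere the tftp host cannot rewrite, then compare the staged copies against it. The image names, the manifest format and the sample contents are constructed stand-ins, and the tampered second image is simulated in setup_demo.

```shell
#!/bin/sh
# Added example (not part of the original thread): verify router images staged on a
# tftp server against a manifest of hashes recorded out of band, so a replaced image
# is caught before any router boots it.

# Hash of a file; works with either sha256sum (GNU) or shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Check every "<sha256>  <filename>" line of the manifest against the file in $dir.
# Prints one status line per image; returns 0 only if every image is present and intact.
verify_manifest() {
    manifest="$1"; dir="$2"; rc=0
    while read -r expected name; do
        [ -z "$expected" ] && continue
        case "$expected" in \#*) continue ;; esac   # skip comment lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(file_sha256 "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MODIFIED $name (expected $expected, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Builds a constructed staging area (hypothetical image names, not real vendor files),
# records a manifest, then simulates one image being swapped afterwards. Prints the dir.
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/tftpboot"
    printf 'constructed image A, staged 2002-07-04\n' > "$d/tftpboot/gsr-image-a.bin"
    printf 'constructed image B, staged 2002-07-04\n' > "$d/tftpboot/gsr-image-b.bin"
    # In practice the expected values come from the vendor's published hashes and the
    # manifest lives off the tftp host; here they are taken at staging time.
    {
        echo "# sha256  filename"
        echo "$(file_sha256 "$d/tftpboot/gsr-image-a.bin")  gsr-image-a.bin"
        echo "$(file_sha256 "$d/tftpboot/gsr-image-b.bin")  gsr-image-b.bin"
    } > "$d/manifest.sha256"
    # A manifest covering only image A, to show the all-clear path.
    grep 'gsr-image-a.bin' "$d/manifest.sha256" > "$d/manifest-a-only.sha256"
    # Simulate image B being replaced on the server after the manifest was recorded.
    printf 'constructed image B, replaced later\n' > "$d/tftpboot/gsr-image-b.bin"
    echo "$d"
}

# Stand-alone run: report on the constructed staging area.
if [ "${DEMO:-1}" = "1" ]; then
    demo_dir=$(setup_demo)
    verify_manifest "$demo_dir/manifest.sha256" "$demo_dir/tftpboot" || echo "integrity check FAILED"
fi
```

Run it from cron against the real tftp directory and page on a non-zero exit; the point is that the manifest is written once from the vendor's published hash and never from the staged file itself, otherwise a swapped image simply re-baselines itself.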
On Thu, Jul 04, 2002 at 02:47:24PM -0500, jnelson wrote:
How about this: ISP X had its tftp server compromised by a wily hacker who evaded tripwire and covered his tracks well, and uploaded some cracked Cisco code (the current release for their GSRs). This code was designed to corrupt the directories and shut down the router at date XX:XX:XX. Each of the affected GSRs--7: five new roll-outs and 2 upgrades--went down at the same time (save one whose time was not set correctly). Each site had to be driven to, flashcards replaced. ISP X severely crippled for 6 hours. The hacker could have gone the extra leg to have the tftp server expunge the backup configs at the same time--extra couple of hours--but did not.
Who needs malicious hacking, running the latest code for a GSR will crash your network just fine... The specific crash date and time functionality hadn't been added yet though, maybe you could put in a feature request. :) Besides, if someone actually did get the IOS code (laugh) AND manage to compile images out of that cruft, I'm pretty sure changing the MD5 signature on cco would be the least of their problems. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Keep the gloves up...cruft...lol, but if you wanted to compare Cisco "features", I've dealt with some bugs that would cook your hair. Unfortunately, I've only worked with Juniper in an MPLS lab--but I've heard some good things concerning their reliability (but mostly from people who won't shut up about FreeBSD, so take it for what it is). j -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Richard A Steenbergen Sent: Thursday, July 04, 2002 4:07 PM To: jnelson Cc: 'batz'; 'Jason Lewis'; nanog@merit.edu Subject: Re: Internet vulnerabilities
At 04:20 PM 7/4/2002 -0500, jnelson wrote:
Keep the gloves up...cruft...lol, but if you wanted to compare Cisco "features", I've dealt with some bugs that would cook your hair.
I don't think software is a good focus. Facility destruction would be a far worse "attack" than software. I think we'd recover much faster from a "layer 3" + attack vs. a layer 1 attack.
participants (17)
- batz
- Dan Hollis
- David Ulevitch
- Deepak Jain
- Eric Gauthier
- Geo.
- Gwendolynn ferch Elydyr
- Jared Mauch
- Jason Lewis
- jnelson
- Martin Hannigan
- Pete Ehlke
- Phil Rosenthal
- Randy Bush
- Richard A Steenbergen
- Sandy Harris
- Stephen J. Wilcox