Security The Internet

Bill Cheswick On Internet Security 37

Franki3 invites our attention to a SecurityFocus interview with Bill Cheswick. He started the Internet Mapping Project in the 90s; you have probably seen the maps that resulted. The interview ranges over firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS. From the interview: "I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the Internet down, but probably not for very long."
  • A week? (Score:2, Insightful)

    by Nemetroid ( 883968 ) on Tuesday January 23, 2007 @03:41PM (#17727476)
    I would call a week very long time for something as vital as the Internet now is.
  • Re:A week? (Score:3, Insightful)

    by PhxBlue ( 562201 ) on Tuesday January 23, 2007 @03:50PM (#17727572) Homepage Journal
    Now, yes; but it was nowhere that important 11 years ago.
  • Re:A week? (Score:2, Insightful)

    by 'nother poster ( 700681 ) on Tuesday January 23, 2007 @03:57PM (#17727660)
    Well, if you don't want to risk the outage get a private network set up. Shouldn't be that expensive. ;)

    Since most net servers are Windows or Linux and most routers are made by two or so vendors, there will be exposures that take out lots of infrastructure in the future, just like in the past. Even if they have a fix in ten minutes it will take days to get the patches out and applied due to the complexity of getting the patches out without a well functioning public network. "Crap, someone has pwned the Cisco routers, dial them up for the patches."
  • Re:alphabet soup (Score:4, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 23, 2007 @04:23PM (#17727966)

    The interview ranges over firewalling, logging, NIDS(Network Intrusion Detection System) and IPS(Intrusion Prevention System), how to fight DDoS(Distributed Denial of Service), and the future of BGP(Border Gateway Protocol) and DNS(Domain Name System).

    If you don't know what all of these are, the chances are you won't care about or understand what he has to say anyway.

  • by jmorris42 ( 1458 ) * <jmorris.beau@org> on Tuesday January 23, 2007 @07:57PM (#17730770)
    > The Morris worm took out a very large fraction of the net.

    It did no lasting damage. I'm talking about something that would brick a few million Dells and Ciscos. The key weakness today is flash memory and the all too common practice of leaving things flashable by default. Getting an executable able to identify and wipe 80-90% of the motherboards in corporate use is an achievable goal for an attacker with resources. Also consider that many optical and hard drives have flashable firmware. The backlog a widespread attack could create at the few facilities with the specialized tools to reflash a totally bricked PC would mean months before all machines were back in service.
  • by Anonymous Coward on Wednesday January 24, 2007 @11:37AM (#17738018)
    Of course smart people with covert network connections would notice the packets came in on the wrong interface and would reply back on the same interface so as not to reveal the covert connection.

    Extra connections into a network are more difficult to hide than this. They must pass all traffic that should be getting through and drop all traffic that should not. They must spoof all ICMP TTL expiration messages. They must also spoof all inbound ICMP TTL expiration messages. Also, all other routers in the path must likewise spoof, or a mapping of the IP range would show a path that breaks at TTL 4 and resumes somewhere unrelated at TTL 5.

    Misconfigured routes have a huge signature if something is scanning for them (like Ches' previous company, Lumeta). A misconfigured firewall has all the paths correct but something subtle slips through unnoticed.

    Not to be a bubble-burster, but I hope this shows that subverting routes leaves a huge signature if you know what to look for.
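The TTL-expiry signature the comment above describes, as an added example that is not part of the thread and is not Lumeta's or Cheswick's code: a small leak detector that reads simplified traceroute output toward an internal target and flags (a) a silent hop followed by a resumption in an unrelated network, and (b) internal address space reached without ever passing the sanctioned border router. All addresses, the perimeter set and the internal prefix are constructed assumptions for the example.

```python
import ipaddress

# Constructed assumptions for this example (not from the thread):
PERIMETER = {ipaddress.ip_address("203.0.113.1")}  # the sanctioned border router
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # space that should only be reachable via PERIMETER


def parse_trace(text):
    """Parse simplified traceroute output: one 'ttl address' line per hop, '*' for no reply.

    Returns a TTL-sorted list of (ttl, address_or_None).
    """
    hops = []
    for line in text.strip().splitlines():
        ttl, addr = line.split()
        hops.append((int(ttl), None if addr == "*" else ipaddress.ip_address(addr)))
    return sorted(hops)


def related(a, b, prefix=16):
    """Crude 'same neighbourhood' test: both addresses fall inside one /prefix."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def find_leaks(hops, perimeter=PERIMETER, internal=INTERNAL):
    """Return a list of (ttl, kind) findings for one traceroute toward an internal target.

    kind == "break":  one or more silent hops, then the path resumes in an unrelated /16
                      (an unannounced router that does not spoof ICMP time-exceeded).
    kind == "bypass": an INTERNAL address answered before any PERIMETER router did,
                      i.e. the packets entered on a link the firewall does not front.
    """
    findings = []
    crossed_perimeter = False
    flagged_internal = False
    prev_ip = None
    gap_start = None
    for ttl, ip in hops:
        if ip is None:
            if gap_start is None:
                gap_start = ttl
            continue
        if ip in perimeter:
            crossed_perimeter = True
        if gap_start is not None and prev_ip is not None and not related(prev_ip, ip):
            findings.append((ttl, "break"))
        if ip in internal and not crossed_perimeter and not flagged_internal:
            findings.append((ttl, "bypass"))
            flagged_internal = True
        prev_ip = ip
        gap_start = None
    return findings


# Constructed traces. CLEAN goes through the border router; RATE_LIMITED has a
# legitimate silent hop whose neighbours share a /16; COVERT enters via another
# provider, hits a router that stays silent, and lands straight in 10/8.
CLEAN = """
1 198.51.100.1
2 198.51.100.9
3 203.0.113.1
4 10.1.1.1
"""
RATE_LIMITED = """
1 198.51.100.1
2 *
3 198.51.100.9
4 203.0.113.1
5 10.1.1.1
"""
COVERT = """
1 198.51.100.1
2 198.51.100.9
3 192.0.2.77
4 *
5 10.2.0.5
"""

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN), ("rate-limited", RATE_LIMITED), ("covert", COVERT)):
        print(name, find_leaks(parse_trace(trace)))
```

Only the covert trace produces findings: a "break" at TTL 5 (silent at TTL 4, then 192.0.2.77 gives way to 10.2.0.5) and a "bypass" at the same hop, because 203.0.113.1 never appeared. A covert router that did spoof every time-exceeded reply, and whose upstreams did too, would produce a trace indistinguishable from CLEAN, which is exactly the amount of work the comment says such a link requires.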
