Security The Internet

Could the Internet Be Taken Down In 30 Minutes? 289

GhostX9 writes "Tom's Hardware recently interviewed Dino A. Dai Zovi, a former member of Sandia National Labs' IDART (the guys who test the security of national agencies). Although most of the interview is focused on personal computer security, they asked him about L0pht's claim in 1998 if the Internet could still be taken down in 30 minutes given the advances on both the security and threat sides. He said that the risk was still true."
This discussion has been archived. No new comments can be posted.

  • Yes (Score:5, Insightful)

    by 2.7182 ( 819680 ) on Monday April 06, 2009 @02:01PM (#27478717)
    By a nuclear war for example.
  • by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Monday April 06, 2009 @02:04PM (#27478757) Journal
    In 2002 4 or 5 of the 13 root servers [slashdot.org] were big news ... although we've come a long way since then, I think the integrity of the internet still depends on these things.

    Every so often we get reports that the internet is a rickety old jalopy [slashdot.org] on its last leg [slashdot.org].

    Given this impression and add to it the fact that the botnets seem to grow in tandem with the internet, I wouldn't be surprised to see an attack take her down in 30 minutes although I'm no expert. I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack. You'd have some fail overs and some courageous engineer might save the day but I'd put my money on the bad guys.

    I would be surprised if it was down for more than 24 hours following that though.
  • by afidel ( 530433 ) on Monday April 06, 2009 @02:11PM (#27478871)
    The way to fix it would be egress filtering where all consumer class lines were barred from directly querying the root servers. Would suck greatly for anyone who wanted or needed to run their own resolver, and would break the original end to end design of the internet, but it would be the most likely response to the threat. The ISPs would love it too since it would allow them to have a captive audience for their ad laden DNS servers.
  • Re:Yes (Score:3, Insightful)

    by Anonymous Coward on Monday April 06, 2009 @02:30PM (#27479141)
    Too expensive. How about 2 broken routers: http://tech.slashdot.org/article.pl?sid=09/02/16/2233207 [slashdot.org]
  • by Leafheart ( 1120885 ) on Monday April 06, 2009 @02:32PM (#27479187)

    Your Internet maybe, not mine. At least, not because of that.

  • Re:Is this news?? (Score:5, Insightful)

    by ckaminski ( 82854 ) <slashdot-nospam.darthcoder@com> on Monday April 06, 2009 @02:36PM (#27479255) Homepage
    If you want a ride bouncier than the storm chasers in KC10s you can do about 22-25 mph in a Ford 555 (80's vintage backhoe). And that's on a decently paved street. You hit a decent pothole and you better have your feet on the posi button because when your steering wheels hit ground again, you're likely to zoom into traffic or onto the sidewalk.

    It's why I only ever did over-street travel in ours at night. Then again, backhoes are naturally overbalanced to the rear, I never did try to get our straight farm tractor up to speed on surface streets.

    I've popped a wheelie in exactly two tractors in my day, one a backhoe, another a dozer. Sort of frightening when you do it for the first time and aren't expecting it.
  • by LostCluster ( 625375 ) * on Monday April 06, 2009 @02:37PM (#27479265)

    Forced peering would lead to situations where the data flow could be tilted from one side to another. "Peering" requires relatively equal data flow between the partners.

  • by ivan256 ( 17499 ) on Monday April 06, 2009 @02:39PM (#27479299)

    If I type in 74.125.67.100 in my browser, google still shows up.

    Sure, but the search results would be useless.

  • Re:NAH (Score:5, Insightful)

    by iluvcapra ( 782887 ) on Monday April 06, 2009 @02:40PM (#27479311)

    The DoD also approved the Space Shuttle's final dimensions on the basis of $100/lb launch costs and a constant schedule of military payloads... I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be too happy to certify their nuclear/chem/bio survivability and tactical necessity. They just like to buy toys, and nobody questions them about whether they really need something, and nobody ever tests them to make sure they really use it...

    At least in this case we ended up with the Internet, and not the spaceplane-that-wouldn't-die-and-syphons-science-money.

  • Re:Yes (Score:2, Insightful)

    by MobileTatsu-NJG ( 946591 ) on Monday April 06, 2009 @02:46PM (#27479371)

    By a nuclear war for example.

    Heck, it'd go even quicker if the Vogons decided to build a hyperspace bypass! Come to think of it, if somebody travelled backwards in time incorrectly and destroyed the universe, the internet would probably be destroyed in negative minutes!!

    Look at me, I'm Mr. Insightful, mod me up!

  • Re:I call BS (Score:3, Insightful)

    by KillerBob ( 217953 ) on Monday April 06, 2009 @02:47PM (#27479385)

    There's an awful lot of redundancy and inter-networking going on in the Internet, but a concerted attack at the right points in the Internet could take them offline, and break those links between networks.

    No, it wouldn't cause your computer to blow up. It wouldn't break your home network. It wouldn't break your ISP's network. But if AT&T, L3, Verizon/UUNet, GBLX, Qwest, Sprint, etc. couldn't talk to each other, you'd as good as break the Internet. Remember the connectivity issues that were caused last year when L3 and Cogent de-peered each other? And those are relatively small players. Imagine if it were AT&T and UUNet that de-peered each other.

    Somebody who knows the architecture of the Internet and *really* wanted to take it down wouldn't have a hard time at it. Just target the peering points between the big networks.

    As others have pointed out, there's other weak points in the network, too. Gateway protocols and DNS are vulnerable to attack, as well, for example. :)

  • by Ogive17 ( 691899 ) on Monday April 06, 2009 @02:48PM (#27479395)
    Wouldn't there be some point where a DDOS would stop being effective because there's already too much traffic... therefore keeping up a small amount of the backbone?

    If you're able to take down 80% of the servers, it's possible you wouldn't have a chance to even reach the other 20%. You'd probably lose a significant portion of your botnet if you took out that much of the backbone.
  • Re:NAH (Score:3, Insightful)

    by eleuthero ( 812560 ) on Monday April 06, 2009 @02:52PM (#27479469)
    Yes, it does syphon science money. Why is this a bad thing? Having focused expensive projects is a way to maintain interest in science in general and provide an opportunity for related projects to be developed. Sure, it is bad news for the ag seed libraries, but even these have benefited from our ridiculously expensive space program.

    On a related note, I really like orange tang and appreciate the early space program.

  • by Casandro ( 751346 ) on Monday April 06, 2009 @02:52PM (#27479481)

    Yes, but where is the problem? A line doesn't need to be equally loaded in both directions. That's just a decision beancounters made. It doesn't make much sense in real life.

    Just get a line between 2 ISPs and route only the traffic between those 2 ISPs on that line until it's full. The rest can go the long way.

  • by vlm ( 69642 ) on Monday April 06, 2009 @02:55PM (#27479515)

    The internet is built with the BGP routing protocol, which is based on trust. You trust that your peers will advertise correct routes.

    Only and exclusively amongst the tight knit community of tier 1 providers. No one accepts unfiltered routes from their customers. (except for unintentional mistakes).

    Also, You Tube is not "the internet" as in "the entire internet". Good luck advertising a 0/0 route, even amongst tier 1 ISPs.

  • by vlm ( 69642 ) on Monday April 06, 2009 @02:57PM (#27479547)

    ISPs should be forced to have to peer at any POP they join.

    Forced to peer with spammers? no thanks!

    Also "the internet" is mighty big. You might pull this off in one country, maybe the entire EU, but probably not the whole world. We (as a planet) can't even agree on basic human rights, much less the middle school girl game of who's gonna peer with who.

  • by ahabswhale ( 1189519 ) on Monday April 06, 2009 @03:03PM (#27479625)

    I call bullshit.

    Every so often you hear about how easy it would be to take down the internet. Yet, it has never happened. It hasn't even come close to happening. I don't doubt it's possible but if it were so easy, it would have been done by now. Some a-holes would have done it just for grins or to prove they could do it. Remember, the world is filled with a-holes.

    Finally, people confuse DNS with the Internet. DNS is a feature of the Internet -- it is not THE Internet.

  • Could? should. (Score:2, Insightful)

    by Anonymous Coward on Monday April 06, 2009 @03:07PM (#27479675)

    The real question is should the internet be brought down in 30 min.

    A: probably so.

  • Re:Yes (Score:5, Insightful)

    by ElizabethGreene ( 1185405 ) on Monday April 06, 2009 @03:09PM (#27479707)

    To break the "whole" internet takes some doing. That said, a large scale distributed dns reflection attack or any number of other attacks can turn off large chunks of the internet more or less at will. Thirty minutes seems very optimistic, if the zombies are in place prior to the attack.

  • by NeutronCowboy ( 896098 ) on Monday April 06, 2009 @03:20PM (#27479849)

    You seem to underestimate the blood, sweat and tears that go into keeping networks alive. Yes, some assholes could take it down in a heartbeat if everyone would just let them. Fortunately, there are a good chunk of smart people who work tirelessly so that this doesn't happen. So far, so good. The problem: the good guys need to win every time to be seen as successful. The bad guys only need to win once.

  • by Fred Ferrigno ( 122319 ) on Monday April 06, 2009 @03:48PM (#27480221)

    Isn't it the other way around? The people who say the Internet is a house of cards just waiting for a stiff breeze to bring it down are the ones underestimating the blood, sweat and tears that go into keeping networks alive. It's like saying banks would be trivial to rob if there weren't those pesky guards there to stop you.

  • by BitZtream ( 692029 ) on Monday April 06, 2009 @03:53PM (#27480265)

    The large scale providers filter BGP input from their smaller peers. You have to be 'one of the big boys' before you get to pass AS numbers through to the backbone without telling them about it first.

    You might get by with it if you're peering with some smaller provider, as I have in the past, but the end result is that you still have to get them to talk to the real backbone providers to let your AS numbers out.

    So while BGP could cause problems if you got a provider high enough up the food chain the chance of that is highly unlikely, and the monitoring systems in place would detect this and alert on it before it had spread across the entire internet anyway. It would probably affect a good majority of the Internet before fixed, but it wouldn't really last long outside of the tiny area where it started.

    When this sort of thing happens, the backbone providers have no problem turning you off to resolve the problem immediately.
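
Added example, not part of any comment in this thread and not any provider's real configuration: a sketch in Python of the customer-route filtering that the two BGP comments above describe, where an upstream accepts only prefixes and origin ASes it has on file for a customer session. The policy table, the private-use ASNs, the RFC 5737 documentation prefixes and the /24 length limit are all assumptions made for illustration.

```python
import ipaddress

# Constructed policy table: RFC 5737 documentation prefixes and private-use
# ASNs stand in for what a provider would hold on file for each customer.
CUSTOMERS = {
    64512: {"prefixes": ["198.51.100.0/24", "203.0.113.0/24"], "origins": {64512}},
    64513: {"prefixes": ["192.0.2.0/24"], "origins": {64513, 64514}},
}
MAX_PREFIX_LEN = 24  # assumption: a common IPv4 policy; longer prefixes are dropped


def check_announcement(session_asn, prefix, as_path):
    """Decide whether one route from a customer BGP session is accepted.

    Returns (accepted, reason).
    """
    policy = CUSTOMERS.get(session_asn)
    if policy is None:
        return False, "no filter on file for this session"
    try:
        net = ipaddress.ip_network(prefix)  # strict mode: host bits set is an error
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route not accepted from customers"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "more specific than /%d" % MAX_PREFIX_LEN
    allowed = [ipaddress.ip_network(p) for p in policy["prefixes"]]
    # The announced prefix must sit inside space registered to this customer.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not registered to this customer"
    if not as_path or as_path[0] != session_asn:
        return False, "AS path does not start with the session's ASN"
    if as_path[-1] not in policy["origins"]:
        return False, "origin AS not registered to this customer"
    return True, "accepted"


def filter_updates(session_asn, updates):
    """Split a batch of (prefix, as_path) updates into accepted and rejected."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_announcement(session_asn, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected
```

A default route, a prefix registered to someone else, and a downstream origin AS the provider was never told about are each rejected at the session edge, before they can propagate further.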

  • by vlm ( 69642 ) on Monday April 06, 2009 @04:24PM (#27480647)

    Maybe "forcing" is a bit strong, but ISPs should definitely be encouraged to do so. Every packet which does not go over centralized portions of the net makes it more stable.

    1) Maybe if I won't peer with him, he will hire me as an upstream and I'll make money. Extra funny if both sides try the same strategy. Even funnier if one side was recently paying the other, and now refuses and/or is going bankrupt.

    2) My cheap router doesn't have enough memory/CPU/whatever to peer with EVERYONE at the IX, somebody is going to get cut. Or maybe I have the hardware, but the guy I'd like to peer with simply does not.

    3) Maybe the IX charges $x for each peering connection (they gotta pay their bills somehow). So, if that peer is only worth $y of paid upstream traffic, and $x > $y, then ...

    4) ISP "Y" does not have enough capacity outta the IX to handle the traffic I'd like to send them. (no one ever admits in public they are the ones who don't have a large enough pipe to the IX, it's always the other guys)

    5) "X"-IX is just icky and flaps all the time and drops packets. Now that is good enough for our connection to Afghanistan Telco because we can blame the problems caused by the IX, on the satellite, but our customers will not tolerate those problems when connecting to skype, so no peering for skype at that IX! Bonus points if "X"-IX is on the other side of the planet from our techs, and/or their support sucks.

    6) I'm secretly a middle school girl who runs BGP at ISP "X" (sounds like an Anime series?). Now, I heard, that she said, that he read on the bathroom wall, that the middle school girl who runs BGP at ISP "Y" said my network sucks, so ISP "Y" is soooooo off my myspace friends list and livejournal and AIM and also I'm not inviting them to my peering party. Now personally, I believe this scenario accurately represents about 99% of all peering disputes.
