Security The Internet

Could the Internet Be Taken Down In 30 Minutes? 289

GhostX9 writes "Tom's Hardware recently interviewed Dino A. Dai Zovi, a former member of Sandia National Labs' IDART (the guys who test the security of national agencies). Although most of the interview is focused on personal computer security, they asked him about L0pht's claim in 1998 if the Internet could still be taken down in 30 minutes given the advances on both the security and threat sides. He said that the risk was still true."
  • (Job) security (Score:5, Interesting)

    by Anonymous Coward on Monday April 06, 2009 @02:10PM (#27478847)

    Guy who works in security testing wants people to believe that the state of internet security is OMGcritical? Shouldn't this be tagged "jobsecurity" rather than "security"?

  • Is this news?? (Score:2, Interesting)

    by eclectro ( 227083 ) on Monday April 06, 2009 @02:11PM (#27478869)

    All it would take is the right cables to be cut [circleid.com] for the internet to go down. Perhaps with a rented backhoe even.

  • by Minupla ( 62455 ) <minupla@noSpaM.gmail.com> on Monday April 06, 2009 @02:12PM (#27478887) Homepage Journal

    Assuming a vulnerability is exploited in BGP, the internet would go bibi in a hurry. That's all our eggs in one basket, and it's a fairly rickety basket. There's still a lot of trust inherent in the BGP fabric and trust is a 4 letter word to anyone who deals with infrastructure security.

    Min

  • by Shakrai ( 717556 ) on Monday April 06, 2009 @02:17PM (#27478949) Journal

    I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack

    I think you are overlooking two things:

    1) There's a lot more than 13 root servers nowadays. Many of the servers are mirrored using anycast [wikipedia.org]. Wikipedia had a total of 123 in 2006 so it's a safe assumption that there are even more today.

    2) Even if you could render the root servers inaccessible, this doesn't "take down" the internet. Many sites would still be accessible until their DNS cache entries timed out in the nameserver that you use (likely your ISP). A lot of sites set short timeouts on the www 'A' record (for load balancing purposes) but long timeouts on the 'NS' records for the domain. In this scenario your nameserver would still know where to go to get the 'A' record and wouldn't need to consult with the root servers.

    Those caches wouldn't last forever but it would seem to offer enough time to deal with the DDOS. The internet would have limited functionality for awhile but it wouldn't "go down". Many operations (site to site VPNs for example) might not even notice.
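The caching behaviour described in the comment above, as an added example that is not part of the original post: a small model of a recursive resolver's cache during a root-server outage. The cache contents, TTL values and function names are constructed for illustration; the model assumes every non-root server stays reachable, ignores glue records and never refreshes the cache.

```python
# Constructed resolver-cache snapshot taken when the roots become unreachable:
# (owner name, record type) -> seconds of TTL remaining. Not real measurements.
CACHE = {
    ("www.example.com.", "A"): 300,      # short TTL, load-balanced front end
    ("example.com.", "NS"): 86400,       # long TTL on the zone's delegation
    ("com.", "NS"): 172800,              # TLD referral learned from a root
    ("www.example.org.", "A"): 60,       # nothing else cached for this name
}

def alive(cache, key, t):
    """True if the record is cached and has not expired t seconds in."""
    ttl = cache.get(key)
    return ttl is not None and t < ttl

def enclosing_zones(name):
    """www.example.com. -> www.example.com., example.com., com., ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def resolve_during_root_outage(cache, name, t):
    """How (or whether) `name` resolves t seconds into a root outage.
    Assumes every non-root server is reachable and ignores glue records."""
    if alive(cache, (name, "A"), t):
        return "cache-hit"
    for zone in enclosing_zones(name):
        if zone == ".":
            return "fail:needs-root"
        if alive(cache, (zone, "NS"), t):
            return "via:" + zone   # re-query this zone's servers, no root needed

def survives_until(cache, name):
    """Seconds into the outage at which the name stops resolving."""
    ttls = [cache.get((name, "A"), 0)]
    ttls += [cache.get((z, "NS"), 0) for z in enclosing_zones(name) if z != "."]
    return max(ttls)

if __name__ == "__main__":
    for t in (100, 600, 90000, 200000):
        print(t, resolve_during_root_outage(CACHE, "www.example.com.", t))
    print(survives_until(CACHE, "www.example.org."))
```
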

  • CME (Score:5, Interesting)

    by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Monday April 06, 2009 @02:30PM (#27479143) Homepage Journal

    http://www.businessinsider.com/could-the-sun-destroy-the-earth-2009-3 [businessinsider.com]

    Coronal Mass Ejection, a big enough one could wipe out all life on earth, and fry all the electronics.

  • NAH (Score:5, Interesting)

    by neo ( 4625 ) on Monday April 06, 2009 @02:32PM (#27479185)

    "A memorandum published by the DoD in March 1982 declared
    that the adoption of TCP/IP as the DoD standard host-to-host
    protocol was mandatory and would provide for "host-to-host
    connectivity across network or subnetwork boundaries."

              Military requirements for interoperability, security,
              reliability and [b]survivability[/b] are sufficiently pressing to
              have justified the development and adoption of TCP and IP in
              the absence of satisfactory nongovernment protocol
              standards."

    Emphasis mine.
    http://www.columbia.edu/~rh120/other/tcpdigest_paper.txt [columbia.edu]

  • by spacerog ( 692065 ) <spacerog AT spacerogue DOT net> on Monday April 06, 2009 @02:33PM (#27479199) Homepage Journal
    Actually if I remember correctly the specific flaw that we discovered waaay back in the olden days of 1999 (or was it 98?) was with the Border Gateway Protocol which would cause a cascade router failure. We estimated best case scenario that large chunks of the Internet could be unreachable for up to 12 hours and worst case could be down for several days.

    The really funny thing about all this is that after Senator Thompson and the Government Affairs committee was finished pimping us out as media whores several unrelated people approached us and said "Hey, were you thinking of taking the net down this way..." And we would say "No, that's not what we thought of but your idea would probably work just as well."

    The thing is many of those ideas are still valid. The global Internet network is a rickety piece of technology held together with bubble gum and baling wire. If it wasn't for the fact that people are actively trying to keep it operational I fear it would fall apart under its own weight in a very short amount of time not to mention if someone actually wanted to take it down.

    - Space Rogue
    http://www.lopht.com [lopht.com]
    http://www.spacerog.net [spacerogue.net]

  • Re:YES!! (Score:5, Interesting)

    by vlm ( 69642 ) on Monday April 06, 2009 @02:39PM (#27479297)

    Take BGP for example. Very little security in it.

    Sounds like somebody not involved in actual BGP work and/or just scaremongering (worship me because I say scary things).

    Nobody configures their peers using dns addresses. Doesn't everyone use md5 hashes? Doesn't everyone filter their customers routes?

    I did "most of" the customer side BGP at an ISP for "years" with quite a few customers... if every time someone redistributed 0/0 or 10/8 to us we took down the internet, frankly, it would have been down most of the time. Not to mention people who thought their old provider's IP space was their own (as opposed to actual ARIN space)

    Then there's the guys who prepend like a hundred times, always good for a laugh or two.

    Folks who think they can take down global BGP by flapping their routes a couple times and don't even know what route dampening is... well...

    Now, yeah, one bad dude could take over one router and maybe temporarily down one ISP that is run by fools who don't follow the "rules", but one badly run ISP out of bazillions is not "the internet".

    Overall, I'd say out of 30K AS, of which at least 50% don't really know what they're doing, yet they still can't take the sucker down, god knows I've seen everything tried at least once, so a couple black hats don't even have a chance.
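The customer-route filtering mentioned in the comment above, as an added example that is not part of the original post and not any ISP's actual configuration: an inbound check for announcements received from one customer BGP session (IPv4 only). The ASN, the prefixes (documentation ranges), the length limits and the function names are assumptions chosen for illustration.

```python
import ipaddress

# RFC 1918 private space; a production bogon list would be longer.
BOGONS = [ipaddress.ip_network(n)
          for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PREFIX_LEN = 24   # assumed policy: nothing more specific than a /24
MAX_PATH_LEN = 50     # assumed policy: cap on AS-path length (heavy prepending)

def check_route(prefix, as_path, customer_asn, registered):
    """Verdict for one announcement from a customer session.
    as_path[0] is the neighbor AS; `registered` is the space the customer holds."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return "reject:default-route"
    if any(net.overlaps(b) for b in BOGONS):
        return "reject:bogon"
    if not any(net.subnet_of(ipaddress.ip_network(r)) for r in registered):
        return "reject:not-customer-space"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "reject:too-specific"
    if not as_path or as_path[0] != customer_asn:
        return "reject:wrong-neighbor-as"
    if len(as_path) > MAX_PATH_LEN:
        return "reject:path-too-long"
    return "accept"

# Constructed announcements mirroring the mistakes listed in the comment.
CUSTOMER_ASN = 64500                      # documentation ASN, assumed
REGISTERED = ["198.51.100.0/24"]          # documentation prefix, assumed
SAMPLE = [
    ("0.0.0.0/0", [64500]),               # redistributed default route
    ("10.0.0.0/8", [64500]),              # leaked private space
    ("203.0.113.0/24", [64500]),          # a previous provider's block
    ("198.51.100.0/24", [64500] * 100),   # prepended a hundred times
    ("198.51.100.0/24", [64500, 64500]),  # legitimate, lightly prepended
]

def filter_session(routes):
    return [check_route(p, path, CUSTOMER_ASN, REGISTERED) for p, path in routes]

if __name__ == "__main__":
    for (prefix, path), verdict in zip(SAMPLE, filter_session(SAMPLE)):
        print(f"{prefix:18} pathlen={len(path):3} {verdict}")
```
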

  • Re:Yes (Score:1, Interesting)

    by Anonymous Coward on Monday April 06, 2009 @02:40PM (#27479305)

    Or by throwing anchor in Mediterranean sea :-)

  • Re:YES!! (Score:3, Interesting)

    by vlm ( 69642 ) on Monday April 06, 2009 @03:07PM (#27479667)

    couple of very skilled and knowledgeable black hats with a severely huge and well-distributed botnet who were absolutely intent on taking down the entire Internet, could probably do so using multi-pronged attacks

    Well, then we're getting into definition games. If 50% of the hosts on the net were infected and flooded the other 50% who were not infected/uninfectable yeah then something like that. You're going to have a huge task to find and flood every single BGP peer connection and flood all of them.

    Also bear in mind that 99.999% of attacks are perpetrated by completely incompetent amateurs.

    Yeah no kidding, and the folks who do front line BGP support know it. I know it sounds rough, but in many cases it seemed the only difference between the black hats and the customers is the customers paid us money and were attempting to do something productive.

    Thing is, though, anyone with that much skill and knowledge would have far better things to do and would probably not benefit in any way from bringing down the whole thing.

    Unless they were a government hell bent on regulating it and controlling everyone/everything...

  • by Shakrai ( 717556 ) on Monday April 06, 2009 @04:12PM (#27480449) Journal

    I'm not rude enough to run my own nameserver at home.

    Out of curiosity, why is that 'rude'? Are the root servers overloaded or something? I've always run my own nameserver and aside from a few times when I messed around with linking it to work, I've usually had it going directly to the source. Should I re-evaluate this practice?

  • by pongo000 ( 97357 ) on Monday April 06, 2009 @05:14PM (#27481303)

    Someone needs to get guerilla.net [72.52.208.92] going again, now that l0pht has abandoned it. There is something attractive about being able to maintain communications even under government or terroristic attacks...

  • Re:NAH (Score:2, Interesting)

    by linzeal ( 197905 ) on Monday April 06, 2009 @06:24PM (#27482143) Journal
    It is the vulgar comedy of the day. It is fun to watch but just because they have people on there like Stewie and Brian waxing intellectual does not mean it is.
