Could the Internet Be Taken Down In 30 Minutes?
GhostX9 writes "Tom's Hardware recently interviewed Dino A. Dai Zovi, a former member of Sandia National Labs' IDART (the guys who test the security of national agencies). Although most of the interview is focused on personal computer security, they asked him about L0pht's claim in 1998 if the Internet could still be taken down in 30 minutes given the advances on both the security and threat sides. He said that the risk was still true."
Yes (Score:5, Insightful)
Re: (Score:3, Funny)
Or a new strain of rapidly spreading electricity-consuming tiberium.
Or me.
Re:Yes (Score:5, Insightful)
To break the "whole" internet takes some doing. That said, a large scale distributed dns reflection attack or any number of other attacks can turn off large chunks of the internet more or less at will. Thirty minutes seems very optimistic, if the zombies are in place prior to the attack.
Re: (Score:3, Funny)
If it's lower-case i internet as in your post, then yes, two or more connected networks make an internet.
nah. (Score:3, Informative)
Actually, this is exactly what it's supposed to survive.
Re:nah. (Score:5, Informative)
NAH (Score:5, Interesting)
"A memorandum published by the DoD in March 1982 declared
that the adoption of TCP/IP as the DoD standard host-to-host
protocol was mandatory and would provide for "host-to-host
connectivity across network or subnetwork boundaries."
Military requirements for interoperability, security,
reliability and [b]survivability[/b] are sufficiently pressing to
have justified the development and adoption of TCP and IP in
the absence of satisfactory nongovernment protocol
standards."
Emphasis mine.
http://www.columbia.edu/~rh120/other/tcpdigest_paper.txt [columbia.edu]
Re:NAH (Score:5, Insightful)
The DoD also approved the Space Shuttle's final dimensions on the basis of $100/lb launch costs and a constant schedule of military payloads... I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be too happy to certify their nuclear/chem/bio survivability and tactical necessity. They just like to buy toys, and nobody questions them about whether they really need something, and nobody ever tests them to make sure they really use it...
At least in this case we ended up with the Internet, and not the spaceplane-that-wouldn't-die-and-syphons-science-money.
Re:NAH (Score:4, Funny)
I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be too happy to certify their nuclear/chem/bio survivability and tactical necessity.
That would be a mistake. They should only certify Twinkies.
If Family Guy has taught me anything, it's that everyone should go to the nearest Twinkie factory in the event of a nuclear holocaust.
Re:NAH (Score:5, Funny)
If Family Guy has taught me anything, it's that everyone should go to the nearest Twinkie factory in the event of a nuclear holocaust.
If Family Guy has taught you anything, then may god have mercy on us all.
Re: (Score:3, Insightful)
On a related note, I really like orange tang and appreciate the early space program.
Re:NAH (Score:4, Funny)
"That's a big Twinkie."
YAH!! (Score:2)
Survivability.. so maybe
All it was designed for was to survive a single point of failure.
(note that I'm quoting canajin here in case there is any confusion)
What makes you think survivability implies the ability to survive nuclear war? The fact that you've heard as much parroted anecdotally countless times in the past?
Re: (Score:3, Informative)
Oh, I don't know.. maybe it could have meant the ability to survive a single point of failure?
Re: (Score:3, Informative)
I'm pretty sure that not having a single point of failure was considered part of "reliability" even back then.
Re: (Score:2)
Re: (Score:2)
It didn't start with a nuclear strike. They had operatives on the ground already. Watch the 1st episode again. :)
Re: (Score:2)
Re:nah. (Score:5, Funny)
OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.
In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function
Re:nah. (Score:5, Funny)
OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.
In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function
You're horrible. Not even the Cylons deserve Norton and McAfee.
Re:nah. (Score:5, Funny)
I'm saving my copy of windows ME just for the cylon revolt.
Re:nah. (Score:5, Funny)
Actually, this is exactly what it's supposed to survive.
Well, I'm reasonably certain my computer can't withstand a nuclear attack, and I don't think most porn stars are radiation-resistant, so it's really trivial to me whether or not there is still an internet after a nuclear war.
Re:nah. (Score:4, Funny)
The stars may not survive, but their videos could in a datastore underground. And your computer could survive in a bomb shelter. Underground. You know, where you live. In your mama's basement.
Heh heh
Re: (Score:3, Informative)
By a nuclear war for example.
That doesn't count.
Unless of course, you'd be worried about your WoW account while billions of people are dying.
Re: (Score:2, Funny)
Re: (Score:3, Insightful)
Re:Yes (Score:5, Funny)
By a nuclear war for example.
Why go to such extremes?
root@internet# shutdown -h +30 "Teh Intarwebs are going down!"
Re:Yes (Score:5, Funny)
Re: (Score:2, Funny)
Re: (Score:2, Insightful)
By a nuclear war for example.
Heck, it'd go even quicker if the Vogons decided to build a hyperspace bypass! Come to think of it, if somebody travelled backwards in time incorrectly and destroyed the universe, the internet would probably be destroyed in negative minutes!!
Look at me, I'm Mr. Insightful, mod me up!
Re: (Score:2)
All it needs is a giant Slashdotting (Score:5, Funny)
Just visit url://internet
Re:All it needs is a giant Slashdotting (Score:5, Funny)
Firefox tells me it doesn't understand URLs. I'd better just stick to HTTPs.
Re:All it needs is a giant Slashdotting (Score:4, Funny)
Internet Backbone DDOS in 2002 (Score:5, Insightful)
Every so often we get reports that the internet is a rickety old jalopy [slashdot.org] on its last leg [slashdot.org].
Given this impression and add to it the fact that the botnets seem to grow in tandem with the internet, I wouldn't be surprised to see an attack take her down in 30 minutes although I'm no expert. I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack. You'd have some fail overs and some courageous engineer might save the day but I'd put my money on the bad guys.
I would be surprised if it was down for more than 24 hours following that though.
Re:Internet Backbone DDOS in 2002 (Score:5, Insightful)
Re: (Score:2)
Oh please god, don't make those suggestions.
I haven't been on a residential provider yet, where their DNS worked properly.
I'm not rude enough to run my own nameserver at home. I piggyback off of my work networks, with finely tuned nameservers. :) It's amazing how much nicer they work, when there are a million people checking out youtube, myspace, and facebook. (oh, and the wonderful world of pron).
Comment removed (Score:5, Interesting)
Re:Internet Backbone DDOS in 2002 (Score:4, Informative)
Comment removed (Score:5, Interesting)
Re: (Score:2, Funny)
1) There's a lot more than 13 root servers nowadays. Many of the servers are mirrored using anycast [wikipedia.org]. Wikipedia had a total of 123 in 2006 so it's a safe assumption that there are even more today.
One hundred and twenty three root servers ought to be enough for anyone.
Re: (Score:2)
Re:Internet Backbone DDOS in 2002 (Score:4, Informative)
Nope, if you take out ALL the root servers right now I'll still be able to get around on the internet. My servers will still serve up information. My clients will still work.
Do I get to use the for-dummies name resolution? Nope.
If I type in 74.125.67.100 in my browser, google still shows up.
Granted, everything in google is useless as they don't log the IP addresses, but that's moot for me. PLUS I can always go to one of the alternate DNS servers and use them. Or my local cache... that would work for weeks without the root servers.
Re: (Score:2, Insightful)
If I type in 74.125.67.100 in my browser, google still shows up.
Sure, but the search results would be useless.
Re: (Score:2)
Then, thank goodness for google cache.
Who and Why? (Score:2)
His answer is pretty vague, but if I know anything about computer security (and I don't), isn't the key thing to decide who your attackers are and what they want? I'd guess that the people running large botnets could DDOS the root DNS servers, but as they have no motive to do that it's very unlikely they will. So who would want to take down the internet?
Perhaps Russia/China/US if they were about to start a world war (possible, but if that were the scenario we'd have bigger problems)?
Re: (Score:2)
from article: [tomshardware.com]
"Alan: That's a great tip. One last question: in 1998, the members of L0pht testified in front of the US Congress that a committed team of hackers could take down the entire Internet in 30 minutes...Do you think that statement still holds today?"
"Dino: Yes, and I probably shouldn't say much more about it than that. "
Honestly, I think the guy's full o
Re:Internet Backbone DDOS in 2002 (Score:4, Informative)
root DNS != Backbone
You can DDOS a server, a network, even big routers, but you can't DDOS the internet.
Cutting random cables here and there won't work either, at most you're going to isolate parts of the net.
The only way to take down the internet in 30 minutes is to exploit vulnerabilities in the BGP core routing protocol and announce netblocks that somehow (that's where something has to be exploited, bypassing filters, smaller blocks and routing costs considerations) take priority over other routes for every router that receives the announcement.
Not saying that's impossible, but still tough ...
Re: (Score:3, Insightful)
If you're able to take down 80% of the servers, it's possible you wouldn't have a chance to even reach the other 20%. You'd probably lose a significant portion of your botnet if you took out that much of the backbone.
Re: (Score:2)
I would be surprised if it was down for more than 24 hours following that though.
Concur - and if the bad guys would test the system more often (like they did 10 years ago when they hit Yahoo and E*Trade), we'd have a more robust system overall.
I'd be in favor of letting the white hats take a crack at the infrastructure 4 Saturday mornings per year, see how much havoc they can wreak in 24 hours and then figure out how to stop them from doing it again in 3 months. We should pay them during the designated attack days based on how much trouble they cause, then pay a different set of peo
Re: (Score:2)
Re: (Score:2)
Actually, that's a lot of the reason that they made some of the root nameservers multicast. Have a look at F, and I through M. It's not perfect, but it moved the root servers away from a handful of central points.
Back in the day, the MAEs had their bandwidth graphs online. You could see the aggregate for all ports, and (if I recall correctly) utilization by port. Ports were listed out on another page, so you knew the port names, IPs and providers.
It would h
It can be taken down much faster now. (Score:5, Informative)
http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html
A federally enabled Internet kill switch will place an Internet Off Button in the White House which can be used to instantly deactivate the Internet in case of an emergency, such as the plebes getting riled up. This bill, introduced to the Senate on April Fools, is expected to pass.
Re:It can be taken down much faster now. (Score:5, Insightful)
Your Internet maybe, not mine. At least, not because of that.
Re: (Score:2, Informative)
People misunderstand the scope and power of this law. Sure, only American & NATO NAPs will be turned off, so some IP routing may continue. However, DNS will be vaporized, as it is currently controlled by America. So your internet will become your hosts file, and any IP addresses you've memorized. Have fun with that.
(Job) security (Score:5, Interesting)
Guy who works in security testing wants people to believe that the state of internet security is OMGcritical? Shouldn't this be tagged "jobsecurity" rather than "security"?
Is this news?? (Score:2, Interesting)
All it would take is the right cables to be cut [circleid.com] for the internet to go down. Perhaps with a rented backhoe even.
Re:Is this news?? (Score:5, Funny)
All it would take is the right cables to be cut [circleid.com] for the internet to go down. Perhaps with a rented backhoe even.
A single backhoe might have some trouble getting the entire internet in 30 minutes. What's the top speed on those things?
Re:Is this news?? (Score:5, Insightful)
It's why I only ever did over-street travel in ours at night. Then again, backhoes are naturally overbalanced to the rear, I never did try to get our straight farm tractor up to speed on surface streets.
I've popped a wheelie in exactly two tractors in my day, one a backhoe, another a dozer. Sort of frightening when you do it for the first time and aren't expecting it.
30 mins might be optimistic (Score:5, Interesting)
Assuming a vulnerability is exploited in BGP, the internet would go bibi in a hurry. That's all our eggs in one basket, and it's a fairly rickety basket. There's still a lot of trust inherent in the BGP fabric and trust is a 4 letter word to anyone who deals with infrastructure security.
Min
Re: (Score:2)
All these posts... and YOU are the first guy to point out that, at its heart, the internet is a routing protocol problem, not a DNS problem.
Tag this: +1, Only guy who knows what the fuck.
Re: (Score:2)
BGP by design trusts in routing settings being honest... just program a router with can't-get-there-from-here routes, and you'll down the surrounding area's Internet speed, or even connections.
Re:30 mins might be optimistic (Score:5, Informative)
BGP by design trusts in routing settings being honest... just program a router with can't-get-there-from-here routes, and you'll down the surrounding area's Internet speed, or even connections.
No, no one trusts their peers anymore and their configs reflect that. Not since at least the 90s. Since before I started doing BGP support, everyone has filtered their customers' routes. WAY WAY too many people try to redistribute 10/8 from their IGP, or maybe try to send us a 0/0. And unscientifically, I'd say about 25% of newbie BGP admins think they own their previous ISP's IP space... so if old ISP gave them 1.2.3/24 they'd ask us to modify our filters to allow the /24, we'd check (have to check each and every customer every time) and see it's part of their old ISP's /18, and we'd educate them.
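An added illustration of the inbound customer-route filtering the comment above describes (not part of the original thread and not any ISP's actual configuration): it rejects a default route, private space such as 10/8, and a /24 that sits inside another provider's /18. The function names, the `old-isp` holder, the /24 length limit and all sample prefixes are constructed assumptions.

```python
import ipaddress

# Ranges that should never be accepted from a customer BGP session.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_V4_LEN = 24  # assumption: policy of dropping IPv4 prefixes longer than /24

# Constructed sample data, following the comment's "1.2.3/24 inside a /18" case.
CUSTOMER_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
FOREIGN_ALLOCATIONS = {"old-isp": [ipaddress.ip_network("1.2.0.0/18")]}
SAMPLE_ANNOUNCEMENTS = ["0.0.0.0/0", "10.0.0.0/8", "1.2.3.0/24",
                        "198.51.100.0/24", "198.51.100.128/25",
                        "203.0.113.0/24"]


def covering_block(net, blocks):
    """Return the first block that fully contains net, or None."""
    for block in blocks:
        if block.version == net.version and net.subnet_of(block):
            return block
    return None


def check_announcement(prefix, customer_blocks, foreign_allocations):
    """Decide whether one announced prefix passes the inbound filter.

    customer_blocks: networks registered to this customer.
    foreign_allocations: {holder_name: [networks]} held by someone else.
    Returns (accepted, reason).
    """
    try:
        # strict=True refuses prefixes with host bits set, e.g. 1.2.3.4/24.
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.prefixlen == 0:
        return False, "default route"
    for bogon in BOGONS:
        if net.version == bogon.version and net.overlaps(bogon):
            return False, f"overlaps private/reserved {bogon}"
    if net.version == 4 and net.prefixlen > MAX_V4_LEN:
        return False, f"longer than /{MAX_V4_LEN}"
    if covering_block(net, customer_blocks) is not None:
        return True, "registered to customer"
    # The "I own my old ISP's space" case: name the real holder in the reason.
    for holder, blocks in foreign_allocations.items():
        parent = covering_block(net, blocks)
        if parent is not None:
            return False, f"part of {holder} allocation {parent}"
    return False, "no registration on file"


def filter_session(announcements, customer_blocks, foreign_allocations):
    """Split a batch of announcements into accepted prefixes and rejections."""
    accepted, rejected = [], {}
    for prefix in announcements:
        ok, reason = check_announcement(prefix, customer_blocks,
                                        foreign_allocations)
        if ok:
            accepted.append(prefix)
        else:
            rejected[prefix] = reason
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_session(SAMPLE_ANNOUNCEMENTS, CUSTOMER_BLOCKS,
                             FOREIGN_ALLOCATIONS)
    print("accepted:", ok)
    for prefix, reason in bad.items():
        print(f"rejected {prefix}: {reason}")
```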
Re:30 mins might be optimistic (Score:5, Interesting)
The really funny thing about all this is that after Senator Thompson and the Government Affairs committee was finished pimping us out as media whores several unrelated people approached us and said "Hey, were you thinking of taking the net down this way..." And we would say "No, that's not what we thought of but your idea would probably work just as well."
The thing is many of those ideas are still valid. The global Internet network is a rickety piece of technology held together with bubble gum and baling wire. If it wasn't for the fact that people are actively trying to keep it operational I fear it would fall apart under its own weight in a very short amount of time not to mention if someone actually wanted to take it down.
- Space Rogue
http://www.lopht.com [lopht.com]
http://www.spacerog.net [spacerogue.net]
Re:30 mins might be optimistic (Score:4, Insightful)
I call bullshit.
Every so often you hear about how easy it would be to take down the internet. Yet, it has never happened. It hasn't even come close to happening. I don't doubt it's possible but if it were so easy, it would have been done by now. Some a-holes would have done it just for grins or to prove they could do it. Remember, the world is filled with a-holes.
Finally, people confuse DNS with the Internet. DNS is a feature of the Internet -- it is not THE Internet.
Re:30 mins might be optimistic (Score:5, Insightful)
You seem to underestimate the blood, sweat and tears that go into keeping networks alive. Yes, some assholes could take it down in a heartbeat if everyone would just let them. Fortunately, there are a good chunk of smart people who work tirelessly so that this doesn't happen. So far, so good. The problem: the good guys need to win every time to be seen as successful. The bad guys only need to win once.
Re:30 mins might be optimistic (Score:4, Insightful)
Isn't it the other way around? The people who say the Internet is a house of cards just waiting for a stiff breeze to bring it down are the ones underestimating the blood, sweat and tears that go into keeping networks alive. It's like saying banks would be trivial to rob if there weren't those pesky guards there to stop you.
Re: (Score:3, Informative)
Yet, it has never happened. It hasn't even come close to happening
Not exactly. [wikipedia.org] It was shortly before my time, but the reports are that "the internet" had some significant problems.
I think you're right that it has to be hard enough for it to be too difficult for your average a-hole. The claim was that this might take a group of exceptional a-holes. The thing about a-holes is, they generally don't like other a-holes.
Re: (Score:2)
Trust is usually a four letter word to me, but my speling kinda sucks
Re: (Score:2)
It's much better now. Not perfect, just better.
But, do you remember when someone advertised 0.0.0.0/0, and that ended up sending everything in the wrong directions? :) That was ... ummm ... around 1997 sometime, I think.
Re:30 mins might be optimistic (Score:4, Insightful)
The large scale providers filter bgp input from their smaller peers. You have to be 'one of the big boys' before you get to pass AS numbers through to the backbone without telling them about it first.
You might get by with it if you're peering with some smaller provider, as I have in the past, but the end result is that you still have to get them to talk to the real backbone providers to let your AS numbers out.
So while BGP could cause problems if you got a provider high enough up the food chain the chance of that is highly unlikely, and the monitoring systems in place would detect this and alert on it before it had spread across the entire internet anyway. It would probably affect a good majority of the Internet before fixed, but it wouldn't really last long outside of the tiny area where it started.
When this sort of thing happens, the backbone providers have no problem turning you off to resolve the problem immediately.
Re:30 mins might be optimistic (Score:4, Informative)
That really depends on what the vulnerability is.
There are several implementations of BGP from different vendors and at least two open source implementations. The protocol is also relatively simple. Consequently it's hard to imagine a vulnerability that is structural within BGP such that enough partitioning happens to make large the Internet unusable.
In the early 1990s there was a moment where there was a very large partition when AS Path prepending was used for the first time. Cisco routers did not mind the back-to-back duplicate AS. Proteon, Wellfleet and some other implementations discarded the NLRI (prefix/mask + routing information) as part of routing-information-loop avoidance. Gated-derived routers had a different approach in their NLRI loop-avoidance code, and rather than use the NLRI or discard that one update, they dropped the TCP session figuring that there was a data corruption bug. The result: BGP sessions between "core" IOS-talking routers and "core" gated-derived routers bounced up and down for a while. This affected most of the exterior routing gateways of ANS, which operated the NSFNET Backbone Service at the time.
This sort of "reset" policy is now known to have been a serious mistake and now is very rare.
Also in the early 1990s there was a hardware interaction problem involving Cisco 7000-series routers equipped with Silicon Switching Processor cards. A "covering" prefix arriving via any routing protocol -- typically BGP -- would cause all the "covered" (longer match of the same prefix) to be deleted with demand-population bringing those routes back into the radix tree like data structure. Demand population used the same CPU that TCP ACK processing and other activities used, so a router in the "core" with a relatively full routing table and a high packet per second arrival rate of a mix of prefixes (as in "core" routers generally) would simply melt down. This would starve timer-sensitive activities like TCP ACKing and processing the BGP protocol state machine. This in turn led to BGP sessions resetting due to time-outs, which in turn reduced the traffic load substantially on the melting-down router. This would "thaw" the router enough that it would bring the BGP sessions back up long enough to receive a covering prefix, and so forth in a loop. This crippled one very large "tier 1" ISP for an hour and change.
There have been a number of minor "ouchies" related to information obtained from BGP neighbours in the years since, with the most embarrassing ones having to do with specific implementations' reactions to very long data sets (e.g. extremely large AS_Set attributes, extremely long AS Paths).
There was also concern some years ago (late 1990s) about the frequency of BGP updates, and that a series of actors publishing up/down/up/down transitions as fast as they could might lead to a router "meltdown" with consequences along the lines of the situation described a couple of paragraphs up. This was considered a long term possibility, and as a result a couple of different approaches evolved to suppress oscillating prefixes or blocks thereof at a level much lower than that where BGP's fundamentally built in mechanisms (TCP window sizes and fundamental NLRI/RIB processing speeds) would kick in.
The modern BGP "basket" is much less systematically rickety; the systemic ricketiness is the result of BGP fundamentally being a "push" distribution of vectors rather than a "pull" acquisition of nonlocal (but widely distributed) connectivity and policy maps (as happened when one fed desired map data from USENET's u.* hierarchy into pathalias, for example, using one or more "smarthosts" as the equivalent of IP's 0.0.0.0/0 default).
Sadly, because the "push" NLRIs are not easily cryptographically signed by the source site (unlike PGP around a UUCP/USENET map file or even around an individual entry) there is still a requirement to trust your largest neighbours, although in the early 1990s the remained ANS's Policy Routing DataBase
Depends on who you ask... (Score:5, Funny)
Re: (Score:2)
Yeah, yesterday I was getting an Internet from some friends and I only got it today.
It's not just like a big truck, you know.
Ask my girlfriend . . . (Score:5, Funny)
. . . she accuses me of "turning off" or "breaking the Internet" at least once a day.
That's the power that you get with 57 levels of Slashdot Achievements. A big switch labeled "Internet On/Off."
it was demonstrated last year (Score:5, Informative)
Of course this was an accident, but a malicious attack could simply advertise lots of incorrect routes and hose up everything
Re: (Score:2)
> When Pakistan decided to block youtube ... Of course this was an accident...
Was it?
Re:it was demonstrated last year (Score:4, Insightful)
The internet is built with the BGP routing protocol, which is based on trust. You trust that your peers will advertise correct routes.
Only and exclusively amongst the tight knit community of tier 1 providers. No one accepts unfiltered routes from their customers. (except for unintentional mistakes).
Also, You Tube is not "the internet" as in "the entire internet". Good luck advertising a 0/0 route, even amongst tier 1 ISPs.
Re: (Score:3, Informative)
Funny, during all that I had no interruption to YouTube.
Because ... the Internet functioned as it was supposed to and the BGP filters at some backbone provider up the food chain from me prevented me from noticing.
Did you read the article you linked to? Let me help you:
Lets read that carefully. PCCW turned off Pakistan
CME (Score:5, Interesting)
http://www.businessinsider.com/could-the-sun-destroy-the-earth-2009-3 [businessinsider.com]
Coronal Mass Ejection, a big enough one could wipe out all life on earth, and fry all the electronics.
Ohhh yeah. (Score:2)
30 minutes? With how fast the internet is (There's few places in the world I get a ping reply within seconds), the internet could be taken down within 30 seconds if the perfectly right-wrong thing happened.
It'll probably happen eventually, but I wouldn't lose any sleep over it. It's not like the internet, you know, is a living creature that depends on every breath to survive.
We need to mesh more (Score:2)
ISPs should be forced to have to peer at any POP they join. Then the Internet would potentially be a lot more stable.
Re: (Score:3, Insightful)
Forced peering would lead to situations where the data flow could be tilted from one side to another. "Peering" requires relatively equal data flow between the partners.
Re: (Score:3, Insightful)
Yes, but where is the problem? A line doesn't need to be equally loaded in both directions. That's just a decision beancounters made. It doesn't make much sense in real life.
Just get a line between 2 ISPs and route only the traffic between those 2 ISPs on that line until it's full. The rest can go the long way.
Re: (Score:3, Insightful)
ISPs should be forced to have to peer at any POP they join.
Forced to peer with spammers? no thanks!
Also "the internet" is mighty big. You might pull this off in one country, maybe the entire EU, but probably not the whole world. We (as a planet) can't even agree on basic human rights, much less the middle school girl game of who's gonna peer with who.
Re:We need to mesh more (Score:4, Insightful)
Maybe "forcing" is a bit strong, but ISPs should definitely be encouraged to do so. Every packet which does not go over centralized portions of the net makes it more stable.
1) Maybe if I won't peer with him, he will hire me as an upstream and I'll make money. Extra funny if both sides try the same strategy. Even funnier if one side was recently paying the other, and now refuses and/or is going bankrupt.
2) My cheap router doesn't have enough memory/CPU/whatever to peer with EVERYONE at the IX, somebody is going to get cut. Or maybe I have the hardware, but the guy I'd like to peer with simply does not.
3) Maybe the IX charges $x for each peering connection (they gotta pay their bills somehow). So, if that peer is only worth $y of paid upstream traffic, and $x > $y, then ...
4) ISP "Y" does not have enough capacity outta the IX to handle the traffic I'd like to send them. (no one ever admits in public they are the ones whom don't have a large enough pipe to the IX, it's always the other guys)
5) "X"-IX is just icky and flaps all the time and drops packets. Now that is good enough for our connection to Afghanistan Telco because we can blame the problems caused by the IX, on the satellite, but our customers will not tolerate those problems when connecting to skype, so no peering for skype at that IX! Bonus points if "X"-IX is on the other side of the planet from our techs, and/or their support sucks.
6) I'm secretly a middle school girl whom runs BGP at ISP "X" (sounds like an Anime series?). Now, I heard, that she said, that he read on the bathroom wall, that the middle school girl whom runs BGP at ISP "Y" said my network sucks, so ISP "Y" is soooooo off my myspace friends list and livejournal and AIM and also I'm not inviting them to my peering party. Now personally, I believe this scenario accurately represents about 99% of all peering disputes.
Prevent Over Logging (Score:4, Funny)
Today we take the Internet for granted, but it could go down any time from over logging. We have to prevent this by using the Internet when truly necessary, and to only view Internet porn twice a day... max.
I am ready for the DNS takedown! (Score:5, Funny)
I have all my most important sites' IP addresses written on Post It notes all over my wall.
Bring it!
I find his lack of faith disturbing (Score:2)
Are jail/chroot/other sandboxes so ineffective the only way he can securely browse the web is in a virtual machine?
I know VMs are all the rage nowadays but it seems pretty dumb to rely on them for security instead of designing secure systems.
DNS? (Score:2)
And would a determined botnet herder be able to 'take down' the Internet by launching a worldwide DNS cache poisoning attack and redirecting to a botnet-based DNS server farm? How much of the Internet would die?
Probably much easier to coordinate multiple botnets to DDOS the root servers, and also nail a few prominent servers at larger ISPs.
Naww. That's been pretty much fixed. Attacking BGP is so much more efficient. Nevermind.
Yes, but... (Score:2)
Yes, but no one will believe that it can be until a crazed ex-federal agent stages a "fire sale" in order to prove it. And then disaster will be narrowly averted because Bruce Willis kicks his ass.
Could? should. (Score:2, Insightful)
The real question is should the internet be brought down in 30 min.
A: probably so.
Even more of a reason to resurrect guerilla.net (Score:3, Interesting)
Someone needs to get guerilla.net [72.52.208.92] going again, now that l0pht has abandoned it. There is something attractive about being able to maintain communications even under government or terroristic attacks...
The threat is real - fight the power (Score:3, Funny)
All it would take is to lengthen Twitter messages to 616 characters. That would bring the whole thing down.
The truth is "out there."
--
Toro
Re:true (Score:5, Funny)
In 30 minutes?
You're doing it wrong.
Re:true (Score:5, Funny)
I think you're confusing your childhood with a "yo momma" joke.
Re:YES!! (Score:5, Interesting)
Take BGP for example. Very little security in it.
Sounds like somebody not involved in actual BGP work and/or just scaremongering (worship me because I say scary things).
Nobody configures their peers using dns addresses. Doesn't everyone use md5 hashes? Doesn't everyone filter their customers routes?
I did "most of" the customer side BGP at an ISP for "years" with quite a few customers... if every time someone redistributed 0/0 or 10/8 to us we took down the internet, frankly, it would have been down most of the time. Not to mention people whom thought their old provider's IP space was their own (as opposed to actual ARIN space)
Then there's the guys who prepend like a hundred times, always good for a laugh or two.
Folks whom think they can take down global BGP by flapping their routes a couple times and don't even know what route dampening is... well...
Now, yeah, one bad dude could take over one router and maybe temporarily down one ISP that is run by fools who don't follow the "rules", but one badly run ISP out of bazillions is not "the internet".
Overall, I'd say out of 30K AS, of which at least 50% don't really know what they're doing, yet they still can't take the sucker down, god knows I've seen everything tried at least once, so a couple black hats don't even have a chance.
Re: (Score:3, Interesting)
couple of very skilled and knowledgeable black hats with a severely huge and well-distributed botnet who were absolutely intent on taking down the entire Internet, could probably do so using multi-pronged attacks
Well, then we're getting into definition games. If 50% of the hosts on the net were infected and flooded the other 50% who were not infected/uninfectable yeah then something like that. You're going to have a huge task to find and flood every single BGP peer connection and flood all of them.
Also bear in mind that 99.999% of attacks are perpetrated by completely incompetent amateurs.
Yeah no kidding, and the folks whom do front line BGP support know it. I know it sounds rough, but in many cases it seemed the only difference between the black hats and the customers is the customers paid us money and
Re: (Score:3, Insightful)
There's an awful lot of redundancy and inter-networking going on in the Internet, but a concerted attack at the right points in the Internet could take them offline, and break those links between networks.
No, it wouldn't cause your computer to blow up. It wouldn't break your home network. It wouldn't break your ISP's network. But if AT&T, L3, Verizon/UUNet, GBLX, Qwest, Sprint, etc. couldn't talk to each other, you'd as good as break the Internet. Remember the connectivity issues that were caused last y
Re: (Score:3, Funny)
Again.