Internet vulnerabilities

There is a lot of news lately about terrorist groups doing recon on
potential targets. The stories got me thinking.

What are the real threats to the global Internet?

I am looking for anything that might be a potential attack point. I don't
want to start a flame war, but any interesting or even way out there idea
is welcome.

Is it feasible that a coordinated attack could shut down the entire net? I
am not talking DDoS. What if someone actually had the skills to disrupt
BGP on a wide scale?

jas

There are a few interesting things on this front that could be
done.

  As in most routers the data+control plane are the same, one can
DoS the processor or router in interesting ways.

  The easiest thing to do would probably be to do some poking
and prodding in the lab of various vendors' routers and see if there is
some sort of fatal update that can be sent that won't take effect until
after it has been propagated.

  Doing this could cause interesting cascade failures. The
good news is, it wouldn't take too long until someone isolates the
injection point of such an update and turns the connection off.

  - Jared

Thinking about a physical threat...
If you go to 111 8th ave, NYC. They have added security since 9-11-01
which now requires either building ID, or showing a driver's license
before entering building (because terrorists don't have driver's
licenses).

On some floors (eg the 7th), the building risers and conduits are
completely exposed. I can't help but wonder how much damage a terrorist
attack on those would do.

Also, say someone from a moderately fast internet connection (OC-3) ran
nmap across the entire internet on ports like 21,22,53,80,443,3306. In
one day, they can probably have a list of every server answering those
ports, and the versions of the daemons on them.

Next, just wait for a wide enough exploit to come out, and then write a
Trojan that has a list of every other server vulnerable, and on every
hack, it splits the list in 2, and roots another box and gives it the
2nd half of the list.

I estimate that with a wide enough exploit (eg apache or openssh), you
could probably compromise 20% of the servers on the net within 1 hour,
and then have them all begin a ping flood of something "far away"
network wise (meaning a box in NYC would flood a box in SJC, a box in
SJC would flood a box in Japan, etc... Trying to have as much bit
distance as possible).

Damn scary, but I believe if someone was determined enough, they could
take down the whole 'net within one hour of pressing "enter".

I suppose there really isn't anything that can be done at this point to
make that scenario impossible.

--Phil

Jason Lewis wrote:

What if someone actually had the skills to disrupt BGP on a wide scale?

I think the media talk about "taking down the Internet" are kind of bogus.

Nobody has ever died because they couldn't check their email.

If the net went down for an hour, a day, or even a week I think that my
mom and the rest of the non "glued-to-their-terminal" world would somehow
struggle through and sustain a normal daily routine.

-davidu [who probably would not survive a week long net outage :wink: ]

Except what if in my scenario, while flooding, it executed dd
if=/dev/zero of=(hd) on all of the system drives.

If someone wanted to do it, it could be done.
--Phil

I can't quite picture Osama leading a crack team of BGP commandos on a
jihad against the internet...

Maybe blowing up some important net targets, or cutting some important
fiber (and then leaving anti-personnel mines for the people who come to
splice it)... Though if they took out the MAE's, I think routing would
improve. :slight_smile:

I've always wondered if someone could get away with colo'ing explosives at
major locations. Take a large computer or router chassis (a 12016 would do
nicely, or some Sun gear), fill it with explosives, and colo it... It
could even be operated over the internet, running "bombd" as it were.

Or what about an attack against the people running the net, say a NANOG or
IETF meeting... Or maybe something more constructive, like MPLSCon...

But I'm sure there are probably more subtle ways to do it. As with all
good vulnerabilities, it takes someone who is working on the inside to
REALLY know how to muck things up... Fortunately the terrorists seem to be
concerned with killing thousands of innocent people and scaring millions,
not pissing off a few nerds and disrupting eBay's profit margin for a
week. As much as we like to think we are important, I'd hardly put them in
the same class.

I think the media talk about "taking down the Internet" are kind of
bogus.

Nobody has ever died because they couldn't check their email.

If the net went down for an hour, a day, or even a week I think that my
mom and the rest of the non "glued-to-their-terminal" world would
somehow struggle through and sustain a normal daily routine.

-davidu [who probably would not survive a week long net outage :wink: ]

How many companies base profits on their internet connection? While you
might survive, there would be a lot of money lost. Disrupting the economy
seems to be the goal.

Or, you could work behind the scene, get Michael Powell appointed to the
FCC, and make sure there are no brakes on the shortsightedness of
lawyers at the RIAA, the MPAA, and the US RBOCs.

Oh. Wait. That's been done. Nevermind.

Coordinated infrastructure attacks are scary for that reason. They are
scary. :slight_smile: Netcraft will provide you the information on every web
server/server OS just for the asking -- you don't need an OC3 or even nmap.

Historically, wide spreading worms have had a flaw in the program that
prevented how much damage they could cause. (i.e., either too virulent or
too patient). I suspect even in your dd solution, the attacker would leave a
delay to allow some additional CPU power devoted to attacking other
destinations. If the timeout is too short and interesting machines go down
fast, the spread takes longer. If it's too long, it can be stopped before it
gets as far. The nastier you make it, the less far it spreads.

In some paranoid networks, within 20 minutes of the content disappearing
they would probably pull all or many of their most significant machines off
line while they are figuring out what attack is occurring. The least
responsive networks are going to be the most vulnerable to a scenario like
this.

Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it
used to be (even at the border), and since most large networks use automatic
configuration generators -- no matter how cumbersome -- it is conceivable
that the brute force attack could be killed on the largest networks at a
mean of 10-12 hrs. Server damage would take longer depending on how
available/recent backups are.

The best part of multilevel NOCs (level 1-2 open tickets 3+ solve problems)
is that under large, cascading attacks of this sort, those who actually
solve the problem are not as bogged down by frantic customers calling.

:What are the real threats to the global Internet?

I realize this seems like nitpicking, but asking what the real risks are
might be a more useful question. The reason I mention this is because the
Washington Post report the other day about threats to SCADA systems was
blown out of proportion, because it equated the seriousness of the threats
with their associated risks. Yes, most ASN.1 implementations have serious
vulnerabilities, welcome to 1988.

The ASN.1 vulnerabilities being talked about right now are serious threats,
but lower risk than say, millions of unpatched IIS and apache servers,
public exploits and a worm on the loose. Application level vulnerabilities
that have to be patched on a host by host basis, cause a greater risk than
say, SNMP vulnerabilities that can be filtered at the gateway, which
protects from opportunistic external attacks.

When you talk about threats to the global Internet, there are hundreds of
equally serious vulnerabilities of varying risk. Also, the "global Internet"
has many different meanings. It can mean "the ability to send and receive
packets on layer 3" or "people being able to conduct business electronically,
with some reasonable expectation of the confidentiality, integrity and
reliability of their transactions."

So, it all depends on what you mean by the Internet :) I think this is
an extremely important discussion to have on the list, I just think
it should be framed in terms of real risks, root causes, and
potential solutions.

:I am looking for anything that might be a potential attack point. I don't
:want to start a flame war, but any interesting or even way out there idea
:is welcome.
:
:Is it feasible that a coordinated attack could shut down the entire net? I
:am not talking DDoS. What if someone actually had the skills to disrupt
:BGP on a wide scale?

Once you start thinking about the Internet from a security perspective,
you realize there is no "entire net" subject to the sum of its parts in
any practical sense. It is a network of networks that serves a continuum
of interests, bounded by economics, and driven by porn. :wink:

The attack point is anywhere you think will do the most harm to the
people you dislike. If you just want to break something, find serious,
easy to exploit, security design limitations in BGP, MPLS, BIND and
drive a major global backbone like UUNet into insolvency.

..What? Oh ...Too late.

How about this:
ISP X had its tftp server compromised by a wily hacker who evaded
tripwire and covered his tracks well, and uploaded some cracked Cisco code
(the current release for their GSRs). This code was designed to corrupt
the directories and shut down the router at date XX:XX:XX. Each of the
affected GSRs -- 7: five new roll-outs and 2 upgrades -- went down at the
same time (save one whose time was not set correctly). Each site had to be
driven to, flash cards replaced. ISP X severely crippled for 6 hours. The
hacker could have gone the extra leg to have the tftp server expunge the
backup configs at the same time -- extra couple hours -- but did not.

We all download code from Cisco/Juniper/Bay in good faith... when's the
last time you saw a signature attached to any of those? Most security
breaches happen from within anyway. A disgruntled DE....

Just a wicked thought.
j
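A defender-side check for the staged-image scenario above, added here as an example and not code from the thread: a small Tripwire-style manifest check over a tftp root (file names and contents are constructed), where the manifest is taken when images are first staged and should be kept off the tftp host so an intruder on that host cannot rewrite it along with the image.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large router images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under the tftp root (relative path) to its SHA-256; store the result off-host."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def check_manifest(root, manifest):
    """Compare the tftp root against a trusted manifest; returns (modified, missing, unexpected)."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed sample: stage two files, then replay the thread's scenario (image swapped, backup config expunged)."""
    root = tempfile.mkdtemp()
    for name, data in [("gsr-image.bin", b"vendor image v1"), ("rtr1.cfg", b"hostname rtr1")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(root)          # taken at staging time, before any compromise
    with open(os.path.join(root, "gsr-image.bin"), "wb") as f:
        f.write(b"tampered image")           # the "cracked" image replacing the real one
    os.remove(os.path.join(root, "rtr1.cfg"))  # the backup config being expunged
    return check_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Run the check from a box other than the tftp server (mount the tftp root read-only, or pull the files over) so a compromised tftp host cannot answer with a clean manifest of its own making.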

Who needs malicious hacking, running the latest code for a GSR will crash
your network just fine... The specific crash date and time functionality
hadn't been added yet though, maybe you could put in a feature request. :slight_smile:

Besides, if someone actually did get the IOS code (laugh) AND manage to
compile images out of that cruft, I'm pretty sure changing the MD5
signature on cco would be the least of their problems.

Keep the gloves up...cruft...lol, but if you wanted to compare Cisco
"features", I've dealt with some bugs that would cook your hair.

Unfortunately, I've only worked with Juniper in an MPLS lab -- but I've
heard some good things concerning their reliability (but mostly from
people that won't shut up about FreeBSD, so take it for what it is).

j

I can't quite picture Osama leading a crack team of BGP commandos on a
jihad against the internet...

It won't be OBL who takes down the net, it will be a bunch of accounts like
those at WCOM..

Geo.

Ah the infamous accounting.eml of 2002, good call.

I'm actually more worried about script/packet kiddies.

13 year olds with some scripting knowledge rarely know the financial
cost of their "fun".

--Phil

Phil Rosenthal wrote:

Also, say someone from a moderately fast internet connection (OC-3) ran
nmap across the entire internet on ports like 21,22,53,80,443,3306. In
one day, they can probably have a list of every server answering those
ports, and the versions of the daemons on them.

Given the ability (which anyone can have with a few downloaded scripts)
to subvert poorly secured machines on cable or DSL links and make them
do the work, you could do this without a fast connection, and without
being obvious enough to raise major alarms from intrusion detection
systems. It might take a few weeks or even months.

For some types of target, you may not even need nmap. Look at MX
records, or at mail headers, to find mail servers, at news headers
to find Usenet servers. Use a web crawler, or an existing index, to
find web and FTP servers. Or write a little program that searches the
DNS for names with leftmost element ftp, mail, pop, smtp, www, ns,
dns, ... These won't get you a full list, but perhaps enough.

Next, just wait for a wide enough exploit to come out, and then write a
Trojan that has a list of every other server vulnerable,

You don't need them all, just a few 1000 with good net connections to get
things rolling. Once you have those infected, it doesn't matter if your
method of spreading further is inefficient; you'll get everything anyway.

Also, you may not need a new exploit. Many systems are not patched
against the old ones, and it is certainly possible to try multiple
exploits in a single worm.

and on every hack, it splits the list in 2, and roots another box and
gives it the 2nd half of the list.

Better, give it the whole list and have each instance start at a random
point in the list. That way, even if some instances are caught and
killed, you still get the whole list.

I estimate that with a wide enough exploit (eg apache or openssh), you
could probably compromise 20% of the servers on the net within 1 hour,

For better estimates and detailed discussion of worm design, see:
http://www.cs.berkeley.edu/~nweaver/warhol.html

and then have them all begin a ping flood of something "far away"
network wise (meaning a box in NYC would flood a box in SJC, a box in
SJC would flood a box in Japan, etc... Trying to have as much bit
distance as possible).

Why futz with a ping flood? If the objective is to take down the net,
you want to attack infrastructure -- nameservers, routers, ...

From that viewpoint, the ideal worm would use whatever it needed to
become widespread, but would switch attacks once it had spread, trying
for known holes in things like BIND or IOS, or just flooding the root
name servers.

I'm actually more worried about script/packet kiddies.

13 year olds with some scripting knowledge rarely know the financial
cost of their "fun".

Does the possibility of these 13 year olds being recruited exist? I think
so.

I think most people are grouping terrorists into the "strap a bomb to your
body and commit suicide" stereotype. Is there a possibility that
intelligent terrorists exist? Or even people that have the knowledge and
sympathize with them? OBL used a satellite phone, they found laptops in
Afghanistan, there is evidence they are using the web to transmit
information to each other. I think someone out there has a clue about
computers.

Crippling the entire net may be impossible, but it sure sounds like a well
planned out series of attacks could do some serious damage.

jas

I'm sure a number of people have seen this article already:

  http://www.business2.com/articles/mag/0,1640,41206,00.html

  The Technology Secrets of Cocaine Inc.
  Colombian cartels have spent billions of dollars to build one of
  the world's most sophisticated IT infrastructures. It's helping
  them smuggle more dope than ever before.
  By Paul Kaihla, July 2002 Issue

The article goes on to talk about how the drug dealers are using complex
data-mining techniques (and in one instance an AS400) to run and protect
their businesses.

cheers!

The 13 year olds generally do it for the glory of being elite, not for
greater political agendas.

And, while I think that if terrorists wanted to, they could... I think
terrorists are more interested in collateral damage.
--Phil