Could the Internet Be Taken Down In 30 Minutes?

GhostX9 writes "Tom's Hardware recently interviewed Dino A. Dai Zovi, a former member of Sandia National Labs' IDART (the guys who test the security of national agencies). Although most of the interview is focused on personal computer security, they asked him about L0pht's claim in 1998 if the Internet could still be taken down in 30 minutes given the advances on both the security and threat sides. He said that the risk was still true."

Yes

[2.7182]

By a nuclear war for example.

Re:Yes

[techprophet]

Or a new strain of rapidly spreading electricity-consuming tiberium.

Or me.

Re:Yes

[Ruede]

i think it is not a big issue too switch a few routers and switches off.

Re:Yes

[Jurily]

By a nuclear war for example.

That doesn't count.

Unless of course, you'd be worried about your WoW account while billions of people are dying.

Re:Yes

Too expensive. How about 2 broken routers: http://tech.slashdot.org/article.pl?sid=09/02/16/2233207

Re:Yes

[Cube+Steak]

But I have level 80, purple gear you insensitive clod!

Re:Yes

[Chris+Burke]

By a nuclear war for example.

Why go to such extremes?

root@internet# shutdown -h +30 "Teh Intarwebs are going down!"

Re:Yes

Define the internet. If you hit google you got like the face of internet.

Seems quite easy, reading the recent DNS and routing news (remember youtube redirecting to china?)

Re:Yes

[dimko]

Or by a sucessfull Collider Experiment..

Re:Yes

Or by throwing anchor in Mediterranean sea :-)

Re:Yes

[MobileTatsu-NJG]

By a nuclear war for example.

Heck, it'd go even quicker if the Vogons decided to build a hyperspace bypass! Come to think of it, if somebody travelled backwards in time incorrectly and destroyed the universe, the internet would probably be destroyed in negative minutes!!

Look at me, I'm Mr. Insightful, mod me up!

Re:Yes

[eleuthero]

or whatever it is that causes large middle eastern countries to lose all access to the outside world for days at a time (apart from satellite feeds) on multiple occasions all with multiple cable failures at the same time.

Re:Yes

[ElizabethGreene]

To break the "whole" internet takes some doing. That said, a large scale distributed dns reflection attack or any number of other attacks can turn off large chunks of the internet more or less at will. Thirty minutes seems very optimistic, if the zombies are in place prior to the attack.

Re:Yes

It wouldn't break anonet.org, because that's linked together using VPNs over the Int.... Aaaah.

Re:Yes

[rpmayhem]

root@internet# shutdown -c "I'm still reading slashdot you insensitive clod!"

Re:Yes

[Hoi+Polloi]

Easier to just flush some paper towels down it and clog up the tubes.

Re:Yes

[sorak]

By a nuclear war for example.

Why go to such extremes?

root@internet# shutdown -h +30 "Teh Intarwebs are going down!"

Why shut it down when you can blow it up?

root@inernet# yum install Windows-Vista.x86_64

Re:Yes

[mrops]

Prior question is, at what point does a network become "internet".

Do two networks connected make a internet... 3, maybe 4.... When do you call it "internet".

If its a large number of networks, then a ship with its anchor down in red sea can pretty quickly bring down the internet.

Re:Yes

[N3Roaster]

If it's lower-case i internet as in your post, then yes, two or more connected networks make an internet.

Re:Yes

How appropriate. I was just thinking we needed an Internet "Doomsday Clock" with the current setting at about 30 minutes :-)

Re:Yes

[NerveGas]

Yeah, it would take several DIFFERENT networks' router-jockeys horking up their BGP rules at the same time...

That was *mostly* tongue-in-cheek.

Re:Yes

wasn't the entire point of ARPANET to keep communications going in case of a nucelar strike?

Re:Yes

[sexconker]

My favorite harvester unit response is "But what about the tiberium?".

The way he says it, completely concerned about not getting any more tiberium, in a shaky voice, all because you moved him away from the incoming attackers for a few seconds.

Re:Yes

[portalcake625]

Why shut down when you can remove it all?

root@internet# rm -rf *

Re:Yes

The Vogons can't do anything in 30 minutes without the proper paperwork filled out in triplicate. So I suppose they could do it in 30 minutes if there was the proper paperwork but c'mon, the lines!

Re:Yes

[pmarini]

that's not the only issue... where I live, each time there is some big worldwide news and consequent heavy use of the nearby cell tower, my cellular Internet connection (you know, those "nifty" 3G USB sticks) stops working altogether...

Re:Yes

[Bromskloss]

root@internet# shutdown -P 25 "There's nothing to see there, just move along."

Re:Yes

[TSchut]

It's already been done in the future, by skynet.

Re:Yes

well..
``if you put "google" into google, you CAN break the Internet''

All it needs is a giant Slashdotting

Just visit url://internet

Re:All it needs is a giant Slashdotting

[Chris+Mattern]

Firefox tells me it doesn't understand URLs. I'd better just stick to HTTPs.

Re:All it needs is a giant Slashdotting

[ozbird]

That's because Firefox saves thar Interwebs. IE would probably give you an animated "It looks like you're trying to take down the Internet" helper.

Re:All it needs is a giant Slashdotting

[daveime]

Nah, MSIE would say "It looks like the internet is down ... would you like to search for help online".

Connection Paradox 101 ala Microsoft ;-)

Re:All it needs is a giant Slashdotting

[pmarini]

and you know it's down when you get a 404 ? :-)

Re:All it needs is a giant Slashdotting

[rastos1]

The GP was wrong. The correct URL is http://www.turnofftheinternet.com/. Unfortunately it does not look that nice in current version of FF as it did in some older IE6.

nah.

[neo]

Actually, this is exactly what it's supposed to survive.

Re:nah.

[canajin56]

Not true! ARPANET was designed as it was because there were only a few super computing sites at the time, and they were separated by quite a bit. The redundancy comes in to play only because they didn't want to lose important access if a router broke somewhere, as they are wont to do. All it was designed for was to survive a single point of failure. But even that is distorted. Just because ARPANET was designed that way decades ago, doesn't mean that large corporations decided to keep with that philosophy when they took over!

Re:nah.

[2.7182]

OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.

Re:nah.

[interkin3tic]

Actually, this is exactly what it's supposed to survive.

Well, I'm reasonably certain my computer can't withstand a nuclear attack, and I don't think most porn stars are radiation-resistant, so it's really trivial to me whether or not there is still an internet after a nuclear war.

Re:nah.

[JWSmythe]

    It didn't start with a nuclear strike. They had operatives on the ground already. Watch the 1st episode again. :)

Re:nah.

[ParanoiaBOTS]

OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.

In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function

Re:nah.

[rcamans]

The stars may not survive, but their videos could in a datastore underground. And your computer could survive in a bomb shelter. Underground. You know, where you live. In your mama's basement.
Heh heh

Re:nah.

[2.7182]

You mean watch the mini-series again. The first episode was "33".

Re:nah.

[freyyr890]

OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.

In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function

You're horrible. Not even the Cylons deserve Norton and McAfee.

Re:nah.

[cayenne8]

"Well, I'm reasonably certain my computer can't withstand a nuclear attack, and I don't think most porn stars are radiation-resistant, so it's really trivial to me whether or not there is still an internet after a nuclear war."

Remember, after a nuclear war, there will only be two things left, cockroaches and Keith Richards.

Re:nah.

[peragrin]

I'm saving my copy of windows ME just for the cylon revolt.

Re:nah.

[Kell+Bengal]

Imagine skinjobs grinding to a halt and falling over as their CPUs max out whenever they get an email...

Re:nah.

I live in YOUR mama's basement, fucker!

Re:nah.

[interkin3tic]

Is the AC talking to rcamans or me? Because if it's me, my mamma's basement ain't big enough for the both of us. Neither is my bomb shelter porn collection.

Re:nah.

[infinite9]

That won't work. Jeff Goldblum taught us that the aliens are all using apples.

Re:nah.

[e-scetic]

In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function

Oh, I read that as upload it and watch as Norton and McAffee no longer function, meaning there goes our only defense.

Re:nah.

"The stars may not survive, but their videos could in a datastore underground."

There was a documentary about specifically saving those kinds of valuable human assets, making the videos rather superfluous. The documentary had a weird title. "Dr. Strangelove", I think it was.

Re:nah.

or was it "How I learned to Stop Worrying and Love The Bomb"?

Re:nah.

Gives new meaning to "My god! It's full of stars!", doesn't it.

Re:nah.

[linzeal]

I am keeping Microsoft Bob. Nothing even remotely compares to its crappiness, imagine a UI that relied almost completely on clippy like interactions.

Re:nah.

[thegermanpolice]

I'm saving my copy of windows ME just for the cylon revolt.

I've got a Mac book to interface with alien technology in case this sort of thing happens, so between us we should be ok.

Re:nah.

[jonwil]

If it was the Borg, we just need to upload Norton Internet Security. Based on the complete lack of network access I experienced last time I installed that piece of garbage, installing it on the Borg networks will cause them to loose connectivity to the collective.

Re:nah.

[sgt_doom]

Excellent points all, Good Citizen canajin56. A small amount of the proper explosive or incendiary device distributed among seven IXP sites should be sufficient. (Note I said IXP, not ISP!)

Re:nah.

I got as far as 'imagine grinding against skinjobs' and got lost in thinking about a dozen 6s in a lesbian spank inferno

Re:nah.

[daveime]

Well they would function, only the red "knight rider" light on their faces would move back and forward really, really, slowwwwwllllllyyyyyy.

Anyone waiting for Norton to finish a full scan of the C: drive knows exactly what I'm talking about.

Re:nah.

[kalirion]

In the olden days, the Borg were taken out by Microsoft's lawyers. It should be much easier to handle the Cylons today - just send an anonymous tip to **AA.

true

The internet can take down my pants in 30 minutes.

Re:true

In 30 minutes?

You're doing it wrong.

Re:true

[__aaclcg7560]

When super extra-tight jeans became the rage in the early 1980's, it would take my Mom thirty minutes to get into or out of her pants. Often with my Dad holding a pair of pliers for the zipper and using all his strength. Before that in the 1970's, the knee-high white boots which also required a pair of pliers.

Re:true

[644bd346996]

He spends the first 29 minutes on ./

Re:true

[mollymoo]

I think your're confusing your childhood with a "yo momma" joke.

Re:true

[FishOuttaWater]

Aw, c'mon, creimer, you can't ask for a better setup than this. Just say it! "I think my childhood *was* ..."

Re:true

This is my favorite post of the day.

Internet Backbone DDOS in 2002

[eldavojohn]

In 2002 4 or 5 of the 13 root servers were big news ... although we've come a long way since then, I think the integrity of the internet still depends on these things.

Every so often we get reports that the internet is a rickety old jalopy on it's last leg.

Given this impression and add to it the fact that the botnets seem to grow in tandem with the internet, I wouldn't be surprised to see an attack take her down in 30 minutes although I'm no expert. I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack. You'd have some fail overs and some courageous engineer might save the day but I'd put my money on the bad guys.

I would be surprised if it was down for more than 24 hours following that though.

Re:Internet Backbone DDOS in 2002

[afidel]

The way to fix it would be egress filtering where all consumer class lines were barred from directly querying the root servers. Would suck greatly for anyone who wanted or needed to run their own resolver, and would break the original end to end design of the internet, but it would be the most likely response to the threat. The ISP's would love it too since it would allow them to have a captive audience for their ad laden DNS servers.

Re:Internet Backbone DDOS in 2002

[Shakrai]

I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack

I think you are overlooking a two things:

1) There's a lot more than 13 root servers nowadays. Many of the servers are mirrored using anycast. Wikipedia had a total of 123 in 2006 so it's a safe assumption that there are even more today.

2) Even if you could render the root servers inaccessible, this doesn't "take down" the internet. Many sites would still be accessible until their DNS cache entires timed out in the nameserver that you use (likely your ISP). A lot of sites set short timeouts on the www 'A' record (for load balancing purposes) but long timeouts on the 'NS' records for the domain. In this scenario your nameserver would still know where to go to get the 'A' record and wouldn't need to consult with the root servers.

Those caches wouldn't last forever but it would seem to offer enough time to deal with the DDOS. The internet would have limited functionality for awhile but it wouldn't "go down". Many operations (site to site VPNs for example) might not even notice.

Re:Internet Backbone DDOS in 2002

The way to fix it would be egress filtering where all consumer class lines were barred from directly querying the root servers. Would suck greatly for anyone who wanted or needed to run their own resolver, and would break the original end to end design of the internet, but it would be the most likely response to the threat. The ISP's would love it too since it would allow them to have a captive audience for their ad laden DNS servers.

Congratulations, you sound like the possible "courageous engineer" mentioned in my post. I only hope your solution is ready to be turned on at the flip of a switch and the ISPs have a corresponding fail over system to switch to for their consumers when it happens. Ad laden DNS servers are better than no DNS servers at all, correct?

Re:Internet Backbone DDOS in 2002

[purpledinoz]

One has to remember that even though the Internet was developed by the military to be resistant against attacks, the private sector has built most of it with cost in mind. So naturally it's not as robust as it could be, but it's quite cheap.

Re:Internet Backbone DDOS in 2002

[Lumpy]

Nope if you take out ALL The root servers right now I'll still be able to get around on the internet. My servers will still serve up information. my clients will still work.

Do it get to use the for dummies name resolution? nope.

If I type in 74.125.67.100 in my browser, google still shows up.

granted everything in google is useless as they dont log the IP addresses, but that's moot for me. PLUS I can always go to one of the alternate DNS servers and use them. or my local cache... that would work for weeks without the root servers.

Re:Internet Backbone DDOS in 2002

1) There's a lot more than 13 root servers nowadays. Many of the servers are mirrored using anycast [wikipedia.org]. Wikipedia had a total of 123 in 2006 so it's a safe assumption that there are even more today.

One hundred and twenty three root servers ought to be enough for anyone.

Re:Internet Backbone DDOS in 2002

It was developed by research agencies to rapidly communicate data. It was most definitely built with cost in mind from the get-go.

It was never designed to be resistant to attacks, nuclear or otherwise, except that it was supposed to be a support tool for researchers who were probably studying those very things.

In any event, the research they were working on would not be a priority during such attacks if they had ever occurred. It would have been extremely unlikely to distill results in the time scale necessary to be an effective battlefield tool. Any information that researchers would be able to provide to commanders in the field could be communicated just as quickly with conventional means.

Re:Internet Backbone DDOS in 2002

[ivan256]

If I type in 74.125.67.100 in my browser, google still shows up.

Sure, but the search results would be useless.

Re:Internet Backbone DDOS in 2002

[iamhassi]

Actually the question was if it could be taken down by hackers, not if the mainlines in the ocean being cut would take down the internet.

from article:
"Alan: That's a great tip. One last question: in 1998, the members of L0pht testified in front of the US Congress that a committed team of hackers could take down the entire Internet in 30 minutes...Do you think that statement still holds today?"

"Dino: Yes, and I probably shouldn't say much more about it than that. "

Honestly, I think the guy's full of it.

Re:Internet Backbone DDOS in 2002

[six]

root DNS != Backbone

You can DDOS a server, a network, even big routers, but you can't DDOS the internet.

Cutting random cables here and there won't work either, at most you're going to isolate parts of the net.

The only way to take down the internet in 30 minutes is to exploit vulnerabilities in the BGP core routing protocol and announce netblocks that somehow (that's where something has to be exploited, bypassing filters, smaller blocks and routing costs considerations) takes the priority over other routes for every router that receives the announce.

Not saying that's impossible, but still tough ...

Re:Internet Backbone DDOS in 2002

[Ogive17]

Wouldn't there be some point where a DDOS would stop being effective because there's already too much traffic... therefore keeping up a small amount of the backbone?

If you're able to take down 80% of the servers, it's possible you wouldn't have a chance to even reach the other 20%. You'd probably lose a significant portion of your botnet if you took out that much of the backbone.

Re:Internet Backbone DDOS in 2002

[JoeMerchant]

I would be surprised if it was down for more than 24 hours following that though.

Concur - and if the bad guys would test the system more often (like they did 10 years ago when they hit Yahoo and E*Trade), we'd have a more robust system overall.

I'd be in favor of letting the white hats take a crack at the infrastructure 4 saturday mornings per year, see how much havoc they can wreak in 24 hours and then figure out how to stop them from doing it again in 3 months. We should pay them during the designated attack days based on how much trouble they cause, then pay a different set of people based on how well they withstand the same attacks 3 months later.

Re:Internet Backbone DDOS in 2002

[rdebath]

All you need to do is fetch and use ftp://rs.internic.net/domain/root.zone.gz and you're independent of the root name servers.

Re:Internet Backbone DDOS in 2002

[JWSmythe]

    Actually, that's a lot of the reason that they made some of the root nameservers multicast. Have a look at F, and I through M. It's not perfect, but it moved the root servers away from a handful of central points.

    Back in the day, the MAE's had their bandwidth graphs online. You could see the aggregate for all ports, and (if I recall correctly) utilization by port. Ports were listed out on another page, so you knew the port names, IP's and providers.

    It would have been a pretty simple matter to flood traffic towards a few specific ports in a couple MAE's, and watch things break.

    Now there are a lot more peerings, and those peerings are significantly more robust. It was one thing to kill a 100Mb/s interconnection (oohh, and that was fast then too), but filling up an OC192 will take a lot more work. To overwhelm a MAE, it wouldn't just be one or two OC192's, it would be a significant number of them.

    Have a look at the 1998 MAE services description. If you dig around a little bit on there, you'll see that they used to publish the IP's of each customer interface. "Ahh, lets knock down provider X", sure, you see the IP's of every interface. Flood them to death. :) Of course back then, most people were sitting on 56k dialups, which never really saw 56k, and those frequently connected through modem servers on a T1. You may be able to support 28 dialup modems on a T1, but they'd oversubscribe them like crazy.

    Now, people have bandwidth to do more damage, but it's much less likely to do damage to the core of the Internet. The real damage can occur on small sites, with single servers up on relatively slow lines.

    I was actually surprised there hadn't been a successful attack on some major peerings. I always assumed someone would manage a sustained attack that would do damage. Now it's than much more complex, where you don't get the luxury of bandwidth graphs on the target. :) The only real successful large scale "attacks" I've seen lately were where one provider got annoyed by another provider, and cut off their peering on short notice.

Re:Internet Backbone DDOS in 2002

[JWSmythe]

    Oh please god, don't make those suggestions.

    I haven't been on a residential provider yet, where their DNS worked properly.

    I'm not rude enough to run my own nameserver at home. I piggy back off of my work networks, with finely tuned nameservers. :) It's amazing how much nicer they work, when there are a million people checking out youtube, myspace, and facebook. (oh, and the wonderful world of pron).

Re:Internet Backbone DDOS in 2002

[coolsnowmen]

Then, thank goodness for google cache.

Re:Internet Backbone DDOS in 2002

[vlm]

How about every ISP host their own anycast-ed root server?

Its not unusual anymore (since, like, the 90s) for ISPs to host their own NTP, why not an anycasted root?

I'm not sure there is a scalability reason to not have a zillion anycasted root servers... is there?

If, somehow, someone knocked out AT&T wisconsin's dns root, why would I know or care unless I were downstream of it?

And I can still run my own DNS server, which actually works unlike my ISPs DNS.

Re:Internet Backbone DDOS in 2002

[Thinboy00]

What if you run a web server and don't feel like wiping your logs and rebooting four times a year, and don't have the money to:
1)Fix the problems
2)Be concerned about (criminal) hackers since you're not a big business, hence the crackers don't have an incentive to attack you (they could more easily attack /dev/random/corporation)

Re:Internet Backbone DDOS in 2002

[neo]

I'd be in favor of letting the white hats take a crack at the infrastructure 4 saturday mornings per year...

Exactly WHOSE "morning"? And whose SATURDAY for that matter. Your morning isn't the same as Italy's or Japan's or ... well you get the idea.

Re:Internet Backbone DDOS in 2002

[JoeMerchant]

I'm assuming the white hats would only attack targets that actually care about security - ones that consent to be attacked for the sake of improving their robustness.

In another light: who cares about lame-o sites that can't be bothered with this? You probably don't have any money to extort anyway - so you're just a possible 'bot to the bad guys, not a direct target. The targets are the ones who should care enough to improve themselves.

The program would still benefit the little guys with new security patches against the newly found attacks, if the little guys could be bothered to do an automatic update.

Re:Internet Backbone DDOS in 2002

[aix+tom]

If 1) and 2) are true, then there is a high probability that

3) You don't care if your web server is down for a few hours/days.

is also true.

Also, 1) would be most likely fixed without charge, if you have the normal OS security updates enabled on your web server.

Re:Internet Backbone DDOS in 2002

[spacefiddle]

Yah, i have to agree. By and large, the reason it hasn't happened IMHO is it would be footbullet to major badguy players; they're using their zombies to make money. They can't do that without an internets.

Anyone with the knowlege to wreck the net probably realizes they'd have not just the law, but the criminals after them as well. GLWT.

Re:Internet Backbone DDOS in 2002

[Intron]

We could always just install a really, really big hosts file.

Re:Internet Backbone DDOS in 2002

[Shakrai]

I'm not rude enough to run my own nameserver at home.

Out of curiosity, why is that 'rude'? Are the root servers overloaded or something? I've always run my own nameserver and aside from a few times when I messed around with linking it to work, I've usually had it going directly to the source. Should I re-evaluate this practice?

Re:Internet Backbone DDOS in 2002

[Shakrai]

That's a good idea. May I make the following suggestion for the first entry:

127.0.0.1 *.doubleclick.net

Re:Internet Backbone DDOS in 2002

That is what i have been doing fo-
206 - Message terminated abruptly

Re:Internet Backbone DDOS in 2002

[JoeMerchant]

Yeah, I thought about that... I suppose that New York's Saturday morning would be as good as any... as long as it is after close of business Friday and before open of business Monday everywhere.

Re:Internet Backbone DDOS in 2002

[JWSmythe]

    Well, it goes a little something like this.

    If every user ran their own nameservers at home, that would put a tremendous load on the root nameservers. It's probably something they can handle, but still not very nice. It also puts some load

    Going through a common nameserver (like your ISP) lets them cache the responses, so even though you haven't resolved a name before, someone else may have, reducing the load.

    Unfortunately, large ISP's don't necessarily put the budget they should into nameservers. Some of that fault lies with end users. How many script kiddies could possibly be on a large provider in a large metro area, sharing your nameservers? :) Think of the "what domain isn't registered" game, searching through every letter/number combination there is.

    I prefer to have my own good ones at work. I lose a little from latency from home to work, but I make up a lot where those nameservers are rarely under much load. They do a lot of work, and answer a lot of queries, but nothing like the numbers a large metro ISP can do. :)

Re:Internet Backbone DDOS in 2002

[Yvanhoe]

I'm safe : I noted locally the IPs of Google, Slashdot, the wikipedia, my mail servers and... hem... some sites. Sure they do change, but not every day. It will be enough for me to stay connected. Now that disk space is cheap. There should be a DNS mirror on most machines, it would greatly reduce our dependence on these main machines. Wasn't there a project to make a P2P DNS that exchanged cryptographically signed informations ?

Re:Internet Backbone DDOS in 2002

[neo]

http://www.timeanddate.com/worldclock/fixedtime.html?month=4&day=25&year=2009&hour=10&min=0&sec=0&p1=179

I think you'd just be pissing off most of Africa and Europe then.

Re:Internet Backbone DDOS in 2002

Yes, that's a great idea! Who cares about the peons that actually use the Internet, why should they be able to do anything beyond using their ISP's email and surfing websites!

Re:Internet Backbone DDOS in 2002

[thefuz]

I would be surprised if it was down for more than 24 hours following that though.

That's the thing... so they take down the Internets within 30 mins. Does it really matter _that_ much if it's just back up again in a day or so (and after that, now the folks trying to figure out who owns all the bots have much more data to figure out the responsible parties)? Doesn't seem like an event of this nature would be more than a bump in the road or yet another reason to sell some "I survived the Internet B0tst0rmz of 2009" t-shirts. Speaking of that:

1) Gather monster-storm of zombie PCs
2) Take down Internets
3) Sell "I survived the Internet B0tst0rmz of 2009" t-shirts
4) Profit

Re:Internet Backbone DDOS in 2002

[imemyself]

Using a common DNS server also means you are putting a lot of trust in whoever runs that common DNS server. Considering that my internal DNS servers (that use root hints) are not accessible from outside of my networks, I have more faith in the security of my DNS servers than I do in my ISP's (even though the small ISP I use does not try to actively screw me over like some places :). Caching is also not always a good thing, especially when ISP's cache records for far longer than they should. Anyway's, the number of home users running their own DNS servers (using root hints) is small enough to be completely negligible.

Re:Internet Backbone DDOS in 2002

DNS servers are Tiered, you shouldn't be talking to the top of the ladder.

Re:Internet Backbone DDOS in 2002

[afidel]

Are you behind a consumer grade firewall appliance ala Netgear or Linksys? If you are then you are almost 100% guaranteed to be more at risk running your own resolved than you are forwarding to a decent ISP run setup. The reason is that none of the consumer grade firewalls support source port randomization meaning you are very vulnerable to DNS cache poising attacks.

Re:Internet Backbone DDOS in 2002

[afidel]

I didn't say it was a great idea (in fact I pointed out the major drawback), it's just likely to be the real world response to such an attack.

Re:Internet Backbone DDOS in 2002

Fair enough

Re:Internet Backbone DDOS in 2002

[DarkOx]

True, but if your goal is just "take down the internet", then you don't need to keep your botnet on the net. You give the bots the instruction to begin the attack,

They then automatically do something like
traceroute to some pretty central sites. Google, Microsft, maybe the government sites around the world etc.
Each bot picks randomly form the targets. Then each bot starts the attack.

The attack is not focused on the destination but say two hops before that.

As the host loses its ability to reach that hop it moves its attack to the hop before that and so on and so fourth until its attacking its default router.

You don't need to keep control of the botnet. Hell the bots can close their control channel after the attack order is given so not whitehat can tell them to stop. They just keep doing their evil work until someone manages to kill the host or at least your process.

It will be hell, and take weeks to fix.

Re:Internet Backbone DDOS in 2002

[imemyself]

Nope, I'm behind a Cisco router (doing NAT and with a few ACL's). I have a BIND 9 DNS server on Linux and one on windows Server 2008, both of which randomize their source ports.

That's interesting though, I did not realize it was a major problem with consumer stuff. I wonder why those companies have such great difficulty in making their products work properly.

Re:Internet Backbone DDOS in 2002

[Shakrai]

How many script kiddies could possibly be on a large provider in a large metro area, sharing your nameservers? :)

Well, for what it's worth, I've got my own nameservers (from my authoritative one at work to my personal one at home) configured to only allow access from local hosts. I further monitor them (and every other service on my servers for that matter) and would notice traffic out of ordinary like that. It's too bad that more people don't make that effort. It's not really that hard.

I prefer to have my own good ones at work. I lose a little from latency from home to work, but I make up a lot where those nameservers are rarely under much load

I had that once upon a time when I was stuck with a rural WISP. They would capture DNS packets bound out of their network and redirect them to the local name servers. Don't ask me why. Anyway, they messed up the NXDOMAIN error message for a webpage redirect and annoyed the hell out of me. So I set up a VPN to work, set up a local nameserver to use a work nameserver over the VPN as a forwarder. Gave me a local cache for everything and a good nameserver that wasn't contaminated by hijacking-ad bullshit.

Re:Internet Backbone DDOS in 2002

[Shakrai]

I wonder why those companies have such great difficulty in making their products work properly.

Read Dilbert sometime. That's why.

Re:Internet Backbone DDOS in 2002

[JWSmythe]

    Actually, the first line you quoted, I had intended to imply that it's the large metro ISP that would have the problem with script kiddies, not your own. :) The ISP's nameservers are absolutely pounded on, while others aren't.

    It's actually kind of funny, on my old network, with well over a million daily viewers on a slow day, and more attacks than I care to consider, and our nameservers were never amazing hardware. Fast enough to do the job. Slow enough to not be able to handle any other real jobs. :) And those nameservers were always blazing fast compared to any ISP's nameservers I used. Of course, just being authoritative for tens of thousands of domains is pretty easy compared to being the recursive resolver for several hundred thousand legitimate users and a few thousand script kiddie. :) Even though we had what I was told was an insanely short TTL (5 minutes) so we could make changes quickly, over 100 servers using them for resolution, and a few dozen real human users (like myself), they were still amazingly fast.

    I never had an ISP hijack my DNS traffic, but I did have some with evil traffic shaping. Using a PPP over SSH tunnel to work (it was quick to do, and worked wonderfully) got around those pesky problems. I actually had a more reliable connection with that, with some well scripted monitoring, than any VPN I've used since. :) I had better transfer rates over that, than I did without it, even using the machine I was using for the tunnel as my endpoint for both tests. Oh ya, and I tested frequently. :)

 

Re:Internet Backbone DDOS in 2002

[afidel]

Hell even a lot of high end products didn't do things correctly until patches were released in response to the DNS issue. We run one of the big 3 at work and ours did not do port randomization correctly so we forwarded all requests to a properly patched 3rd party without an affected firewall because AT&T at the time also did not have the correct solution in place. We are going to go to a direct resolver configuration when we upgrade our firewalls later this year which will give us a slight increase in performance but due to having a working solution it hasn't been a priority. Have you verified that your version of IOS does port randomization correctly by testing your resolver? The easiest way to test correctly is documented here.

Re:Internet Backbone DDOS in 2002

[imemyself]

Yeah I actually did that today to check to make sure that the ports were actually was being randomized before I said they were. I'd never really looked into it much before.

Re:Internet Backbone DDOS in 2002

[u38cg]

I'm not so foolish to think that there are aren't ways in which someone who really wanted to could cause serious damage, but I don't include any of the large botnets in this category. These guys want to spam, phish, harvest data, and sell network time. 1995 style penis stroking attacks are not hugely interesting when you're coining it like these operators are.

Re:Internet Backbone DDOS in 2002

[Lumpy]

Only for you. Many people and ISP cache DNS. I can go for weeks without the root DNS servers running. and Smarter ISP's will be able to as well.

Or I can switch to ALterDNS servers and still get DNS name resolution for months or even years after the root DNS servers were nuked.

Being on slashdot I assumed you were savvy and knew something about DNS and it's alternatives.

Re:Internet Backbone DDOS in 2002

[ivan256]

Your DNS cache only contains entries for names you've resolved already. Odds are, search results are going to return a bunch of sites you've never been to.

Besides, Google's DNS entries have a 300 second TTL, so if your DNS server is working correctly, you shouldn't be able to resolve Google anymore after 5 minutes.

Being on slashdot I assumed you were savvy and knew something about DNS and it's alternatives.

I just got trolled, didn't I?

Re:Internet Backbone DDOS in 2002

[JoeMerchant]

Cool site, somebody is always awake - personally, I'd rather lose access to my E*Trade account on one known Saturday every 3 months, instead of one unknown weekday every 5 years.

It can be taken down much faster now.

http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html

A federally enabled Internet kill switch will place an Internet Off Button in the White House which can be used to instantly deactivate the Internet in case of an emergency, such as the plebes getting riled up. This bill, introduced to the Senate on April Fools, is expected to pass.

Re:It can be taken down much faster now.

[Leafheart]

Your Internet maybe, not mine. At least, not because of that.

Re:It can be taken down much faster now.

People misunderstand the scope and power of this law. Sure, only American & NATO NAPs will be turned off, so some IP routing may continue. However, DNS will be vaporized, as it is currently controlled by America. So your internet will become your hosts file, and any IP addresses you've memorized. Have fun with that.

Re:It can be taken down much faster now.

[sam0737]

That just kills the US network I believe, at least not the China's part.

Oh never mind, with the sophisticated great firewall, it's pretty much the same as killed.

Re:It can be taken down much faster now.

[sam0737]

Ok or we should just learn from North Korea, who built their own version of Internet and disconnected from "the Internet." By then, who cares about "the Internet" being shutdown?

Re:It can be taken down much faster now.

[zoloto]

Sounds like they need to have one of these: http://catb.org/esr/jargon/html/magic-story.html

Re:It can be taken down much faster now.

[IDtheTarget]

http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html

A federally enabled Internet kill switch will place an Internet Off Button in the White House which can be used to instantly deactivate the Internet in case of an emergency, such as the plebes getting riled up. This bill, introduced to the Senate on April Fools, is expected to pass.

The guy in the white house may soon be able to take out the Internet when those who inhabit it publish information that is embarrassing to him, but there are other methods of digital conversation, such as Packet Radio, Ham Radio satellites, and other Amateur Radio communications methods.

We will truly know that we are an occupied nation when the white house declares ham radio to be illegal. One of the first steps of any tyranny is the control of information

Re:It can be taken down much faster now.

Key words there are April 1st.

Re:It can be taken down much faster now.

[gclef]

That'll be an interesting negotiation, actually...the US controls the organization that approves the root zone, but the US doesn't host all the root nameservers (and the agreements between ICANN and the roots is not terribly formal, to my understanding, so the root operators are under no particular requirement to do what the US gov asks).

The more interesting one is the gtld-servers, and the affilias servers, which together control all of .com, .net and .org.

In short, the US could nuke some, but not all, of the roots, and all of .com, .net, and .org, but the cc tld's would live on. Less than ideal, granted.

Re:It can be taken down much faster now.

HAMs are already a list of federally interesting people whose names are kept on file before they are allowed to use their radios. If you doubt that radios are more threatening to governments than guns, consider which device requires mandatory licensing.

The HAM list just means it's easier to figure out who's first up against the wall.

Re:It can be taken down much faster now.

[F�an�ro]

Would my ISPs DNS server cease working?
That server would no longer be able to access the root servers for .com, .net, and .org, but wouldn't it have all common names cached?
And what about country tlds?

Re:It can be taken down much faster now.

[metachimp]

You joke, but the Chinese actually have this. They have the capability, at least in theory, to disconnect the entire country from the larger internet.

Re:It can be taken down much faster now.

http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html

A federally enabled Internet kill switch will place an Internet Off Button in the White House which can be used to instantly deactivate the Internet in case of an emergency, such as the plebes getting riled up. This bill, introduced to the Senate on April Fools, is expected to pass.

Good thing the proposed legislation is from a Rockefeller.

Re:It can be taken down much faster now.

First up, this seems like a natural progression of hobby / other stuff, to public safety, to military and other key stuffs. Starts out open, but as it becomes more important, it becomes more regulated.

FAA primary example.

I've yet to read the bill itself, but I'd assume it'd be a similar thing such as this.

But - as far as military and other aspects... surely the military and other important / sensitive networks would be utterly independent from the public networks. If they're not, someone's been extremely stupid :)

In general, the idea is frightening for any libertarian for sure :)

Re:It can be taken down much faster now.

[rastos1]

A federally enabled Internet kill switch will place an Internet Off Button in the White House

And this is what it looks like .

(Job) security

Guy who works in security testing wants people to believe that the state of internet security is OMGcritical? Shouldn't this be tagged "jobsecurity" rather than "security"?

Re:(Job) security

Kind of like Global Warming and Research Scientists...

Re:(Job) security

I agree completely. Warnings like this from security workers can't be trusted. They should be coming from the cleaning lady - now there's a source for internets security info that can't be balked at.

Re:(Job) security

[technicalandsocial]

Except if you were in the security community, or even spent an hour looking up some of the things he has done, you would realize he is someone worth listening too.

Is this news??

[eclectro]

All it would take is the right cables to be cut for the internet to go down. Perhaps with a rented backhoe even.

Re:Is this news??

[myVarNamesAreTooLon]

All it would take is the right cables to be cut for the internet to go down. Perhaps with a rented backhoe even.

A single backhoe might have some trouble getting the entire internet in 30 minutes. What's the top speed on those things?

Re:Is this news??

[ckaminski]

If you want a ride bouncier than the storm chasers in KC10s you can do about 22-25 mph in a Ford 555 (80's vintage backhoe). And that's on a decently paved street. You hit a decent pothole and you better have your feet on the posi button because when your steering wheels hit ground again, you're likely to zoom into traffic or onto the sidewalk.

It's why I only ever did over-street travel in ours at night. Then again, backhoe's are naturally overbalanced to the rear, I never did try to get our straight farm tractor up to speed on surface streets.

I've popped a wheelie in exactly two tractors in my day, one a backhoe, another a dozer. Sort of frightening when you do it for the first time and aren't expecting it.

Re:Is this news??

Ah you need a JCB.

Re:Is this news??

No thanks buddy, I don't swing that way.

30 mins might be optimistic

[Minupla]

Assuming a vulnerability is exploited in BGP, the internet would go bibi in a hurry. That's all our eggs in one basket, and it's a fairly rickety basket. There's still a lot of trust inherent in the BGP fabric and trust is a 4 letter word to anyone who deals with infrastructure security.

Min

Re:30 mins might be optimistic

[gandhi_2]

All these posts... and YOU are the first guy to point out that, at its heart, the internet is a routing protocol problem, not a DNS problem.

Tag this: +1, Only guy who knows what the fuck.

Re:30 mins might be optimistic

[LostCluster]

BGP by design trusts in routing settings being honest... just program a router with can't-get-there-from-here routes, and you'll down the surrounding area's Internet speed, or even connections.

Re:30 mins might be optimistic

[spacerog]

Actually if I remember correctly the specific flaw that we discovered waaay back in the olden days of 1999 (or was it 98?) was with the Border Gateway Protocol which would cause a cascade router failure. We estimated best case scenario that large chunks of the Internet could be unreachable for up to 12 hours and worst case could be down for several days.

The really funny thing about all this is that after Senator Thompson and the Government Affairs committee was finished pimpimg us out as media whores several unrelated people approached us and said "Hey, where you thinking of taking the net down this way..." And we would say "No, that's not what we thought of but your idea would probably work just as well."

The thing is many of those ideas are still valid. The global Internet network is a rickety piece of technology held together with bubble gum and bailing wire. If it wasn't for the fact that people are actively trying to keep it operational I fear it would fall apart under its own weight in a very short amount of time not to mention if someone actually wanted to take it down.

- Space Rogue
http://www.lopht.com
http://www.spacerog.net

Re:30 mins might be optimistic

[lord_sarpedon]

Trust is usually a four letter word to me, but my speling kinda sucks

Re:30 mins might be optimistic

[vlm]

BGP by design trusts in routing settings being honest... just program a router with can't-get-there-from-here routes, and you'll down the surrounding area's Internet speed, or even connections.

No, no one trusts their peers anymore and their configs reflect that. Not since at least the 90s. Since before I started doing BGP support, everyone has filtered their customers routes. WAY WAY too many people try to redistribute 10/8 from their IGP, or maybe try to send us a 0/0. And unscientifically, I'd say about 25% of newbie BGP admins think they own their previous ISPs IP space... so if old ISP gave them 1.2.3/24 they'd ask us to modify our filters to allow the /24, we'd check (have to check each and every customer every time) and see its part of their old ISP's /18, and we'd educate them.

Re:30 mins might be optimistic

[JWSmythe]

    It's much better now. Not perfect, just better.

    But, do you remember when someone advertised 0.0.0.0/0, and that ended up sending everything in the wrong directions? :) That was ... ummm ... around 1997 sometime, I think.

Re:30 mins might be optimistic

[ahabswhale]

I call bullshit.

Every so often you hear about how easy it would be to take down the internet. Yet, it has never happened. It hasn't even come close to happening. I don't doubt it's possible but if it were so easy, it would have been done by now. Some a-holes would have done it just for grins or to prove they could do it. Remember, the world is filled with a-holes.

Finally, people confuse DNS with the Internet. DNS is a feature of the Internet -- it is not THE Internet.

Re:30 mins might be optimistic

So you're saying anyone who deals with infrastructure is illiterate?

Re:30 mins might be optimistic

[NeutronCowboy]

You seem to underestimate the blood, sweat and tears that goes into keeping networks alive. Yes, some assholes could take it down in a heartbeat if everyone would just let them. Fortunately, there are a good chunk of smart people who work tirelessly so that this doesn't happen. So far, so good. the problem: the good guys need to win every time to be seen as successful. The bad guys only need to win once.

Re:30 mins might be optimistic

[Vellmont]

Yet, it has never happened. It hasn't even come close to happening

Not exactly. It was shortly before my time, but the reports are that "the internet" had some significant problems.

I think you're right that it has to be hard enough for it to be too difficult for you average a-hole. The claim was that this might take a group of exceptional a-holes. The thing about a-holes is, they generally don't like other a-holes.

Re:30 mins might be optimistic

[Fred+Ferrigno]

Isn't it the other way around? The people who say the Internet is a house of cards just waiting for a stiff breeze to bring it down are the ones underestimating the blood, sweat and tears that go into keeping networks alive. It's like saying banks would be trivial to rob if there weren't those pesky guards there to stop you.

Re:30 mins might be optimistic

[BitZtream]

The large scale providers filter bgp input from their smaller peers. You have to be 'one of the big boys' before you get to pass AS numbers through to the backbone without telling them about it first.

You might get by with it if you're peering with some smaller provider, as I have in the past, but the end result is that you still have to get them to talk to the real backbone providers to let your AS numbers out.

So while BGP could cause problems if you got a provider high enough up the food chain the chance of that is highly unlikely, and the monitoring systems in place would detect this and alert on it before it had spread across the entire internet anyway. It would probably effect a good majority of the Internet before fixed, but it wouldn't really last long outside of the tiny area where it started.

When this sort of thing happens, the backbone providers have no problem turning you off to resolve the problem immediately.

Re:30 mins might be optimistic

[SignalFreq]

Interestingly, one of the data centers that our company has rack space at just suffered downtime tangentially because of BGP. They had a top level switch fail internally (route processor hardware problem), causing it to see all its BGP peers as down. It then established itself as the Master switch of a VRRP group, causing all traffic to be routed to it and then fail to be routed out because of the route processor error. All the peers continued to see the switch as up, thus preventing them from doing fail over.

Re:30 mins might be optimistic

Random slashdotter calls bullshit on ... the l0pht. Irony meters break worldwide.

GET FUCKING REAL. These guys were among the very best hackers in the world when they were going. I have no reason to suppose they've let their standards slip since then.

Now, get off my lawn.

Re:30 mins might be optimistic

Yup, you're absolutely right, that's exactly why random ISPs all over the world occasionally announce bullshit routes which the rest of the Internet picks up like hotcakes. Yup, you're spot on.

Just because you can't announce 0/0 doesn't mean someone couldn't announce something equally as damaging. Again, you're putting so much faith into backbone providers (tier 1), and that's amazing given their inability to maintain their own shit even on *layer 1*.

I'm glad/happy to know you Do It Right(tm), and I know a lot of people who do as well. That's excellent. But a lot of people don't. You're putting a lot of blind faith in individuals. Do you *really* think every individual with access to a router + uplink-facing ISP is subscribed to NANOG and as intelligent as you or said subscribers? If so, we might as well shut the Internet off now.

I love some of your below comments too:

"(except for unintentional mistakes)" -- it is those mistakes which we have to assume will happen, thus, the whole trust-based protocol known as BGP fails us. There really isn't any other way to see it. It flat out is a miracle that the Internet works as well as it does -- but factually, it *is* broken 24x7x365.

"Doesn't everyone use md5 hashes? Doesn't everyone filter their customers routes?" -- no, and no. What makes you think some ISP in Romania even knows what MD5 hashes are used for on routers? What makes you think their documentation describes it? What makes you think the "original network admin who set this all up" still works there? What makes you think the person who took it over knew how to manage it just as good as the original did?

Again, you put so much blind faith into something that can be destroyed in a matter of minutes. Yes, I said minutes, and I mean minutes. You and I both know how long it takes for routes to propagate.

As a finale, I'll point out that you also put faith into vendors such as Juniper and Cisco to have everything coded correctly. That just isn't the case. If you've been around the block a bit, you'd know that Juniper's BGP implementation still has some improving needed (yes, it has bugs -- hey man, I just set up a policy that announces alternate routes and depreferences another... why did our BGP session just go down? JTAC case #......), and Cisco's had a long history of fixing flaws in their implementation as well. Once again, who's to say every IOS or RE is upgraded with fixed code? There are lots of areas of the world who refuse to pay for IOS upgrades, etc...

Think outside the box a bit. What goes on around you is pretty scary, it just takes a few years of "getting out on the Internet" to see the insanity that exists here, and how much of a miracle it is that all of this truly does work 47 years later.

Re:30 mins might be optimistic

[hr+raattgift]

That really depends on what the vulnerability is.

There are several implementations of BGP from different vendors and at least two open source implementations. The protocol is also relatively simple. Consequently it's hard to imagine a vulnerability that is structural within BGP such that enough partitioning happens to make large the Internet unusable.

In the early 1990s there was a moment where there was a very large partition when AS Path prepending was used for the first time. Cisco routers did not mind the back-to-back duplicate AS. Proteon, Wellfleet and some other implementations discarded the NLRI (prefix/mask + routing information) as part of routing-information-loop avoidance. Gated-derived routers had different approach in its NLRI loop-avoidance code, and rather than use the NLRI or discard that one update, it dropped the TCP session figuring that there was a data corruption bug. The result: BGP sessions between "core" IOS-talking routers and "core" gated-derived routers bounced up and down for a while. This affected most of the exterior routing gateways of ANS, which operated the NSFNET Backbone Service at the time.

This sort of "reset" policy is now known to have been a serious mistake and now is very rare.

Also in the early 1990s there was a hardware interaction problem involving Cisco 7000-series routers equipped with Silicon Switching Processor cards. A "covering" prefix arriving via any routing protocol -- typically BGP -- would cause all the "covered" (longer match of the same prefix) to be deleted with demand-population bringing those routes back into the radix tree like data structure. Demand population used the same CPU that TCP ACK processing and other activities used, so a router in the "core" with a relatively full routing table and a high packet per second arrival rate of a mix of prefixes (as in "core" routers generally) would simply melt down. This would starve timer-sensitive activities like TCP ACKing and processing the BGP protocol state machine. This in turn led to BGP sessions resetting due to time-outs, which in turn reduced the traffic load substantially on the melting-down router. This would "thaw" the router enough that it would bring the BGP sessions back up long enough to receive a covering prefix, and so forth in a loop. This crippled one very large "tier 1" ISP for an hour and change.

There have been a number of minor "ouchies" related to information obtained from BGP neighbours in the years since, with the most embarassing ones having to do with specific implementations' reactions to very long data sets (e.g. extremely large AS_Set attributes, extremely long AS Paths).

There was also concern some years ago (late 1990s) about the frequency of BGP updates, and that a series of actors publishing up/down/up/down transitions as fast as they could might lead to a router "meltdown" with consequences along the lines of the situation described a couple of paragraphs up. This was considered a long term possibility, and as a result a couple of different approaches evolved suppress oscillating prefixes or blocks thereof at a level much lower than that where BGP's fundamentally built in mechanisms (TCP window sizes and fundamental NLRI/RIB processing speeds) would kick in.

The modern BGP "basket" is much less systematically rickety; the systemic ricketyness is the result of BGP being fundamentally being a "push" distribution of vectors rather than a "pull" acquisition of nonlocal (but widely distributed) connectivity and policy maps (as happened when one fed desired map data from USENET's u.* hierarchy into pathalias, for example, using one or more "smarthosts" as the equivalent of IP's 0.0.0.0/0 default).

Sadly, because the "push" NLRIs are not easily cryptographically signed by the source site (unlike PGP around a UUCP/USENET map file or even around an individual entry) there is still a requirement to trust your largest neighbours, although in the early 1990s the remained ANS's Policy Routing DataBase

Re:30 mins might be optimistic

[hr+raattgift]

I'm inclined to agree. There are systemic weaknesses in the Internet, and a few systematic ones that mostly involve being effectively unable to do useful things with perfectly-flowing IP packets. (For example, the utility of the Internet drops enormously if you disable your own DNS locally; try it and go web surfing, or emailing, or whatnot).

Mostly the weaknesses are centred around what could happen if there is a large scale increase in the proportion of bad actors to good actors in various stability-sensitive aspects of the Internet, which given the occasional emergence of host software monoculture is not the best news. A really bad situation would be if, for example, a software update from a large supplier started generating traffic much more aggressively than RFC 2001 / RFC 3465 style TCP, whether through a TCP implementation bug or a deliberate choice of a non-TCP/non-congestion-avoiding protocol for some form of bulk data transfer that becomes very popular. (An obvious approaching-worst case might be if for every packet received by each of a huge number of hosts, an uncached/non-recursive pair of DNS queries (PTR, then A or AAAA) is made on the source address.)

Consequently, the greatest practical risk now comes from insiders at large network operators, router vendors, or one or two particular host software vendors. A bad actor there, or an incompetent one, could lead to sustained widespread trouble.

Re:30 mins might be optimistic

[Minupla]

No, no one trusts their peers anymore

I disagree. This may be true with the providers you work with, but when you get outside of NorthAm, into Central or South America for instance, it's not true anymore.

I had a client who was peering with a tier-1 international provider in one of those countries, the router admin fat fingered something and for a period of time, all the tier-1's traffic was routing through them. Oops. Also, hands up anyone who believes that no one in a tier-1 has a bot infested PC? You with the hands up, go back through Slashdot till you find the military contractor who p2p'd the plans for Marine 1, and answer again.

The biggest reason why the internet stays up is the people running the dark side have a vested interest in it staying up. If you have access to a tier-1, your power is in keeping that tier-1 routing traffic.

Min

Re:30 mins might be optimistic

+5 Insightful.

Re:30 mins might be optimistic

Every so often you hear about how easy it would be to take down the internet. Yet, it has never happened. It hasn't even come close to happening.

The Morris Worm probably qualifies in this regard. More recently submarine cable outages have taken out service to large areas of the world.

Agree about DNS but actually all you need are a large tectonic movement in the Pacific, a wayward anchor in the Mediterranean, an inquisitive student in the US and for good measure Russian mafiosi deciding to bot-pwn eastern Europe or a faulty Windows patch. And so on.

It is not especially difficult to imagine a small number of unrelated and mostly uncontrollable events occuring in close time proximity to wreak havoc. Frequently the way of things in telecoms.

Possible,

[powerslave12r]

Now that the internet has been slashdotted...

YES!!

[s1lhouette]

Pay the right people, know what you are doing, and you could take the ENTIRE thing down. The entire Structure of the Internet is VERY hacked together. Take BGP for example. Very little security in it. And although they are working on sBPG, the current state of things is dreadful. Not to even mention DNS. So yes. We might not have Internet tomorrow. Although I am not an alarmist, I recognize that there are no good assurances in the Internet.

Re:YES!!

[vlm]

Take BGP for example. Very little security in it.

Sounds like somebody not involved in actual BGP work and/or just scaremongering (worship me because I say scary things).

Nobody configures their peers using dns addresses. Doesn't everyone use md5 hashes? Doesn't everyone filter their customers routes?

I did "most of" the customer side BGP at an ISP for "years" with quite a few customers... if every time someone redistributed 0/0 or 10/8 to us we took down the internet, frankly, it would have been down most of the time. Not to mention people whom thought their old providers IP space was their own (as opposed to actual ARIN space)

Then there's the guys who prepend like a hundred times, always good for a laugh or two.

Folks whom think they can take down global BGP by flapping their routes a couple times and don't even know what route dampening is... well...

Now, yeah, one bad dude could take over one router and maybe temporarily down one ISP that is run by fools who don't follow the "rules", but one badly run ISP out of bazillions is not "the internet".

Overall, I'd say out of 30K AS, of which at least 50% don't really know what they're doing, yet they still can't take the sucker down, god knows I've seen everything tried at least once, so a couple black hats don't even have a chance.

Re:YES!!

[morgan_greywolf]

While I tend to agree with you, I do think that a couple of very skilled and knowledgeable black hats with a severely huge and well-distributed botnet who were absolutely intent on taking down the entire Internet, could probably do so using multi-pronged attacks (BGP hacks would only be one part. Remember, for example, the Pakistan YouTube thing a while back?)

Also bear in mind that 99.999% of attacks are perpetrated by completely incompetent amateurs.

Thing is, though, anyone with that much skill and knowledge would have far better things to do and would probably not benefit in anyway from bringing down the whole thing.

Re:YES!!

[vlm]

couple of very skilled and knowledgeable black hats with a severely huge and well-distributed botnet who were absolutely intent on taking down the entire Internet, could probably do so using multi-pronged attacks

Well, then we're getting into definition games. If 50% of the hosts on the net were infected and flooded the other 50% who were not infected/uninfectable yeah then something like that. You're going to have a huge task to find and flood every single BGP peer connection and flood all of them.

Also bear in mind that 99.999% of attacks are perpetrated by completely incompetent amateurs.

Yeah no kidding, and the folks whom do front line BGP support know it. I know it sounds rough, but in many cases it seemed the only difference between the black hats and the customers is the customers paid us money and were at attempting to do something productive.

Thing is, though, anyone with that much skill and knowledge would have far better things to do and would probably not benefit in anyway from bringing down the whole thing.

Unless they were a government hell bent on regulating it and controlling everyone/everything...

Re:YES!!

> Doesn't everyone use md5 hashes?

no

> Doesn't everyone filter their customers routes?

obviously not

> don 't even know what route dampening is

See RIPE-368 "the application of flap damping in ISP networks is NOT recommended."

see also:

http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

Re:YES!!

who

Re:YES!!

So you're basically triple-dog daring someone to do it, right?

Re:YES!!

And since when has any software, even that which "powers the internet", ever been safe from huge gaping holes which are only discovered decades later? You take any protocol (the more complicated the better) and one smart guy or gal to concieve of some twisted method of attack and the whole kitten kaboodle's vulnerable. Not to say that it is currently, but as history has shown we can't simply trust the protocol is safe from harm or claim ignorance because it's too hard to figure out.

Not to mention this is all based on the idea of remote attacks like you mention with one bad dude taking over a router admin'd by fools. Who's to say someone couldn't simply bust into one or two high profile NOCs and impel the local admins to give up the access to anything/everything? Perhaps a mole of some kind collecting the information for later use. I think there's a lot to be said for the human factor when discussing taking down "teh whole interwebs".

I call BS

[jimbolauski]

The whole internet could not be taken down so easily any attempt would have to not only destroy the internet in a precise manor as to make sure that pockets were not created but also make sure that when backups kick in that the attack can reach them.

Re:I call BS

[KillerBob]

There's an awful lot of redundancy and inter-networking going on in the Internet, but a concerted attack at the right points in the Internet could take them offline, and break those links between networks.

No, it wouldn't cause your computer to blow up. It wouldn't break your home network. It wouldn't break your ISP's network. But if AT&T, L3, Verizon/UUNet, GBLX, Qwest, Sprint, etc. couldn't talk to each other, you'd as good as break the Internet. Remember the connectivity issues that were caused last year when L3 and Cogent de-peered each other? And those are relatively small players. Imagine if it were AT&T and UUNet that de-peered each other.

Somebody who knows the architecture of the Internet and *really* wanted to take it down wouldn't have a hard time at it. Just target the peering points between the big networks.

As others have pointed out, there's other weak points in the network, too. Gateway protocols and DNS are vulnerable to attack, as well, for example. :)

Just to get it out of the way

There's no way the Internet could be tak

[NO CARRIER]

Re:Just to get it out of the way

Nah, the fact that you (and only you) were disconnected doesn't mean that the whole intern

[NO CARRIER]

Re:Just to get it out of the way

ha, you suckers. i'm still getting 101.2 mbps spee
[NO CARRIER]

Depends on who you ask...

[imajinarie]

According to my parents and people in my office, the Internet is occasionally down for several hours at a time. Fortunately, they have the ability to reboot it when necessary.

Re:Depends on who you ask...

[Andr+T.]

Yeah, yesterday I was getting an Internet from some friends and I only got it today.

It's not just like a big truck, you know.

Re:Depends on who you ask...

[nilbog]

Fortunately I have the internet backed up on to some CDs. Yup, all 8 gigabytes.

kdawson article?

[kj_kabaje]

Checking to see if this is a kdawson article... Nope. Read on panic mf-er. Panic!

Re:kdawson article?

[kj_kabaje]

Troll, seriously? So hard to tell when kdawson bashing is in vogue or not. Oh well.

it was demonstrated last year

[Paralizer]

When Pakistan decided to block youtube they inadvertently caused a global routing blackhole. The internet is built with the BGP routing protocol, which is based on trust. You trust that your peers will advertise correct routes. If they don't then you get misinformation like in the Pakistan/Youtube situation and it spreads, pretty soon everyone thinks going through Pakistan is the best way to reach youtube so all traffic (or almost all) goes there, then Pakistan simply drops those packets.

Of course this was an accident, but a malicious attack could simply advertise lots of incorrect routes and hose up everything ... at least for a little while.

Re:it was demonstrated last year

[John+Hasler]

> When Pakistan decided to block youtube ... Of course this was an accident...

Was it?

Re:it was demonstrated last year

[vlm]

The internet is built with the BGP routing protocol, which is based on trust. You trust that your peers will advertise correct routes.

Only and exclusively amongst the tight knit community of tier 1 providers. No one accepts unfiltered routes from their customers. (except for unintentional mistakes).

Also, You Tube is not "the internet" as in "the entire internet". Good luck advertising a 0/0 route, even amongst tier 1 ISPs.

Re:it was demonstrated last year

Blocking YouTube wasn't an accident, Crippling the Internet was

Re:it was demonstrated last year

[BitZtream]

Funny, during all that I had no interruption to YouTube.

Because ... the Internet functioned as it was supposed to and the BGP filters at some backbone provider up the food chain from me prevented me from noticing.

Did you read the article you linked to? Let me help you:

The telecom company that carries most of Pakistan's traffic, PCCW, has found it necessary to shut Pakistan off from the Internet while they filter out the malicious routes that a Pakistani ISP

Lets read that carefully. PCCW turned off Pakistan. They turned the country off to prevent the problem from continuing to cause more wide spread problems, and to buy themselves some time. End of story. Most of the rest of the Internet had no clue.

There are also methods to detect router black holes and prevent them, so even when this sort of thing occurs, it is automatically worked around at some backbone providers.

This has all happened before, and will all happen again and no one that matters will notice next time either. Nor will it be nearly as scary as this thread would like everyone to think it is.

Re:it was demonstrated last year

Your logic is flawless.

hey guy! this big world-wide disruption thing happened but someone somewhere figured it out and did something to stop it! therefore the problem does not exist!

also bsg 4 lif

CME

[rthille]

http://www.businessinsider.com/could-the-sun-destroy-the-earth-2009-3

Coronal Mass Ejection, a big enough one could wipe out all life on earth, and fry all the electronics.

Re:CME

[fan777]

I did that once. It felt pretty good.

Re:CME

[mellon]

If the CME wipes out all life on earth, who *cares* about the electronics?

Re:CME

[Arthur+Grumbine]

>

Coronal Mass Ejection, a big enough one could wipe out all life on earth, and fry all the electronics.

I have a feeling that one of those two consequences won't matter if the other occurs...

I mean, seriously, life would totally not be worth living without my electronics...

Re:CME

[commodoresloat]

a big enough one could wipe out all life on earth, and fry all the electronics.

yes, yes, but how will it affect the Internet?

Ohhh yeah.

[Aphoxema]

30 minutes? With how fast the internet is (There's few places in the world I get a ping reply within seconds), the internet could be taken down within 30 seconds if the perfectly right-wrong thing happened.

It'll probably happen eventually, but I wouldn't lose any sleep over it. It's not like the internet, you know, is a living creature that depends on every breath to survive.

We need to mesh more

[Casandro]

ISPs should be forced to have to peer at any POP they join. Then the Internet would potentionally be a lot more stable.

Re:We need to mesh more

[LostCluster]

Forced peering would lead to situations where the data flow could be tilted from one side to another. "Peering" requires relatively equal data flow between the partners.

Re:We need to mesh more

[Casandro]

Yes, but where is the problem? A line doesn't need to be equially loaded in both directions. That's just a decision beancounters made. It doesn't make much sense in real life.

Just get a line between 2 ISPs and route only the trafic between those 2 ISPs on that line until it's full. The rest can go the long way.

Re:We need to mesh more

[vlm]

ISPs should be forced to have to peer at any POP they join.

Forced to peer with spammers? no thanks!

Also "the internet" is mighty big. You might pull this off in one country, maybe the entire EU, but probably not the whole world. We (as a planet) can't even agree on basic human rights, much less the middle school girl game of whos gonna peer with who.

Re:We need to mesh more

[Casandro]

Maybe "forcing" is a bit strong, but ISPs should definitely be encouraged to do so. Every packet which does not go over centraliced portions of the net makes it more stable.

Re:We need to mesh more

[vlm]

Maybe "forcing" is a bit strong, but ISPs should definitely be encouraged to do so. Every packet which does not go over centraliced portions of the net makes it more stable.

1) Maybe if I won't peer with him, he will hire me as an upstream and I'll make money. Extra funny if both sides try the same strategy. Even funnier if one side was recently paying the other, and now refuses and/or is going bankrupt.

2) My cheap router doesn't have enough memory/CPU/whatever to peer with EVERYONE at the IX, somebody is going to get cut. Or maybe I have the hardware, but the guy I'd like to peer with simply does not.

3) Maybe the IX charges $x for each peering connection (they gotta pay their bills somehow). So, if that peer is only worth $y of paid upstream traffic, and $x > $y, then ...

4) ISP "Y" does not have enough capacity outta the IX to handle the traffic I'd like to send them. (no one ever admits in public they are the ones whom don't have a large enough pipe to the IX, its always the other guys)

5) "X"-IX is just icky and flaps all the time and drops packets. Now that is good enough for our connection to Afghanistan Telco because we can blame the problems caused by the IX, on the satellite, but our customers will not tolerate those problems when connecting to skype, so no peering for skype at that IX! Bonus points if "X"-IX is on the other side of the planet from our techs, and/or their support sucks.

6) I'm secretly a middle school girl whom runs BGP at ISP "X" (sounds like an Anime series?). Now, I heard, that she said, that he read on the bathroom wall, that the middle school girl whom runs BGP at ISP "Y" said my network sucks, so ISP "Y" is soooooo off my myspace friends list and livejournal and AIM and also I'm not inviting them to my peering party. Now personally, I believe this scenario accurately represents about 99% of all peering disputes.

Re:We need to mesh more

you know nothing

Who and Why?

[RiotingPacifist]

His answer is pretty vague, but if i know anything about computer security (and i don't), isn't the key thing to decide who your attackers are and what they want! I'd guess that the people running large botnets could DDOS the root DNS servers, but as they have no motive to do that its very unlikely they will. So who would want to take down the internet?
Perhaps russia/china/us if they were about to start a world war (possible, but if that were the scenario we'd have bigger problems)?

Re:Who and Why?

[Niris]

On one hand I think some people would want to take it down to go in history as the person who took down the Internet. On the other, they'd probably end up ripped apart by the hordes of WoW players who are forced out of their basements by the lack of Night Elf cleavage.

Prevent Over Logging

[teko_teko]

Today we take the Internet for granted, but it could go down any time from over logging. We have to prevent this by using the Internet when truly necessary, and to only view Internet porn twice a day... max.

Re:Prevent Over Logging

Today we take the Internet for granted, but it could go down any time from over logging. We have to prevent this by using the Internet when truly necessary, and to only view Internet porn twice a day... max.

point the finger at yourself. not everyone is a internet engineer.

Re:Prevent Over Logging

south park?

Re:Prevent Over Logging

for many hours at a time, leading to 'as usual' practice of using the internet, hence making your plan a strategic WIN

There you go, i am now fully prepared for my physics exam

NAH

[neo]

"A memorandum published by the DoD in March 1982 declared
that the adoption of TCP/IP as the DoD standard host-to-host
protocol was mandatory and would provide for "host-to-host
connectivity across network or subnetwork boundaries."

          Military requirements for interoperability, security,
          reliability and [b]survability[/b] are sufficiently pressing to
          have justified the development and adoption of TCP and IP in
          the absence of satisfactory nongovernment protocol
          standards."

Emphasis mine.
http://www.columbia.edu/~rh120/other/tcpdigest_paper.txt

Re:NAH

[iluvcapra]

The DoD also approved the Space Shuttle's final dimensions on the basis of $100/lb launch costs and a constant schedule of military payloads... I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be to happy to certify their nuclear/chem/bio survivability and tactical necessity. They just like to buy toys, and nobody questions them about wether they really need something, and nobody ever tests them to make sure they really use it...

At least in this case we ended up with the Internet, and not the spaceplane-that-wouldn't-die-and-syphons-science-money.

Re:NAH

[truthsearch]

I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be to happy to certify their nuclear/chem/bio survivability and tactical necessity.

That would be a mistake. They should only certify Twinkies.

If Family Guy has taught me anything, it's that everyone should go to the nearest Twinkie factory in the event of a nuclear holocaust.

Re:NAH

[eleuthero]

yes, it does syphon science money. Why is this a bad thing? Having focused expensive projects is a way to maintain interest in science in general and provide an opportunity for related projects to be developed. Sure, it is bad news for the ag seed libraries, but even these have benefited from our ridiculously expensive space program.

On a related note, I really like orange tang and appreciate the early space program.

Re:NAH

[BarryJacobsen]

If Family Guy has taught me anything, it's that everyone should go to the nearest Twinkie factory in the event of a nuclear holocaust.

If Family Guy has taught you anything, then may god have mercy on us all.

Re:NAH

[Verdatum]

I always thought...that dogs...laid eggs!...and I learned something!

Re:NAH

[Bearhouse]

They just like to buy toys, and nobody questions them about wether they really need something, and nobody ever tests them to make sure they really use it...

Well, in the case of nukes, I guess we're all pretty glad that they're using supercomputers to test them now, and that they never 'really used' them...

Re:NAH

[Bearhouse]

Sorry to reply to my own post - of course they sued them. How could I forget Hiroshima & Nagasaki. Apologies.

Re:NAH

... you're going to sue a nuke?

But how can you sue that that does not exist?

Re:NAH

[Obfuscant]

Yes, they used them in Japan, and many tests in the South Pacific and Nevada.

Unfortunately, those uses were then, and this is now. The hardware we are counting on now hasn't been through real testing, only simulations. Make the right assumptions and a simulated twinkie can destroy a simulated continent.

Re:NAH

[CarpetShark]

The DoD also approved the Space Shuttle's final dimensions on the basis of [stuff]... and a constant schedule of military payloads...

And how many military satellites has the shuttle been used to launch, I wonder? All of the GPS satellites to begin with, I'd guess. Maybe the DoD got exactly what they wanted out of the shuttle.

Re:NAH

[Anonymous+Cowpat]

Is the twinkie made of antimatter?

Re:NAH

[Verdatum]

"Well, let's say this Twinkie represents the normal amount of psychokinetic energy in the New York area. Based on this morning's reading, it would be a Twinkie thirty-five feet long, weighing approximately six hundred pounds."

"That's a big Twinkie."

Re:NAH

[killmenow]

The only thing Family Guy taught me is that all jokes start with "like that time I..."

Re:NAH

[linzeal]

It is the vulgar comedy of the day. It is fun to watch but just because they have people on their like Stewie and Brian on there waxing intellectual does not mean it is.

Re:NAH

[RsG]

Or maybe moving at close to the speed of light relative to the Earth's surface?

Hell, both put together, and you've got a delicious, hyper-kinetic anti-Twinkie with enough potential energy to punch a hole in the crust.

Plus, we don't have to assume it's snack sized; a Twinkie large enough to feed a small family for a few years is still a Twinkie. (This assumes that the small family in question is likewise made of antimatter of course.) I'm pretty sure Twinkieness is a question of composition and shape, not mass. It only needs to be small enough not to change shape into something untwinkie by way of self-gravitation.

Assuming a three ton rest mass Twinkie comprised of antiparticles moving at 0.9 c, and we get exactly the sort of simulated sugary Twinkopalypse the GP warned us about.

Re:NAH

[mR.bRiGhTsId3]

Congratulations. You, sir, have made me laugh far harder than I ever have before while reading an online posting.

Re:NAH

[Matt_R]

AFAIK, all the GPS satellites were launched on Atlas or Delta rockets.

Re:NAH

That reminds me of the time Ron Perlman taught my economic 101 class while high on meth.

Re:NAH

Epic. Beautiful. I laughed, I cried, I bookmmarked this post.

Re:NAH

[SJ2000]

United State of America v. $124,700 05-3295

Re:NAH

[iluvcapra]

We coulda built three superconducting supercolliders with the money spent on one ISS, and I don't think the ISS will ever deliver the science of the SSC. At least that's what Steven Weinberg thought, and he's better situated to know than either of us.

Re:NAH

[Ginger+Unicorn]

NASA didn't invent Tang. They just drank it. In fact the space program didn't invent any of the things people think it did. There is however a long list of things it has has done for us.

Re:NAH

[Verdatum]

Sue a nuke? Ah yes, you mean a snuke? I once had one up my snizz.

Re:NAH

[black_lbi]

It's nucular you dummy! The s is silent

Re:NAH

[Anonymous+Cowpat]

... I don't even know what a twinkie is

Yes, it can

[DirkBalognapantz]

With the Anti-Life Equation.

summing up

[godrik]

the only two statement of the interview:

-"I can not say anything"

-"macs are great"

...

I am ready for the DNS takedown!

[belloc1]

I have all my most important sites IP addresses written on Post It notes all over my wall.

Bring it!

Re:I am ready for the DNS takedown!

[noidentity]

I have all my most important sites IP addresses written on Post It notes all over my wall. Bring it!

This guy has the entire DNS namespace cached in post-it notes. We have nothing to fear!

Re:I am ready for the DNS takedown!

[robbrit]

That porn site must have a lot of servers to take up that many Post-it notes!

30 minutes?

London would like a word with you...

All it takes is some retard cutting undersea lines or cutting a bunch of underground wires.

I find his lack of faith disturbing

[RiotingPacifist]

Are jail/chroot/other sandboxes so ineffective the only way he can securely browse the web is in a virtual machine?

I know VMs are all the rage nowadays but it seams pretty dumb to rely on them for secuirty instead of designing secure systems.

30 won't do at all

[Captain+Spam]

30 minutes? Hm, nah, that won't do. Better make it 45. Gotta save all my work first.

Ask my girlfriend . . .

[PolygamousRanchKid+]

. . . she accuses me of "turning off" or "breaking the Internet" at least once a day.

That's the power that you get with 57 levels of Slashdot Achievements. A big switch labeled "Internet On/Off."

Re:Ask my girlfriend . . .

Lies... lvl 57 Slashdotters don't have girlfriends.

DNS?

[rickb928]

And would a determined botnet herder be able to 'take down' the Internet by launching a worldwide DNS cache poisoning attack and redirecting to a botnet-based DNS server farm? How much of the Internet would die?

Probably much easier to coordinate multiple botnets to DDOS the root servers, and also nail a few prominent servers at larger ISPs.

Naww. That's been pretty much fixed. Attacking BGP is so much more effecient. Nevermind.

October 27, 1980 ...

One word: RFC789.

"On October 27, 1980, there was an unusual occurrence on the ARPANET. For a period of several hours, the network appeared to be unusable, due to what was later diagnosed as a high priority software process running out of control. [...]"

I have a raid!

[red90tsi]

I sure hope the internet doesn't go down, all those poor souls in Northrend will die if I cant stop Kel' Thuzad and Malygos.

Re:I have a raid!

[DrgnDancer]

Again.

YAH!!

[Fungii]

Survivability.. so maybe

All it was designed for was to survive a single point of failure.

(note that I'm quoting canajin here in case there is any confusion)

What makes you think survivability implies the ability to survive nuclear war? The fact that you've heard as much parroted anecdotally countless times in the past?

Re:YAH!!

[644bd346996]

What else would survivability have meant to the DoD in 1982?

Re:YAH!!

[Fungii]

Oh, I don't know.. maybe it could have meant the ability to survive a single point of failure?

Re:YAH!!

[644bd346996]

I'm pretty sure that not having a single point of failure was considered part of "reliability" even back then.

Yes, but...

[BitwizeGHC]

Yes, but no one will believe that it can be until a crazed ex-federal agent stages a "fire sale" in order to prove it. And then disaster will be narrowly averted because Bruce Willis kicks his ass.

Hell yes you can!

[bazonkers]

All I have to do is unplug this little wire and the internet completely goes offli{#`%${%&`+'${`%&NO CARRIER

Do not underestimate the power of the darknet.

[Maintenance+Goof]

Fine they take thirty minutes to shut down the internet for ten minutes. Some areas stay down because they remain infected or untrustworthy. Some areas loose phone service and the ability to contact the machines they need to contact to make a repair. Tons of technicians have to actually visit remote servers clean up and reboot them. At the end of the week, we have a stronger network and Rush blames Al Gore for not making a stronger series of pipes in the first place.

Re:Do not underestimate the power of the darknet.

[DanJ_UK]

Series of tubes.

Re:Do not underestimate the power of the darknet.

[Maintenance+Goof]

Are you predicting that Rush will quote Stevens correctly? Before you answer, keep in mind that OxyContin is a powerful drug.

Mutant Porn!

[Pearson]

But just think of all the possibilities of Mutant Porn!

Re:Mutant Porn!

[neo]

Isn't this called Hentai?

Could? should.

The real question is should the internet be brought down in 30 min.

A: probably so.

Typing google into google will break the internet.

Here's the proof:

http://www.youtube.com/watch?v=wrQUWUfmR_I

Never happen!!

[dontmakemethink]

Porn will always survive.

Re:Never happen!!

[xgr3gx]

What loser would want to take down the whole internet?
Here is what would happen shortly after...
Hey guys, I rule, I just took down the internet in less than 30mins!
Wow, you're a l33t h@xor! We love you!
Now what do we do?
Lets play some Counter-Strike - oh wait, no internet..hmm.
Oh - I'll post this on my Twitter and Facebook page - crap, can't do that either.
Well, I'll treat myself to a new MP3 player from amazon.com ... damn.
At least I can start downloading some music...crap again.
I'll watch some Family Guy on Hulu - damn!
I can waste some time on YouTube - damn!
Ok - I'll dl some new pron and go to bed...oh crap what have I done!
What the hell am I supposed to do now! I'll have to leave the house, and worst of all pay for pron!

Re:Never happen!!

[vlm]

UUCP, fidonet, and WWIV BBS back from the grave!

Dare I suggest DECnet?

Yes.

[w0mprat]

By a Cylon virus. I still think we shouldn't have networked our computers.

Nobody can kill the internet

[hviniciusg]

It has got self aware!!!. its everywhere

Sugar and air.

[PinchDuck]

I just unplug the phone line into my DSL modem and blow into it. Then, for good measure, I pour in some powdered sugar. Then I blow into it again. The sugar and air hit the pneumatic pumps. The air acts like an embolism, forcing the pumps to work like mad. The sugar gets stuck in the compression rings, shredding them and dropping the bit pressure to the rest of the internet. *Poof*, there goes the network.

Comment removed

[account_deleted]

Comment removed based on user account deletion

shutdown

When I type :
shutdown -h now
the whole internet goes down in about 5 seconds.

Even more of a reason to resurrect guerilla.net

[pongo000]

Someone needs to get guerilla.net going again, now that l0pht has abandoned it. There is something attractive about being able to maintain communications even under government or terroristic attacks...

Protect intranets.

[w0mprat]

My method is to put a clamp around my ethernet cable. I figure this reduces the diameter of the pipes restricting flow of negative electrons used by hackers coming down the international pipes, this stops the electron buffers in windows from overflowing.

The other way is I wire up my mains postive to the DSL socket negative because the positive electrons neutralise the negative electrons used to inject codes. Proof that it works is in the shower of sparks.

breaking the internet

[hldn]

i have it on good authority, that if you type google into google, you can actually break the internet.

Re:nah. - his porn will survive but sadly he won't

As there is a flaw in your logic:
Underground. You know, where you live. In your mama's basement.

The porn archive may well survive underground, his computer being underground will also survey, as will he initially. Unfortunately however his mum will be above ground, she won't survive and therefore he won't survive as there will be non-one to cook for him, provide clothes and maybe even wash him! Sorry moral of the story if you want to survive with a collection of porn get yourself a job as Hugh Hefner archivist and survive with a few of his serving wenches to look after you !

Or in other words

[wsanders]

The DoD doesn't like losing their pr0n anymore than anyone else does.

What do you expect, they slap themselves on the forehead in 1990-something, saying "Oh s***! We forgot to design it to survive a war!"

Re:Ask my girlfriend . . . TYPO!!!

"Ask my MOM . . ." . . . she accuses me of "turning off" or "breaking the Internet" at least once a day.

There fixed that for you!

less than 30 min

Okay guys we need a lot of boats with pionty anchors.

Hang on.

[PhxBlue]

You're posting on SlashDot, and you expect us to believe you have a girlfriend?

A wife, maybe. Possibly two or three, if your username is any indication. But a girlfriend? Inconceivable!

The threat is real - fight the power

[Torodung]

All it would take is to lengthen Twitter messages to 616 characters. That would bring the whole thing down.

The truth is "out there."

--
Toro

Learning from Family Guy

[bartwol]

I think we all have a duty to learn from Family Guy.

There. I've said it.

Re:Learning from Family Guy

[Raenex]

Too bad Family Guy has run out of funny jokes, and has taken to showing complete songs of Conway Twitty. A short clip might have been funny once, but the whole damn song? Come on.

Re:Learning from Family Guy

[Verdatum]

It's Andy Kaufman funny. It's funny precisely because it annoys people like you.

Re:Learning from Family Guy

[Raenex]

Which shows exactly why Andy Kaufman wasn't really funny. Funny in the abstract, not in the execution. It's funny to hear the story of the joke being played on it's audience. It's absolutely painful to watch.

Happened here.

[Sasayaki]

Happened just now in the Northern Territory, Australia. All phones and Internet out of the state were cut from 3:00am till 11:52am (just got back about 7 minutes ago).

No problem

[AtomG]

Just unplug the internet for 10 seconds and then plug it back in. Problem solved.

BGP

[highonv8splash]

Anyone work for a major ISP?

It takes me an 30 mins to figure out it is down.

[cenc]

I have been working and living in developing countries for over 10 years now. Long ago I learned to keep an DNS cache and a squid cache locally just to speed my normal connections.

A couple of weeks ago I lost my internet connection, but I was still getting web pages only somethings where missing. After running around checking routers and such, I finally realized my connection had been AWOL for a good while. I was being served out of my local cache in my office, and simply had forgot it was there.

My point is, I think the World would just route around it (i.e. the whole internet).

No, I suspect not.

Because I'm anonymous, it's not likely that many people will see this... BUT...

Yes, lots of people are kind of right when they mention BGP and route flapping, but that isn't what he L0pht problem was about.

It was about being able to disrupt the connections between the BGP servers themselves through ICMP and TCP packets being forged.

People haven't being twiddling their thumbs and I suspect the interviewee isn't that clued in on what's happened since.

There's this obscure feature called TCP-MD5:
http://www.ietf.org/rfc/rfc2385.txt
Protection of BGP Sessions via the TCP MD5 Signature Option

This effectively disarms the attack that L0pht were thinking about when Mudge went to see the President back in the day.

What would an attacker need to do today? I'm not sure... could a DDoS attack cause a similar problem by targetting a particular router's interface with lots of packets? That's hard to imagine. If it were possible then why don't DDoS attacks cause something like that today when someone decides a web host needs 1GB/s or 10GB/s of junk traffic? Today the infrastructure remains functional and its the tails where the customers are that run into problems.

But otherwise, to launch the same attack that was being talked about back then would require not only guessing IP#'s, port numbers and sequence numbers but also MD5 secret passwords. That plus the dampening of route flapping is likely to defeat the current attacks.

RTFM

[MrKaos]

isn't that what the nslockup command is for?

NSLOCKUP(1) BOUND9 NSLOCKUP(1)

NAME
nslockup - totally fuck Internet name servers indefinitely

SYNOPSIS
nslockup [-option] [name | -] [server]

DESCRIPTION
Nslockup is a program to totally fuck up Internet domain name servers. Nslockup has two modes: fun and
blackmail. Fun mode allows the user to fuck up name servers for entertainment. In blackmail mode nslockup
can fry organisations, countries or the entire fucking internet. Blackmail mode is the 3.???? before
4.Profit.

...

Don't any of you guy's rtfm

Re:No need nuclear

Skynet can take down the internet in less than 30 minutes.

kad

Internet is allready down all we are working on are mirrors ... of mirrors ... of mirrors ...
welcome to the matrix :D

internet security

[matthegamer555]

well it only really takes a group of really determined black hats who have been burned by something. the thing about cyber security is that it is in essesence the same as a real world security in that you can designe hundreds of ways to prevent crime but the criminal only has to find one way to commit it, if someone has the right plan of action and is creative then there is literaly no limit to what he can do