Slashdot Mirror


Could the Internet Be Taken Down In 30 Minutes?

GhostX9 writes "Tom's Hardware recently interviewed Dino A. Dai Zovi, a former member of Sandia National Labs' IDART (the guys who test the security of national agencies). Although most of the interview is focused on personal computer security, they asked him about L0pht's claim in 1998 if the Internet could still be taken down in 30 minutes given the advances on both the security and threat sides. He said that the risk was still true."

37 of 289 comments

  1. Yes by 2.7182 · · Score: 5, Insightful

    By a nuclear war for example.

    1. Re:Yes by Chris+Burke · · Score: 4, Funny

      By a nuclear war for example.

      Why go to such extremes?

      root@internet# shutdown -h +30 "Teh Intarwebs are going down!"

      --

      The enemies of Democracy are
    2. Re:Yes by ElizabethGreene · · Score: 4, Insightful

      To break the "whole" internet takes some doing. That said, a large scale distributed dns reflection attack or any number of other attacks can turn off large chunks of the internet more or less at will. Thirty minutes seems very optimistic, if the zombies are in place prior to the attack.

    3. Re:Yes by rpmayhem · · Score: 5, Funny

      root@internet# shutdown -c "I'm still reading slashdot you insensitive clod!"

  2. All it needs is a giant Slashdotting by Anonymous Coward · · Score: 5, Funny

    Just visit url://internet

    1. Re:All it needs is a giant Slashdotting by Chris+Mattern · · Score: 5, Funny

      Firefox tells me it doesn't understand URLs. I'd better just stick to HTTPs.

  3. Internet Backbone DDOS in 2002 by eldavojohn · · Score: 5, Insightful

    In 2002 4 or 5 of the 13 root servers were big news ... although we've come a long way since then, I think the integrity of the internet still depends on these things.

    Every so often we get reports that the internet is a rickety old jalopy on its last leg.

    Given this impression and add to it the fact that the botnets seem to grow in tandem with the internet, I wouldn't be surprised to see an attack take her down in 30 minutes although I'm no expert. I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack. You'd have some fail overs and some courageous engineer might save the day but I'd put my money on the bad guys.

    I would be surprised if it was down for more than 24 hours following that though.

    --
    My work here is dung.
    1. Re:Internet Backbone DDOS in 2002 by afidel · · Score: 4, Insightful

      The way to fix it would be egress filtering where all consumer class lines were barred from directly querying the root servers. Would suck greatly for anyone who wanted or needed to run their own resolver, and would break the original end to end design of the internet, but it would be the most likely response to the threat. The ISPs would love it too since it would allow them to have a captive audience for their ad laden DNS servers.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Internet Backbone DDOS in 2002 by Shakrai · · Score: 5, Interesting

      I think 30 minutes is a generous amount of time if one of the larger botnets turned its attention on the root servers for a DDOS attack

      I think you are overlooking two things:

      1) There's a lot more than 13 root servers nowadays. Many of the servers are mirrored using anycast. Wikipedia had a total of 123 in 2006 so it's a safe assumption that there are even more today.

      2) Even if you could render the root servers inaccessible, this doesn't "take down" the internet. Many sites would still be accessible until their DNS cache entries timed out in the nameserver that you use (likely your ISP). A lot of sites set short timeouts on the www 'A' record (for load balancing purposes) but long timeouts on the 'NS' records for the domain. In this scenario your nameserver would still know where to go to get the 'A' record and wouldn't need to consult with the root servers.

      Those caches wouldn't last forever but it would seem to offer enough time to deal with the DDOS. The internet would have limited functionality for a while but it wouldn't "go down". Many operations (site to site VPNs for example) might not even notice.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
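
Added example (not part of the thread or of any commenter's post): a small Python model of the caching behaviour described in the comment above, where a short-TTL A record keeps being refreshed through a long-TTL NS record while the root servers are unreachable. The zone names, addresses and TTLs are constructed sample values, and the resolver logic is a simplification of what a real recursive resolver does.

```python
# Constructed model of a recursive resolver cache; names, addresses and TTLs are samples.
ROOTS_REACHABLE = False        # the outage scenario discussed in the comment
RELEARNED_NS_TTL = 86400       # TTL assumed for a delegation re-learned from a parent zone
AUTHORITATIVE = {"www.example.com": ("192.0.2.10", 300)}  # stand-in zone server: (A, TTL)


class Cache:
    def __init__(self):
        self.rr = {}  # (name, rtype) -> (value, expires_at)

    def put(self, name, rtype, value, ttl, now):
        self.rr[(name, rtype)] = (value, now + ttl)

    def get(self, name, rtype, now):
        hit = self.rr.get((name, rtype))
        return hit[0] if hit and now < hit[1] else None


def resolve(cache, name, now):
    """Return (address, how) for an A lookup at time `now`; address is None on failure."""
    addr = cache.get(name, "A", now)
    if addr:
        return addr, "answered from cache"
    labels = name.split(".")
    zones = [".".join(labels[i:]) for i in range(1, len(labels))]  # closest zone first
    start = next((z for z in zones if cache.get(z, "NS", now)), None)
    if start is None and not ROOTS_REACHABLE:
        return None, "SERVFAIL: no cached delegation and roots unreachable"
    # Everything below the root still answers: re-learn only the delegations that sit
    # beneath the closest cached NS, then ask the zone's own server for the A record.
    below = zones[:zones.index(start)] if start else zones
    for zone in below:
        cache.put(zone, "NS", "ns." + zone, RELEARNED_NS_TTL, now)
    value, ttl = AUTHORITATIVE[name]
    cache.put(name, "A", value, ttl, now)
    return value, "refetched via cached NS for " + (start or "the root")


def outage_timeline():
    """Look up the same name at four points (seconds) after the roots go dark."""
    cache = Cache()
    cache.put("com", "NS", "ns.com", 172800, 0)
    cache.put("example.com", "NS", "ns.example.com", 86400, 0)
    cache.put("www.example.com", "A", "192.0.2.10", 300, 0)
    return [(t,) + resolve(cache, "www.example.com", t) for t in (60, 600, 100000, 200000)]


if __name__ == "__main__":
    for row in outage_timeline():
        print(row)
```

In this model lookups only start failing once every cached delegation on the path has expired, which is the window the comment refers to.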
    3. Re:Internet Backbone DDOS in 2002 by six · · Score: 4, Informative

      root DNS != Backbone

      You can DDOS a server, a network, even big routers, but you can't DDOS the internet.

      Cutting random cables here and there won't work either, at most you're going to isolate parts of the net.

      The only way to take down the internet in 30 minutes is to exploit vulnerabilities in the BGP core routing protocol and announce netblocks that somehow (that's where something has to be exploited, bypassing filters, smaller blocks and routing costs considerations) take priority over other routes for every router that receives the announcement.

      Not saying that's impossible, but still tough ...

    4. Re:Internet Backbone DDOS in 2002 by Shakrai · · Score: 4, Interesting

      I'm not rude enough to run my own nameserver at home.

      Out of curiosity, why is that 'rude'? Are the root servers overloaded or something? I've always run my own nameserver and aside from a few times when I messed around with linking it to work, I've usually had it going directly to the source. Should I re-evaluate this practice?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  4. It can be taken down much faster now. by Anonymous Coward · · Score: 5, Informative

    http://www.networkworld.com/news/2009/040209-obama-cybersecurity-bill.html

    A federally enabled Internet kill switch will place an Internet Off Button in the White House which can be used to instantly deactivate the Internet in case of an emergency, such as the plebes getting riled up. This bill, introduced to the Senate on April Fools, is expected to pass.

    1. Re:It can be taken down much faster now. by Leafheart · · Score: 4, Insightful

      Your Internet maybe, not mine. At least, not because of that.

      --
      --- "When you gotta do something wrong. You gotta do it right. (Fighter)"
  5. Re:true by Anonymous Coward · · Score: 5, Funny

    In 30 minutes?

    You're doing it wrong.

  6. Re:nah. by canajin56 · · Score: 5, Informative

    Not true! ARPANET was designed as it was because there were only a few super computing sites at the time, and they were separated by quite a bit. The redundancy comes in to play only because they didn't want to lose important access if a router broke somewhere, as they are wont to do. All it was designed for was to survive a single point of failure. But even that is distorted. Just because ARPANET was designed that way decades ago, doesn't mean that large corporations decided to keep with that philosophy when they took over!

    --
    ASCII stupid question, get a stupid ANSI
  7. (Job) security by Anonymous Coward · · Score: 5, Interesting

    Guy who works in security testing wants people to believe that the state of internet security is OMGcritical? Shouldn't this be tagged "jobsecurity" rather than "security"?

  8. 30 mins might be optimistic by Minupla · · Score: 5, Interesting

    Assuming a vulnerability is exploited in BGP, the internet would go bibi in a hurry. That's all our eggs in one basket, and it's a fairly rickety basket. There's still a lot of trust inherent in the BGP fabric and trust is a 4 letter word to anyone who deals with infrastructure security.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    1. Re:30 mins might be optimistic by spacerog · · Score: 5, Interesting

      Actually if I remember correctly the specific flaw that we discovered waaay back in the olden days of 1999 (or was it 98?) was with the Border Gateway Protocol which would cause a cascade router failure. We estimated best case scenario that large chunks of the Internet could be unreachable for up to 12 hours and worst case could be down for several days.

      The really funny thing about all this is that after Senator Thompson and the Government Affairs committee was finished pimping us out as media whores several unrelated people approached us and said "Hey, were you thinking of taking the net down this way..." And we would say "No, that's not what we thought of but your idea would probably work just as well."

      The thing is many of those ideas are still valid. The global Internet network is a rickety piece of technology held together with bubble gum and baling wire. If it wasn't for the fact that people are actively trying to keep it operational I fear it would fall apart under its own weight in a very short amount of time not to mention if someone actually wanted to take it down.

      - Space Rogue
      http://www.lopht.com
      http://www.spacerog.net

    2. Re:30 mins might be optimistic by vlm · · Score: 4, Informative

      BGP by design trusts in routing settings being honest... just program a router with can't-get-there-from-here routes, and you'll down the surrounding area's Internet speed, or even connections.

      No, no one trusts their peers anymore and their configs reflect that. Not since at least the 90s. Since before I started doing BGP support, everyone has filtered their customers' routes. WAY WAY too many people try to redistribute 10/8 from their IGP, or maybe try to send us a 0/0. And unscientifically, I'd say about 25% of newbie BGP admins think they own their previous ISP's IP space... so if old ISP gave them 1.2.3/24 they'd ask us to modify our filters to allow the /24, we'd check (have to check each and every customer every time) and see it's part of their old ISP's /18, and we'd educate them.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:30 mins might be optimistic by NeutronCowboy · · Score: 4, Insightful

      You seem to underestimate the blood, sweat and tears that goes into keeping networks alive. Yes, some assholes could take it down in a heartbeat if everyone would just let them. Fortunately, there are a good chunk of smart people who work tirelessly so that this doesn't happen. So far, so good. The problem: the good guys need to win every time to be seen as successful. The bad guys only need to win once.

      --
      Those who can, do. Those who can't, sue.
  9. Re:nah. by interkin3tic · · Score: 5, Funny

    Actually, this is exactly what it's supposed to survive.

    Well, I'm reasonably certain my computer can't withstand a nuclear attack, and I don't think most porn stars are radiation-resistant, so it's really trivial to me whether or not there is still an internet after a nuclear war.

  10. Depends on who you ask... by imajinarie · · Score: 5, Funny

    According to my parents and people in my office, the Internet is occasionally down for several hours at a time. Fortunately, they have the ability to reboot it when necessary.

  11. Re:Is this news?? by myVarNamesAreTooLon · · Score: 5, Funny

    All it would take is the right cables to be cut for the internet to go down. Perhaps with a rented backhoe even.

    A single backhoe might have some trouble getting the entire internet in 30 minutes. What's the top speed on those things?

  12. it was demonstrated last year by Paralizer · · Score: 4, Informative

    When Pakistan decided to block youtube they inadvertently caused a global routing blackhole. The internet is built with the BGP routing protocol, which is based on trust. You trust that your peers will advertise correct routes. If they don't then you get misinformation like in the Pakistan/Youtube situation and it spreads, pretty soon everyone thinks going through Pakistan is the best way to reach youtube so all traffic (or almost all) goes there, then Pakistan simply drops those packets.

    Of course this was an accident, but a malicious attack could simply advertise lots of incorrect routes and hose up everything ... at least for a little while.
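
Added example (not part of the thread or of any commenter's post): a Python sketch of the inbound customer-route filter that vlm's comment above describes, which is also the control whose absence lets a wrong more-specific announcement of the kind described in this comment spread. It handles IPv4 only; the registry, holder names and prefixes are constructed sample values, and the /24 length limit is an assumed operator convention.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_LEN = 24  # longest IPv4 prefix accepted (assumed convention)

# Constructed registry of who holds which block (hypothetical holders, sample ranges).
REGISTRY = {
    holder: [ipaddress.ip_network(n) for n in nets]
    for holder, nets in {
        "customer-a": ["198.51.100.0/24"],
        "old-isp": ["198.18.64.0/18"],
        "content-site": ["198.19.0.0/22"],
    }.items()
}


def check_announcement(customer, prefix):
    """Return (accepted, reason) for an IPv4 prefix received from `customer`."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return False, "default route"
    if any(net.subnet_of(p) for p in RFC1918):
        return False, "RFC 1918 private space"
    if net.prefixlen > MAX_LEN:
        return False, f"more specific than /{MAX_LEN}"
    # Accept only space registered to the announcing customer; name the real
    # holder when the prefix falls inside someone else's block.
    for holder, blocks in REGISTRY.items():
        for block in blocks:
            if net.subnet_of(block):
                if holder == customer:
                    return True, f"within {customer}'s {block}"
                return False, f"part of {holder}'s {block}"
    return False, "no registration found"


def audit(customer, prefixes):
    """Check a batch of announcements; returns a list of (prefix, accepted, reason)."""
    return [(p,) + check_announcement(customer, p) for p in prefixes]


if __name__ == "__main__":
    sample = ["198.51.100.0/24", "0.0.0.0/0", "10.0.0.0/8",
              "198.18.65.0/24", "198.19.1.0/24", "198.51.100.128/25"]
    for row in audit("customer-a", sample):
        print(row)
```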

  13. Re:nah. by ParanoiaBOTS · · Score: 5, Funny

    OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.

    In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function

  14. CME by rthille · · Score: 4, Interesting

    http://www.businessinsider.com/could-the-sun-destroy-the-earth-2009-3

    Coronal Mass Ejection, a big enough one could wipe out all life on earth, and fry all the electronics.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  15. NAH by neo · · Score: 4, Interesting

    "A memorandum published by the DoD in March 1982 declared
    that the adoption of TCP/IP as the DoD standard host-to-host
    protocol was mandatory and would provide for "host-to-host
    connectivity across network or subnetwork boundaries."

    Military requirements for interoperability, security,
    reliability and [b]survivability[/b] are sufficiently pressing to
    have justified the development and adoption of TCP and IP in
    the absence of satisfactory nongovernment protocol
    standards."

    Emphasis mine.
    http://www.columbia.edu/~rh120/other/tcpdigest_paper.txt

    1. Re:NAH by iluvcapra · · Score: 4, Insightful

      The DoD also approved the Space Shuttle's final dimensions on the basis of $100/lb launch costs and a constant schedule of military payloads... I think if you were to hand the DoD a purchase order for a pallet load of marshmallow peeps, they'd only be too happy to certify their nuclear/chem/bio survivability and tactical necessity. They just like to buy toys, and nobody questions them about whether they really need something, and nobody ever tests them to make sure they really use it...

      At least in this case we ended up with the Internet, and not the spaceplane-that-wouldn't-die-and-syphons-science-money.

      --
      Don't blame me, I voted for Baltar.
    2. Re:NAH by BarryJacobsen · · Score: 5, Funny

      If Family Guy has taught me anything, it's that everyone should go to the nearest Twinkie factory in the event of a nuclear holocaust.

      If Family Guy has taught you anything, then may god have mercy on us all.

  16. Re:nah. by rcamans · · Score: 4, Funny

    The stars may not survive, but their videos could in a datastore underground. And your computer could survive in a bomb shelter. Underground. You know, where you live. In your mama's basement.
    Heh heh

    --
    wake up and hold your nose
  17. I am ready for the DNS takedown! by belloc1 · · Score: 5, Funny

    I have all my most important sites' IP addresses written on Post It notes all over my wall.

    Bring it!

  18. Re:Is this news?? by ckaminski · · Score: 4, Insightful

    If you want a ride bouncier than the storm chasers in KC10s you can do about 22-25 mph in a Ford 555 (80's vintage backhoe). And that's on a decently paved street. You hit a decent pothole and you better have your feet on the posi button because when your steering wheels hit ground again, you're likely to zoom into traffic or onto the sidewalk.

    It's why I only ever did over-street travel in ours at night. Then again, backhoes are naturally overbalanced to the rear, I never did try to get our straight farm tractor up to speed on surface streets.

    I've popped a wheelie in exactly two tractors in my day, one a backhoe, another a dozer. Sort of frightening when you do it for the first time and aren't expecting it.

  19. Re:YES!! by vlm · · Score: 5, Interesting

    Take BGP for example. Very little security in it.

    Sounds like somebody not involved in actual BGP work and/or just scaremongering (worship me because I say scary things).

    Nobody configures their peers using dns addresses. Doesn't everyone use md5 hashes? Doesn't everyone filter their customers' routes?

    I did "most of" the customer side BGP at an ISP for "years" with quite a few customers... if every time someone redistributed 0/0 or 10/8 to us we took down the internet, frankly, it would have been down most of the time. Not to mention people who thought their old provider's IP space was their own (as opposed to actual ARIN space)

    Then there's the guys who prepend like a hundred times, always good for a laugh or two.

    Folks who think they can take down global BGP by flapping their routes a couple times and don't even know what route dampening is... well...

    Now, yeah, one bad dude could take over one router and maybe temporarily down one ISP that is run by fools who don't follow the "rules", but one badly run ISP out of bazillions is not "the internet".

    Overall, I'd say out of 30K AS, of which at least 50% don't really know what they're doing, yet they still can't take the sucker down, god knows I've seen everything tried at least once, so a couple black hats don't even have a chance.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  20. Ask my girlfriend . . . by PolygamousRanchKid+ · · Score: 5, Funny

    . . . she accuses me of "turning off" or "breaking the Internet" at least once a day.

    That's the power that you get with 57 levels of Slashdot Achievements. A big switch labeled "Internet On/Off."

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  21. Re:nah. by freyyr890 · · Score: 5, Funny

    OK, then what about by a Cylon invasion? (Which of course, would begin with a nuclear strike.) I doubt that our toaster children would have any trouble with Mccafree or Norton products.

    In my experience if we did have a Cylon invasion McAfee and Norton may be our ONLY defense. Upload it and watch as they can no longer function

    You're horrible. Not even the Cylons deserve Norton and McAfee.

  22. Re:true by mollymoo · · Score: 4, Funny

    I think you're confusing your childhood with a "yo momma" joke.

    --
    Chernobyl 'not a wildlife haven' - BBC News
  23. Re:nah. by peragrin · · Score: 5, Funny

    I'm saving my copy of windows ME just for the cylon revolt.

    --
    i thought once I was found, but it was only a dream.