How To Crash the Internet
rudy_wayne writes "We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a government, like Egypt's, can shut down an entire country's Internet access. And, we thought we knew that you can't take down the entire Internet. It turns out we could be wrong. In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet."
I've got much better ways to cra
The big red button does it all.
Where is he going to go brag afterwards? It's a self-defeating endeavor.
You're the reason we can't have nice things.
I remember a decade ago, somebody from l0pht was discussing how they could take down the entire internet and keep it down for a while. I'm sure many people have made a point of keeping up with advancing technology and continuing to find ways that they could take down the internet itself...
Still interesting to read about though.
How is this news?
We've known for years that BGP has problems.
It's broken big sections of the net before.
http://en.wikipedia.org/wiki/AS_7007_incident
The stock photo in the article says "Where's the internet gone?" but it's just a picture of a couple of people using old computers.
I often see things like this where they feel they HAVE to put a photo in, a meaningful photo to help get the point across. To help get this point across they put in captions to make it clear, but half the time they put ZERO effort into actually finding a suitable image. For this one, they could have at least found a picture with someone with their arms up in despair at the interwebs being down. But no, just people playing games or something on flickery old CRT monitors, or something.
You know what? This REALLY GRINDS MY GEARS. Back to you Tom.
1. make sex home video with Jessica Alba 2. Internet crash
Just unplug and replug the damn router.
Can nobody find the actual paper? Oh wait, here it is, free from the altering lens of the media.
Read this:
http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf
Then read this:
http://www.phdcomics.com/comics.php?f=1174
It's a simulation of the impact of a coordinated attack on BGP. We have known for a long time that BGP is vulnerable to a number of attacks, this being one of them. The researcher has done a good job with the simulations and putting numbers on it.
Nothing else to see here, move along. The writer of the news article has no idea what he/she is talking about. We have much larger stability issues (such as Network Neutrality, IPv6 swap-over and government blocking) to deal with, and theoretical attacks by large-scale botnets on BGP is not something that will keep me up at night.
and 20 minutes later your upstream provider will kill your links and stop taking BGP announcements from you and life will go on.
Seriously Taco? Did you take a timothy pill and get retarded too? Why the fuck are you posting these retarded stories about things we've known for literally 30 years and that have probably come up at least 10 times on Slashdot in the last 5 years.
Might as well just redirect slashdot.org to 4chan, the IQ seems to be about the same nowadays.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Everyone knows you just have to type Google into Google. So please, no one do that, even for fun!
Would it be worth doing just for one day to see how we all cope, or is the prospect of thousands of teenagers hanging themselves because they can't milk their cows in Farmville too much to deal with?
Summation 2
Oh c'mon, everybody knows all you have to do is type "Google" into Google. I really don't know what's happening to kids' education nowadays. Meh.
BGP updates between routers are sent with different QoS marking than normal traffic. So even on fully utilized links BGP updates will have priority and will be exchanged between routers.
L0pht phoned from 1998, they want their story back.
http://www.schneier.com/essay-003.html
So they can crash the internet. Big whoop! I found the END of it last week. Had to go back.
who finds out what BGP stands for.
I mean, how long before some mafia or internet retard decides to launch a DDOS on BGP network routers and then demand $5 million in ransom paid to an off-shore account in the Caribbean. Wait a minute...
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
http://www.theonion.com/video/breaking-news-all-online-data-lost-after-internet,14148/
"An emergency meeting of Internet power players has been arranged. The group includes Steve Jobs, Bill Gates, and Craig of Craigslist."
... that if you type "Google" into Google, you can break the Internet.
have conjectured for quite some time as to the brevity of this issue, only now have we seen the issue successfully coupled with a graduate student's attempt to secure gainful employment after his inevitable entry into real society.
Observing scientists have calculated this graduate student's chances of employment were, until this paper's introduction, low enough to ensure he would spend the rest of his adult life in his parents' basement working on Mechanical Turk projects and Azeroth raids. Only now have scientists been confident enough to conclude this paper, if carefully and properly handled, could propel this graduate student from the ranks of a perpetual computer science education directly toward a rewarding career as a Domino's Pizza delivery driver, or even a cable television installation technician.
Good people go to bed earlier.
You won't crash the internet by crashing into the internet.
The dangers of knowledge trigger emotional distress in human beings.
I'll ask you since you're one of only a few people posting real info. Maybe the attack could be thwarted, but would someone get a nasty bill for damages? An acquaintance told me that they were afraid to host their small web service because someone DDoSed an entire data center, who promptly passed the blame for damages incurred. So forget the big sites, do we have an answer to random DDoS attacks all over the net, say 3 steps below the BGP level?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
It's actually terrifyingly simple to break the internet, but please don't try it, even for a joke: http://www.youtube.com/watch?v=wrQUWUfmR_I
Users call in and say "the Internet is down" so I'm guessing this happens more than this article is letting on!
The paper making this madness appear on the news is apparently this one: http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf
It describes an attack on BGP routers. From its abstract (that could be the f***ing summary of an article of a "news for nerds" website):
"Through simulations we show that botnets on the order of 250,000 nodes can increase processing delays from orders of microseconds to orders of hours."
But also what sensationalist newspaper will NEVER publish short of death threats:
"We also propose and validate a defense against CXPST. Through simulation we demonstrate that current defenses are insufficient to stop CXPST. We propose an alternative, low cost, defense that is successful against CXPST, even if only the top 10% of Autonomous Systems by degree deploy it. Additionally, we consider more long term defenses that stop not only CXPST, but similar attacks as well."
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
He knows how to do it.
Am I eval()? - http://www.monst3r.com.br
I gather that while one individual router is taken down by an ordinary DDoS (which is difficult to fend off), the global cascade effect results from BGP traffic generated by the attacked router. If the router just waited a while before announcing itself after reconnecting, it would strain the surrounding routers a lot less.
The neighboring routers could do the same - simply wait before propagating any changes, and suddenly out of a hundred BGP updates per minute coming in from the affected link, only a single one is passed on.
The infrastructure would be somewhat slower to respond to sudden changes, but those aren't supposed to happen regularly anyway.
Tips or GTFO
"We know that a country, like Egypt, can shut down a country's entire Internet access."
You mean a country like the United States of America. Thanks hypocrite Obama. You decry the squelching of free speech in Egypt, and then push forward with the same Internet kill switch measure here.
So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.
..unless, of course, the would-be attacker is some malevolent government. I don't think I need mention any names here, except that at least one of them starts with a 'C'.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Hate to break it to you. You're likely to see better results attacking the world's root name servers. BGP implementations, for all their faults, do have countermeasures against propagation of frequent state changes, as if they even need them. I don't know how many zombies you need to successfully attack a single ordinary 10 Gb link... Just setting a basic CIR or priority queue for BGP sessions would prevent the success of any such attack. If you want to slow down the Internet why not just have your botnet army consume bandwidth... find a few thousand of the longest paths with the most hops (amplification) and pounce... You won't shut down the Internet but you may succeed in pissing off a lot of people, especially if your attack favors international links. I'm afraid it takes a little more creativity than DDoS to crash the Internet.
Prove it!
As a player for one of the biggies, I can assure you between CoPP and other measures like MD5 between peers, this attack vector is old news.
Tips or GTFO
everybody knows at this point that if you type "google" into google, you can break the Internet ;)
Isn't this exactly what route flap damping (RFC 2439), which is used on most BGP routers today, is made to prevent? Wouldn't the routers just class the link as "flapping" and ignore updates for it for a while?
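The "wait before propagating" idea in the comment a few posts up and the route flap damping question here describe the same mechanism. As an added illustration (not the paper's code and not any vendor's implementation), this simplified RFC 2439-style damping model uses commonly cited default values, assumed here, and shows how a burst of flaps on one link collapses to a couple of propagated updates:

```python
# Added example: simplified RFC 2439-style route flap damping.
# Not from the paper or any router vendor; the constants below are
# commonly cited defaults, assumed here for the demonstration.
from dataclasses import dataclass

PENALTY_PER_FLAP = 1000   # added on each withdraw/re-announce
SUPPRESS_LIMIT = 2000     # suppress the route once the penalty reaches this
REUSE_LIMIT = 750         # un-suppress once the penalty decays below this
HALF_LIFE_S = 900.0       # penalty halves every 15 minutes


@dataclass
class DampedRoute:
    """Damping state a router keeps for one prefix learned from one peer."""
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False

    def decay(self, now: float) -> None:
        """Apply exponential decay up to `now` and re-evaluate suppression."""
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / HALF_LIFE_S)
        self.last_update = now
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False

    def flap(self, now: float) -> bool:
        """Record a flap at time `now`; return True if the update is propagated."""
        self.decay(now)
        self.penalty += PENALTY_PER_FLAP
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True
        return not self.suppressed


def propagated_updates(flap_times):
    """Count the updates a damping router forwards for a route flapping at these times."""
    route = DampedRoute()
    return sum(route.flap(t) for t in flap_times)


if __name__ == "__main__":
    # Constructed scenario: a link flaps 100 times in one minute (every 0.6 s).
    burst = [i * 0.6 for i in range(100)]
    print("propagated out of 100 flaps:", propagated_updates(burst))  # 2
    # Two isolated flaps an hour apart are both passed on normally.
    print("isolated flaps propagated:", propagated_updates([0.0, 3600.0]))  # 2
```

Real implementations evaluate reuse on a timer rather than at the next update, and attach the penalty per prefix and peer; the thresholds are operator-tunable.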
the guy needs to do it, and brag about it afterward. Maybe it will make American CEOs stand up and take notice.
"For some reason a lot of people on Slashdot think", etc.
It's probably not "some" reason -- but rather a very specific reason, which you are kind enough not to spell out in all its embarrassing glory.
-kgj
Perhaps 4 or 5 years ago, some wacks unknown DDoSed the top level DNS routers. IIRC they managed to submerge 5 or 6 of the dozen. Any poor ISP types who compensate for short memory and long router uptime by clearing cache had a most unpleasant day on the phone. Lots of folks had inconsistent connectivity.
It stabilized as the DNS masters did some domain blocking. With much wider use of firewall appliances, it should be easier to recover in the future.
And if the firewalling dynamically dumped offending sources of infinite requests for, say, an hour or so automatically, the impact of punks with VB or botnets can be taken care of with a call to the registered owner of the source address. "Hey, Superbits, clean up your house within the hour or you're off the web. I own your access. You're messing the nest."
if this is supposed to be a new economy, how come they still want my old fashioned money?
Not sure why inter-AS service provider links would lack proper QoS mechanisms to protect the control plane. Reserve ingress and egress bandwidth for TCP 179 destined to and from eBGP IPs on inter-AS facing interfaces. The link won't appear to "flap," BGP won't drop and the global routing table won't churn any more than normal. Additionally, all of these links should be subject to traffic flow analysis for the purpose of tweaking BGP policy anyway. When your interface all of a sudden spikes at 100% capacity, you'd easily be able to determine why, start null routing it, and then call your peering partners and have them do the same. The Internet as a set of pipes isn't as 'dumb' as people think; BGP and these links are constantly monitored.
...about 18-20 years ago, when the WorldWideWeb consisted of about 50 sites - all text based - and things were a LOT looser, some yutz screwed up his router config and set his public IP to 127.0.0.1. It didn't really "crash" the internet but there was this incredible sucking sound as all those packets tried to go home.
Then there was the backhoe operator a couple of years later who was working near a railroad right of way and dug up a fiber bundle belonging to one of the major carriers of the time (MCI IIRC). He ended up blacking out most of the US Eastern Seaboard.
And then there was LDDS (sometimes known as Larry, Darryl and Darryl Service) who reportedly placed a regional switch in a basement near The Point in Pittsburgh just in time for the 1996 flood.
Time's fun when you're having flies. - Kermit the Frog
What would 500 million+ users do without Facebook if this happened?
Mr. Morris did that back in the 80's for a few hours. I was in a computer lab at college when a couple of the lab operators noticed that the Internet was going down. With a stupid little UNIX worm no less! You kids with your new-fangled routing protocols need to get off my lawn!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
-----
1. There are three generally agreed-upon planes, not two - control, management, and data.
2. The described methodology isn't novel. Observing the effects of attacks is something attackers do routinely, as is attack selectivity in order to garner maximum impact. This goes back a couple of decades with regards to DDoS attacks in particular.
3. Routers will continue to forward and process priority 6/7 traffic - i.e., control-plane traffic like BGP - whilst dropping enough data-plane traffic to ensure sufficient link bandwidth & RP/LC CPU overhead to keep routing sessions up and process routing updates. This undercuts the central thesis of the paper.
4. Re-marking all priority 6/7 traffic at the edge is a best current practice (BCP) for network operators; this prevents attackers from sending floods of priority 6/7 traffic in order to force punts.
5. iACLs and GTSM, two more BCPs, protect BGP sessions against direct attack via SYN-flooding, et al.
6. Control-plane policing (CoPP) is yet another BCP which indirectly limits the number of updates/sec via rate-limiting control-plane traffic exchanged between routers.
So, the assertions of novelty in the paper aren't really justified, nor are all the assumptions and assertions regarding the way routers work and the way they handle control-plane traffic. Also, standard BCPs to protect control-plane traffic aren't taken into account. Nor are routine defensive BCPs discussed and taken into account.
Finally, there are other mechanisms which are considerably more effective in disrupting control-plane communication due to high RP CPU which aren't touched upon in the paper, nor are they cited in references. Though there are defenses against those attack mechanisms, as well, they aren't as well-known.
It's generally a good idea for researchers to consult with members of the global operational security (opsec) community while looking for topics and methodologies which are truly unique. This saves a lot of time and effort in duplicating existing work and going down paths which don't lead to truly novel research and results.
It's also a good idea for researchers investigating routing resilience to launch real attacks (in a lab environment) on real routers, rather than just theorizing and simulating, in order to gain an understanding of how they actually behave under attack, and how the various BCPs and other defensive mechanisms come into play.
This .pdf presentation may be of interest, as well.