Slashdot Mirror
How To Crash the Internet
rudy_wayne writes "We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a government, like Egypt's, can shut down an entire country's Internet access. And, we thought we knew that you can't take down the entire Internet. It turns out we could be wrong. In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet."
Where is he going to go brag afterwards? It's a self-defeating endeavor.
You're the reason we can't have nice things.
I remember a decade ago, somebody from l0pht was discussing how they could take down the entire internet and keep it down for a while. I'm sure many people have made a point of keeping up with advancing technology and continuing to find ways that they could take down the internet itself...
Still interesting to read about though.
How is this news?
we've know for years that BGP has problems.
it's broken big section of the net before.
http://en.wikipedia.org/wiki/AS_7007_incident
The big red button does it all.
No! Don't click the big red button - it's a trap! You'll be Rick Rolled!!
1. make sex home video with Jessica Alba 2. Internet crash
There's also one with people in cars floating in a flood. So trashing the net now creates floods. Neat.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Just unplug and replug the damn router.
Can nobody find the actual paper? Oh wait, here it is, free from the altering lens of the media.
Read this:
http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf
Then read this:
http://www.phdcomics.com/comics.php?f=1174
It's a simulation of the impact of a coordinated attack on BGP. We know since a long time back that BGP is vulnerable to a number of attacks, this being one of them. The researcher has done a good job with the simulations and putting numbers on it.
Nothing else to see here, move along. The writer of the news article has no idea what he/she is talking about. We have much larger stability issues (such as Network Neutrality, IPv6 swap over and government blocking) to deal with, and theoretical attacks by large scale bot nets on BGP Is not something that will keep me up at night.
and 20 minutes later your upstream provider will kill your links and stop taking BGP announcements from you and life will go one.
Seriously Taco? Did you take a timothy pill and get retarded too? Why the fuck are you posting these retarded stories about things we've known for literally 30 years and has probably come up at least 10 times on slashdot in the last 5 years.
Might as well just redirect slashdot.org to 4chan, the IQ seems to be about the same now days.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Everyone knows you just have to type google into Google. So please noone does that, even for fun!
Would it be worth doing just for one day to see how we all cope, or is the prospect of thousands of teenagers hanging themselves because they can't milk their cows in Farmville too much to deal with?
Summation 2
BGP updated between routers are sent with different QoS marking than normal traffic. So even on fully utilized links BGP updates will have priority and will be exchanged between routers.
Even worse is when they have a generic IT-related article, an put an image of a keyboard next to the story. The BBC does this a lot - I know that getting stock photos (that are not copyright) is a pain, but really ... a keyboard?
L0pht phoned from 1998, they want their story back.
http://www.schneier.com/essay-003.html
I mean, how long before some mafia or internet retard decides to launch a DDOS on BGP network routers and then demand $5 million in ransom paid to an off-shore account in the Caribbean. Wait a minute...
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
http://www.theonion.com/video/breaking-news-all-online-data-lost-after-internet,14148/
"An emergency meeting of Internet power players has been arranged. The group includes Steve Jobs, Bill Gates, and Craig of Craigslist."
And it's much easier to find than the little pink one (although, I keep insisting it doesn't exist but my wife says I'm just not trying hard enough).
Loading...
You won't crash the internet by crashing into the internet.
The dangers of knowledge trigger emotional distress in human beings.
I'll ask you since you're only of only a few people posting real info. Maybe the attack could be thwarted, but would someone get a nasty bill for damages? an acquaintance told me that they were afraid to host their small web service because someone DDOSed an entire data center, who promptly passed the blame for damages incurred. So forget the big sites, do we have an answer to random DDOS attacks all over the net, jsay 3 steps below the BGP level?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Hahaha yes, quite :)
You all forgot to put the #*D(@5&%h++ NO CARRIER
mod me funny
It's actually terrifyingly simple to break the internet, but please don't try it, even for a joke: http://www.youtube.com/watch?v=wrQUWUfmR_I
>#*D(@5&%h
WHAT? My mother was a saint! GET OUT!
Hey, don't get me wrong. I'm all for repetitive jokes. With suitable timing, they can be a good 'badum tisch'. But much as I always found this one funny, I was always amused more by the impossibility of its very nature (Unless you are using a live see-as-they-type app like ICQ used to have, remember the first time you used that with someone you were flirting with online?). I just felt the urge to call on that impossibility today.
Of course the AC that replied to said calling seemed to be on the defense, obviously assuming I was attacking the OP. That just made the whole little debacle even funnier (in my little mixed up world, that is).
Smitty, are you one of the Imagination Movers?
The paper making this madness appear on the news is apparently this one : http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf
It describes an attack on BGP routers. From its abstract (that could be the f***ing summary of an article of a "news for nerds" website)
Through simulations we show that botnets on the order of 250, 000 nodes can increase process- ing delays from orders of microseconds to orders of hours.
But also what sensationalist newspaper will NEVER publish short of death threaths :
We also propose and validate a defense against CXPST. Through simulation we demonstrate that current defenses are insufficient to stop CXPST. We propose an alternative, low cost, defense that is successful against CXPST, even if only the top 10% of Autonomous Systems by degree deploy it. Additionally, we consider more long term defenses that stop not only CXPST, but similar attacks as well.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
He knows how to do it.
Am I eval()? - http://www.monst3r.com.br
I gather that while one individual router is taken down by an ordinary DDoS (which is difficult to fend off), the global cascade effect results from BGP traffic generated by the attacked router. If the router just waited a while before announcing itself after reconnecting, it would strain the surrounding routers a lot less.
The neighboring routers could do the same - simply wait before propagating any changes, and suddenly out of a hundred BGP updates per minute coming in from the affected link, only a single one is passed on.
The infrastructure would be somewhat slower to respond to sudden changes, but those aren't supposed to happen regularly anyway.
I don't see why not. The internet going down would cause planes to fall from the sky, and (OMG) Facebook and (OMG) Twitter would stop working. So floods would be the least of our problems. Well, the least of your problems - I live on a hill/in a boat/something.
http://ihatehate.wordpress.com
"You must be new here."
"But this one goes to 11!"
"We know that a country, like Egypt, can shut down a country's entire Internet access."
You mean a country like United States of America. Thanks hypocrite Obama. You decry the squelching of free speech in Egypt, and then push forward with the same Internet kill switch measure here.
The Internet has no weight!
Breat Gritain Pounds
So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.
..unless, of course, the would-be attacker is some malevolent government. I don't think I need mention any names here, except that at least one of them starts with a 'C'.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Hate to break it to you. Your likely to see better results attacking the worlds root name servers. BGP implementations for all their faults do have countermeasures against propogation of frequent state changes as if they even need them. I don't know how many zombies you need to successfully attack a single ordinary 10GB link.. Just setting a basic CIR or priority queue for BGP sessions would prevent the success of any such attack. If you want to slow down the Internet why not just have your botnet army consume bandwidth..find a few thousand of the longest paths with the most hops (amplification) and pounce... You won't shut down the Internet but you may succeed in pissing off a lot of people especially if your attack favors International links. I'm afraid it takes a little more creativity than ddos to crash the Internet.
"In 2008, Verizon Communications, Time Warner Cable and Sprint Nextel signed an agreement with Attorney General of New York Andrew Cuomo to shut down access to sources of child pornography.[45] Time Warner Cable stopped offering access to Usenet. Verizon reduced its access to the "Big 8" hierarchies. Sprint stopped access to the alt.* hierarchies. AT&T stopped access to the alt.binaries.* hierarchies."
- wikipedia
Of course there are still plenty of other places to get Usenet. Like groups.google.com (formerly dejanews.com)
Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
... and (OMG) Facebook and (OMG) Twitter would stop working.
I wonder if these people would like any help. I have a couple of machines I could install XP on for that purpose...
I just create a loop back on my cable modem... Ha! Take that, no more tubes!
--- Relax, that mass muderer is just trying to reduce our carbon footprint, one fetus at a time...
Tips or GTFO
Isn't this exactly what route flap damping (RFC 2439) that is used on most BGProuters today is made to prevent? Wouldn't the routers just class the link as "flapping" and ignore updates for it for a while?
Ever tried Googling Google? Crashes the Internet every time.
I can also crash the Internet by unplugging my modem.
Who knows if it has crashed when my modem is unplugged, it is like if someone is not in the room with you, do they really exist? Or do they only exist only when you see them?
"For some reason a lot of people on Slashdot think", etc.
It's probably not "some" reason -- but rather a very specific reason, which you are kind enough not to spell out in all its embarrassing glory.
-kgj
perhaps 4 or 5 years ago, some wacks unknown DDoSed the top level DNS routers. iirc they managed to submerge 5 or 6 of the dozen. any poor ISP types who compensate for short memory and long router uptime by clearing cache had a most unpleasant day on the phone. lots of folks had inconsistent connectability.
it stabilized as the DNS masters did some domain blocking. with much wider use of firewall appliances, it should be easier to recover in the future.
and if the firewalling dynamically dumped offending sources of infinite requests for, say, an hour or so automatically, the impact of punks with VB or botnets can be taken care of with a call to the registered owner of the source address. "Hey, Superbits, clean up your house within the hour or you're off the web. I own your access. You're messing the nest."
if this is supposed to be a new economy, how come they still want my old fashioned money?
Not sure why inter-AS service provider links would lack proper QoS mechanisms to protect the control plane. Reserve ingress and egress bandwidth for TCP 179 destined to and from eBGP IPs on inter-AS facing interfaces. The link won't appear to "flap," BGP won't drop and the global routing table won't churn anymore than normal. Additionally, all of these links should be subject to traffic flow analysis for the purpose of tweaking BGP policy anyway. When your interface all of sudden spikes at 100% capacity, you'd easily be able to determine why, start null routing it, and then call your peering partners and have them do the same. The Internet isn't as a set of pipes isn't as 'dumb' as people think, BGP and these links are constantly monitored.
...about 18-20 years ago, when the WorldWideWeb consisted of about 50 sites - all text based - and things were a LOT looser, some yutz screwed up his router config and set his public IP to 127.0.0.1. It didn't really "crash" the internet but there was this incredible sucking sound as all those packets tried to go home.
Then there was the backhoe operator a couple of years later who was working near a railroad right of way and dug up a fiber bundle belonging to one of the major carriers of the time (MCI IIRC). He ended up blacking out most of the US Eastern Seaboard.
And then there was LDDS (sometimes knows as Larry, Darryl and Darryl Service) who reportedly placed a regional switch in a basement near The Point in Pittsburgh just in time for the 1996 flood.
Time's fun when you're having flies. - Kermit the Frog
I found it easily enough and she thanked me afterward!
Mr. Morris did that back in the 80's for a few hours. I was in a computer lab at college when a couple of the lab operators noticed that the Internet was going down. With a stupid little UNIX worm no less! You kids with your new-fangled routing protocols need to get off my lawn!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Except he can't do it, his idea isn't new, I actually DEALT with this exact type of problem in 96 due to my own ignorance and the solution is painfully simple, flapping route dampening. Done, game over, the Internet moves on and the DDoS kiddies have just added someone else to the list of people getting tired of their shit. Eventually it will end, its going to be a few years though.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
You forgot to give the link!
The Tao of math: The numbers you can count are not the real numbers.
Schroedingers Internet?
The big red button does it all.
No! Don't click the big red button - it's a trap! You'll be Rick Rolled!!
That's what they want you to think.
-----
1. There are three generally agreed-upon planes, not two - control, management, and data.
2. The described methodology isn't novel. Observing the effects of attacks is something attackers do routinely, as is attack selectivity in order to garner maximum impact. This goes back a couple of decades with regards to DDoS attacks in particular.
3. Routers will continue to forward and process priority 6/7 traffic - i.e., control-plane traffic like BGP - whilst dropping enough data-plane traffic to ensure sufficient link bandwidth & RP/LC CPU overhead to keep routing sessions up and process routing updates. This undercuts the central thesis of the paper.
4. Re-marking all priority 6/7 traffic at the edge is a best current practice (BCP) for network operators; this prevents attackers from sending floods of priority 6/7 traffic in order to force punts.
5. iACLs and GTSM, two more BCPs, protect BGP sessions against direct attack via SYN-flooding, et. al.
6. Control-plane policing (CoPP) is yet another BCP which indirectly limits the number of updates/sec via rate-limiting control-plane traffic exchanged between routers.
So, the assertions of novelty in the paper aren't really justified, nor are all the assumptions and assertions regarding the way routers work and the way they handle control-plane traffic. Also, standard BCPs to protect control-plane traffic aren't taken into account. Nor are routine defensive BCPs discussed and taken into account.
Finally, there are other mechanisms which are considerably more effective in disrupting control-plane communication due to high RP CPU which aren't touched upon in the paper, nor are they cited in references. Though there are defenses against those attack mechanisms, as well, they aren't as well-known.
It's generally a good idea for researchers to consult with members of the global operational security (opsec) community while looking for topics and methodologies which are truly unique. This saves a lot of time and effort in duplicating existing work and going down paths which don't lead to truly novel research and results.
It's also a good idea for researchers investigating routing resilience to launch real attacks (in a lab environment) on real routers, rather than just theorizing and simulating, in order to gain an understanding of how they actually behave under attack, and how the various BCPs and other defensive mechanisms come into play.
This .pdf presentation may be of interest, as well.