Internet vulnerabilities

Deepak Jain deepak at ai.net
Thu Jul 4 18:51:03 UTC 2002



Coordinated infrastructure attacks are scary for that reason. They are
scary. :) Netcraft will provide you the information on every web
server/server OS just for the asking -- you don't need an OC3 or even nmap.

Historically, wide-spreading worms have had a flaw in the program that
limited how much damage they could cause (i.e., either too virulent or
too patient). I suspect even in your dd solution, the attacker would leave a
delay to allow some additional CPU power devoted to attacking other
destinations. If the timeout is too short and interesting machines go down
fast, the spread takes longer. If it's too long, it can be stopped before it
gets as far. The nastier you make it, the less far it spreads.

In some paranoid networks, within 20 minutes of the content disappearing
they would probably pull all or many of their most significant machines off
line while they are figuring out what attack is occurring. The least
responsive networks are going to be the most vulnerable to a scenario like
this.

Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it
used to be (even at the border), and since most large networks use automatic
configuration generators -- no matter how cumbersome -- it is conceivable
that the brute force attack could be killed on the largest networks at a
mean of 10-12 hrs. Server damage would take longer depending on how
available/recent backups are.

The best part of multilevel NOCs (level 1-2 open tickets 3+ solve problems)
is that under large, cascading attacks of this sort, those who actually
solve the problem are not as bogged down by frantic customers calling.

----

Risers (inside a building) aren't even that big a deal. Most manholes around
these carrier hotels are not welded shut, and most of the POEs (no matter
how many there are) have a manhole or two on the street for splicing
purposes.

A few bad guys could drop a <explosive, incendiary, acid, etc> in each of
these around each major carrier hotel and disable the hotel in about 20
minutes from start-to-finish. Four-man teams at each major infrastructure
location in the U.S. (say 10?) could disable everything in less than 5
minutes from start to finish and be making a quick exit before the first
fiber goes down.

If you simultaneously melt/explode/destroy every POE to every major cable
landing/telecom hotel in the U.S., you will have problems (sky links MIGHT
be excepted if you are especially clever). And >24 hr repair times, assuming
you can get the repair call out in the first place.

Let's not forget that manholes are almost always in public right of way, or
similarly accessible. Opening them quickly/publicly won't even freak out too
many people. Worst case, 2-3 blocks away you triple the number of manholes to
open/disable, and no tech-savvy types or building-security types have
the chance to even see it go down -- better, no welded manholes to worry
about whatsoever.

---

It's almost ridiculous to worry about protecting carrier buildings from
deliberate mischief because they are far more vulnerable outside than
inside. Security guards inside are (IMO) there to keep large pieces of equipment
from walking out without getting a good look at the guy(s) doing it. Even
then, most misunderstand their role and rely on the basic honesty of the
visitors to maintain anything...

I could just be grumpy though.

Deepak Jain
AiNET


> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> Phil Rosenthal
> Sent: Thursday, July 04, 2002 2:17 PM
> To: jlewis at packetnexus.com; nanog at merit.edu
> Subject: RE: Internet vulnerabilities
>
>
>
> Thinking about a physical threat...
> If you go to 111 8th Ave, NYC, they have added security since 9-11-01
> which now requires either building ID, or showing a driver's license
> before entering the building (because terrorists don't have driver's
> licenses).
>
> On some floors (e.g. the 7th), the building risers and conduits are
> completely exposed. I can't help but wonder how much damage a terrorist
> attack on that would do.
>
> Also, say someone from a moderately fast internet connection (OC-3) ran
> nmap across the entire internet on ports like 21,22,53,80,443,3306.  In
> one day, they can probably have a list of every server answering those
> ports, and the versions of the daemons on them.
>
> Next, just wait for a wide enough exploit to come out, and then write a
> Trojan that has a list of every other server vulnerable, and on every
> hack, it splits the list in 2, and roots another box and gives it the
> 2nd half of the list.
>
> I estimate that with a wide enough exploit (eg apache or openssh), you
> could probably compromise 20% of the servers on the net within 1 hour,
> and then have them all begin a ping flood of something "far away"
> network wise (meaning a box in NYC would flood a box in SJC, a box in
> SJC would flood a box in Japan, etc... Trying to have as much bit
> distance as possible).
>
> Damn scary, but I believe if someone was determined enough, they could
> take down the whole 'net within one hour of pressing "enter".
>
> I suppose there really isn't anything that can be done at this point to
> make that scenario impossible.
>
> --Phil
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Jason Lewis
> Sent: Thursday, July 04, 2002 1:57 PM
> To: nanog at merit.edu
> Subject: Internet vulnerabilities
>
>
>
> There is a lot of news lately about terrorist groups doing recon on
> potential targets.  The stories got me thinking.
>
> What are the real threats to the global Internet?
>
> I am looking for anything that might be a potential attack point.  I
> don't want to start a flame war, but any interesting or even way out
> there idea is welcome.
>
> Is it feasible that a coordinated attack could shut down the entire net?
> I am not talking DDoS.  What if someone actually had the skills to
> disrupt BGP on a widescale?
>
> jas
>
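Added example, not from the thread and not anything either poster ran: a toy simulation of the "split the list in two and hand half to each new victim" propagation scheme Phil describes, with Deepak's per-hop delay and the cost of targets that are already down or patched built in. Hosts are just integers and nothing touches a network; every target count, vulnerability rate and timing below is a constructed assumption. It shows how many doubling rounds a list of a given size takes, how the per-hop delay stretches that into wall-clock time, and how much of the list a defender who reacts after a fixed number of minutes can still expect to find compromised.

```python
"""Toy model of the list-splitting propagation scheme discussed above.

Constructed example: hosts, list sizes, vulnerability rate and timings are
all synthetic assumptions, and nothing here exploits or contacts anything.
"""
import random


def simulate(n_targets, p_vulnerable=1.0, per_hop_s=60, seed=0):
    """Return (timeline, n_vulnerable).

    timeline is a list of (elapsed_seconds, compromised_count), one entry per
    round. A round is one attempt by every active host against the next
    entry on its list. An attempt costs per_hop_s whether it succeeds or
    not: a target that is patched, unreachable or already pulled offline
    still burns the attacker's time, which is the slowdown Deepak points at.
    """
    rng = random.Random(seed)
    # Assumed: each target is independently vulnerable with probability p.
    vulnerable = [rng.random() < p_vulnerable for _ in range(n_targets)]
    # Patient zero (the attacker's own box) starts with the whole list.
    workers = [list(range(n_targets))] if n_targets else []
    compromised = 0
    timeline = [(0, 0)]
    round_no = 0
    while workers:
        round_no += 1
        next_workers = []
        for targets in workers:
            victim = targets.pop(0)
            if vulnerable[victim]:
                compromised += 1
                # New victim takes the upper half of what is left; the
                # current host keeps the lower half.
                half = len(targets) // 2
                next_workers.append(targets[half:])
                targets = targets[:half]
            next_workers.append(targets)
        # Hosts whose list is exhausted go idle and drop out.
        workers = [t for t in next_workers if t]
        timeline.append((round_no * per_hop_s, compromised))
    return timeline, sum(vulnerable)


def compromised_by(timeline, deadline_s):
    """Victims compromised by the time defenders react at deadline_s."""
    count = 0
    for t, c in timeline:
        if t > deadline_s:
            break
        count = c
    return count


def time_to_fraction(timeline, n_targets, fraction):
    """Seconds until at least `fraction` of the list is compromised, or None."""
    need = fraction * n_targets
    for t, c in timeline:
        if c >= need:
            return t
    return None


if __name__ == "__main__":
    # Assumed sizes: a 1024-entry list, full and half vulnerability, and
    # per-hop delays of 10 s, 1 min and 5 min.
    for p in (1.0, 0.5):
        for hop in (10, 60, 300):
            tl, n_vuln = simulate(1024, p, hop)
            print(f"p={p} hop={hop}s: 20% of list at {time_to_fraction(tl, 1024, 0.2)}s, "
                  f"all {n_vuln} vulnerable hosts at {tl[-1][0]}s, "
                  f"compromised before a 10-minute response: {compromised_by(tl, 600)}")
```

With every target vulnerable the count after round k is 2^k - 1, so 20% of a 1024-entry list falls in 8 rounds (8 minutes at a one-minute hop) and the whole list in 11. Halving the vulnerability rate does not halve the speed: each failed attempt costs a full hop and stops that branch from splitting, so the doubling degrades toward a much slower growth rate, which is the sense in which targets going down fast make the spread take longer.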