Vulnerbilities of Interconnection

sgorman1 at gmu.edu sgorman1 at gmu.edu
Thu Sep 5 19:55:26 UTC 2002 

The question is what if someone was gunning for your fiber.  To date 
cuts have been unintentional.  Obviously the risk level is much higher 
doing a phyisical attack, but the bad guys in this scenario are not 
teenage hackers in the parents basement.  

There is a good foundation of knowledge on the implications of cyber 
attacks, but the what-if of an intentional physical attack is an 
important question I believe.  The context in this discussion has been 
very valuable and many thanks to everyone that has offered opinions.

----- Original Message -----
From: Dave Israel <davei at algx.net>
Date: Thursday, September 5, 2002 3:50 pm
Subject: Re: Vulnerbilities of Interconnection

> 
> The thing is, the major cuts are not "attacks;" the backhoe operators
> aren't gunning for our fiber (no matter how much it seems like they
> are).  If I wanted to disrupt traffic, intentionally and maliciously,
> I would not derail a train into a fiber path.  Doing so would be very
> difficult, and the legal ramifications (murder, destruction of
> property, etc, etc) are quite clear and severe.  However, if I
> ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never 
had
> to leave my parents' basement, I'm harder to trace by normal police
> methods, and the question of which laws that can be applied to me is
> less clear. 
> 
> -Dave
> 
> On 9/5/2002 at 15:38:56 -0400, sgorman1 at gmu.edu said:
> > 
> > "Again, it seems more likely and more technically effective to 
> attack 
> > internally than physically. Focus again here on the cost/benefit 
> > analysis from both the provider and disrupter perspective and 
> you will 
> > see what I mean."
> > 
> > Is there a general consensus that cyber/internal attacks are 
> more 
> > effective/dangerous than physical attacks.  Anecdotally it seems 
> the 
> > largest Internet downages have been from physical cuts or failures.
> > 
> > 2001 Baltimore train tunnel vs. code red worm (see keynote report)
> > 1999 Mclean fiber cut - cement truck
> > AT&T cascading switch failure
> > Utah fiber cut (date??)
> > Not sure where the MAI mess up at MAE east falls
> > Utah fiber cut (date??)
> > 
> > Then again this is the biased perspetive of the facet I'm 
> researching> 
> > Secondly it seems that problems arise from physical cuts not 
> because 
> > of a lack of redundant paths but a bottlneck in peering and 
> transit -  
> > resulting in ripple effects seen with the Baltimore incident.
> > 
> > 
> > 
> > ----- Original Message -----
> > From: "William B. Norton" <wbn at equinix.com>
> > Date: Thursday, September 5, 2002 3:04 pm
> > Subject: Re: Vulnerbilities of Interconnection
> > 
> > > 
> > > At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
> > > >This obviously would be a thesis of Equinix and other collo 
> space 
> > > providers,>since this is exactly the service that they 
> provide. It 
> > > won't, hower, be a
> > > >thesis of any major network that either already has a lot of 
> > > infrastructure>in place or has to be a network that is 
> supposed to 
> > > survive a physical
> > > >attack.
> > > 
> > > Actually, the underlying assumption of this paper is that 
> major 
> > > networks 
> > > already have a large global backbone that need to interconnect 
> in 
> > > n-regions. The choice between Direct Circuits and Colo-based 
> cross 
> > > connects 
> > > is discussed and documented with costs and tradeoffs. 
> Surviving a 
> > > major 
> > > attack was not the focus of the paper...but...
> > > 
> > > When I did this research I asked ISPs how many Exchange Points 
> > > they felt 
> > > were needed in a region. Many said one was sufficient, that 
> they 
> > > were 
> > > resilient across multiple exchange points and transit 
> > > relationships, and 
> > > preferred to engineer their own diversity separate from 
> regional 
> > > exchanges. 
> > > A bunch said that two was the right number, each with 
> different 
> > > operating 
> > > procedures, geographic locations, providers of fiber, etc. , 
> as 
> > > different 
> > > as possible. Folks seemed unanimous about there not being more 
> > > than two 
> > > IXes in a region, that to do so would splinter the peering 
> > population.
> > > 
> > > Bill Woodcock was the exception to this last claim, positing 
> > > (paraphrasing) 
> > > that peering is an local routing optimization and that many 
> > > inexpensive 
> > > (relatively insecured) IXes are acceptable. The loss of any 
> one 
> > > simply 
> > > removes the local  routing optimization and that transit is 
> always 
> > > an 
> > > alternative for that traffic.
> > > 
> > > >
> > > > > A couple physical security considerations came out of that 
> > > research:> > 1) Consider that man holes are not always 
> secured, 
> > > providing access to
> > > > > metro fiber runs, while there is generally greater 
> security 
> > within
> > > > > colocation environments
> > > >
> > > >This is all great, except that the same metro fiber runs are 
> used 
> > > to get
> > > >carriers into the super-secure facility, and, since neither 
> those 
> > who
> > > >originate information, nor those who ultimately consume the 
> > > information are
> > > >located completely within facility, you still have the same 
> > > problem.  If we
> > > >add to it that the diverse fibers tend to aggregate in the 
> > > basement of the
> > > >building that houses the facility, multiple carriers use the 
> same 
> > > manholes>for their diverse fiber and so on.
> > > 
> > > Fine - we both agree that no transport provider is entirely 
> > > protected from 
> > > physical tampering if its fiber travels through insecure 
> > > passageways. Note 
> > > that some transport capacity into an IX doesn't necessarily 
> travel 
> > > along 
> > > the same path as the metro providers, particularly those IXes 
> > > located 
> > > outside a metro region. There are also a multitude of paths, 
> > > proportional 
> > > to the # of providers still around in the metro area, that 
> provide 
> > > alternative paths into the IX. Within an IX therefore is a 
> > > concentration of 
> > > alternative providers,  and these alternative providers can be 
> > > used as 
> > > needed in the event of a path cut.
> > > 
> > > 
> > > > > 2) It is faster to repair physical disruptions at fewer 
> > > points, leveraging
> > > > > cutovers to alternative providers present in the 
> collocation 
> > > IX model, as
> > > > > opposed to the Direct Circuit model where provisioning 
> additional> > > > capacities to many end points may take days or 
> months.> > >
> > > >This again is great in theory, unless you are talking about 
> > > someone who
> > > >is planning on taking out the IX not accidently, but 
> > > deliberately. To
> > > >illustrate this, one just needs to recall the infamous fiber 
> cut 
> > > in McLean
> > > >in 1999 when a backhoe not just cut Worldcom and Level(3) 
> > > circuits, but
> > > >somehow let a cement truck to pour cement into Verizon's 
> manhole 
> > > that was
> > > >used by Level(3) and Worldcom.
> > > 
> > > Terrorists in cement trucks?
> > > 
> > > Again, it seems more likely and more technically effective to 
> > > attack 
> > > internally than physically. Focus again here on the 
> cost/benefit 
> > > analysis 
> > > from both the provider and disrupter perspective and you will 
> see 
> > > what I mean.
> > > 
> > > 
> > > >Alex
> > > 
> > > 
> > > 
> > 
> 
> -- 
> Dave Israel
> Senior Manager, DNE SE
> 
>

More information about the NANOG mailing list