Vulnerabilities of Interconnection
sgorman1 at gmu.edu
Thu Sep 5 19:55:26 UTC 2002
The question is what if someone was gunning for your fiber. To date
cuts have been unintentional. Obviously the risk level is much higher
doing a physical attack, but the bad guys in this scenario are not
teenage hackers in their parents' basement.
There is a good foundation of knowledge on the implications of cyber
attacks, but the what-if of an intentional physical attack is an
important question I believe. The context in this discussion has been
very valuable and many thanks to everyone that has offered opinions.
----- Original Message -----
From: Dave Israel <davei at algx.net>
Date: Thursday, September 5, 2002 3:50 pm
Subject: Re: Vulnerabilities of Interconnection
>
> The thing is, the major cuts are not "attacks;" the backhoe operators
> aren't gunning for our fiber (no matter how much it seems like they
> are). If I wanted to disrupt traffic, intentionally and maliciously,
> I would not derail a train into a fiber path. Doing so would be very
> difficult, and the legal ramifications (murder, destruction of
> property, etc, etc) are quite clear and severe. However, if I
> ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never had
> to leave my parents' basement, I'm harder to trace by normal police
> methods, and the question of which laws that can be applied to me is
> less clear.
>
> -Dave
>
> On 9/5/2002 at 15:38:56 -0400, sgorman1 at gmu.edu said:
> >
> > "Again, it seems more likely and more technically effective to attack
> > internally than physically. Focus again here on the cost/benefit
> > analysis from both the provider and disrupter perspective and you will
> > see what I mean."
> >
> > Is there a general consensus that cyber/internal attacks are more
> > effective/dangerous than physical attacks? Anecdotally it seems the
> > largest Internet downages have been from physical cuts or failures.
> >
> > 2001 Baltimore train tunnel vs. code red worm (see keynote report)
> > 1999 McLean fiber cut - cement truck
> > AT&T cascading switch failure
> > Utah fiber cut (date??)
> > Not sure where the MAI mess up at MAE east falls
> > Utah fiber cut (date??)
> >
> > Then again this is the biased perspective of the facet I'm researching.
> >
> > Secondly it seems that problems arise from physical cuts not because
> > of a lack of redundant paths but a bottleneck in peering and transit -
> > resulting in ripple effects seen with the Baltimore incident.
> >
> >
> >
> > ----- Original Message -----
> > From: "William B. Norton" <wbn at equinix.com>
> > Date: Thursday, September 5, 2002 3:04 pm
> > Subject: Re: Vulnerabilities of Interconnection
> >
> > >
> > > At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
> > > >This obviously would be a thesis of Equinix and other collo space providers,
> > > >since this is exactly the service that they provide. It won't, however, be a
> > > >thesis of any major network that either already has a lot of infrastructure
> > > >in place or has to be a network that is supposed to survive a physical
> > > >attack.
> > >
> > > Actually, the underlying assumption of this paper is that major networks
> > > already have a large global backbone that need to interconnect in
> > > n-regions. The choice between Direct Circuits and Colo-based cross connects
> > > is discussed and documented with costs and tradeoffs. Surviving a major
> > > attack was not the focus of the paper...but...
> > >
> > > When I did this research I asked ISPs how many Exchange Points they felt
> > > were needed in a region. Many said one was sufficient, that they were
> > > resilient across multiple exchange points and transit relationships, and
> > > preferred to engineer their own diversity separate from regional exchanges.
> > > A bunch said that two was the right number, each with different operating
> > > procedures, geographic locations, providers of fiber, etc., as different
> > > as possible. Folks seemed unanimous about there not being more than two
> > > IXes in a region, that to do so would splinter the peering population.
> > >
> > > Bill Woodcock was the exception to this last claim, positing (paraphrasing)
> > > that peering is a local routing optimization and that many inexpensive
> > > (relatively insecured) IXes are acceptable. The loss of any one simply
> > > removes the local routing optimization and that transit is always an
> > > alternative for that traffic.
> > >
> > > >
> > > > > A couple physical security considerations came out of that research:
> > > > > 1) Consider that man holes are not always secured, providing access to
> > > > > metro fiber runs, while there is generally greater security within
> > > > > colocation environments
> > > >
> > > >This is all great, except that the same metro fiber runs are used to get
> > > >carriers into the super-secure facility, and, since neither those who
> > > >originate information, nor those who ultimately consume the information are
> > > >located completely within facility, you still have the same problem. If we
> > > >add to it that the diverse fibers tend to aggregate in the basement of the
> > > >building that houses the facility, multiple carriers use the same manholes
> > > >for their diverse fiber and so on.
> > >
> > > Fine - we both agree that no transport provider is entirely protected from
> > > physical tampering if its fiber travels through insecure passageways. Note
> > > that some transport capacity into an IX doesn't necessarily travel along
> > > the same path as the metro providers, particularly those IXes located
> > > outside a metro region. There are also a multitude of paths, proportional
> > > to the # of providers still around in the metro area, that provide
> > > alternative paths into the IX. Within an IX therefore is a concentration of
> > > alternative providers, and these alternative providers can be used as
> > > needed in the event of a path cut.
> > >
> > >
> > > > > 2) It is faster to repair physical disruptions at fewer points, leveraging
> > > > > cutovers to alternative providers present in the collocation IX model, as
> > > > > opposed to the Direct Circuit model where provisioning additional
> > > > > capacities to many end points may take days or months.
> > > >
> > > >This again is great in theory, unless you are talking about someone who
> > > >is planning on taking out the IX not accidentally, but deliberately. To
> > > >illustrate this, one just needs to recall the infamous fiber cut in McLean
> > > >in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but
> > > >somehow let a cement truck pour cement into Verizon's manhole that was
> > > >used by Level(3) and Worldcom.
> > >
> > > Terrorists in cement trucks?
> > >
> > > Again, it seems more likely and more technically effective to attack
> > > internally than physically. Focus again here on the cost/benefit analysis
> > > from both the provider and disrupter perspective and you will see
> > > what I mean.
> > >
> > >
> > > >Alex
> > >
> > >
> > >
> >
>
> --
> Dave Israel
> Senior Manager, DNE SE
>
>