Internet vulnerabilities

Stephen J. Wilcox steve at opaltelecom.co.uk
Fri Jul 5 08:26:53 UTC 2002



I think the worm problem is because there's no research data to suggest what a
perfect worm is... it's all trial and error.

But you have to admit, as each new major worm comes out it gets better and better
at timing and deployment, so perhaps eventually someone will figure out the
perfect timing and do some real nasty damage.

Steve

On Thu, 4 Jul 2002, Deepak Jain wrote:

> 
> 
> Coordinated infrastructure attacks are scary for that reason. They are
> scary. :) Netcraft will provide you the information on every web
> server/server OS just for the asking -- you don't need an OC3 or even nmap.
> 
> Historically, wide spreading worms have had a flaw in the program that
> prevented how much damage they could cause. (i.e., either too virulent or
> too patient). I suspect even in your dd solution, the attacker would leave a
> delay to allow some additional CPU power devoted to attacking other
> destinations. If the timeout is too short and interesting machines go down
> fast, the spread takes longer. If it's too long, it can be stopped before it
> gets as far. The nastier you make it, the less far it spreads.
> 
> In some paranoid networks, within 20 minutes of the content disappearing
> they would probably pull all or many of their most significant machines off
> line while they are figuring out what attack is occurring. The least
> responsive networks are going to be the most vulnerable to a scenario like
> this.
> 
> Rate limiting ICMP (or your favorite attack packet) isn't as difficult as it
> used to be (even at the border), and since most large networks use automatic
> configuration generators -- no matter how cumbersome -- it is conceivable
> that the brute force attack could be killed on the largest networks at a
> mean of 10-12 hrs. Server damage would take longer depending on how
> available/recent backups are.
> 
> The best part of multilevel NOCs (level 1-2 open tickets 3+ solve problems)
> is that under large, cascading attacks of this sort, those who actually
> solve the problem are not as bogged down by frantic customers calling.
> 
> ----
> 
> Risers (inside) a building aren't even that big a deal. Most manholes around
> these carrier hotels are not welded shut, and most of the POEs (no matter
> how many there are) have a man hole or two on the street for splicing
> purposes.
> 
> A few bad guys could drop a <explosive, incendiary, acid, etc> in each of
> these around each major carrier hotel and disable the hotel in about 20
> minutes from start-to-finish. (4 men teams at each major infrastructure
> location in the U.S. -- say 10?) could disable everything in less than 5
> minutes from start to finish and be making a quick exit before the first
> fiber goes down.
> 
> If you simultaneously melt/explode/destroy every POE to every major cable
> landing/telecom hotel in the U.S., you will have problems (sky links MIGHT
> be excepted if you are especially clever). And >24 hr repair times, assuming
> you can get the repair call out in the first place.
> 
> Let's not forget that manholes are almost always in public right of way, or
> similarly accessible. Opening them quickly/publicly won't even freak out too
> many people. Worst case 2-3 blocks away you triple the number of manholes to
> open/disable, and have no tech-savvy types or building-security types have
> the chance to even see it go down -- better, no welded manholes to worry
> about whatsoever.
> 
> ---
> 
> It's almost ridiculous to worry about protecting carrier-buildings from
> deliberate mischief because they are far more vulnerable outside than
> inside. Security guards inside are (IMO) to keep large pieces of equipment
> from walking out without getting a good look at the guy(s) doing it. Even
> then, most misunderstand their role and rely on the basic honesty of the
> visitors to maintain anything...
> 
> I could just be grumpy though.
> 
> Deepak Jain
> AiNET
> 
> 
> > -----Original Message-----
> > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> > Phil Rosenthal
> > Sent: Thursday, July 04, 2002 2:17 PM
> > To: jlewis at packetnexus.com; nanog at merit.edu
> > Subject: RE: Internet vulnerabilities
> >
> >
> >
> > Thinking about a physical threat...
> > If you go to 111 8th Ave, NYC, they have added security since 9-11-01
> > which now requires either building ID, or showing a driver's license
> > before entering the building (because terrorists don't have driver's
> > licenses).
> >
> > On some floors (e.g. the 7th), the building risers and conduits are
> > completely exposed. I can't help but wonder how much damage a terrorist
> > attack on that would do.
> >
> > Also, say someone from a moderately fast internet connection (OC-3) ran
> > nmap across the entire internet on ports like 21,22,53,80,443,3306.  In
> > one day, they can probably have a list of every server answering those
> > ports, and the versions of the daemons on them.
> >
> > Next, just wait for a wide enough exploit to come out, and then write a
> > Trojan that has a list of every other server vulnerable, and on every
> > hack, it splits the list in 2, and roots another box and gives it the
> > 2nd half of the list.
> >
> > I estimate that with a wide enough exploit (e.g. apache or openssh), you
> > could probably compromise 20% of the servers on the net within 1 hour,
> > and then have them all begin a ping flood of something "far away"
> > network wise (meaning a box in NYC would flood a box in SJC, a box in
> > SJC would flood a box in Japan, etc... Trying to have as much bit
> > distance as possible).
> >
> > Damn scary, but I believe if someone was determined enough, they could
> > take down the whole 'net within one hour of pressing "enter".
> >
> > I suppose there really isn't anything that can be done at this point to
> > make that scenario impossible.
> >
> > --Phil
> >
> > -----Original Message-----
> > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> > Jason Lewis
> > Sent: Thursday, July 04, 2002 1:57 PM
> > To: nanog at merit.edu
> > Subject: Internet vulnerabilities
> >
> >
> >
> > There is a lot of news lately about terrorist groups doing recon on
> > potential targets.  The stories got me thinking.
> >
> > What are the real threats to the global Internet?
> >
> > I am looking for anything that might be a potential attack point.  I
> > don't want to start a flame war, but any interesting or even way out
> > there idea is welcome.
> >
> > Is it feasible that a coordinated attack could shut down the entire net?
> > I am not talking DDoS.  What if someone actually had the skills to
> > disrupt BGP on a wide scale?
> >
> > jas
> >