Vulnerbilities of Interconnection

Thu Sep 5 19:50:04 UTC 2002

The thing is, the major cuts are not "attacks;" the backhoe operators
aren't gunning for our fiber (no matter how much it seems like they
are).  If I wanted to disrupt traffic, intentionally and maliciously,
I would not derail a train into a fiber path.  Doing so would be very
difficult, and the legal ramifications (murder, destruction of
property, etc, etc) are quite clear and severe.  However, if I
ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never had
to leave my parents' basement, I'm harder to trace by normal police
methods, and the question of which laws that can be applied to me is
less clear. 

-Dave

On 9/5/2002 at 15:38:56 -0400, sgorman1 at gmu.edu said:
> 
> "Again, it seems more likely and more technically effective to attack 
> internally than physically. Focus again here on the cost/benefit 
> analysis from both the provider and disrupter perspective and you will 
> see what I mean."
> 
> Is there a general consensus that cyber/internal attacks are more 
> effective/dangerous than physical attacks.  Anecdotally it seems the 
> largest Internet downages have been from physical cuts or failures.
> 
> 2001 Baltimore train tunnel vs. code red worm (see keynote report)
> 1999 Mclean fiber cut - cement truck
> AT&T cascading switch failure
> Utah fiber cut (date??)
> Not sure where the MAI mess up at MAE east falls
> Utah fiber cut (date??)
> 
> Then again this is the biased perspetive of the facet I'm researching
> 
> Secondly it seems that problems arise from physical cuts not because 
> of a lack of redundant paths but a bottlneck in peering and transit -  
> resulting in ripple effects seen with the Baltimore incident.
> 
> 
> 
> ----- Original Message -----
> From: "William B. Norton" <wbn at equinix.com>
> Date: Thursday, September 5, 2002 3:04 pm
> Subject: Re: Vulnerbilities of Interconnection
> 
> > 
> > At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
> > >This obviously would be a thesis of Equinix and other collo space 
> > providers,>since this is exactly the service that they provide. It 
> > won't, hower, be a
> > >thesis of any major network that either already has a lot of 
> > infrastructure>in place or has to be a network that is supposed to 
> > survive a physical
> > >attack.
> > 
> > Actually, the underlying assumption of this paper is that major 
> > networks 
> > already have a large global backbone that need to interconnect in 
> > n-regions. The choice between Direct Circuits and Colo-based cross 
> > connects 
> > is discussed and documented with costs and tradeoffs. Surviving a 
> > major 
> > attack was not the focus of the paper...but...
> > 
> > When I did this research I asked ISPs how many Exchange Points 
> > they felt 
> > were needed in a region. Many said one was sufficient, that they 
> > were 
> > resilient across multiple exchange points and transit 
> > relationships, and 
> > preferred to engineer their own diversity separate from regional 
> > exchanges. 
> > A bunch said that two was the right number, each with different 
> > operating 
> > procedures, geographic locations, providers of fiber, etc. , as 
> > different 
> > as possible. Folks seemed unanimous about there not being more 
> > than two 
> > IXes in a region, that to do so would splinter the peering 
> population.
> > 
> > Bill Woodcock was the exception to this last claim, positing 
> > (paraphrasing) 
> > that peering is an local routing optimization and that many 
> > inexpensive 
> > (relatively insecured) IXes are acceptable. The loss of any one 
> > simply 
> > removes the local  routing optimization and that transit is always 
> > an 
> > alternative for that traffic.
> > 
> > >
> > > > A couple physical security considerations came out of that 
> > research:> > 1) Consider that man holes are not always secured, 
> > providing access to
> > > > metro fiber runs, while there is generally greater security 
> within
> > > > colocation environments
> > >
> > >This is all great, except that the same metro fiber runs are used 
> > to get
> > >carriers into the super-secure facility, and, since neither those 
> who
> > >originate information, nor those who ultimately consume the 
> > information are
> > >located completely within facility, you still have the same 
> > problem.  If we
> > >add to it that the diverse fibers tend to aggregate in the 
> > basement of the
> > >building that houses the facility, multiple carriers use the same 
> > manholes>for their diverse fiber and so on.
> > 
> > Fine - we both agree that no transport provider is entirely 
> > protected from 
> > physical tampering if its fiber travels through insecure 
> > passageways. Note 
> > that some transport capacity into an IX doesn't necessarily travel 
> > along 
> > the same path as the metro providers, particularly those IXes 
> > located 
> > outside a metro region. There are also a multitude of paths, 
> > proportional 
> > to the # of providers still around in the metro area, that provide 
> > alternative paths into the IX. Within an IX therefore is a 
> > concentration of 
> > alternative providers,  and these alternative providers can be 
> > used as 
> > needed in the event of a path cut.
> > 
> > 
> > > > 2) It is faster to repair physical disruptions at fewer 
> > points, leveraging
> > > > cutovers to alternative providers present in the collocation 
> > IX model, as
> > > > opposed to the Direct Circuit model where provisioning additional
> > > > capacities to many end points may take days or months.
> > >
> > >This again is great in theory, unless you are talking about 
> > someone who
> > >is planning on taking out the IX not accidently, but 
> > deliberately. To
> > >illustrate this, one just needs to recall the infamous fiber cut 
> > in McLean
> > >in 1999 when a backhoe not just cut Worldcom and Level(3) 
> > circuits, but
> > >somehow let a cement truck to pour cement into Verizon's manhole 
> > that was
> > >used by Level(3) and Worldcom.
> > 
> > Terrorists in cement trucks?
> > 
> > Again, it seems more likely and more technically effective to 
> > attack 
> > internally than physically. Focus again here on the cost/benefit 
> > analysis 
> > from both the provider and disrupter perspective and you will see 
> > what I mean.
> > 
> > 
> > >Alex
> > 
> > 
> > 
> 

-- 
Dave Israel
Senior Manager, DNE SE