Vulnerabilities of Interconnection

Pawlukiewicz Jane pawlukiewicz_jane at bah.com
Fri Sep 6 13:11:35 UTC 2002


Hi,

sgorman1 at gmu.edu wrote:
> 
> "Again, it seems more likely and more technically effective to attack
> internally than physically. Focus again here on the cost/benefit
> analysis from both the provider and disrupter perspective and you will
> see what I mean."
> 
> Is there a general consensus that cyber/internal attacks are more
> effective/dangerous than physical attacks?  Anecdotally it seems the
> largest Internet downages have been from physical cuts or failures.

It depends on what you consider an internet outage. Or how you define
that. IMHO.

Jane
> 
> 2001 Baltimore train tunnel vs. code red worm (see keynote report)
> 1999 McLean fiber cut - cement truck
> AT&T cascading switch failure
> Utah fiber cut (date??)
> Not sure where the MAI mess up at MAE east falls
> Utah fiber cut (date??)
> 
> Then again this is the biased perspective of the facet I'm researching
> 
> Secondly it seems that problems arise from physical cuts not because
> of a lack of redundant paths but a bottleneck in peering and transit -
> resulting in ripple effects seen with the Baltimore incident.
> 
> ----- Original Message -----
> From: "William B. Norton" <wbn at equinix.com>
> Date: Thursday, September 5, 2002 3:04 pm
> Subject: Re: Vulnerabilities of Interconnection
> 
> >
> > At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
> > >This obviously would be a thesis of Equinix and other collo space providers,
> > >since this is exactly the service that they provide. It won't, however, be a
> > >thesis of any major network that either already has a lot of infrastructure
> > >in place or has to be a network that is supposed to survive a physical
> > >attack.
> >
> > Actually, the underlying assumption of this paper is that major networks
> > already have a large global backbone that need to interconnect in
> > n-regions. The choice between Direct Circuits and Colo-based cross connects
> > is discussed and documented with costs and tradeoffs. Surviving a major
> > attack was not the focus of the paper...but...
> >
> > When I did this research I asked ISPs how many Exchange Points they felt
> > were needed in a region. Many said one was sufficient, that they were
> > resilient across multiple exchange points and transit relationships, and
> > preferred to engineer their own diversity separate from regional exchanges.
> > A bunch said that two was the right number, each with different operating
> > procedures, geographic locations, providers of fiber, etc., as different
> > as possible. Folks seemed unanimous about there not being more than two
> > IXes in a region, that to do so would splinter the peering population.
> >
> > Bill Woodcock was the exception to this last claim, positing (paraphrasing)
> > that peering is a local routing optimization and that many inexpensive
> > (relatively insecure) IXes are acceptable. The loss of any one simply
> > removes the local routing optimization and that transit is always an
> > alternative for that traffic.
> >
> > >
> > > > A couple physical security considerations came out of that research:
> > > > 1) Consider that man holes are not always secured, providing access to
> > > > metro fiber runs, while there is generally greater security within
> > > > colocation environments
> > >
> > >This is all great, except that the same metro fiber runs are used to get
> > >carriers into the super-secure facility, and, since neither those who
> > >originate information, nor those who ultimately consume the information are
> > >located completely within facility, you still have the same problem.  If we
> > >add to it that the diverse fibers tend to aggregate in the basement of the
> > >building that houses the facility, multiple carriers use the same manholes
> > >for their diverse fiber and so on.
> >
> > Fine - we both agree that no transport provider is entirely protected from
> > physical tampering if its fiber travels through insecure passageways. Note
> > that some transport capacity into an IX doesn't necessarily travel along
> > the same path as the metro providers, particularly those IXes located
> > outside a metro region. There are also a multitude of paths, proportional
> > to the # of providers still around in the metro area, that provide
> > alternative paths into the IX. Within an IX therefore is a concentration of
> > alternative providers, and these alternative providers can be used as
> > needed in the event of a path cut.
> >
> >
> > > > 2) It is faster to repair physical disruptions at fewer points, leveraging
> > > > cutovers to alternative providers present in the collocation IX model, as
> > > > opposed to the Direct Circuit model where provisioning additional
> > > > capacities to many end points may take days or months.
> > >
> > >This again is great in theory, unless you are talking about someone who
> > >is planning on taking out the IX not accidentally, but deliberately. To
> > >illustrate this, one just needs to recall the infamous fiber cut in McLean
> > >in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but
> > >somehow let a cement truck pour cement into Verizon's manhole that was
> > >used by Level(3) and Worldcom.
> >
> > Terrorists in cement trucks?
> >
> > Again, it seems more likely and more technically effective to attack
> > internally than physically. Focus again here on the cost/benefit analysis
> > from both the provider and disrupter perspective and you will see
> > what I mean.
> >
> >
> > >Alex
> >
> >
> >


