Forgot your password?
typodupeerror
The Internet Security

How To Crash the Internet 166

Posted by CmdrTaco
from the sound-of-a-millions-memes-melting dept.
rudy_wayne writes "We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a government, like Egypt's, can shut down an entire country's Internet access. And, we thought we knew that you can't take down the entire Internet. It turns out we could be wrong. In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet."
This discussion has been archived. No new comments can be posted.

How To Crash the Internet

Comments Filter:
  • by Drakkenmensch (1255800) on Monday February 14, 2011 @10:28AM (#35199408)
    Where is he going to go brag afterwards? It's a self-defeating endeavor.
    • Who needs the Internet? He'll just call up the leaders of the free world and demand ONE MILLION DOLLARS!

      • Ah, screw it! We'll just do what we always do - steal a nuke and hold the world hostage. /doctorevilpinky
        • by t0p (1154575)

          Shouldn't that be "doctorevilthebrain"?

          Pinky: Gee, Brain, what do you want to do tonight?

          The Brain: The same thing we do every night, Pinky - try to take over the world!

          • by ivucica (1001089)
            Funny, I just read an old computer games magazine with a review of a Pinky/The Brain game...
      • by RockDoctor (15477)
        s/free/cheap/ FTFY
    • Where is he going to go brag afterwards? It's a self-defeating endeavor.

      Hey, some of us still have cradle modems and BBS software...

      • Some of us actually wrote the BBS software ;-)

        • And some of us built modems. Ah, fun times...

          • by jon3k (691256)
            Wow really? What exactly did you do?
            • Nothing noteworthy, I just made boxes for friends in the late 70's/early 80's. Ready-built modems were rare and expensive, parts were relatively cheap and plentiful, so I did what any nerdy kid with a soldering iron would for a bit of extra money. We're talking 200/300 baud with no internal compression, so it wasn't rocket surgery.

      • by puhuri (701880)

        Hey, some of us still have cradle modems and BBS software...

        But do you have telephone network to connect modems and does to network extend beyond local central office?

  • by Anonymous Coward

    You're the reason we can't have nice things.

  • by djlemma (1053860) on Monday February 14, 2011 @10:29AM (#35199420)
    I remember a decade ago, somebody from l0pht was discussing how they could take down the entire internet and keep it down for a while. I'm sure many people have made a point of keeping up with advancing technology and continuing to find ways that they could take down the internet itself...

    Still interesting to read about though.
    • by Anonymous Coward

      BGP route poisoning has been around since BGP was invented. Every few years we get a story about how China or someone blackholed a huge swath of the 'net with a bad advertisement. This is nothing new, blah blah, internet is tied together with bubblegum and shoelaces. However there's almost always a way to "fix" routers on different networks since they're mostly independently managed, so you're looking at downtime of a few days to a week max. Nothing that's going to destroy the fabric of society.

      • by ArhcAngel (247594)

        Nothing that's going to destroy the fabric of society.

        One Word:

        Strategically placed EMP devices.

        OK that's four words but you get the picture.

      • by D Ninja (825055)

        However there's almost always a way to "fix" routers on different networks since they're mostly independently managed, so you're looking at downtime of a few days to a week max. Nothing that's going to destroy the fabric of society.

        I think you underestimate society's use of the internet and networks. It is far more than being able to browse Slashdot and play Farmville. The internet is responsible for financial transactions, shipping management (particularly food sources, oil, etc), power management, etc. If the internet went down, would it be the end of the world? I don't particularly think so. Would there be a whole heap (and I mean A LOT) of problems from the result? You better believe it.

        • Yea, all those food orders will have to be done by phone. Oh noes, the horror.
          • by ivucica (1001089)
            Perhaps a portion of voice traffic spends some time as VOIP traffic nowadays? I don't claim that it does, but it wouldn't surprise me.
          • by sirsnork (530512)

            Can you be sure one of the upstream phone carriers doesn't use a VoIP link between countries?

            • Having worked for telecommunications companies on and off for the last 15 years. I assure you that a attack on BGP will not even take down the internet for long, let alone the core backbone telecommunication networks that internet and phone calls run over. Also a significant number of companies lease their own "links" for their own networks. Yes its all moving over to IP these days, but IP runs on top of real hardware that is not going to fall over that easily and still has leased "subnets".
      • BGP route poisoning has been around since BGP was invented. Every few years we get a story about how China or someone blackholed a huge swath of the 'net with a bad advertisement. This is nothing new, blah blah, internet is tied together with bubblegum and shoelaces. However there's almost always a way to "fix" routers on different networks since they're mostly independently managed, so you're looking at downtime of a few days to a week max. Nothing that's going to destroy the fabric of society.

        I knew statically managing all the routes in my router would pay off some day!
        Just like my 6 GB hosts file when people started poisoning DNS!

    • Bob Metcalfe (former Xerox PARC researcher, founder of 3Com, co-inventor of Ethernet) predicted exactly this scenario 15 years ago. His timetable might have been off, but this just shows that either his theory is sound, or these grad students aren't nearly as original as they thought.

      Note: Metcalfe has also "predicted" some rather stupid and amazingly incorrect things, but they usually didn't have much to do with networking.

  • How is this news? (Score:5, Interesting)

    by HungryHobo (1314109) on Monday February 14, 2011 @10:30AM (#35199432)

    How is this news?
    we've know for years that BGP has problems.
    it's broken big section of the net before.

    http://en.wikipedia.org/wiki/AS_7007_incident [wikipedia.org]

      • Re:How is this news? (Score:5, Interesting)

        by sseshan (258488) on Monday February 14, 2011 @11:02AM (#35199830)

        This is not the same type of attack -- the AS7007 problem was a route hijack attack.

        The sigcomm paper describes a more basic route convergence issue with path vector protocols

        The paper describes the use of packet loss to create a BGP session failure and the impact of repeated announce/withdraw traffic to slow other routers. This is also not new. However, the appropriate point of reference is "RFC 1266 - Experience with the BGP Protocol" (http://www.faqs.org/rfcs/rfc1266.html). Read section 9 -- this points to how packet loss results in BGP failures and points to how ensuring BGP packets have priority fixes this. This was published in 1991 :-) and is generally well known.

        Similarly, I haven't read the referenced NDSS paper (http://www-users.cs.umn.edu/~hopper/lci-ndss.pdf) but I am also surprised that BGP holddown timers don't prevent some of the related route churn problems.

        • by iserlohn (49556)

          BGP dampening is designed to stop this. I don't know why this is getting any press at all.

        • by skids (119237)

          Problem being a lot of places do not even apply control plane policing, much less prioritization of signaling traffic.

          IIRC Cisco started to do a bit of by-default signaling prioritization, at least on the ethernet/STP level, but nowadays it's hard to get a straight answer out of Cisco about such things -- whether they are in there, and whether they will still be there in the next code release. Though I have to say, they at least have their feature support matrix, which can sometimes yield answers but alway

    • Re:How is this news? (Score:4, Informative)

      by bjourne (1034822) on Monday February 14, 2011 @11:00AM (#35199802) Homepage Journal

      Because, as described in TFA, the method used to exploit BGP is totally different from previous known methods. This one is about DDoS-ing a single high-traffic link between two routes so that neighbouring routers will send BGP updates telling listening parties to route their traffic elsewhere. The DDoS-ing would then stop, traffic resume on the link and new BGP updates being sent. Then another DDoS on the same link and so on. Eventually the amount of BGP updates would build up a huge backlog overloading every router in the world.

      The attack is possible in theory. In reality, you would need a huge botnet concentrating on a single vulnerable link to be able to pull off the attack. Generally high traffic links are also high capacity links, so the botnets size would have to be gigantic to disrupt a major link.

      • by TubeSteak (669689)

        Generally high traffic links are also high capacity links, so the botnets size would have to be gigantic to disrupt a major link.

        It sounds like you RTFA, so you know they call for a botnet that is 250,000 strong. That is not gigantic.
        Maybe a few years ago that would have been considered one of the world's largest botnets.

        Off the top of my head, the now decapitated Mariposa botnet was 12+ million strong.
        Currently bagel and rustock are the top two with a couple million bots each.

        What troubles me more is that one person could do the exact same attack just by standing next to the BGP router.
        China doesn't need to DDOS the world, they just

      • by skids (119237)

        Seeing as the OP and source do not link to the article itself, I have to go on what's described there, which is actually crashing BGP sessions by causing them packet loss (or where applied, causing the BFD feature packet loss.)

        It's not news at all to anyone who actually bothers to think "gee, if you put the signaling in-band it could get congested" and those people have tools available to them to deal with the situation (like not running BFD, conservative hold-down timers and flap-protection, and QoS for si

  • Image (Score:1, Offtopic)

    by tom17 (659054)

    The stock photo in the article says "Where's the internet gone?" but it's just a picture of a couple of people using old computers.

    I often see things like this where they feel they HAVE to put a photo in, a meaningful photo to help get the point across. To help get this point across they put in captions to make it clear, but half the time they put ZERO effort in to actually finding a suitable image. For this one, they could have at least found a picture with someone with their arms up in despair at the inte

    • There's also one with people in cars floating in a flood. So trashing the net now creates floods. Neat.

      • by tom17 (659054)

        Hahaha yes, quite :)

      • by t0p (1154575)
        I don't see why not. The internet going down would cause planes to fall from the sky, and (OMG) Facebook and (OMG) Twitter would stop working. So floods would be the least of our problems. Well, the least of your problems - I live on a hill/in a boat/something.
    • by gilleain (1310105)
      Even worse is when they have a generic IT-related article, an put an image of a keyboard next to the story. The BBC does this a lot - I know that getting stock photos (that are not copyright) is a pain, but really ... a keyboard?
  • 1. make sex home video with Jessica Alba 2. Internet crash
    • by mysidia (191772)

      Obligatory South Park reference. Involving video with kid unplugging and replugging a giant LinkSys-like router to fix the internet.

      Unfortunately the 60 second clip was taken down due to copyright issues, so there is no link for me to back up this reference with.

  • Sigh... (Score:5, Informative)

    by chemicaldave (1776600) on Monday February 14, 2011 @10:43AM (#35199592)
    Can nobody find the actual paper? Oh wait, here [umn.edu] it is, free from the altering lens of the media.
  • Read this:
    http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf [umn.edu]

    Then read this:
    http://www.phdcomics.com/comics.php?f=1174 [phdcomics.com]

    It's a simulation of the impact of a coordinated attack on BGP. We know since a long time back that BGP is vulnerable to a number of attacks, this being one of them. The researcher has done a good job with the simulations and putting numbers on it.

    Nothing else to see here, move along. The writer of the news article has no idea what he/she is talking about. We have much larger stability i

  • and 20 minutes later your upstream provider will kill your links and stop taking BGP announcements from you and life will go one.

    Seriously Taco? Did you take a timothy pill and get retarded too? Why the fuck are you posting these retarded stories about things we've known for literally 30 years and has probably come up at least 10 times on slashdot in the last 5 years.

    Might as well just redirect slashdot.org to 4chan, the IQ seems to be about the same now days.

    • by BitZtream (692029)

      If you'd like to stop the specific retarded 'attack' posted in the actual story ... turn on route flap dampening on your router ... which is probably already on, which will stop his 'attack' cold.

      Its not even a BGP attack, its just a DDoS that some how is mysteriously going to work better because of BGP route flapping ... which won't happen since the route will just get dampened into oblivion more and more each time it bounces.

    • by Bengie (1121981)

      I agree. At my previous job, we lost internet once. Called up the ISP and they had no idea at first. Ten minutes later, they called and said there was road construction on the interstate about 50 miles south of us and someone cut the line.

      In under 2 hours, they had us running again.

      If they can fix a physical break in that amount of time, I should think they could block a bad BGP.

  • by Anonymous Coward

    Everyone knows you just have to type google into Google. So please noone does that, even for fun!

    • by Thud457 (234763)
      weird, if you google search engine, internet search or even just search on google, the first result isn't even google. What's up with that?
  • Would it be worth doing just for one day to see how we all cope, or is the prospect of thousands of teenagers hanging themselves because they can't milk their cows in Farmville too much to deal with?

  • by Anonymous Coward

    BGP updated between routers are sent with different QoS marking than normal traffic. So even on fully utilized links BGP updates will have priority and will be exchanged between routers.

    • by skids (119237)

      That's the solution. The problem is it isn't quite true. Lots of routers are not properly configured for QoS, and the authors note (now that I can actually read the paper) that some "high end" routers are even sold without the computational facilities to classify ingress traffic by QoS markings at line rate. Neither of which surprises me, which is why I always recommend overbuying for your link speed (buy a router that can take an interface faster than the one you intend to use, or at least twice as many

  • by nitsew (991812)
    L0pht phoned from 1998, they want their story back.

    http://www.schneier.com/essay-003.html [schneier.com]
  • Don't Panic! (Score:5, Interesting)

    by Fzz (153115) on Monday February 14, 2011 @10:52AM (#35199706)
    I was quoted briefly in the New Scientist article. Here's the longer version of what I said to the reporter.

    I've taken a quick look at this paper, and at the paper describing the actual attack on BGP sessions that this paper depends on (Zhang, Mao and Wang, 2007 (reference 74 in the paper).

    For many years a number of us have speculated that it might be possible to bring down large parts of the Internet by inducing sufficient churn in BGP routing. In principle, it seems it might be possible, but doing it in practice is very different. The closest we've seen in the real world was Jan 25th 2003, when the SQL Slammer worm spread worldwide in a matter on minutes. It affected about 75,000 computers, and then each constantly tried to infect more victims. This causes widespread congestion, and the worldwide BGP routing table decreased in size from about 127,000 routes to 123,000. Some of this was probably due to congestion disrupting routing sessions, and some might have been due to people deliberately disconnecting to avoid further damage. In any event, the Internet backbone survived the event unscathed, but quite a few edge sites fell off the Internet.

    The attack described in the paper supposes a larger number of compromised computers (250,000), but the Internet has got bigger and routers have got faster since 2003, so likely the relative traffic levels would be similar. The attack also proposes using the targetted attack described in Zhang, Mao and Wang, and targetting specific links to create maximum effect. So it's reasonable to suppose that if such an attack were successful, the impact would be greater than the Slammer event.

    So, there are two questions:

    • 1. could you disrupt routing associations in the way described.
    • 2. if you could, would the effects be as described in the paper.

    In answer to 1: Zhang, Mao and Wang describe in their paper how to defend against such attacks - by simply enabling prioritization of routing traffic - something that is possible on most commercial routers. If ISPs do this, then it seems that the attack in the paper would be thwarted. I don't know how many ISPs do enable this, but if such an attack were seen in the wild, I'm certain most of them would.

    On 2: even if you could disrupt routing associations as described, I doubt the Internet would behave as described. The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale. But in hiding all the internal topology of ISP networks, they also hide bottlenecks that would make the attack less effective. And the way they model routers queuing routes internally is simply wrong - no router has a large enough queue size to delay processing by 100 minutes, as described in the paper. As a result I have no confidence in the predictions of how the global routing system responds to this attack.

    To be clear: nobody knows if it's possible to bring down the global Internet routing system. The attack in the paper probably could cause significant disruption, at least until ISPs reconfigured their routers. But I doubt the attack would be successful in the way described in the paper.

    • I'll ask you since you're only of only a few people posting real info. Maybe the attack could be thwarted, but would someone get a nasty bill for damages? an acquaintance told me that they were afraid to host their small web service because someone DDOSed an entire data center, who promptly passed the blame for damages incurred. So forget the big sites, do we have an answer to random DDOS attacks all over the net, jsay 3 steps below the BGP level?

  • I mean, how long before some mafia or internet retard decides to launch a DDOS on BGP network routers and then demand $5 million in ransom paid to an off-shore account in the Caribbean. Wait a minute...
  • http://www.theonion.com/video/breaking-news-all-online-data-lost-after-internet,14148/ [theonion.com]

    "An emergency meeting of Internet power players has been arranged. The group includes Steve Jobs, Bill Gates, and Craig of Craigslist."

  • have conjectured for quite some time as to the brevity of this issue, only now have we seen the issue successfully coupled with a graduate students attempt to secure gainful employment after his inevitable entry into real society.

    observing scientists have calculated this graduate students chances of employment were, until this papers introduction, low enough to ensure he spend the rest of his adult life in his parents basement working on mechanical turk projects and azeroth raids. Only now have scientists
  • It's actually terrifyingly simple to break the internet, but please don't try it, even for a joke: http://www.youtube.com/watch?v=wrQUWUfmR_I [youtube.com]
  • by Yvanhoe (564877) on Monday February 14, 2011 @11:32AM (#35200172) Journal
    You can stop reading at "cyberweapon". Interestingly, the author onhis webpage mentions that he is a victim of this : http://www.phdcomics.com/comics.php?f=1174 [phdcomics.com]

    The paper making this madness appear on the news is apparently this one : http://www-users.cs.umn.edu/~schuch/papers/lci-ndss.pdf [umn.edu]

    It describes an attack on BGP routers. From its abstract (that could be the f***ing summary of an article of a "news for nerds" website) :

    Through simulations we show that botnets on the order of 250, 000 nodes can increase process- ing delays from orders of microseconds to orders of hours.

    But also what sensationalist newspaper will NEVER publish short of death threaths :

    We also propose and validate a defense against CXPST. Through simulation we demonstrate that current defenses are insufficient to stop CXPST. We propose an alternative, low cost, defense that is successful against CXPST, even if only the top 10% of Autonomous Systems by degree deploy it. Additionally, we consider more long term defenses that stop not only CXPST, but similar attacks as well.

  • He knows how to do it.
  • I gather that while one individual router is taken down by an ordinary DDoS (which is difficult to fend off), the global cascade effect results from BGP traffic generated by the attacked router. If the router just waited a while before announcing itself after reconnecting, it would strain the surrounding routers a lot less.
    The neighboring routers could do the same - simply wait before propagating any changes, and suddenly out of a hundred BGP updates per minute coming in from the affected link, only a single one is passed on.

    The infrastructure would be somewhat slower to respond to sudden changes, but those aren't supposed to happen regularly anyway.

  • "We know that a country, like Egypt, can shut down a country's entire Internet access."

    You mean a country like United States of America. Thanks hypocrite Obama. You decry the squelching of free speech in Egypt, and then push forward with the same Internet kill switch measure here.

  • by kheldan (1460303) on Monday February 14, 2011 @12:18PM (#35200678) Journal
    From TFA:

    So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.

    ..unless, of course, the would-be attacker is some malevolent government. I don't think I need mention any names here, except that at least one of them starts with a 'C'.

    • by mcrbids (148650)

      .. and has the last 5 letters of "China" ?

    • North Corea?

  • Hate to break it to you. Your likely to see better results attacking the worlds root name servers. BGP implementations for all their faults do have countermeasures against propogation of frequent state changes as if they even need them. I don't know how many zombies you need to successfully attack a single ordinary 10GB link.. Just setting a basic CIR or priority queue for BGP sessions would prevent the success of any such attack. If you want to slow down the Internet why not just have your botnet army
  • Isn't this exactly what route flap damping (RFC 2439) that is used on most BGProuters today is made to prevent? Wouldn't the routers just class the link as "flapping" and ignore updates for it for a while?
  • perhaps 4 or 5 years ago, some wacks unknown DDoSed the top level DNS routers. iirc they managed to submerge 5 or 6 of the dozen. any poor ISP types who compensate for short memory and long router uptime by clearing cache had a most unpleasant day on the phone. lots of folks had inconsistent connectability.

    it stabilized as the DNS masters did some domain blocking. with much wider use of firewall appliances, it should be easier to recover in the future.

    and if the firewalling dynamically dumped offending

  • ...about 18-20 years ago, when the WorldWideWeb consisted of about 50 sites - all text based - and things were a LOT looser, some yutz screwed up his router config and set his public IP to 127.0.0.1. It didn't really "crash" the internet but there was this incredible sucking sound as all those packets tried to go home.

    Then there was the backhoe operator a couple of years later who was working near a railroad right of way and dug up a fiber bundle belonging to one of the major carriers of the time (MCI IIRC

  • by Greyfox (87712) on Monday February 14, 2011 @04:10PM (#35203144) Homepage Journal
    Mr. Morris did that back in the 80's for a few hours. I was in a computer lab at college when a couple of the lab operators noticed that the Internet was going down. With a stupid little UNIX worm no less! You kids with your new-fangled routing protocols need to get off my lawn!
  • by Mordant (138460) on Tuesday February 15, 2011 @12:36AM (#35206834)

    -----

    1. There are three generally agreed-upon planes, not two - control, management, and data.

    2. The described methodology isn't novel. Observing the effects of attacks is something attackers do routinely, as is attack selectivity in order to garner maximum impact. This goes back a couple of decades with regards to DDoS attacks in particular.

    3. Routers will continue to forward and process priority 6/7 traffic - i.e., control-plane traffic like BGP - whilst dropping enough data-plane traffic to ensure sufficient link bandwidth & RP/LC CPU overhead to keep routing sessions up and process routing updates. This undercuts the central thesis of the paper.

    4. Re-marking all priority 6/7 traffic at the edge is a best current practice (BCP) for network operators; this prevents attackers from sending floods of priority 6/7 traffic in order to force punts.

    5. iACLs and GTSM, two more BCPs, protect BGP sessions against direct attack via SYN-flooding, et. al.

    6. Control-plane policing (CoPP) is yet another BCP which indirectly limits the number of updates/sec via rate-limiting control-plane traffic exchanged between routers.

    So, the assertions of novelty in the paper aren't really justified, nor are all the assumptions and assertions regarding the way routers work and the way they handle control-plane traffic. Also, standard BCPs to protect control-plane traffic aren't taken into account. Nor are routine defensive BCPs discussed and taken into account.

    Finally, there are other mechanisms which are considerably more effective in disrupting control-plane communication due to high RP CPU which aren't touched upon in the paper, nor are they cited in references. Though there are defenses against those attack mechanisms, as well, they aren't as well-known.

    It's generally a good idea for researchers to consult with members of the global operational security (opsec) community while looking for topics and methodologies which are truly unique. This saves a lot of time and effort in duplicating existing work and going down paths which don't lead to truly novel research and results.

    It's also a good idea for researchers investigating routing resilience to launch real attacks (in a lab environment) on real routers, rather than just theorizing and simulating, in order to gain an understanding of how they actually behave under attack, and how the various BCPs and other defensive mechanisms come into play.

    This .pdf presentation [me.com] may be of interest, as well.

Hackers of the world, unite!

Working...