North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Network operation security forums

  • From: Iljitsch van Beijnum
  • Date: Tue Nov 13 05:48:42 2001

On Mon, 12 Nov 2001, Sean Donelan wrote:

> The public discussions I know about have focused on "popular"
> subjects such as root servers, ddos, viruses.  While interesting,
> and challanging topics, are they really the biggest security
> problems facing Internet operators?  I don't think so.  But
> that's just my opinion.

> What are the biggest security risks Internet operaters need to
> manage?

> I'm concerned about route integrity, multi-provider facility risks,
> and multi-provider restoration deadlock.  Why do I worry about them,
> because they are risks no single provider can manage alone.

These are by no means trivial concerns, but if we want to look at
intentional disruption of a large portion of the internet I think we have
to look elsewhere. By its nature the internet is very distributed so
taking out a single location won't do all that much damage to the whole.
Also, if a really big network starts to intentionally disrupt BGP
stability, it is only a matter of hours (hopefully) or days
(realistically) before this network is isolated and the problem is
contained.

A physical attack on the root nameservers would probably be very effective
for a short time: without root servers pretty much nothing works anymore.
But a physical attack on 13 facilities on 4 coasts of 3 continents isn't
easy and as long as not all master databases and all recent copies of the
tld zone files are destroyed, root service would probably be repaired in
no more than a couple of days.

I think a physical attack on the major fiber bundles between the US coasts
would disrupt both the internet and many other services very effectively.
Obviously it won't be possible to take out every single fiber, but
experience shows there are places where huge amounts of bandwidth are
present in the same ditch and they run through large uninhabited
(unsupervised) areas such as mountains and deserts. If the five most
important of those paths are out of service, I'm pretty sure the remaining
paths can't handle the extra bandwidth. The northern paths are especially
vulnerable in the winter because snow and ice make it very hard to repair
the fibers. There are also other possibilities to prohibit repair.

As for attacks over the network itself: the Nimda worm already had an
impact on BGP stability (http://www.renesys.com/projects/bgp_instability/),
without even trying. I'm hesitant to discuss particulars here, but try to
imagine a worm with some knowledge of routing infrastructure
vulnerabilities.