The Internet infrastructure has been having a bad month. Not as bad as, say, the world’s aviation infrastructure, but bad enough.
First, Chinese Internet censorship leaked out to a few massively unlucky users of the I root server. Then China Telecom failed to filter someone who leaked thousands of hijacked routes to other people’s networks through them, probably by accident.
At first, this irritated me. Journalists and bloggers and blogger-journalists are fanning the flames of US unease about the growing role of China in world affairs. But then I realized that I could probably make tens of thousands of people read my blog, too, by jumping on the bandwagon. By all means, then, grab an MRE and hunker down in your Internet bomb shelter while I try to answer some of the obvious questions that came our way in the wake of the Forbes article:
- How would anyone build a cybernuke? What is that?
- Could a single actor, state-sponsored or otherwise, actually take down the global or regional Internet infrastructure of 2010, disrupt financial markets, throw civilization into chaos?
- How do I get my cybernuke movie screenplay optioned by Jerry Bruckheimer? His people won’t return my calls.
What is a cybernuke?
Let’s start by distinguishing carefully between an attack designed to take a single organization off the Internet, and a cybernuke. The former takes place every day, and nobody is entirely immune. If you get the wrong kind of people angry, you can be thrown off the Internet in very short order, using unsubtle distributed denial of service attacks that you can readily rent for cash at the prevailing market rates. No controversy there.
We’re talking instead about designing a cybernuke: an infrastructure attack that would allow you to shut down (or centrally subvert, or control) a large part of the Internet, not a single organization. That’s a different class of beast.
There are three broad schools of thought here.
Option 1: Hijack Everything
This is the cybernuke that Forbes saw lurking in the dark shadows. Using the Border Gateway Protocol, inject just the right kinds of false traffic into the global routing network, so that all the packets go to the wrong places. Game over, man!
There are a few problems with this scenario. To make it work, you have to inject your false routes in such a way that a substantial part of the planet will hear them and believe them. Because of the way the BGP routing protocol works, that means that your ersatz paths to other people’s networks have to look more attractive than the real thing (meaning: short and direct, or more specific).
Many of the routes you’ll be attacking are already about as specific as they can get and still be globally propagated, so you have to compete on directness; for the rest, you’re going to have to advertise more than one more-specific network for every network you’re trying to attack (300,000 make up the whole Internet, more or less). That’s a lot of routes. If you’re injecting enough different paths to take down large swaths of the Internet, you’ll therefore need to enlist a partner who already advertises tens of thousands of routes, so that the massive increase in routes they propagate on your behalf won’t raise an eyebrow.
Together, those requirements mean that you almost certainly need to convince one of the dozen-or-so largest worldwide Internet carriers to act as your agent. Anyone smaller is too far from the Internet’s core, and since the average packet on the Internet only changes hands three or four times en route, even one extra handoff is going to make your fake routes look sleazy and unattractive.
Moreover, most of these carriers are very clueful about the possibility of being used as an unwitting agent of evil. They have procedures and filters and circuit-breakers in place to prevent exactly such an embarrassment. That doesn’t mean it can’t happen, although it happens more and more rarely as the years go by.
(It did just happen to China Telecom; however, because of the bad press it received, I would wager that this is the last time it will happen to China Telecom.)
Even if you manage to get your fifty thousand fake network routes announced by a major carrier, and the rest of the world believes them, and your routes are selected as “best” by some significant percentage of the Internet, will the world’s traffic actually be impacted? Not yet.
It’s almost certain that the immediate neighborhood of each victim network (all of their Internet service provider’s customers, and all of their providers’ customers, and so forth) will blithely ignore the cybernuke, and continue sending traffic to the correct destination, as usual. The parts of the Internet that are close to the attacker’s point of injection may change their mind, so the victims may well lose visibility to the attacker’s networks. Do you care? It becomes more of a local censorship issue, an attack on the attacker’s network, if you will, rather than a major irritation to the supposed victims.
The final indignity, of course, is that an attacker who deploys such a cybernuke will probably blow themselves off the Internet by accident. If you successfully manage to subvert BGP to publish a large number of attractive routes to places that matter, you will shortly be on the receiving end of many, many gigabits per second of traffic that are trying in vain to find their rightful home. This flood of misrouted traffic will crush your network, and your launching zone will disappear beneath the waves, like Atlantis. Look on my works, ye Mighty, and despair!
Option 2: Cut the Cord
I hope I’ve convinced you that option 1, while a perfectly plausible way of wreaking mysterious small-scale damage, isn’t going to move you down the road toward cyber-world domination.
Option 2 is physical damage to the infrastructure: classically, cutting the cables that hold the Internet together. There have actually been very decent studies of this recently, highlighting both the vulnerability of the infrastructure, and the frightening dependence of the world economy on good communications.
The hard part about this cybernuke option is that it’s precisely the scenario that the Internet has evolved to avoid. With every month that passes, the Internet becomes better and better connected to itself. Remember, the Internet consists of tens of thousands of independent infrastructure service providers and content delivery companies, all working to keep the traffic flowing to billions of paying customers.
When submarine cable cuts happen, as they have over and over in history, these providers take notice. New cables get laid and lit. New contracts get signed that create alternative paths for traffic to take. Companies that have a global footprint no longer trust the Internet to “just work” — they take provider diversity seriously as a core element of a due diligence strategy. They seek out providers who are well-connected and can speak the language of risk management.
There’s no doubt that physical damage at one of the Internet’s pinch points, whether that be in the Red Sea or in the Straits of Malacca or at one of a number of windowless buildings throughout the world, would cause some serious disruption. But our data and experience suggest that each cable cut causes less serious impact than comparable ones that preceded it. Human networks are more resistant to point-source damage than you’d think, and the Internet is a human network.
Option 3: Inject and Amplify
That leaves option 3, which is more of a “Cyber-Bioweapon” than a Cybernuke. The challenge would be to design an injectible routing message that would cause a large fraction of the world’s routing infrastructure to fail, while going unnoticed by the rest. The idea is to have the immune population propagate your attack to all the vulnerable machines, which fail and take down the Internet with them (at least until they can be individually patched, and brought back into service).
Who would think of such a thing? The scary part is that no one had to think of it — it has happened naturally more than once as a byproduct of the complexity of the Internet ecosystem. A design defect in one kind of router will create malformed routing traffic, which gets passed obliviously to the four corners of the earth, where vulnerable routers encounter the bad messages, and die noisy deaths. We’ve documented mild outbreaks of this sort before — three times just last year, in fact: in February and May and August 2009.
Unfortunately, unlike the previous two options, this one actually scares me. Known threats, like bogus routes that exploit trust relationships within the definition of the routing protocols, we can defend against. Point source damage to buildings and cables, we can defend against. But the Internet’s routing hardware and software diversity is actually pretty poor, compared to its topological richness.
Think of it this way: two hardware vendors (Cisco and Juniper) probably represent something like 60%+ of all the infrastructure routers in the world. Craft a vulnerability that passes one and crashes the other, and you could do some serious damage. The size and decentralization of the Internet work against us here: you can’t just go out and patch hundreds of thousands of routers on demand, even in the face of a material threat. Vulnerable machines will litter the ecosystem for months or years to come. The Internet can catch the same flu over and over.
The good news here, if there is any, is that stiff price competition, particularly in emerging markets, is driving a healthy trend toward hardware diversification: as recently as 2005, vendors C and J probably controlled more than 90% of the market, instead of 60%. Welcome to the neighborhood, Huawei!
Conclusion: Busted .. or Plausible?
As much as I’d like to say that the myth of the Cybernuke is busted .. option 3 gives me pause and makes me reluctantly conclude that it’s just barely Plausible (although not along the lines everyone expects, and not necessarily in a form that could be targeted at anyone smaller than The Whole Planet).
Just to get the last of the sensationalist metaphorical Bruckheimer-bait out of the way, what stands between us and the impact of an Internet Dinosaur-Killer? The same three advantages that have stood the Internet in good stead throughout its incredible 40-year evolution:
- Awareness of the dangers of centralized controls and hardware/software monocultures that can be exploited by bad guys
- Acceptance of the frustrations that come with decentralization and diversity, and a willingness to do whatever it takes to buy an acceptable level of redundancy for key services
- Communities like NANOG and RIPE and APRICOT and MENOG, where network operators reach rough consensus about the kinds of security and operational best practices that keep everything from blowing up. Have you thanked a network engineer today?
And Jerry, if you’re reading this: Call my people. Seriously. This cybernuke screenplay will be MONSTER BOX OFFICE.