We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a country, like Egypt, can knock down its own entire Internet infrastructure. And we thought we knew that you couldn't take down the entire Internet. It turns out we could be wrong.
In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet.
BGP is an essential Internet protocol. It's the routing protocol used to exchange routing information across the Internet. Without it, ISPs couldn't connect to each other and you couldn't connect to Web sites and services outside of your local intranet. Because network connections and routers are constantly changing, BGP routers and switches are constantly working to keep current route maps of the Internet. In short, you don't want to mess with it.
In an Association for Computing Machinery (ACM) paper, "Losing control of the Internet: using the data plane to attack the control plane," Schuchard describes the theoretical assault as "the Coordinated Cross Plane Session Termination, or CXPST, attack, a distributed denial of service attack that attacks the control plane of the Internet. CXPST extends previous work that demonstrates a vulnerability in routers that allows an adversary to disconnect a pair of routers using only data plane traffic. By carefully choosing BGP sessions to terminate, CXPST generates a surge of BGP updates that are seen by nearly all core routers on the Internet. This surge of updates surpasses the computational capacity of affected routers, crippling their ability to make routing decisions."
Here's how it would work. The CXPST attack would use approximately 250,000 PCs in a botnet to launch the attack. Does that sound like an unreasonably large number of computers to you? It shouldn't. Thanks to Windows' built-in insecurity, it's easy to create huge Windows botnets. We know for a fact that the Mariposa botnet alone was made up of 12.7 million Windows PCs. The 250,000 PCs that a CXPST-style attack would require is nothing in botnet terms.
Once a CXPST botnet was set up, it would use what Schuchard calls ZMW, after its authors, Zhang, Mao and Wang. This trio of researchers described their attack in the paper "A Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing."
They found that "BGP routing sessions on the current commercial routers are susceptible to such low-rate attacks launched remotely, leading to session resets and delayed routing convergence, seriously impacting routing stability and network reachability." They also discovered that "low-rate TCP attacks can severely degrade TCP throughput by sending pulses of traffic leading to repeated TCP retransmission timeout." So far, this was just a new, but rather ordinary, DDoS technique.
The researchers also found, though, that "Aside from the potential impact is whether such attacks are powerful enough to reset BGP's routing session as a result of a sufficiently large number of consecutive packet drops. If the session is reset, it can have serious impact on the Internet in the form of routing instability, unreachable destinations, and traffic performance degradation." OK, now we were officially into "this is bad news" territory. Such an attack would be hard to spot and it could easily knock out a corporate, school, or even a national intranet.
Breaking the Internet
Schuchard and company pointed out that with a botnet, though, you can take ZMW to the next level of nasty. First, the botnet would analyze the current state of BGP connections using traceroute. This is a common computer network tool that's used for measuring routes and transit times of packets across the Internet as traffic hops from one router to another. Then, armed with this information, the botnet would simultaneously launch ZMW attacks against critical BGP routers.
This would cause what's known in network circles as route flapping. BGP routers have several self-defense mechanisms against route flapping, such as BGP Graceful Restart and Minimum Route Advertisement Intervals. Using them, though, has the effect of taking the BGP router briefly off-line. The CXPST attack is designed to recognize when a BGP router is resetting and move on to attack other BGP routers. By the time the first BGP routers are back, others are going down, and the attack ends up crashing BGP routes faster than they can automatically reset themselves.
What all this means, if Schuchard and company's calculations are correct, is that "in the case of the 250,000-node botnet, the median load on nearly half of the core routers increased by a factor of 20 or more. ... This increased median load shows that routers will not have a chance to recover from the previous bursts of updates."
In other words, the Internet, yes pretty much all of it, falls down and goes boom.
So, how would you fix it? It's not like you can just reboot it. Actually, that's pretty much exactly what you'd need to do. Schuchard told New Scientist, "Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other." Every BGP router would need to be re-booted manually.
Ordinary botnet owners would never launch such an attack. They're making far too much money from spam and reaping malware's credit-card number fruits to want to kill the Internet. It is conceivable, though, that a rogue nation could attempt to wreck the Internet in a cyberwar.
In the long run, a CXPST attack would be stopped, but for a few hours to a day or two the Internet could conceivably be knocked out.
There are ways to defend against such an attack. Some, such as SAP (Shrew Attack Protection), are designed to put an end to the low-rate TCP attack method itself. Schuchard has proposed that there be changes made to BGP itself or how BGP is managed to make it more robust. The bad news is that none of these methods are widely implemented today. So, yes, today we do face the real possibility of the entire Internet crashing. Wonderful news, eh?
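On the monitoring side, the pattern described under "Breaking the Internet" (sessions to several BGP peers resetting again and again as each one recovers) is something an operator can look for in session logs. The sketch below is an added example, not code from the papers or from any router vendor; the log format, the function names and the thresholds are assumptions, and it assumes resets caused by dropped keepalives are logged as hold-timer expiries.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a made-up format (not any vendor's syslog).
SAMPLE_LOG = """\
2011-02-14T09:10:00 peer=192.0.2.33 event=session-down reason=hold-timer-expired
2011-02-14T10:00:05 peer=192.0.2.1 event=session-down reason=hold-timer-expired
2011-02-14T10:01:30 peer=198.51.100.7 event=session-down reason=hold-timer-expired
2011-02-14T10:02:00 peer=203.0.113.9 event=session-down reason=admin-shutdown
2011-02-14T10:02:10 peer=192.0.2.1 event=session-up
2011-02-14T10:03:20 peer=192.0.2.1 event=session-down reason=hold-timer-expired
2011-02-14T10:04:50 peer=198.51.100.7 event=session-down reason=hold-timer-expired
2011-02-14T10:05:00 peer=192.0.2.33 event=session-down reason=hold-timer-expired
2011-02-14T10:06:45 peer=192.0.2.1 event=session-down reason=hold-timer-expired
2011-02-14T10:08:10 peer=198.51.100.7 event=session-down reason=hold-timer-expired
"""

DOWN_RE = re.compile(r"^(\S+) peer=(\S+) event=session-down reason=(\S+)$")

def flapping_peers(log_text, window_s=600, min_resets=3):
    """Return {peer: most hold-timer resets seen inside any window_s-second span}."""
    recent = defaultdict(deque)   # per-peer timestamps still inside the window
    worst = {}
    for line in log_text.splitlines():
        m = DOWN_RE.match(line.strip())
        # Ignore session-up lines and operator-initiated resets.
        if not m or m.group(3) != "hold-timer-expired":
            continue
        ts, peer = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[peer]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop resets older than the window
        worst[peer] = max(worst.get(peer, 0), len(q))
    return {p: n for p, n in worst.items() if n >= min_resets}

def multi_peer_reset_alert(log_text, min_peers=2, window_s=600, min_resets=3):
    """True when at least min_peers peers each exceeded the reset threshold."""
    return len(flapping_peers(log_text, window_s, min_resets)) >= min_peers

if __name__ == "__main__":
    print(flapping_peers(SAMPLE_LOG), multi_peer_reset_alert(SAMPLE_LOG))
```

A single peer that resets twice an hour apart, or a session an operator shut down on purpose, stays below the threshold; only repeated hold-timer resets on several peers raise the alert.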