How to crash the Internet

Summary: The Internet was designed to survive a nuclear war, but researchers claim they've found a way to take down the Internet.

We know you can take down Web sites with Distributed Denial of Service (DDoS) attacks. We know that a country, like Egypt, can knock down a country's entire Internet infrastructure. And, we thought we knew that you couldn't take down the entire Internet. It turns out we could be wrong.

In a report from New Scientist, Max Schuchard, a computer science graduate student, and his buddies claim they've found a way to launch DDoS attacks on Border Gateway Protocol (BGP) network routers that could crash the Internet.

BGP is an essential Internet protocol. It's the routing protocol used to exchange routing information across the Internet. Without it, ISPs couldn't connect to each other and you couldn't connect to Web sites and services outside of your local intranet. Because network connections and routers are constantly changing, BGP routers and switches are constantly working to keep current route maps of the Internet. In short, you don't want to mess with it.

In an Association for Computing Machinery (ACM) paper, Losing control of the Internet: using the data plane to attack the control plane, Schuchard describes the theoretical assault as "the Coordinated Cross Plane Session Termination, or CXPST, attack, a distributed denial of service attack that attacks the control plane of the Internet. CXPST extends previous work that demonstrates a vulnerability in routers that allows an adversary to disconnect a pair of routers using only data plane traffic. By carefully choosing BGP sessions to terminate, CXPST generates a surge of BGP updates that are seen by nearly all core routers on the Internet. This surge of updates surpasses the computational capacity of affected routers, crippling their ability to make routing decisions."

Here's how it would work. The CXPST attack would use approximately 250,000 PCs in a botnet to launch the attack. Does that sound like an unreasonably large number of computers to you? It shouldn't. Thanks to Windows' built-in insecurity, it's easy to create huge Windows botnets. We know for a fact that the Mariposa botnet alone was made up of 12.7 million Windows PCs. The 250,000 PCs that a CXPST-style attack would require is nothing in botnet terms.

Once a CXPST botnet was set up, it would use what Schuchard calls ZMW, after its authors Zhang, Mao and Wang. This trio of researchers described their attack in the paper: A Low-Rate TCP-Targeted DoS Attack Disrupts Internet Routing (PDF Link).

They found that "BGP routing sessions on the current commercial routers are susceptible to such low-rate attacks launched remotely, leading to session resets and delayed routing convergence, seriously impacting routing stability and network reachability." They also discovered that "low-rate TCP attacks can severely degrade TCP throughput by sending pulses of traffic leading to repeated TCP retransmission timeout." So far, this was just a new, but rather ordinary, DDoS technique.

The researchers also found though that "Aside from the potential impact is whether such attacks are powerful enough to reset BGP's routing session as a result of a sufficiently large number of consecutive packet drops. If the session is reset, it can have serious impact on the Internet in the form of routing instability, unreachable destinations, and traffic performance degradation." OK, now we were officially into "this is bad news" territory. Such an attack would be hard to spot, and it could easily knock out a corporate, school, or even a national intranet.

Breaking the Internet

Schuchard and company pointed out that with a botnet though you can take ZMW to the next level of nasty. First, the botnet would analyze the current state of BGP connections using traceroute. This is a common computer network tool that's used for measuring routes and transit times of packets across the Internet as traffic hops from one router to another. Then, armed with this information, the botnet would simultaneously launch ZMW attacks against critical BGP routers.

This would cause what's known in network circles as route flapping. BGP routers have several self-defense mechanisms against route flapping, such as BGP Graceful Restart and Minimum Route Advertisement Intervals. Using them, though, has the effect of taking the BGP router briefly offline. The CXPST attack is designed to recognize when a BGP router is resetting and move on to attack other BGP routers. By the time the first BGP routers are back, others are going down, and the attack ends up crashing BGP routes faster than they can automatically reset themselves.

What all this means, if Schuchard and company's calculations are correct, is that "in the case of the 250,000-node botnet, the median load on nearly half of the core routers increased by a factor of 20 or more. ... This increased median load shows that routers will not have a chance to recover from the previous bursts of updates."
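The signature the paper describes, a surge of BGP updates on a large share of core routers together with near-simultaneous session resets, is something an operator can watch for. The following detector is an added example, not code from the article or the paper; the log format it parses is a constructed convention, and the 20x and "half of the routers" thresholds are taken from the figures quoted above.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format (constructed for this example, not a vendor format):
#   "<second> <router> updates <count>"   BGP UPDATEs received in that second
#   "<second> <router> reset <neighbor>"  BGP session to <neighbor> went down
LINE = re.compile(r"^(?P<t>\d+) (?P<router>\S+) (?P<kind>updates|reset) (?P<val>\S+)$")

def make_sample_log():
    """Constructed excerpt: 3 core routers, quiet for seconds 0-2, then a surge."""
    updates = {"core1": [10, 12, 11, 240, 260, 250],
               "core2": [14, 13, 15, 300, 280, 290],
               "core3": [9, 10, 9, 30, 36, 40]}
    lines = [f"{t} {r} updates {n}" for r, xs in updates.items() for t, n in enumerate(xs)]
    lines += ["3 core1 reset 10.0.0.2", "3 core2 reset 10.0.0.1",
              "3 core3 reset 10.0.0.9", "4 core1 reset 10.0.0.5"]
    return "\n".join(lines)

def parse_log(text):
    """Return (t, router, kind, val) tuples, silently skipping unparsable lines."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m["t"]), m["router"], m["kind"], m["val"]))
    return out

def load_ratios(events, baseline_end):
    """Median UPDATE load per router at or after baseline_end over the median before it."""
    base, recent = defaultdict(list), defaultdict(list)
    for t, router, kind, val in events:
        if kind == "updates":
            (base if t < baseline_end else recent)[router].append(int(val))
    return {r: median(recent[r]) / median(base[r]) for r in recent if base.get(r)}

def coordinated_resets(events, window=2):
    """Largest set of routers whose sessions dropped within `window` seconds of each other."""
    resets = sorted((t, r) for t, r, kind, _ in events if kind == "reset")
    best = set()
    for i, (t0, _) in enumerate(resets):
        group = {r for t, r in resets[i:] if t - t0 < window}
        best = group if len(group) > len(best) else best
    return best

def cxpst_alert(events, baseline_end, factor=20, min_fraction=0.5):
    """True when >= min_fraction of routers see a >= factor load surge and
    several routers reset their sessions at nearly the same time."""
    ratios = load_ratios(events, baseline_end)
    surged = [r for r, x in ratios.items() if x >= factor]
    widespread = bool(surged) and len(surged) / len(ratios) >= min_fraction
    return widespread and len(coordinated_resets(events)) >= 2
```

A single router's load jumping is ordinary churn; the alert fires only when the jump is widespread and coincides with resets on several routers, which is what distinguishes the coordinated attack from a normal flap.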

In other words, the Internet, yes pretty much all of it, falls down and goes boom.

So, how would you fix it? It's not like you can just reboot it. Actually, that's pretty much exactly what you'd need to do. Schuchard told New Scientist, "Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other." Every BGP router would need to be rebooted manually.

Ordinary botnet owners would never launch such an attack. They're making far too much money from spam and reaping malware's credit-card number fruits to want to kill the Internet. It is conceivable though that a rogue nation could attempt to wreck the Internet in a cyberwar.

In the long run, a CXPST attack would be stopped, but for a few hours to a day or two the Internet could conceivably be knocked out.

There are ways to defend against such an attack. Some, such as SAP (Shrew Attack Protection) (PDF Link), are designed to put an end to the low-rate TCP attack method itself. Schuchard has proposed that changes be made to BGP itself, or to how BGP is managed, to make it more robust. The bad news is that none of these methods are widely implemented today. So, yes, today we do face the real possibility of the entire Internet crashing. Wonderful news, eh?

Talkback

64 comments
  • The authors ignore one problem.

    When the routers cannot route traffic, they also cannot route the packets that implement the attack.
    Anne Nonymous
    • RE: How to crash the Internet

      ...
      mike2k
    • RE: How to crash the Internet

      @Anne Nonymous When the net is no longer routing traffic, I think we can safely say that the attack has accomplished its mission.

      Steven
      sjvn
    • Re: Routing and BotNets

      @Anne Nonymous
      Um - if you're able to manage 250K machines at a whim, I am pretty sure you can *plan* which part of the fabric you attack, and when. Make a list of targets, once it's unavailable, move to the next in the list. Check back every once in a while to the top of the list, if it's awake, start over at the top.
      briank@...
    • Authors ignore more than one problem

      Which is the problem when you get a bunch of academics together....

      You could most assuredly knock a router offline, but not crash it. Between rate limiting and preferential routes in BGP, the attacks could play some havoc, but this scenario doesn't pass the smell test.

      Besides, try to do a trace lately? Since it's based on ICMP and older DDOS are also ICMP based, many routers now ignore this traffic. So much for the "traceroute" analysis.

      Look, you can easily knock my edge routers off the internet, but you can't crash them. They're hardened, as most routers are these days are.

      Interesting idea though.
      Takalok
  • Windows insecurity?

    You're a legend in your own mind right?

    Now we get trolls actually doing the blog.

    Windows insecurity as compared to what? Linking to your own previous blogs doesn't count I'm afraid.
    tonymcs@...
    • agree

      @tonymcs@...
      FADS_z
    • RE: How to crash the Internet

      @tonymcs@...

      I agree. The fact is that Windows is no more 'insecure' than OSX or Linux are, when it comes down to brass tacks.

      The real issue is that this idiot assumes that Windows is insecure if you can run ANY code whatsoever on the machine.

      He shouldn't even be a ZDNet blogger or paid analyst, he is too hung up on the deficiencies of Windows (yes, it has them... especially Windows XP!) and not looking at the deficiencies of other operating systems.
      Lerianis10
      • Exactly

        @Lerianis10

        Windows is insecure but it isn't the only OS that is easily hacked.

        http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html

        Charlie Miller's own words referring to Macs:

        "I like them and they also happen to be pretty easy to break!"

        Three years in a row of breaking Macs in the Pwn2own contest.

        Seems like OSX is just as insecure by design.
        dragosani
      • ...Said as you use AV.

        @Lerianis10 ---> Why is it so difficult to ask yourself?

        If you have to use AV on your "Secure" system, it is NOT secure.

        I've never used AV and I am secure, where's the problem?

        Run your system every day for 8 years without AV.
        Joe.Smetona
      • RE: How to crash the Internet

        @Lerianis10 Windows comprises the botnets. The article is about how a botnet could take down the internet. It's not about the insecurities in other operating systems. Why do they need to mention other operating systems if they have nothing to do with that? I guess to not hurt the feelings of windows and their astroturfers.
        Brian David
      • RE: How to crash the Internet

        @Lerianis10
        The real issue is that this entire thread is about one, single line, written by the author.

        Get over your Windows love and realize that's not what this is about. He mentioned one line, with an article to back it up, and that makes him hung up? I've seen your name on more Linux articles than I care to count. In all of them, you're attempting to bash Linux or praising Windows. He's not hung up on anything, you are.
        tmsbrdrs
    • RE: How to crash the Internet

      @tonymcs@...
      Tony, when dealing with any M$ bias simply point out the overwhelming target share. Any MAC cheerleader is far more familiar and capable of wielding their bitterness than you will ever be. As I mentioned in another comment botnets generally target Windows because it's the majority of what's connected to the internet... I've seen a good share of *nix zombies - aaaaaand the first case of international espionage involved a GNU EMACs vulnerability. Generally it takes longer to convince a non Windows user they have a problem than it does to fix it...
      ITSamurai
    • Some truth to it, with qualification.

      @tonymcs@...

      The issue addressed (but inaccurately explained) in the links is the level of system access allowed for applications in the Win32 APIs up to and including XP. It was, frankly, a horrendous design decision to allow software to run as administrator by default just like in the DOS days. The same article gives short shrift to the significance of UAC, i.e. restricting system access for user space processes per TCI standards. But acknowledging the significance of changes in Windows security since Vista would make Windows bashing much less fun.
      Lester Young
    • Right, there's no problem

      Steven writes:
      "Thanks to Windows' built-in insecurity, its easy to create huge Windows botnets."

      How could anyone disagree with the comment? Millions of infected windows computers is his evidence.

      The statement doesn't mean other desktops are perfect. Mac OS X security could be much improved for example. However denying windows desktops are the backbone of today's botnet is delusional (hmmm tonymcs).
      Richard Flude
  • Steve, how about a picture?

    Maybe that will help the ne'er-do-wells who are taking notes, yes? :/
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • Sometimes I wish we could rate posts

      @Dietrich T. Schmitz, Your Linux Advocate

      This is a great one.
      LiquidLearner
  • RE: How to crash the Internet

    I think if this research is true, unless the antidote has been created why has this research been made public ... sounds extremely weird that fear driven governments have allowed this research to come out....
    Infiniteeee
  • Tell the whole story please Steve

    From the New Scientist Article you linked to:

    "Nobody knows if it's possible to bring down the global internet routing system," says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause "significant disruption" to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.

    "The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale," he explains. "I doubt the internet would behave as described."
    AndyPagin
    • RE: How to crash the Internet

      @AndyPagin The question is why he said "I doubt the internet would behave as described" or "it is unlikely to bring the whole thing down". That may be true, but it sounds like Handley is saying something like "Well, you may be right, but just to be on the safe side I won't say that your conclusions are correct". It could have been more useful to know which of the simplifying assumptions make the conclusion invalid (not worthless, just invalid).
      nomorebs