Security Experts:

Attacking the Internet's Core

While the Internet has no Center, Some Pieces of Infrastructure are More Important to Smooth Global Functioning Than Others.

There's a commonly held belief that the Internet's predecessor — ARPANET — was originally designed, during the Cold War, to withstand a nuclear attack. While apocryphal, the story illustrates a design goal that has proven invaluable to this day. The Internet is heavily resilient to damage. Due to its decentralized topology, the loss of individual networks, even core pieces of infrastructure, should not bring down the Internet as a whole. Attacks may cause some users to lose connectivity or disrupt the path between two sets of users, but, on the whole, the network survives.

Attacking Internet's CoreBut what if there were a way to "kill" the Internet, even temporarily? While the network has no center, some pieces of infrastructure are more important to smooth global functioning than others. The links running into Google's data centers are more important than your home cable modem; the Internet's core utilities, such as Domain Name System root servers and core routers, are more critical still. Over the last decade, we've seen a number of major distributed denial-of-service (DDoS) attacks against the DNS root – a potential Internet choke point – as an example of attempts to disrupt the global flow of IP traffic. And every couple of years, a new vulnerability is found in a core Internet protocol, or piece of ubiquitously deployed router firmware, which reminds us how vulnerable the network can be.

Recently, a new such attack was devised. Security researchers from the University of Minnesota came up with what they called Coordinated Cross Plane Session Termination (CXPST), a form of DDoS attack designed to cause wide-scale disruption to Internet traffic. CXPST targets core routers, which are the main super-high-end devices responsible for pumping data around the Internet. Building upon earlier findings, the researchers designed an attack that could be classified as an "Internet Killer" using a botnet of only 250,000 nodes and overcoming traditional defenses. While the attack was successfully simulated in the lab, the fact that you are able to read these words online today suggests that it has yet to be seen in the wild.

Because it’s a network of networks, the Internet is resilient to damage. In networking terms, each independently operated network is known as an Autonomous System. Where two or more Autonomous Systems meet to exchange traffic, powerful core routers use a method known as BGP, for Border Gateway Protocol, to determine the best route to forward data packets they receive. A phenomenon known as BGP "flapping" occurs when poor configuration mean routes alternate between availability and unavailability in BGP tables. What the Minnesota researchers claim to have discovered is a way to carefully time and target attacks precisely to induce massive-scale route flapping, overloading routers' computational resources as tables are repeatedly recalculated and re-advertised, leading to a cascading failure that could render most of the Internet's traffic unrouteable.

This is difficult to accomplish for several reasons. First, the attack can only be executed by a sizable botnet, and the typical bot – such as a compromised Windows PC – does not speak BGP. The CXPST attack relies entirely on the Internet's "data plane" used in normal everyday Internet usage, not the "control plane" that is used behind the scenes by core routers to talk to each other and keep the Internet ticking. In fact, the title of the paper by the Minnesota researchers is, "Losing Control of the Internet: Using the Data Plane to Attack the Control Plane." The researchers met this crossover challenge simply by using a previously published attack method that can be used to tear down individual BGP sessions between routers.

The new research is novel in how the attack is managed to cause maximum destruction. If an attacker is trying to take down the Internet, using the Internet to do so, he needs to make sure he doesn't sever the links between his bots and his targets before he's accomplished his mission. And because the CXPST attack actively changes the routing topography of the Internet — by tearing down BGP links — attackers need to adjust their attack patterns to route around the damage they cause. They also need to avoid accidentally crashing intermediate routers before hitting their intended targets. The CXPST method therefore requires the botnet to conduct a type of reconnaissance, using a custom algorithm, to draw a rudimentary "map" of the Internet's key routes, before the first attack packets are even fired.

Running a simulated attack, the researchers found they could "cause significant disruption to the core Internet infrastructure, potentially disabling the entire network," requiring no more than 250,000 bots, which is small change compared to some of the botnets that have been discovered in recent years. Core routes could be kept offline for hours or longer. They offer some short-term workarounds for the CXPST attack, but concluded that "long-term architectural changes," namely the decoupling of the data and control planes through fundamental changes to the core router hardware infrastructure, would be the best way to ensure this kind of attack fails.

So does this spell doom for the Internet? Probably not. It's still a largely theoretical threat, and there is also the question of potential attackers: who would do such a thing? While botnets of the required size can be fairly cheaply obtained, the attack itself is beyond the sophistication of the average script-using “angry teenager.” The researchers who devised the attack did not publish code that could be used by such villains. Any well-financed cyber-criminal enterprise is primarily concerned with stealing money one way or another, and therefore has a vested interest in having the Internet function as normal.

Such an attack launched by a state would probably be considered "cyber war" and would be self-defeating in economic terms.

Meltdowns require the confluence of extraordinary events. The Internet’s core is still solid, and is likely to remain so for a long time to come. Vigilance and innovation are necessary to ensure it maintains its integrity in the face of new and varied threats.

Related Reading: Routing on the Internet: A Disaster Waiting to Happen?

Related Reading: Do Recent BGP Anomalies Shed a Light on What's to Come?

Related Reading: Trouble Ahead - The Implementation Challenges for DNSSEC

Related Reading: Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

view counter
Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.