Cyber Security Institute

Monday, April 18, 2005

How vulnerable is the ‘Net?

Security upgrades are ongoing, but some argue more needs to be done.  The unusual activity began two weeks before the attack.  Officials from the Cooperative Association for Internet Data Analysis (CAIDA), which had begun monitoring Internet nameserver behavior at the start of 2002, noticed varying levels of performance degradation in early October of that year.  Little did they realize that on Oct. 21 they would witness a flood of ICMP echo (ping) messages aimed at the Internet’s 13 DNS root nameservers, the most notorious denial-of-service attack on the Internet to date.

“It was an attempt to make a massive problem,” says KC Claffy, principal investigator at CAIDA.  “They certainly made a blip on a graph.”  But the Internet and its users got off easy.  The barrage lasted only an hour, and no end users were affected.  The attack did, however, serve as a wake-up call, as network operators and others have taken steps to better secure the Internet since then.

But some still question whether the Internet is susceptible to attack and needs more authoritative oversight.  “If somebody was to do a real concerted, knowledgeable attack, it wouldn’t be very difficult to have a catastrophic impact on a huge component of commerce,” says Larry Jarvis, vice president of network engineering at Fidelity Investments.  “It would be huge to the U.S. economy and to a lot of companies that now view the Internet as the equivalent to a dedicated circuit to all these entities.”

Clif Triplett, global technology information officer at General Motors, says he is worried mostly about router and host software bugs, as well as flooding attacks such as distributed DoS (DDoS) attacks bringing down the ‘Net.  “I’m highly concerned about it,” Triplett says.  “If that network is a core piece of your business, I think you’re at a risk.”

Two-thirds of the 1,300 “technology leaders, scholars and analysts” surveyed recently by the Pew Internet & American Life Project said they “expect a major attack on the Internet or the U.S. power grid within the next 10 years.”

The 13 DNS root servers sit at the top of Internet naming: they do not resolve names themselves, but tell recursive resolvers which servers are authoritative for each top-level domain.  If all of them were knocked out for long enough, lookups would start to fail as resolvers’ cached TLD referrals expired, and sites would become unreachable by name.  The servers repel distributed DoS attacks every day, operators say.

CAIDA research shows that up to 85% of the queries reaching the root servers are “bogus” or are repeats of the same query from the same host.
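To make that figure concrete, the following Python example (added here; it is not code from the article, CAIDA or any root operator) parses a constructed batch of DNS query packets the way a root-server monitor would and sorts them into buckets: queries repeated verbatim from one source, queries whose top label is not a delegated TLD, reverse lookups for RFC 1918 space that no root server can answer, and malformed packets.  The short `KNOWN_TLDS` list, the bucket names and the sample traffic are all assumptions for the example; a real monitor would load the root zone instead.

```python
import re
import struct
from collections import Counter

# Assumed for this example: a short list of delegated TLDs (a real monitor loads the root zone).
KNOWN_TLDS = {"com", "net", "org", "edu", "arpa", "uk", "de"}
# Reverse-lookup names for 10/8, 192.168/16 and 172.16/12 (RFC 1918); the root cannot answer these.
PRIVATE_PTR = re.compile(r"(?:^|\.)(10|168\.192|(?:1[6-9]|2\d|3[01])\.172)\.in-addr\.arpa$")


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal DNS query (12-byte header + one question) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_qname(msg, off):
    """Decode a domain name at offset `off`, following compression pointers safely.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops > 16:  # pointers must go backwards; this also stops loops
                raise ValueError("bad compression pointer")
            if not jumped:
                end = off + 2
            jumped, hops, off = True, hops + 1, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_query(pkt):
    """Parse the header and the single question of a DNS query; raise ValueError if malformed."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass}


def classify(q):
    """Bucket one parsed query. The buckets are this example's choice, not CAIDA's taxonomy."""
    if not q["qname"]:
        return "ok"  # a query for the root itself
    if q["qname"].split(".")[-1] not in KNOWN_TLDS:
        return "bogus-tld"
    if PRIVATE_PTR.search(q["qname"]):
        return "private-ptr"
    return "ok"


def analyze(traffic, repeat_threshold=3):
    """Count queries per bucket and report (src, qname, qtype) tuples seen >= repeat_threshold times."""
    buckets, seen = Counter(), Counter()
    for src, pkt in traffic:
        try:
            q = parse_query(pkt)
        except ValueError:
            buckets["malformed"] += 1
            continue
        buckets[classify(q)] += 1
        seen[(src, q["qname"], q["qtype"])] += 1
    repeated = {key: n for key, n in seen.items() if n >= repeat_threshold}
    return buckets, repeated


# Constructed sample traffic as (source address, raw packet); addresses are documentation ranges.
TRAFFIC = (
    [("198.51.100.7", build_query("www.example.com"))]
    + [("203.0.113.9", build_query("mail.example.org", qtype=15))] * 5  # same MX query, five times
    + [("192.0.2.44", build_query("printer.local"))]                    # TLD not delegated
    + [("192.0.2.44", build_query("1.2.0.10.in-addr.arpa", qtype=12))]  # RFC 1918 reverse lookup
    + [("192.0.2.44", b"\x12\x34\x01\x00\x00\x01")]                     # truncated packet
)

if __name__ == "__main__":
    buckets, repeated = analyze(TRAFFIC)
    print(dict(buckets))
    for (src, name, qtype), n in repeated.items():
        print(f"{src} repeated {name}/{qtype} {n} times")
```

The pointer handling in `parse_qname` matters more than it looks: a monitor that follows compression pointers without checking that they point backwards can be sent into an infinite loop by a single crafted packet, which is exactly the kind of host software bug the article's sources worry about.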

The system has been bolstered since the 2002 attack, with root servers now consisting of 50 to 100 physically distributed, highly redundant boxes in 80 locations across 34 countries.  In 2002, far fewer servers were located in 13 sites across four countries.  This level of distribution and redundancy makes a complete shutdown of the DNS system unlikely, says Paul Mockapetris, chairman and chief scientist of IP address management vendor Nominum and the inventor of DNS.

The physical servers use Anycast, a routing technique in which many geographically dispersed servers announce the same IP address, so that Internet routing delivers each resolver’s query to the nearest instance.  Load, including an attack flood, is thus spread across the instances by network topology rather than by any central balancer, and an overloaded site can withdraw its announcement without the address going dark.

“If I was going to try and arrange a DNS 9/11, it’s a very bad target to try and attack because it’s so distributed - you’d have to take [the servers] out everywhere,” Mockapetris says.  “If you took out one root server today, nobody would notice.”

But the more distributed a system is, the more difficult it is to defend, notes Stephen Cobb, an independent security consultant who was recently quoted in a Network World column stating a belief that the ‘Net can be brought down and kept down for 10 days or more.

“The reason it hasn’t gone down for days so far is that the people who know how to do it aren’t so inclined.”  However, the good guys are inclined to implement security best practices, like those outlined in an IETF informational document on root server operation called RFC 2870, says Jose Nazario, security researcher and senior software engineer at Arbor Networks, which makes products carriers use to protect their networks from cyberattacks.  Originally drafted in 2000, RFC 2870 has been extended over the past couple of years.

Cisco, the leading provider of Internet routers, regularly issues bug alerts.  And BGP, which distributes routing information between networks on the Internet, is susceptible to IP address spoofing: it runs over plain TCP, so a session that is not protected by the TCP MD5 signature option (RFC 2385) and strict peer filtering is exposed to spoofed packets.  “BGP peering has some security problems,” says Sam Hartman, area director for the IETF’s Security Area working group.

Posted on 04/18
Tags: Motor Industry, Warnings