Thursday, April 13, 2006

On the Insecurities of the Internet

Among the most popular stereotypes related to Cyberterrorism, is that of terrorists shutting down the Internet, or to put it in another way, denying access to the desperse and decentralized Internet infrastructure by attacking the Internet's root servers the way it happened back in 2002 -- knowing Slashdot's IP in such a situation will come as a handy nerd's habit for sure. Outages like these would eventually result in a butterfly effect, such as direct monetary losses and confidence in the today's E-commerce world.



In my previous "How to secure the Internet" I commented on the U.S's National Strategy to Security Cyberspace, moreover, I pointed out some issues to consider in respect to the monoculture that's affecting the entire population. While today's threatscape is constantly changing, it still points out key points points such as :



- Improve the Security and Resilience of Key Internet Protocols
"The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol."



In my previous "The current state of IP Spoofing" post, I mentioned that if you can spoof there's no accoutability, and you can even get DDoSed by gary7.nsa.gov. But until then we would have to live with the current situation, or keep building awareness on the issue of course.



- Secure the Domain Name System
"DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains."



During March, Randal Vaughn and Gadi Evron released a practical study entitled "DNS Amplification Attacks" pointing out that :



"Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks."



It feels like a deja vu moment compared to Mixter's release of his award-winning "Protecting against the unknown" research and the emergence of DDoS attacks(read the complete story, and keep in mind that it's wasn't iDefense, but PacketStormSecurity offering $10k rewards back in 2000). VeriSign indeed detailed massive denial-of service attack, and Slashdot also picked up the story. Most importantly, the event also attracted the U.S government's attention, but what you should also keep in mind is that :



"In order to create an 8Gbps attack using carefully crafted zones, you need no more than 200 home PCs on basic DSL lines," Joffe said. That math assumes about 200 bots eating up a full 512Kbps connection with lots of 60-byte DNS queries, each of which is amplified 70x into a 4,200-byte reply against the attacker's target. To put that in perspective, Russian hacking crews advertise that they will place the malware of your choice on 1,000 bots for a mere $25, according to the Internet Storm Center."



No 0day necessary, but DDoS on demand/hire, and renting botnets are the practices worth mentioning the way I pointed them out in my Future trends of malware research.



-Border Gateway Protocol
"Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols."



Interdomain routing communications are like empowering assembly line workers with the ability to stop the line at anytime, or have a claim on it, a tricky option sometimes. A recently released research(2005) "A Survey of BGP Security" points out the bottom line these days :



"We centrally note that no current solution has yet found an adequate balance between comprehensive security and deployment cost." Still, IETF's Routing Protocol Security Requirements (rpsec) are worth the read.



What I truly hope, is that any of these guidelines wouldn't end up on a paper tiger's desk for years to come, namely they would eventually get implemented and Internet2 would end up dealing with a more advanced set of security problems compared to the current ones.


My point is that, while only the paranoid survive, seeing ghosts here and there is like totally missing the big picture -- Richard Clarke for instance once said that "If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything you can imagine. So, it's in the industry's best interest to get the job done right before something happens." But when, and how it would affect the commercial side of the question, that is how visionary are the vendors themselves to anticipate the future in here?



No one would want to shut down the Internet as terrorists are actively using it for propaganda, communication, and open source intelligence. Still, the deceptive PSYOPS initiated by terrorist sympathizers or wannabe such is what will continue to hit the deadlines -- just don't miss the big picture!



UPDATE : The post just appeared at LinuxSecurity.com "On the Insecurities of the Internet"



Technorati tags:
, , , , , , ,