Among the many security failures of the past few months there has been one notable success. The Internet proved that it was robust enough to withstand Papermag.com’s Break the Internet edition. It’s nice to know that while North Korea can take down Sony, and Lizard Squad can put major gaming sites out of business on Christmas Day, the Internet itself can handle any amount of undraped celebrity derrière. That episode set me to thinking, though. If Kim Kardashian and her photoshopped posterior can’t break the Internet, than who could?
The first place you might consider attacking would be the DNS root name servers. These control the very top level of DNS, and without them no server on the Internet would have a name. There are a limited number of them, and they are controlled by a committee, the DNS Root Server System Advisory Committee otherwise known as the Secret Masters of the Internet. However, the servers themselves are run on heavily protected highly redundant hardware, and are geographically distributed. They also run different software, so a single vulnerability could not be used to take down all the root servers. They are such an obvious place to attack that they are too well defended to be a good target.
The Internet can route around damage. That is a strength when dealing with minor damage or attacks but a problem when a major component is damaged. The network traffic that gets rerouted causes bottlenecks and slowdowns elsewhere in the network. Once you hit the dreaded Reload Threshold, when web pages are loading slowly enough that people start hitting the reload button and sending multiple requests for the same page, then large sections of the net would grind to a halt. This happened on July 18th, 2001 when a train accident in a tunnel in Baltimore severed an Internet backbone cable. That afternoon users all over the US had problems accessing web sites in other parts of the US, apparently randomly. A simple brute force DDoS attack against one or two key points in the Internet would be enough to make the rest unusable. Personally I would probably go after MAE-West in San Jose, partly because almost all the traffic to and from Silicon Valley goes through there but mostly because it has a cool name.
To make a serious dent in the bandwidth of one or more Internet Exchange Points you would need total bandwidth in the Terabits/second range, an order of magnitude larger than the Spamhaus attack. Who has access to that sort of bandwidth and the expertise to point it all at one place?
My first thought was Netflix. During prime viewing hours Netflix streaming videos account for about a third of all the bandwidth used in the US, and probably more when a new season of House of Cards comes out. In order to serve their fifty million plus viewers, Netflix probably uses between ten and twenty Terabits/second which is more than enough to take down several Internet Exchange Points. However, they don’t control all of the bandwidth directly. Much of it is either leased from content distribution networks (CDN) such as Limelight and Level 3, or sent from caching devices that are colocated in major ISPs. While Netflix could temporarily disable the Internet, pretty soon the CDNs and ISPs would pull the plug on their equipment, and things would be back to normal.
Next up in the bandwidth stakes is Google, whose YouTube video streaming takes up about half as much bandwidth as Netflix. That’s certainly enough to do serious damage, but there is a limited range of IP addresses from which the attack could originate. So, this attack could be blocked, though with significant collateral damage. Actually, if Google were just to take down Google Search, Gmail, Google Voice, Google Drive, and YouTube, the Internet would be broken for many people. On the bright side, nobody would miss Google+. Luckily large corporations have checks and balances built in to prevent this sort of corporate suicide.
I mentioned the CDNs earlier, and certainly the large ones likeLimelight, Level 3, Amazon AWS, and Akamai have enough bandwidth to be a significant threat. I would be especially concerned about Akamai, as they have a wide geographical distribution of their servers. Anyone surfing the Internet regularly downloads files from Akamai many times a day without noticing it. However, while these companies could do temporary damage in the long run they could simply be disconnected from the rest of the Internet. Things would be painful if they were offline for any period, though, as the content they are currently delivering would be unavailable. Once again, I don’t think corporate suicide is very likely.
For an attack on the Internet to be successful and sustained, it would have to come from many different sources. So the question is, who could get control of enough devices to take down not just a large corporation or a small country, but the entire Internet? Clearly any of the large software vendors that push out updates to millions of devices on a regular basis could do this: Microsoft, Apple, Adobe, Oracle, etc. Let’s hope they all have good enough quality assurance to prevent a rogue programmer from inserting a backdoor and enabling the launch of the Mother of All DDoS Attacks.
Are there any individuals or small groups that could launch a supermassive DDoS attack without having to go through large corporate QA? I came up with three good examples, and there are probably quite a few more out there.
The first place you might consider attacking would be the DNS root name servers. These control the very top level of DNS, and without them no server on the Internet would have a name. There are a limited number of them, and they are controlled by a committee, the DNS Root Server System Advisory Committee otherwise known as the Secret Masters of the Internet. However, the servers themselves are run on heavily protected highly redundant hardware, and are geographically distributed. They also run different software, so a single vulnerability could not be used to take down all the root servers. They are such an obvious place to attack that they are too well defended to be a good target.The Internet can route around damage. That is a strength when dealing with minor damage or attacks but a problem when a major component is damaged. The network traffic that gets rerouted causes bottlenecks and slowdowns elsewhere in the network. Once you hit the dreaded Reload Threshold, when web pages are loading slowly enough that people start hitting the reload button and sending multiple requests for the same page, then large sections of the net would grind to a halt. This happened on July 18th, 2001 when a train accident in a tunnel in Baltimore severed an Internet backbone cable. That afternoon users all over the US had problems accessing web sites in other parts of the US, apparently randomly. A simple brute force DDoS attack against one or two key points in the Internet would be enough to make the rest unusable. Personally I would probably go after MAE-West in San Jose, partly because almost all the traffic to and from Silicon Valley goes through there but mostly because it has a cool name.
To make a serious dent in the bandwidth of one or more Internet Exchange Points you would need total bandwidth in the Terabits/second range, an order of magnitude larger than the Spamhaus attack. Who has access to that sort of bandwidth and the expertise to point it all at one place?
My first thought was Netflix. During prime viewing hours Netflix streaming videos account for about a third of all the bandwidth used in the US, and probably more when a new season of House of Cards comes out. In order to serve their fifty million plus viewers, Netflix probably uses between ten and twenty Terabits/second which is more than enough to take down several Internet Exchange Points. However, they don’t control all of the bandwidth directly. Much of it is either leased from content distribution networks (CDN) such as Limelight and Level 3, or sent from caching devices that are colocated in major ISPs. While Netflix could temporarily disable the Internet, pretty soon the CDNs and ISPs would pull the plug on their equipment, and things would be back to normal.
Next up in the bandwidth stakes is Google, whose YouTube video streaming takes up about half as much bandwidth as Netflix. That’s certainly enough to do serious damage, but there is a limited range of IP addresses from which the attack could originate. So, this attack could be blocked, though with significant collateral damage. Actually, if Google were just to take down Google Search, Gmail, Google Voice, Google Drive, and YouTube, the Internet would be broken for many people. On the bright side, nobody would miss Google+. Luckily large corporations have checks and balances built in to prevent this sort of corporate suicide.
I mentioned the CDNs earlier, and certainly the large ones likeLimelight, Level 3, Amazon AWS, and Akamai have enough bandwidth to be a significant threat. I would be especially concerned about Akamai, as they have a wide geographical distribution of their servers. Anyone surfing the Internet regularly downloads files from Akamai many times a day without noticing it. However, while these companies could do temporary damage in the long run they could simply be disconnected from the rest of the Internet. Things would be painful if they were offline for any period, though, as the content they are currently delivering would be unavailable. Once again, I don’t think corporate suicide is very likely.
For an attack on the Internet to be successful and sustained, it would have to come from many different sources. So the question is, who could get control of enough devices to take down not just a large corporation or a small country, but the entire Internet? Clearly any of the large software vendors that push out updates to millions of devices on a regular basis could do this: Microsoft, Apple, Adobe, Oracle, etc. Let’s hope they all have good enough quality assurance to prevent a rogue programmer from inserting a backdoor and enabling the launch of the Mother of All DDoS Attacks.
Are there any individuals or small groups that could launch a supermassive DDoS attack without having to go through large corporate QA? I came up with three good examples, and there are probably quite a few more out there.
by Andrew Conway, Cloudmark Security Blog | Read more:
Image: via:
