The cyberweapon that could take down the internet

A new cyberweapon could take down the entire internet – and there’s not much that current defences can do to stop it. So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.

Schuchard’s new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don’t notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.

A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.

“Normal DDoS is a hammer; this is more of a scalpel,” says Schuchard. “If you cut in the wrong places then the attack won’t work.”

An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.

Clearly, that’s a problem. “Routers under extreme computational load tend to do funny things,” says Schuchard. With every router in the world preoccupied, natural routing outages wouldn’t be fixed, and eventually the internet would be so full of holes that communication would become impossible. Schuchard thinks it would take days to recover.

“Once this attack got launched, it wouldn’t be solved by technical means, but by network operators actually talking to each other,” he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.
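The article describes routers being buried under waves of BGP updates from a single link that keeps breaking and reforming. As an added illustration, not code from the article or from the researchers’ paper, the script below runs a simple flap detector over constructed BGP update log lines, flagging links whose update count inside a sliding window exceeds a threshold (an ordinary one-off outage is not flagged), and reproduces the article’s 20-minute/100-minute backlog figure under an assumed arrival rate. The log format, window, threshold and arrival ratio are all assumptions.

```python
"""Sliding-window BGP flap detector over constructed update log lines.

Added example; log format, thresholds and rates are assumptions, not
taken from the article or the researchers' paper.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one update per line: "<ISO time> <link> <event> <prefix>".
# Link AS64500-AS64501 breaks and reforms every 30 seconds; the other link
# shows a single ordinary outage that recovers seven minutes later.
SAMPLE_LOG = """\
2011-02-08T10:00:00 AS64500-AS64501 WITHDRAW 203.0.113.0/24
2011-02-08T10:00:05 AS64500-AS64501 ANNOUNCE 203.0.113.0/24
2011-02-08T10:00:30 AS64500-AS64501 WITHDRAW 203.0.113.0/24
2011-02-08T10:00:35 AS64500-AS64501 ANNOUNCE 203.0.113.0/24
2011-02-08T10:01:00 AS64500-AS64501 WITHDRAW 203.0.113.0/24
2011-02-08T10:01:05 AS64500-AS64501 ANNOUNCE 203.0.113.0/24
2011-02-08T10:01:30 AS64500-AS64501 WITHDRAW 203.0.113.0/24
2011-02-08T10:01:35 AS64500-AS64501 ANNOUNCE 203.0.113.0/24
2011-02-08T10:02:00 AS64502-AS64503 WITHDRAW 198.51.100.0/24
2011-02-08T10:09:00 AS64502-AS64503 ANNOUNCE 198.51.100.0/24
"""


def parse_log(text):
    """Return a list of (timestamp, link, event, prefix) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, link, event, prefix = line.split()
        events.append((datetime.fromisoformat(ts), link, event, prefix))
    events.sort(key=lambda e: e[0])
    return events


def detect_flapping(events, window=timedelta(minutes=2), threshold=4):
    """Flag links whose update count inside any `window` reaches `threshold`.

    Returns {link: peak number of updates seen inside one window} for
    flagged links only. A link that goes down once and comes back later
    never reaches the threshold, so ordinary outages are not reported.
    """
    recent = defaultdict(deque)   # link -> timestamps inside the current window
    peaks = {}
    for ts, link, _event, _prefix in events:
        q = recent[link]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[link] = max(peaks.get(link, 0), len(q))
    return peaks


def backlog_minutes(arrival_ratio, attack_minutes):
    """Minutes of processing queued after `attack_minutes` of updates arriving
    at `arrival_ratio` times the router's processing rate.

    The backlog grows by (ratio - 1) router-minutes per wall-clock minute.
    With an assumed ratio of 6, 20 minutes of attack leaves a 100-minute
    queue, which matches the figure quoted in the article.
    """
    return max(0.0, (arrival_ratio - 1) * attack_minutes)


if __name__ == "__main__":
    flapping = detect_flapping(parse_log(SAMPLE_LOG))
    for link, peak in flapping.items():
        print(f"{link}: {peak} updates inside one window, likely flapping")
    print(f"queued processing after 20 min at 6x rate: {backlog_minutes(6, 20):.0f} min")
```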

Meltdown not expected

So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.

An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation’s internal network.

Sitting duck

Whoever launched the attack, there’s little we could do about it. Schuchard’s simulation shows that existing fail-safes built into BGP do little to protect against his attack – they weren’t designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.

Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 per cent of all autonomous systems on the internet, according to the researchers’ model, and would require network operators to monitor the health of connections in other ways. Schuchard says that convincing enough independent operators to make the change could be difficult.

“Nobody knows if it’s possible to bring down the global internet routing system,” says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause “significant disruption” to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.

“The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale,” he explains. “I doubt the internet would behave as described.”

Schuchard and colleagues presented their findings at the Network and Distributed System Security Symposium in San Diego, California, on Tuesday.


Crescendo Networks’ AppBeat DC deployed by HumanConcepts

The visualisation of human resources data at Sausalito-based workforce modelling specialist HumanConcepts is now being handled by the Crescendo Networks AppBeat DC application delivery controller.

AppBeat DC is specifically designed to maintain the availability of web-based resources in the face of unpredictable traffic loads, preventing outages during peaks of legitimate user traffic or in the case of distributed denial of service attacks that simulate high visitation numbers.

Crescendo Networks’ chief executive officer Adoram Gaash reveals that 50,000 clients rely on the continued functionality of HumanConcepts’ online services to plot their workforce hierarchy and plan for future hiring or staff movements.

“AppBeat DC’s dedicated hardware architecture uniquely enables parallel processing which can easily support the volume, load and user surges that often occur with highly utilised and complex applications,” he adds.

The device is not only helping to ensure accessibility is maintained on an ongoing basis, it is also helping HumanConcepts to predict how its infrastructure will function in the future and plan for continued strong performance.

Freedom of Online Speech in a Post-Wikileaks World

The furor surrounding Wikileaks has raised questions about the true limits of free speech in what is perhaps the most unregulated medium in the world. “Free speech online is under fire, but it has always been under fire to some degree,” said Syracuse University’s Milton Mueller. “What’s new is that governments are developing new institutional mechanisms to control Internet expression.”

In the wake of Cablegate, the massive release of sensitive documents online by WikiLeaks, and the subsequent DDoS (distributed denial of service) attacks by pro- and anti-WikiLeaks factions on each other’s websites, a fact long known to only a few cognoscenti became public — free speech online is very much endangered.

Both sides claimed they were following a higher calling. The pro-WikiLeaks hackers stated they were supporting free speech, and their opponents painted themselves as patriots.

That concept of patriotism apparently struck a chord in the ears of some U.S. leaders. Senator Joe Lieberman, who is chairman of the Senate Homeland Security Committee, suggested that the Feds investigate The New York Times for publishing classified diplomatic cables released during Cablegate.

He reportedly told Fox News that the Times had committed at least an act of bad citizenship and said that whether the newspaper had committed a crime warrants an inquiry by the Justice Department.

David Sanger, the Times’ chief Washington correspondent, responded by saying that, in essence, the material was already public and ignoring it would have been irresponsible.

Lieberman wasn’t alone; other lawmakers used adjectives such as “spies” and “cyber-terrorists” in referring to the media. Some suggested Americans didn’t have the right to download and read such sensitive documents. That, in turn, resulted in some government departments banning their staff from downloading or reading the documents at work.

Lawmaker outbursts led a coalition of advocacy organizations spearheaded by the Electronic Frontier Foundation (EFF) to publish an open letter calling on government officials to respect freedom of expression in the debate over Cablegate.

Freedom’s Just Another Word

The EFF’s letter described legislation proposed by American lawmakers in response to Cablegate as “rash” and warned it could, in effect, muzzle the free press. Government officials’ statements have created an atmosphere of fear and uncertainty among the general public, leading them to question their rights with regard to the documents posted by Wikileaks, the EFF’s letter charged.

Those opposed to the lawmakers’ reactions were concerned that their statements were a throwback to the McCarthy era and heard echoes of the House Un-American Activities Committee in their words.

The Air Force reportedly barred its staff from using their computers at work to view the websites of publications, including blogs, that posted documents released by WikiLeaks.

The Obama administration apparently directed federal employees and contractors not to read the documents issued during Cablegate unless they have the appropriate security clearance or authorization.

In keeping with the Administration directive, the Library of Congress blocked access from all its computers to the WikiLeaks website.

How these edicts would prevent those affected from watching TV or accessing the banned websites from home or other locations didn’t seem to be a concern.

Hush Your Mouf’

American lawmakers and government officials justified their reactions to Cablegate by stating that Cablegate endangered people abroad who worked with the U.S. government and would make it more difficult for America in international relations and diplomacy.

However, within days, WikiLeaks supporters set up hundreds of mirrored sites around the world so that the documents would continue to be available online.

So, were American lawmakers and government officials overreacting? A report conducted by Harvard University’s Berkman Center for Internet and Society may help answer that question.

This report found that cyberattacks against independent media and human rights sites are common. Some attacks were apparently launched by governments, within and outside their borders. However, the researchers did not find governments taking responsibility for DDoS attacks.

In other words, governments generally aren’t comfortable with free speech, even online; they may try to suppress it; and they won’t ‘fess up when they do.

From that point of view, perhaps U.S. lawmakers and officials’ reaction to Cablegate was par for the course.

The First Amendment

“Online speech is only as strong as its weakest link,” Rebecca Jeschke of the EFF told TechNewsWorld. “If hosting providers cave quickly when challenged about hosting politically volatile or controversial content, then they will be challenged more often, and we might not have an Internet that works the way we’d like it to.”

Jeschke was referring to Amazon (Nasdaq: AMZN) and other Web hosting sites that kicked WikiLeaks off their servers once the Cablegate controversy erupted.

Most importantly, refusing to host controversial content means Americans lose out on their First Amendment right to read the controversial information, Jeschke asserted. “The First Amendment strongly protects the right of publishers to distribute truthful political information, and Internet users have a fundamental right to read and debate it,” she added.

In the wake of Cablegate, some Americans began exercising those rights. Some people identifying themselves as librarians condemned the Library of Congress’ ban on accessing the WikiLeaks website from its computers, for instance.

Fighting the Good Fight

Whether Americans and Netizens from other parts of the world can exercise their right to read and debate information on the Web is another matter altogether. Increasingly, people are creating ad hoc groups online to go after websites they either don’t like or with whose messages they don’t agree.

This practice is called “hacktivism,” and the ZScaler Research Team predicts in its 2011 security report that the phenomenon is going to grow.

“What we observe now is cyber-retaliation,” Ron Meyran, director of security products at Radware, told TechNewsWorld.

It’s almost impossible to defend against such attacks — but they’re insignificant compared to government attempts to suppress free speech because governmental acts implicitly have legitimacy.

Put another way, it’s assault when you kick down a neighbor’s door and thump him because you think he might one day thump you, but it’s a pre-emptive strike when a government does it.

Gub’mint Hates the Global Village

Along the lines of pre-emptive attacks, governments are using new technology to control online discourse in ways that are invisible except to experts. Some of their actions, such as Internet filtering, are overt. Others are covert, such as influencing ICANN, the Internet Corporation for Assigned Names and Numbers, which allocates top-level domain (TLD) name spaces.

Apparently ICANN has clauses in the proposed final version of its TLD applicant guidebook that let objectors anonymously protest the allocation of TLDs on the grounds of public interest, morality and public order, according to Ben Wagner’s post in the Global Voices Online blog.

“Free speech online is under fire, but it has always been under fire to some degree,” Milton Mueller, a professor at Syracuse University, who went through the ICANN handbook, told TechNewsWorld. “What’s new is that governments are developing new institutional mechanisms to control Internet expression.”

The new ICANN TLD process “can be considered the first truly globally coordinated attempt to restrict Internet expression indirectly,” Mueller pointed out.

The invocation of morality and public order is “an attempt by governments to impose a very vague standard of suppression,” Mueller added. “Surprisingly, the strongest pressure to do this has come from the U.S. government, which ostensibly must uphold a constitutional commitment to free expression.”


Movie Group Will DDoS The Courts To Have File-Sharing Laws Weakened

A movie interests association has just announced an interesting new strategy. Having previously focused on having The Pirate Bay blocked in their home country, ACAPOR – which recently had its emails leaked by Operation Payback – says it will now make legal history by reporting unprecedented numbers of file-sharers to the authorities. Their aim? To have the law for infringements made less severe.

In September this year, movie rental association ACAPOR filed a complaint against The Pirate Bay with the General Inspection of Cultural Activities, a department of the Portuguese Ministry of Culture.

Blaming the site for 15 million illegal downloads in Portugal every year, ACAPOR demanded that the country’s ISPs should take similar action to that taken in Italy, and block The Pirate Bay.

In a parallel action, a complaint was also made against, a file-sharing site which has proven extremely popular among their countrymen, also blamed for millions of downloads. In this case a criminal investigation was requested.

But having taken action against the sites that facilitate the transfers undertaken by file-sharers, ACAPOR – which recently had its email database hacked as part of Operation Payback – is now widening its approach somewhat. Starting in January 2011, the movie interests group will begin reporting thousands of file-sharers to the authorities.

Their aim? To have punishments for file-sharing made less severe.

According to ACAPOR president Nuno Pereira, only one case has been brought against a Portuguese file-sharer. He believes that this restrained approach is down to the justice system being afraid of the 3-year jail sentences currently on the books for the offense.

Calling the current system “outdated”, Pereira is calling for Portuguese law to be changed to follow the French lead of a graduated response.

“It would be better to replace the prison sentence, which is never enforced and that is excessive, for a breach or a cut in Internet access, like they do in France,” he explained.

Pereira also says that if the current law were applied as required, the criminal courts would become inundated with cases of illegal file-sharing.

So, in order to ‘help’ the situation, Pereira has announced a new ACAPOR strategy of – wait for it – inundating the criminal courts with cases of illegal file-sharing.

Starting January 5th 2011, ACAPOR will begin filing “the largest collection of criminal complaints submitted simultaneously in the history of Portuguese Justice” against individuals alleged to have shared movies online.

“From that day on, every month we will file 1,000 new complaints,” said Pereira, adding that although file-sharing is a crime in Portugal, ACAPOR is being forced to act privately because their complaints to the government have come to nothing.

Will the justice system be able to keep up with what is in effect a Denial of Service attack on the courts? Almost certainly not. But this stunt appears to be less about justice and more about pressuring the government and generating publicity to scare potential file-sharers.


Bredolab Botnet Suspect Busted in Takedown

Dutch authorities revealed details of their offensive against the Bredolab botnet, which culminated in the arrest of a 27-year-old man in Armenia.

Law enforcement officials in Armenia arrested a man Oct. 26 accused of masterminding a massive botnet operation.

According to reports, the 27-year-old suspect was arrested on suspicions of running the Bredolab botnet. Bredolab is a popular Trojan downloader used by cyber-criminals to infect Windows machines via drive-by downloads and spam e-mails.

In a takedown operation, the Dutch National Crime Squad’s High Tech Crime Team (THTC) worked in collaboration with a Dutch Web hosting company, the Dutch Forensic Institute, Internet security company Fox-IT and the Dutch Computer Emergency Response Team (CERT) to seize control of 143 malicious servers tied to the botnet.

According to the THTC, the botnet network used servers in the Netherlands from a reseller of LeaseWeb, the largest hosting provider in the country. LeaseWeb fully cooperated with the takedown effort, authorities said. During the investigation, the THTC found the network was capable of infecting 3 million computers a month. At the end of 2009, it was estimated that 3.6 billion e-mails with Bredolab payloads were being spammed out daily, the THTC reported.

During the takedown, the suspect made several attempts to take back control of the botnet, according to the Dutch authorities. When this failed, police say he launched a massive distributed denial-of-service attack on LeaseWeb with 220,000 infected computers. This attack was stopped after three computer servers he was using in Paris were disconnected from the Internet, authorities said.

A Symantec advisory on Bredolab noted many of the e-mails carrying the Trojan have the following themes: Western Union free money, UPS delivery failure and Facebook password changes.

“The suspect is believed by the computer crime authorities to have rented access to infected bot computers to other cybercriminals,” blogged Graham Cluley, senior technology consultant at Sophos. “No doubt the police will be interested to find out if the man has any information about others who may have exploited the botnet, and more arrests may follow.”

The 27-year-old was arrested at the international airport in Yerevan, authorities said.


Cisco Patches Denial of Service Vulnerabilities in IOS

Cisco has released its semiannual batch of security updates for the IOS and Unified Communications Manager software, which address a total of twelve DoS vulnerabilities covered in six advisories.

IOS is the operating system powering most of Cisco’s routers and network switches, while the Unified Communications Manager is the call-processing software used in the company’s VoIP products.

Two Denial of Service (DoS) vulnerabilities, CVE-2010-2828 and CVE-2010-2829, have been identified and patched in the IOS H.323 implementation.

An attacker can exploit them by sending specially crafted packets to the voice services in order to crash them and cause the devices to reload.

Another weakness (CVE-2010-2830), which can also be leveraged to trigger a Denial of Service condition, was addressed in the IOS and IOS XE Internet Group Management Protocol (IGMP).

Three more DoS bugs, CVE-2010-2834, CVE-2010-2835, CVE-2009-2051, were found and fixed in the Session Initiation Protocol (SIP).

Remote attackers can exploit these by sending crafted messages to cause SIP-enabled devices to crash. “There are no workarounds for devices that must run SIP,” the company warns.

The IOS Network Address Translation (NAT) functionality also contains three DoS flaws, CVE-2010-2831, CVE-2010-2832 and CVE-2010-2833, which affect the translation of SIP, H.323 and H.225.0 call signaling packets.

Meanwhile, the IOS Software’s SSL VPN feature is vulnerable to Denial of Service attacks when configured with an HTTP redirect.

A remote attacker can exploit the bug (CVE-2010-2836) to cause a memory exhaustion condition and force the device to reload.

The last two DoS vulnerabilities, CVE-2010-2834 and CVE-2010-2835, affect the processing of SIP messages on Cisco’s Unified Communications Manager. Successful exploitation can lead to voice services suffering interruptions.

Cisco publishes IOS security advisories twice a year, on the fourth Wednesday of March and September. However, in cases of extremely critical or actively exploited vulnerabilities, the company can release out-of-band patches.


Tektronix Buys Into Security

Tektronix Communications has strengthened its position in the mobile network and service assurance market with an agreement to buy Arbor Networks Inc., the security and deep packet inspection (DPI) vendor, for an undisclosed sum. (See Tektronix Secures Arbor Networks and Arbor & Ellacoya Team Up.)

Tektronix Communications, which was spun off as a separate company from Tektronix Inc. by parent Danaher Corp. (NYSE: DHR) in early 2008, is already a major player in the mobile network test-and-measurement and service assurance sectors, but this move gives it something extra. (See Tektronix Monitors LTE Core, Tektronix Monitors Femtocells, and Danaher to Buy Tektronix.)

It’s Arbor’s Peakflow Distributed Denial of Service (DDoS) prevention platform, which is used for IP network security and analysis, that appears to have attracted Tektronix Communications, and with good reason, notes Heavy Reading senior analyst Patrick Donegan, who is currently working on a communications network equipment security report. (See Arbor Intros 40-Gig DDoS Defense and Arbor Watches the Net.)

He notes that there is “a real issue about the security of mobile networks. As you get more data in the networks, the security threats grow. The shift towards IP is heralding a shift in the security fundamentals.”

He adds: “The testing business is fundamental to network security, and I can see why a company such as Tektronix would make a play for a company like Arbor. It’s logical for a test vendor to expand its portfolio with a bespoke security acquisition,” not least because “much of the network infrastructure deployed in communications networks has security flaws, which in turn creates a business opportunity for the bespoke security vendors.”

Donegan also says that what Tektronix and Arbor have in their portfolios “speak to the bread-and-butter of mobile network security. There’s a lot of brouhaha at the moment about security concerns linked to BlackBerry services. That’s a distraction. That’s not where the real security issues are at.” (See RIM Reprieve.)

And Arbor’s DDoS technology looks well suited as an additional element that can be integrated into Tektronix’s GeoProbe platform (acquired in 2004) that monitors IP network traffic, giving Tektronix an extra, and increasingly important, weapon in its Service Provider Information Technology (SPIT) arsenal. (See The SPIT Manifesto and Tektronix Acquires Inet for $325M.)

Tektronix’s parent company, Danaher, has plenty of practice integrating other companies into its test-and-measurement businesses (Tektronix, Tektronix Communications, and Fluke Networks), as it’s made a number of acquisitions during the past few years to bolster its video monitoring, VoIP assurance, and customer experience management capabilities. (See Tektronix Mixes In Some M&A, OSS News: Tektronix Strikes Again!, and Tektronix Buys VOIP Test Firm.)


Virgin Media to Notify Owners of Infected Computers

Virgin Media, one of the biggest Internet service providers in the UK, plans to start sending warning letters to customers if their computers are infected and are generating botnet-related traffic.

The Register reports that Virgin will start scanning lists of compromised hosts maintained by the Shadowserver Foundation and other botnet tracking organizations for IP addresses assigned to its customers.

Botnets are armies of computers infected with malware, which hackers can control remotely via command and control (C&C) servers or distributed peer-to-peer networks, depending on their infrastructure.

Botnets are very versatile and provide their runners with many economic prospects, like selling Distributed Denial of Service (DDoS), spam or pay-per-install services to other cybercriminals.

Virgin Media plans to begin its campaign by sending several hundred letters per week to see how customers react and then scale their effort as needed.

The letters will contain links to download free anti-malware software and instructions for customers to attempt cleaning their computers on their own.

However, if this proves too much for their level of computer knowledge, they can opt for the existing £6/month Digital Home Support service offered by the company.

According to Virgin, a significant number of people who already use the helpline are calling to deal with malware infections, so the technicians working there are used to such cases.
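The procedure described above, scanning third-party compromised-host lists for addresses assigned to the ISP’s own customers and then notifying a limited batch of them each week, can be sketched as follows. This is an added example, not Virgin Media’s or the Shadowserver Foundation’s code; the feed format, the prefixes, the customer account IDs and the batch limit are all constructed for illustration.

```python
"""Match a constructed botnet-sighting feed against an ISP's customer prefixes.

Added example, not Virgin Media's or Shadowserver's code. Feed format,
prefixes and customer IDs are made up for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed feed lines: "<timestamp> <reported ip> <botnet family> <observed c2>".
# The last line carries an invalid address, which a robust matcher must skip.
FEED = """\
2011-02-08T02:11:09 192.0.2.17 bredolab 198.51.100.9
2011-02-08T02:12:41 192.0.2.17 bredolab 198.51.100.9
2011-02-08T03:05:00 192.0.2.200 zeus 198.51.100.77
2011-02-08T04:30:12 203.0.113.5 bredolab 198.51.100.9
2011-02-08T05:00:00 192.0.2.300 bredolab 198.51.100.9
"""

# Constructed ISP allocation table: prefix -> customer account that holds it.
ALLOCATIONS = {
    "192.0.2.0/27": "cust-1001",
    "192.0.2.128/25": "cust-1002",
}


def parse_feed(text):
    """Return (timestamp, ip, family) rows, skipping malformed entries
    instead of aborting the whole run on one bad line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue          # e.g. 192.0.2.300 is not a valid address
        rows.append((parts[0], ip, parts[2]))
    return rows


def build_table(allocations):
    """Longest prefix first, so a more specific assignment wins on overlap."""
    table = [(ipaddress.ip_network(p), cust) for p, cust in allocations.items()]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def owner_of(ip, table):
    """Customer holding `ip`, or None when the address is not ours."""
    for net, cust in table:
        if ip in net:
            return cust
    return None


def match_customers(rows, allocations):
    """Group sightings by customer account.

    Returns (report, ignored): report maps customer -> ips, botnet families
    and earliest sighting; ignored counts addresses outside our allocations.
    """
    table = build_table(allocations)
    report = defaultdict(lambda: {"ips": set(), "families": set(), "first_seen": None})
    ignored = 0
    for ts, ip, family in rows:
        cust = owner_of(ip, table)
        if cust is None:
            ignored += 1
            continue
        entry = report[cust]
        entry["ips"].add(str(ip))
        entry["families"].add(family)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(report), ignored


def notification_batch(report, limit):
    """Pick at most `limit` customers for this week's letters, oldest sighting first."""
    ordered = sorted(report.items(), key=lambda kv: kv[1]["first_seen"])
    return [cust for cust, _ in ordered[:limit]]


if __name__ == "__main__":
    report, ignored = match_customers(parse_feed(FEED), ALLOCATIONS)
    print(f"{ignored} sighting(s) belonged to other networks")
    for cust in notification_batch(report, limit=300):
        entry = report[cust]
        print(cust, sorted(entry["ips"]), sorted(entry["families"]), entry["first_seen"])
```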

Security experts have long argued that ISPs should take a more active role in helping customers deal with computer threats, since they are uniquely positioned to identify the origin of bad traffic on their networks.

In October last year, Comcast, the largest residential cable and Internet service provider in the United States, began testing a system to alert its customers of malware infections via in-browser notifications.

The German government is also working with the country’s Internet industry association (eco) to have all ISPs begin identifying infected computers and direct their owners to resources that would help them deal with the problem.

The plan also involves creating a government-funded call center where forty IT specialists will be available to assist Internet users who can’t clean their computers on their own.