Taking down the internet: possible but how probable?
By Taylor Armerding
Unknown players – probably a nation state – are probing the defenses of the core infrastructure of the internet. How worried should we be?
The hack of the Democratic National Committee this past summer, allegedly by Russia, prompted a political firestorm, but didn’t cause even a ripple in the US economy.
But imagine the economic firestorm that would result if online attackers brought the entire internet down, even temporarily.
You may not have to imagine it, according to Bruce Schneier, CTO of Resilient Systems, cryptography guru, blogger and international authority on internet security. In a recent post titled, "Someone is Learning How to Take Down the Internet,"he wrote that he had been told by multiple sources that, ““someone has been probing the defenses of … some of the major companies that provide the basic infrastructure that makes the Internet work.”
But according to some of his fellow security experts, you don’t really need to imagine it, since the chances of the internet really being taken down are remote. And even if it happens, it won’t cause catastrophic damage. Several commenters on Schneier’s post wondered why even hostile actors would want to take down the internet, since if they do, they won’t be able to use it either.
Whatever the reality, it has prompted some energetic discussion.
Schneier said the probing has been done mainly with calibrated Distributed Denial-of-Service (DDoS) attacks, which overwhelm a site with so much data that it cannot respond to legitimate traffic.
DDoS attacks are nothing new – activist and criminal hackers use them all the time. What distinguishes these is their profile.
Schneier said he had spoken with leaders of several companies – who all demanded anonymity – that operate elements of the “backbone” of the internet, and they had all told him similar stories.
"It feels like China. You can hide the origin of a lot of attacks, but it is harder to hide the origins of a DDoS. And this doesn’t seem like their (the NSA’s) style”
Bruce Schneider, CTO of Resilient Systems
“These attacks are significantly larger than the ones they're used to seeing,” he wrote. “They last longer. They're more sophisticated. And they look like probing.”
That, he said both in his post and a later interview with CSO, is because of their “style” – over time, the volume of the attack increases, to the point of the defense system’s failure. They also employ multiple attack vectors, “so they force the companies to use all their defenses at once.”
He suggested it was the digital version of what the US did during the Cold War, when the US would fly high-altitude planes over the Soviet Union to force them to turn their air defense systems on, which would then let the US map their capabilities.
“We didn’t do it because we’re evil,” he said. “We just wanted to know – just in case.”
He said these attacks look like they’re coming from a nation-state – probably China. While some responses to his post have said it may be the US National Security Agency (NSA) doing a sort of “stress test” on the internet, Schneier doubts that. “It feels like China,” he said. “You can hide the origin of a lot of attacks, but it is harder to hide the origins of a DDoS. And this doesn’t seem like their (the NSA’s) style.”
Dan Kaminsky, security researcher and chief scientist at White Ops, agreed. “I don't think the NSA is doing it, because it'd very much surprise me if they needed to,” he said.
Schneier also pointed to a recent quarterly report from Verisign, the registrar for many popular top-level Internet domains, like .com and .net., which reported a 75 percent increase in attacks, year over year, with an average peak attack size of 17.37Gbps (Gigabits per second), an increase of 214 percent.
That pales in comparison with the recent record 620GbpsDDoS attack against the website of security blogger Brian Krebs, and Schneier said the Verisign report doesn’t have the level of detail he got from the anonymous industry leaders he spoke with, but he said, “the trends are the same.”
He added that since his blog post, he has heard from three other companies that support the Internet’s “backbone,” and they have also told him they are seeing same thing.
So how worried should the US be? Is this just some cyber Cold War maneuvering, or a potentially catastrophic threat?
Most experts say they think it needs attention, but see it more as maneuvering than an imminent increase in danger to the integrity of the internet.
Sam Curry, chief product officer at Cybereason, said based on his observations, “risk levels haven't changed. It's an interesting hypothesis that needs more data points, but watch out for confirmation bias going forward.”
"Risk levels haven't changed"
Sam Curry, chief product officer, Cybereason
There is little disagreement, however, that a massive DDoS attack could disable portions, or even all, of the internet for some period of time.
Kaminsky called Schneier a "highly credible source," and said he believes some hackers actually can take down the internet, in part because, "the damage from cyberattacks keeps growing and the risk perceived by attackers keeps shrinking."
This, he said, applies especially to nation-states, which have figured out that, "while their militaries might be trivially overrun, their hackers aren't.
"Cyberwar has become like real war, except you can wage it, and possibly win it, in the sense that you can extract political concessions not to fight it at all," he said. "And the capital investment is tiny – no tanks, no fuel, just talent, time, food, and access."
It has also become easier to launch much larger DDoS attacks because so many internet of things (IoT) devices can be so easily compromised and used as part of a botnet. Krebs, in a post on the DDoS attack that took down his site, noted that they are, "protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or – in the case of routers – are shipped by ISPs to their customers."
Paul Vixie, CEO of Farsight Security and previously president, chairman and founder of Internet Systems Consortium (ISC), agrees that the internet is vulnerable, but always has been. "The threat is old and well known," he said. "The internet was built in a lab for eggheads who all trusted each other, and so it has no defense against its own users."
But he said he thinks Schneier needed to be much more precise about what he meant about taking down the internet. "Down for who, and for how long?" he asked. "There's no way to break the internet permanently, since the same activities that gave rise to it and which reinvent it every day will eventually recreate a new infrastructure that works mostly the same way the old one did."
"The Internet was ... set up so the network could remain alive, even if parts of it get blown up. Even if the 'great server in the sky' got taken down, it would be replaced instantly."
Gary McGraw, CTO, Cigital
Gary McGraw, CTO of Cigital, sees it much the same way. "The internet was designed to survive a nuclear war," he said. "It was set up so the network could remain alive, even if parts of it get blown up. Even if the 'great server in the sky' got taken down, it would be replaced instantly."
Schneier said he agrees with much of that. "I'm not convinced it will go down," he said, "and if it does, it will be temporary. A DDoS attack needs the internet to work. It eventually eats its own tail."
But even a temporary takedown could cause great damage, Vixie said. "In a thought experiment, a bunch of us got together and brainstormed ways to make the internet unavailable to the G-20 for 72 hours.
"This was because an attack of that kind, had it been pulled off on Sept. 10, 11, and 12 of 2001, would have vastly amplified the terror and confusion of the terrorist attacks on 9/11," he said.
McGraw agrees that the potential for damage is very real. "If you have a critical system, you need to pay attention," he said. "I'd hate to be having remote surgery when the internet goes down and there's a scalpel sticking out of my chest. "
But he said horror stories like planes falling out of the sky, "aren't going to happen. That's ridiculous."
Some comments on Schneier's blog have suggested that the DDoS attack isn't the real attack – that it is meant to be the digital version of "covering fire," so the hackers can get something like an advanced persistent threat (APT) into a system without detection.
"I thought of that," Schneier said, "but I didn't write about it because it would be too speculative."
What to do about it draws even more of a mixed response. Schneier has said he doesn't know what should be done, but did call for a "national strategy" on DDoS attacks, "because a lot of this is critical infrastructure. The question is what do we do when critical infrastructure is in private hands. We don't have a good way of dealing with it."
Kaminsky said he thinks the US needs, "an NIH (National Institute of Health) for cyber." He also called for more resources. "More nerds, more resources, more structure, absolute bureaucratic firewall against the offense guys," he said.
Israel Barak, CISO at Cybereason, said it will take more of what Congress and the Obama administration have called for with the Cyber Information Sharing Act (CISA), but which still is not a reality.
Rapid detection and response, "requires tight cooperation, integration and information sharing between a large number of Internet Service Providers, CERT organizations, law enforcement, and government agencies," he said, "backed up by supporting government regulation related to the permitted scope of lawful interception and privacy regulations. We're very far from this today."