Cyber Weapon Capable of Crashing the Internet?

Wednesday, February 23, 2011

Dan Dieterle


It seems to be standard procedure now in some countries to shut down the internet when there is political unrest. But what if a cyberweapon was capable of taking the entire internet offline?

The key would be to perform a crafted attack against internet routers running the Border Gateway Protocol (BGP). According to Max Schuchard at the University of Minnesota, overloading the BGP routers could in effect shut down the internet.

Max presented his findings at the Network and Distributed System Security Symposium in San Diego, California last week.

In normal operation, the BGP protocol helps keep the internet up and running. If a router goes down, the neighbouring routers update their routes and go around the missing link. But if these routers are attacked deliberately and flooded with updates, the internet could be put into a state from which it cannot recover.

An article on New Scientist explains how this would work:

"An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down."

"Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more."

"This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up."

The attack could theoretically be done with a botnet of 250,000 machines and would put the internet out of commission for days. Each router would need to be physically rebooted to clear the logjam.
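As an added illustration (not from the article or from Schuchard's work), the following toy model shows why the flapping cycle quoted above builds a processing backlog once updates arrive faster than a router can drain them, and how route-flap damping (a simplified RFC 2439 penalty model, which real deployments tune carefully because it can also suppress legitimate routes) bounds that backlog. All rates, burst sizes and thresholds are constructed numbers.

```python
"""Toy model of a BGP update storm caused by one repeatedly flapping link.

Constructed numbers throughout: one link transition produces a burst of
updates at a router that can only process a fixed number per second.
"""
from dataclasses import dataclass


@dataclass
class FlapDamping:
    """Simplified RFC 2439 damping state for a single flapping route."""
    penalty: float = 0.0
    suppress_at: float = 2000.0   # start suppressing above this penalty
    reuse_at: float = 750.0       # re-advertise once penalty decays below this
    half_life: float = 900.0      # seconds for the penalty to halve
    per_flap: float = 1000.0      # penalty added per transition
    suppressed: bool = False

    def decay(self, seconds: float) -> None:
        """Exponentially decay the penalty; lift suppression when low enough."""
        self.penalty *= 0.5 ** (seconds / self.half_life)
        if self.suppressed and self.penalty < self.reuse_at:
            self.suppressed = False

    def flap(self) -> bool:
        """Record one transition; return True if its updates should propagate."""
        self.penalty += self.per_flap
        if self.penalty >= self.suppress_at:
            self.suppressed = True
        return not self.suppressed


def simulate(duration, flap_period, updates_per_flap, process_rate, damping=None):
    """Run `duration` one-second ticks; return the backlog in seconds of processing."""
    backlog = 0.0  # updates waiting in the router's input queue
    for t in range(duration):
        if damping is not None:
            damping.decay(1)
        if t % flap_period == 0:  # link goes down or comes back: a wave of updates
            if damping is None or damping.flap():
                backlog += updates_per_flap
        backlog = max(0.0, backlog - process_rate)
    return backlog / process_rate


if __name__ == "__main__":
    # A transition every 10 s, 500 updates each, a router draining 20 updates/s.
    print("no damping:", simulate(1200, 10, 500, 20), "s of backlog")  # 1800.0
    print("with damping:", simulate(1200, 10, 500, 20, FlapDamping()), "s")  # 0.0
```

Without damping the arrival rate (50 updates/s) exceeds the processing rate (20/s), so the backlog grows without bound; with damping the route is suppressed after its third transition and the queue drains.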

Though it is highly unlikely that this would ever happen, New Scientist goes on to describe a slightly more plausible scenario for a nation under cyber attack:

"An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation’s internal network."

There currently isn’t a fix for BGP vulnerabilities, and China has already used this to their advantage. Last April, China diverted about 15% of the world’s internet traffic through their routers. They did this by telling the world’s internet service providers that they had the fastest routers.

So, because routers always look for the fastest path, a huge amount of internet traffic was sent through Chinese routers for about 18 minutes. This included US government and military traffic.

If the world is going to depend on BGP for ensuring the security of the internet, changes need to be made, and quickly.

Cross-posted from Cyber Arms

Ben Keeley: Nice article. I know BGP can use authentication (albeit with MD5), not clear though if that's the route to take? Similar problem to the DNS issue in 2008 it sounds.

Dan Dieterle: Thanks Ben. That is a good question, there has to be a way to use some level of authentication or fault tolerance to thwart this type of attack.

Then the next question would be, could you get every country involved to play along? Especially with the current events in the Middle East.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
