Attacks continued to become more frequent, persistent, and complex
September 15, 2016 1:17 PM   Subscribe

Who is trying to see what it would take to shatter the internet's backbone? "Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services... [T]his is happening. And people should know. " (SLSchneier)
Previously.
Other Schneier on the blue in the past.
posted by doctornemo (68 comments total) 34 users marked this as a favorite
 
It's the Other Internet!
posted by parmanparman at 1:20 PM on September 15, 2016 [6 favorites]


It is now official. Netcraft has confirmed: The Internet is dying

One more crippling bombshell hit the already beleaguered Internet community when IDC confirmed that Internet market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that the Internet has lost more market share, this news serves to reinforce what we've known all along. The Internet is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

I'm sure everyone in the MetaFilter community will miss it - even if you didn't enjoy its work, there's no denying its contributions to popular culture. Truly an American icon.
posted by entropicamericana at 1:23 PM on September 15, 2016 [28 favorites]


entropicamericana: I imagine you've had that saved in a text file on your desktop for ten years, waiting for the right moment. If you googled it I'm going to be seriously disappointed.
posted by Leon at 1:24 PM on September 15, 2016 [4 favorites]


Google? Hell no! I used Veronica!
posted by entropicamericana at 1:27 PM on September 15, 2016 [17 favorites]


I used Google.
posted by caution live frogs at 1:29 PM on September 15, 2016


So long as these State Actors and the Advanced Persistent Threats and Other Important Sounding Words are Acting, Advancedly Persisting, and Sounding Important, I'm gonna just be ready with the gopher:// protocol just in case. You'll thank me later.
posted by tclark at 1:35 PM on September 15, 2016 [4 favorites]


gopher:// protocol

UUCP. Y'all shrink-wrapped and stored your modems around Y2K, yeah?
posted by Leon at 1:38 PM on September 15, 2016 [8 favorites]


whoa, old school classic threadshitting from entropicamericana. do I flag it or favorite it?

flag it... or favorite it?

hmmm...
posted by indubitable at 1:41 PM on September 15, 2016 [3 favorites]


.-.. . .- .-. -. / --- .-.. -.. / - . -.-. .... -. --- .-.. --- --. -.-- / ..-. --- .-. / .-- .... . -. / - .... . / .. -. - . .-. -. . - / -... .-. . .- -.- ...
posted by Wordshore at 1:45 PM on September 15, 2016 [1 favorite]


So why can't it be the NSA or other Western Intelligence Agency?
posted by Foci for Analysis at 1:45 PM on September 15, 2016 [1 favorite]


Google? Hell no! I used Veronica!

That's how I got here!

I want to file a complaint. This darn website won't let me post links directly to gopher. Says the link is 'broken.' That's WWWist, I tell you! Can't even telnet to Archie!
posted by leotrotsky at 1:45 PM on September 15, 2016


So why can't it be the NSA

The Internet is too useful to the NSA as a surveillance tool.
posted by entropicamericana at 1:46 PM on September 15, 2016 [4 favorites]


"Shatter the internet's backbone" sounds so dramatic, but could you really do much more than take it down for a couple of hours before people figured out what you were doing and stopped you? And then you'd get massively sued and possibly have your country thrown off the internet? I don't see the point.
posted by Mitrovarr at 1:48 PM on September 15, 2016


convince the internet to lift with its back
posted by indubitable at 1:50 PM on September 15, 2016 [19 favorites]


And then you'd get massively sued and possibly have your country thrown off the internet? I don't see the point.

I'm not sure what the point is either, but I assume the result would be a massively fractured internet, even moreso than it is now, with dataflow between countries severely impeded/degraded.

I mean, if my understanding is correct (it probably isn't) then since the internet is designed as nodes that can continue to work when other nodes fail, it would mean that large chunks of the internet would be physically/geographically cut off from one another, and suddenly your options of what servers you can connect to whittle down to mostly computers physically within your own countries borders (and in a large country like America, perhaps even having an internet blackout on opposite sides of the country, with East and West being unable to communicate.).

I am absolutely talking out of my ass here, anyone with actual big-N Networking knowledge in here to give a better rundown of what might happen?
posted by deadaluspark at 1:58 PM on September 15, 2016 [1 favorite]


"Shatter the internet's backbone" sounds so dramatic, but could you really do much more than take it down for a couple of hours before people figured out what you were doing and stopped you? And then you'd get massively sued and possibly have your country thrown off the internet? I don't see the point.

But what if I've just posted my hottest take? A take so hot, The Man can't stand the heat? So he shatters the backbone and nobody can read it until it's too late? It's already cooled: a mere tepid take that threatens nobody!
posted by straight at 1:58 PM on September 15, 2016 [11 favorites]


"Shatter the internet's backbone" sounds so dramatic, but could you really do much more than take it down for a couple of hours before people figured out what you were doing and stopped you? And then you'd get massively sued and possibly have your country thrown off the internet? I don't see the point.

A state actor (or a sufficiently motivated non-state actor) could do an enormous amount of damage in that few hours.
posted by Itaxpica at 2:01 PM on September 15, 2016 [8 favorites]


In Vernor Vinge's novel A Deepness in the Sky a human space vessel is marooned in a solar system with only one planet, that planet contains a pre-space species as of yet unaware of wider galactic civilization. The humans have cryosleep/hibernation technology and secretly work in shifts from orbit to elevate the technological sophistication of the alien species, by surreptitiously interacting via their equivalent of the internet and other media to introduce new technology or to put the breaks on adverse developments, until it reaches the level capable of refueling the spacecraft.

So maybe this is aliens, or some other force trying to stop aliens. /πŸ”
posted by XMLicious at 2:04 PM on September 15, 2016 [11 favorites]


This has to do with election season, and the threats to mess with digital voting. It has to do with creating attack protocols for both sides, or all sides, and then defensive protocols. I also think it has to do with distribution of misinformation, of all kinds, political, money laundering, readjustments to the entire system to hone surveillance capabilities. All the players are doing their regular maintenance.

It is not that the back will be broken, but the credibility of all systems will be broken, even more than they already are. Unfortunately people can't just go back to talking under bridges, and in cafes, because it is all on camera, every sidewalk, every school, everything. They are just going to make it work for the biggest players to have more power. Isn't that the plan?

The amount of misinformation fronted by the web, by credible actors is the bulk of its use. Banks, research, big pharma, big illegal pharma, big computer, big social media, big news media, big government, big surveillance private and government. I am sorry to be so cynical, but flexing the internet has to be the way of the internet, as it gets bigger and bigger, with the information it seeks by all means imaginable, the information it spits out, and the information it stores, then there are the control systems, power, transportation, defense, water, city management, government building and all other big systems.

Soon it will self assess, and it will want to guide, control its inner workings.
posted by OyΓ©ah at 2:08 PM on September 15, 2016 [13 favorites]


Itaxpica: A state actor (or a sufficiently motivated non-state actor) could do an enormous amount of damage in that few hours.

Pfft, I really don't think the likes of Michael Ian Black or Ken Marino can do much, if any, damage to the Internet.
posted by dr_dank at 2:12 PM on September 15, 2016 [33 favorites]



I'm not sure what the point is either, but I assume the result would be a massively fractured internet, even moreso than it is now, with dataflow between countries severely impeded/degraded.


Which is the overt desire of several governments, and the de facto condition in Cuba and North Korea, both of which have separated national intranets.
posted by ocschwar at 2:13 PM on September 15, 2016 [3 favorites]


It's the Other Internet!

Quick, which one's wearing the goatee??
posted by Greg_Ace at 2:15 PM on September 15, 2016 [6 favorites]


DNS isn't the "internet backbone". It is important to the web because we decided that we like names better than numbers (somehow those worked fine with phones...), but taking down the authoritative DNS servers for .com and .net does not actually "shatter the backbone".
posted by floatboth at 2:21 PM on September 15, 2016 [1 favorite]


The whole point of the design of the original Internet protocols, as I understand it, was to be a _decentralized_ network structure, so that it would be extremely difficult to attack. The fact that things are so centralized now may go against the original DARPA design.

Am I mistaken in remembering this? Anyone?
posted by amtho at 2:21 PM on September 15, 2016 [2 favorites]


So why can't it be the NSA

The Internet is too useful to the NSA as a surveillance tool.


I wouldn't be surprised if the NSA wants to have the ability to take down the Internet (or at least large portions of it) if that better suits its purpose at some point. Or maybe it's the CIA or the military. Given some of the interagency rivalries we have in the US, I also wouldn't be surprised if some other government agency wanted to take the Internet down just to screw with the NSA.

Could be Trump, too.
posted by TedW at 2:28 PM on September 15, 2016


@floatboth,

He didn't mention DNS at any point, so I assumed he must have meant something far more "critical," I suppose. What brought you to the conclusion he is speaking specifically about Domain Name Servers?
posted by deadaluspark at 2:30 PM on September 15, 2016


UUCP. Y'all shrink-wrapped and stored your modems around Y2K, yeah?

I have one or two USR 56k externals sitting in the basement, but the real star of the show is this box from Multitech that takes a serial cable attached to the aforementioned modem, and gives you an ethernet jack and an IP address.
posted by mikelieman at 2:36 PM on September 15, 2016 [3 favorites]


I assumed he must have meant something far more "critical,"

I expect it involves the subject of the "Weekly Routing Table Report" that comes to my Inbox.
posted by mikelieman at 2:38 PM on September 15, 2016


DNS isn't the "internet backbone". It is important to the web because we decided that we like names better than numbers (somehow those worked fine with phones...), but taking down the authoritative DNS servers for .com and .net does not actually "shatter the backbone".

It's more than just "the web" that relies on DNS. Email's another example, and yeah, you can put IP addresses into FTP requests, but names are easier to manage. I'm willing to bet that most of the other non-port 80 services like to use names primarily. Obviously, essential services should be able to fall back in the case that DNS isn't available/can't be trusted but can they? Do we even understand what "essential" means? For example, take a look at the Left-Pad incident covered in this Reply All episode.

The whole point of the design of the original Internet protocols, as I understand it, was to be a _decentralized_ network structure, so that it would be extremely difficult to attack.

Pure decentralization is also vulnerable to attack (see, e.g., Bitcoin's 50% + 1 voting problem). When everything's decentralized there isn't a good way to know who to trust. So some systems become the "authoritative" ones and sit happily at the top of the trust chain and downstream systems worry a little less because they know they have a trusted higher-up. In theory, if your browser couldn't reach Verisign's DNS server, it could fall back to a less trusted one -- but what if what was compromised in the same attack?

What brought you to the conclusion he is speaking specifically about Domain Name Servers?

"Verisign is the registrar for many popular top-level Internet domains, like .com and .net."
posted by sparklemotion at 2:38 PM on September 15, 2016 [3 favorites]


entropicamericana: " Truly an American icon"

Plus the rest of the planet, where I believe Internet has been somewhat popular too.
posted by langtonsant at 2:38 PM on September 15, 2016


TFA talks about Verisign data, but more as a proxy for sources/entities unwilling to have their identity disclosed.
posted by snuffleupagus at 2:39 PM on September 15, 2016 [1 favorite]


Could be Trump, too.

Come on.

For a start, who in the hell in that camp would have that kind of competence?

Bruce Schneier is not writing disinformation to throw you off the trail of the NSA or more incredibly another agency. If he wrote what he wrote (given he's been happy to id the NSA when called for), then he meant it.
posted by C.A.S. at 2:40 PM on September 15, 2016 [8 favorites]


I have one or two USR 56k externals sitting in the basement, but the real star of the show is this box from Multitech that takes a serial cable attached to the aforementioned modem, and gives you an ethernet jack and an IP address.

That'll give em the SLIP.
posted by snuffleupagus at 2:42 PM on September 15, 2016 [27 favorites]


Obviously, essential services should be able to fall back in the case that DNS isn't available/can't be trusted but can they?

echo 54.186.13.33 www.metafilter.com >> /etc/hosts.doomsday
posted by sfenders at 2:44 PM on September 15, 2016 [20 favorites]


Accusing Trump of every single bad thing in the world is really playing into the issue the media has right now in reporting Trump. Nate Silver discusses it on twitter starting here. If there's a million Trump controversies, its impossible to really explain any single controversy in depth. Eventually it just looks like a static noise of issues, which voters can't really grasp.

But also, c'mon.
posted by lownote at 2:47 PM on September 15, 2016 [2 favorites]


i can't believe people are seriously discussing this

this article is nothing but vague fearmongering that reminds me of the old Homeland Security Threat Alert Colors

it lowered my estimation of Bruce Schneier several notches
posted by indubitable at 2:54 PM on September 15, 2016


Mitrovarr: disrupting the internet, even if only for a few hours, could be an excellent component if you're going to do a blitzkrieg, of, say, Ukraine. The Russian Federation has been developing a new military doctrine of 'tactical ambiguity' in the Crimea conflict- Russian soldiers in separatist uniforms, neverending ceasefires honored in name only- which blurs the line. This is combined with a propaganda offensive on the internet aimed at creating murk and ambiguity- has Russia really invaded the Ukraine?

The doctrine of 'tactical ambiguity' is an evolution of Israel's doctrine of strategic ambiguity, a posture used to deter attacks by the Arab states. It evolved after the Israeli action in Lebanon and during the first intifada. Basically, by creating tactical ambiguity over whether you're at war/ it's a police action/ it's 'independent' militias/paramilitary (be they settlers or Serbian gangs), you can then exploit the anxiety and ambiguity of the states that might otherwise intervene militarily against you.


In a sense, an attack like this could be used to prevent an immediate and rapid response. Then you just set on whatever you've managed to conquer in your one day of blitzkrieg, and wait out the sanctions, which only reinforce the power of your regime (examples: Cuba, Iran, North Korea).

If you're an autocratic state actor with a 19th century mindset, whose main concern is consolidating your state's power over your people, disrupting the world's internet is a valid strategy. It buys you a few hours of blitzkrieg, and what is the west going to do? Start a nuclear war over an internet outage? It's not like they're going to somehow sanction you even more than they already would have.

TL, DR: Brinksmanship is a valid strategy against Western states, because, to invert Golda Meir's proverb, we love our children more than we hate our enemies.
posted by LeRoienJaune at 3:19 PM on September 15, 2016 [7 favorites]


Why doesn't this seem like something an activist, criminal, or researcher would do? I realize that it takes a lot of resources but if you have an exploit that gives you access to them, it seems like the natural thing to do. For that matter, it seems like exactly the kind of thing espionage or intelligence gathering agencies would do. I appreciate the the immense scale of computing power and bandwidth required to pull this kind of thing off but if you have the ability to falsely send, say all cellphone and home internet traffic to an identical but fake version of a popular news source in the middle of a large crisis, while simultaneously DDoSing everything else that might be working to distribute an accurate message, you have an immensely powerful weapon of propaganda and terror. Imagine 9/11 but CNN.com doesn't just go down, it's the only site that's up and it's been subtly replaced by an identical site full of carefully forged media that says the president and entire chain of succession was killed when White House, Capitol, and Pentagon were destroyed and the nation has surrendered to _____ or something like that. You can project that scenario into just about any situation in any country where the internet is a go-to information source.
posted by feloniousmonk at 3:23 PM on September 15, 2016 [3 favorites]


So why can't it be the NSA

NSA has much more elegant ways of doing it because they have backdoors into so much network infrastructure across the Internet as a whole that a DDOS flood, even a multi-prong one like Bruce describes, is too much of a blunt tool for their purposes. Their control is much more granular & tunable, with a dedicated out-of-band C&C infrastructure. It's just too crude for them.
posted by scalefree at 3:24 PM on September 15, 2016 [2 favorites]


this article is nothing but vague fearmongering that reminds me of the old Homeland Security Threat Alert Colors
Personally I trust and am interested in Schneier's assessments waaay more than anything Homeland Security has ever said/done.
YMMV
posted by Golem XIV at 3:27 PM on September 15, 2016 [12 favorites]


Why doesn't this seem like something an activist, criminal, or researcher would do?

Coordination. Sure if you have the right set of 0-days you can make millions of machines stop & play the same simple tune. But this is more like the performance of an orchestra. It's something that requires a lot of people playing lots of parts on lots of different instruments, all under the instruction of a conductor. There's only a small handful of groups that are funded, experienced & motivated enough to pull something like this off.
posted by scalefree at 3:36 PM on September 15, 2016 [1 favorite]


Belatedly:πŸ” (As regards Trump. I do think the US could just as easily be covertly looking at ways to take down networks up to and including the Internet just as well as any other reasonably powerful nation.)
posted by TedW at 4:00 PM on September 15, 2016


Dark Army. Duh.
posted by Damienmce at 4:53 PM on September 15, 2016 [6 favorites]


Bruce Schneier is not writing disinformation to throw you off the trail of the NSA or more incredibly another agency. If he wrote what he wrote (given he's been happy to id the NSA when called for), then he meant it.

How do we know he wrote it? The article isn't signed.
posted by invitapriore at 4:55 PM on September 15, 2016 [3 favorites]


"Shatter the internet's backbone" sounds so dramatic, but could you really do much more than take it down for a couple of hours before people figured out what you were doing and stopped you?

It's not meant to be a standalone attack that breaks the Internet forever but a force multiplier to make some other attack more effective. Russia has been perfecting the use of disinformation campaigns to sow confusion among its enemies. Preventing the use of the Internet as a tool to debunk staged broadcasts or otherwise counter these techniques could be very useful if applied at the right moment to gain a strategic advantage.
posted by scalefree at 5:02 PM on September 15, 2016 [1 favorite]




DNS isn't the "internet backbone". It is important to the web because we decided that we like names better than numbers (somehow those worked fine with phones...), but taking down the authoritative DNS servers for .com and .net does not actually "shatter the backbone".

Not so fast, floatboth. The internet may not require DNS, but a whole ton of internet security does. A SSL certificate grants a server an identity in the form of a name, like *.chase.com, and not an IP address. With no DNS, there's nothing to actually verify. You can still encrypt traffic from the client to the server, but the ability of the client to verify the identity of the server is gone. Spoofing a bank site will go from very difficult to something that anyone between you and the bank on the network can do, just by rerouting your ip traffic to a malicious server.

Machine certificates and PKI have replaced username and password in most modern organizations for verification of identity between servers. That also depends on DNS, so a lot of secure machine to machine automated communication will dry up and die. Like... patches. Imagine the merry hell that could be unleashed if someone spoofed Microsoft Update.
posted by quillbreaker at 5:21 PM on September 15, 2016 [7 favorites]


I at times I wish I hadn't read Dick's Penultimate Truth, again this year, but so it goes. Every new computer that comes out has ad blockers put on. Every entity who wants to track, to advertise, to peek in our wallets, is bending the internet as best they can. Every western human, well, enough of them carry small internet linked machines of increasing complexity, with them everywhere they go. To geo locate those, to track communications, to try to utilize the information for commerce, surveillance, and social media that is a lot of traffic, I can't even imagine the number to apply, to describe the up tick in quantity of personal web usage thanks to phones. Pulling the wool over everyone's eyes is increasing in difficulty, at a rate I can't imagine, and I don't have a math faculty on tap.

Then there are other things. There have been over time some military plane crashes, and I imagine how hard everyone is working on taking control of aircraft that are not their own. Imagine if you could just turn a squadron of bombers around, and make them go home and drop their loads. So many applications, so little time, in between the trillions upon trillions of other small interchanges, in any one second.

I have always thought it amazing that we can drive down the interstate at 80 miles per hour, and very little else happens but getting where you are going. The internet is such a new, omnipresent, sentient, growing thing, all bets are off as to when it takes on a life of its own, or it has a new unintended master, or masters, or anything really.
posted by OyΓ©ah at 5:31 PM on September 15, 2016 [2 favorites]


I have been generally ignoring the state of the art in terms of DNS and I understand that there have been some attempts to probe the defenses of the root name servers but to date there has been an inability to take them all down although some of the individual root name server networks have been saturated at points.

While theoretically it seems like the anycast networks that typically support each of the root name servers can be DDoSed it seems likely that various server providers would step in and begin shutting down the networks where most of the attacks originate in an attempt to save the remainder of the system.

Unless their DDoS amplification strategies can be launched from extreme bandwidth location it seems like eventually they'll run up against a situation where the root namer servers and the ISPs that surround them have more bandwidth than the DDoS attackers can throw at the problem. So yeah you can quite likely severely impact downstream users but being able to maintain a consistent DDoS assault long enough to impact the downstream caches but also diffuse enough to be hard to disable the networks it's coming from would be challenging at best.
posted by vuron at 5:41 PM on September 15, 2016


DNS isn't the "internet backbone". It is important to the web

The article is admittedly obscure about what the attacks are and the simplest example that Bruce (he responded to an email so I can use the familiar:) use about denial of service attacks had on tap was name service but likely that many attacks would take vastly longer descriptions. Security by obscurity is not an effective strategy but not publicizing details of attacks does not hurt as there are in incredible number of wanabe (ScriptKiddies) folks that would add to the problem "for the luz".

I kinda disagree that DDoS would be a State Players best method of taking down the internet. There are hubs, a dozen, maybe less key nodes, physical nodes. If you see a building with no windows (oh say down on Canal st) a vast amount of pretty hard wired connections. It would not shut down the internet but things would get really slow.
posted by sammyo at 6:02 PM on September 15, 2016


Yes the various internet exchange points are obvious targets for physical disruption but they are also incredibly resilient to other forms of disruption. The biggest ones can handle absolutely massive amounts of traffic and that's ignoring the various private peering relationships. Yes downstream internet exchanges can be totally crushed by sustained attacks but while individual iSP can be victim to big service interruptions it's not completely clear that you could maintain that sort of pressure on the big exchange points in the US and Europe.
posted by vuron at 6:23 PM on September 15, 2016


I think that a percentage of all business done on this planet is illegal, and say when you have a major player like Volkswagen, game the system; it reveals a lot about how business is done. I live in a state loaded with NSA, and a state that gives business everything, every advantage. I think there is a penumbra, impenetrable, between the defense business, and private security agencies who twin the work of governmental agencies, and criminal activity on behalf of their corporations. We are dismayed by stories of trillions of unaccounted for dollars, and then fail to make the connections that this is a criminal misuse of taxpayer monies. This is done by manipulation of data, by deliberate softening of the interfaces between what is legal, and what is not. Theft on a scale this grand requires vast computing resources. Something like the planning it takes for drug companies to game Medicare, Medicaid, and health care systems, heck the VA, requires vast computing resources. Moving drugs in the organized fashion they move, regular shipments hidden in other regular shipments, covert salaries payed to the rank and file, within huge criminal organizations requires a lot of covert computation, and constant change to maintain anonymity, or keep cover. Then all of the stolen funds have to be laundered through banking institutions, security requires a lot of room in a system. Then you get nation states involved in covert activities who have to pay for things, for people in the field, for armies, and weaponry, oh yes the weapons and the secrecy about sales, covert activity has to be the source of continuous probes and rechecks on the web architecture. It has to be more than 60% of all activity. Has to be. The fact that it is secret, unaccountable, systems might not be designed for the quantity of duck and cover.
posted by OyΓ©ah at 7:12 PM on September 15, 2016 [1 favorite]


Security by obscurity is not an effective strategy but not publicizing details of attacks does not hurt as there are in incredible number of wanabe (ScriptKiddies) folks that would add to the problem "for the luz".
Except that Schneier himself is vehemently pro-transparency when it comes to issues of security and has been an activist on this precise issue for as long as I've known about him. This is why this article kind of infuriates me--it's vague enough to prevent any sort of contextualization of the danger presented by his dire warning at the end. He could have eliminated a few hundred words and still communicated the same message--SCARY ESCALATING BACKBONE ATTACKS OF UNKNOWN ORIGIN ARE SCARY. JUST SO YOU KNOW.
posted by xyzzy at 11:15 PM on September 15, 2016 [1 favorite]


It is now official. Netcraft has confirmed: The Internet is really dying

News guy wept and told us,
Earth was really dying
Cried so much his face was wet,
Then I knew he was not lying
I heard telephones, opera house, favorite melodies
I saw boys, toys, electric irons and T.V.'s
My brain hurt like a warehouse, it had no room to spare
I had to cram so many things to store everything in there
And all the fat-skinny people, and all the tall-short people
And all the nobody people, and all the somebody people
I never thought I'd need so many people
posted by evilDoug at 11:22 PM on September 15, 2016


How do we know he wrote it? The article isn't signed.

Maybe the secretary of state for Hawaii can release the long form of his birth certificate and clear it up for us.
posted by C.A.S. at 2:25 AM on September 16, 2016 [1 favorite]


Not so fast, floatboth. The internet may not require DNS, but a whole ton of internet security does. A SSL certificate grants a server an identity in the form of a name, like *.chase.com, and not an IP address. With no DNS, there's nothing to actually verify. You can still encrypt traffic from the client to the server, but the ability of the client to verify the identity of the server is gone. Spoofing a bank site will go from very difficult to something that anyone between you and the bank on the network can do, just by rerouting your ip traffic to a malicious server.

We're still just talking about HTTPS here, right?

I kinda disagree that DDoS would be a State Players best method of taking down the internet.

The Web is not the Internet.

You can have authentication and encryption at the network level without having to care about DNS. Seems like SSH is a decent case in point.

Preventing the use of the Internet as a tool to debunk staged broadcasts or otherwise counter these techniques could be very useful if applied at the right moment to gain a strategic advantage.

I think this is probably the point, looking at the role of Twitter and Facebook and etc. in recent conflicts and revolutions, uprisings, etc.
posted by snuffleupagus at 5:21 AM on September 16, 2016


Mitrovarr: disrupting the internet, even if only for a few hours, could be an excellent component if you're going to do a blitzkrieg, of, say, Ukraine. The Russian Federation has been developing a new military doctrine of 'tactical ambiguity' in the Crimea conflict- Russian soldiers in separatist uniforms, neverending ceasefires honored in name only- which blurs the line. This is combined with a propaganda offensive on the internet aimed at creating murk and ambiguity- has Russia really invaded the Ukraine?
I think there's an even more plausible scenario: if you're an authoritarian regime, many of your greatest threats are internal and maintaining the image of being in control is critical but also much harder in the Internet era. You can take the North Korean approach where the Internet is tightly restricted but that's incompatible with a modern economy so you end up with a hybrid approach of monitoring and selective blocking. There are sadly now a number of examples where a short outage might make a big difference even if it's not sustainable for more than a few days: consider how July could have gone in Turkey had Facetime been blocked or the current ongoing outages in Gabon during an election dispute.

There are a bunch of outside services which tend to figure in those stories (Twitter, Facebook, WhatsApp, etc. – generally very hard targets to take offline) and activist groups trying to make it easier for people to smuggle news outside (satellite phones, Tor, etc.). In all of those cases, the time where the opposition might organize, a neighboring country might decide to intervene, or simply the time needed to prepare some plausible counter-narrative is rather short so it wouldn't surprise me at all to see someone asking questions like whether it would be possible for them to take a Facebook video offline for a couple of days. It'd have some sort of penalties but probably not much and certainly far less than a military action outside of your borders.
posted by adamsc at 6:35 AM on September 16, 2016


There's been a notable spree of internet blocking by various nations on the African continent. Could this just be testing a whole new tool in this whack a mole game?
posted by infini at 7:10 AM on September 16, 2016 [2 favorites]


I've worked in NOCs and network engineering teams at ISPs for the last few decades. If an attack like this launched, i.e. ddos against DNS and similar infrastrcture, the first thing a NOC would do is identify the source/destination/port, and either blackhole the traffic before it gets to the target, or set up a firewall policy to drop said traffic. If the attack became large enough, offending peers would be filtered, or even shut off entirely, at the edge to avoid congestion of the core network. Meanwhile, the various vendors impacted would be coming up with workarounds and patches to keep it from happening again.

My real fear would be that someone would come up with a set of 0-day exploits for the major routers (Cisco and Juniper would seem to account for the majority in my experience) and a way for a compromised router to seek out and infect any vulnerable connected equipment, similar to how a worm attack works. Have it infect any device it can reach, then brick itself hard (requiring hardware replacement), and we'd have to rebuild the majority of the Internet infrastructure before it could go operational again.

Better to find out who's doing this and cut them off at the edge before they move to the next stage.
posted by Blackanvil at 9:31 AM on September 16, 2016 [1 favorite]


heh, didn't Juniper have a big issue with one of their lines of VPN boxes having its IPSec implementation badly compromised by persons unknown? And didn't something come out of the Snowden leaks about the NSA hamfistedly crashing an edge router in Syria while trying to do... whatever it is that they do? I wouldn't count out one of the major players having a couple of 0-days up their sleeve for just that kind of thing.
posted by indubitable at 11:35 AM on September 16, 2016


We're still just talking about HTTPS here, right?

And LDAPS and SMTP/TLS, and SSL encryption of IRC authentication. So if that SSH server is pulling user keys out of OpenLDAP using port 636, you're potentially also boned. Basically, I have Nagios check our DNS server health for a reason. Pretending like losing the root servers isn't a big deal is sort of shrugging off anything maintream society values about computers.

If you don't like backbone, heart's a fairly good analogy. They have multiple chambers, but if they all fail, you won't survive long without replacement technology to keep the data circulating.
posted by pwnguin at 8:12 PM on September 17, 2016


I've worked in NOCs and network engineering teams at ISPs for the last few decades. If an attack like this launched, i.e. ddos against DNS and similar infrastrcture, the first thing a NOC would do is identify the source/destination/port, and either blackhole the traffic before it gets to the target, or set up a firewall policy to drop said traffic.

I'm decidedly not a network engineer, so enlighten me. How exactly do you propose to block UDP packets destined at port 53 and still have a functional .com DNS server? Are you going to take the Alexa Top 500 offline by blocking requests to them?
posted by pwnguin at 8:17 PM on September 17, 2016


Pwnguin's question above is relevant -- DNS, by virtue of using UDP for most operations, is a common target for spoofing attacks. It's trivial in most networks to forge a bogus source address for a packet, but that doesn't work well for TCP attacks because you have to complete the handshake to establish a connection (something which is not going to work if you are just making up bogus source addresses.)
posted by Nerd of the North at 1:26 PM on September 19, 2016


For what it's worth.. I earn my living working for an organization that is one of the root DNS operators (and while that's not directly my role, I do need to be kept semi-informed because I am part of the on-call rotation which might handle first response should a major incident occur) and on a regular basis I issue security advisories concerning vulnerabilities in DNS software.

I am not aware of any heightened activity in the immediate recent past, but there have definitely been denial of service attacks against the root servers in the fairly recent past, including a significant incident in November of last year.

There have also been incidents reported to us where, after we have publicly disclosed a vulnerability affecting DNS software, we have received reports from large organizations and/or nations who have observed that vulnerability being used to probe their infrastructure.

I don't know what specifically prompted Schneier's column but there are some interesting things going on in the DNS world and to the best of my knowledge nobody is quite sure who is at the bottom of things (for my money, I would be inclined to bet heavily against the idea of a single perpetrator.)
posted by Nerd of the North at 1:35 PM on September 19, 2016


I've worked in NOCs and network engineering teams at ISPs for the last few decades. If an attack like this launched, i.e. ddos against DNS and similar infrastrcture, the first thing a NOC would do is identify the source/destination/port, and either blackhole the traffic before it gets to the target, or set up a firewall policy to drop said traffic.
One other troublesome aspect of DNS, when it comes to distributed denial of service attacks, is that it's very easy to use DNS queries for reflection attacks.

Let's say I want to overwhelm you with traffic. I know that if I send a stream of malicious traffic directly to you then either you or some network provider along the way is going to drop my traffic, rendering my attack only briefly effective at best. However, I can spoof UDP DNS queries with a high multiplication factor and send them to legitimate DNS servers around the net. It only costs me a few bytes of outgoing traffic to send servers all around the net small queries which yield large responses and to forge the source address so that they send their large responses to you. You get flooded with traffic from thousands of sources, none of whom are particularly at fault, and many of whom you might actually need to accept traffic from (since if you block DNS responses from those servers your own clients can't get answers to legitimate queries when they need them.) DNSSEC makes this even worse, because in addition to the answer section of the query, which can already be many times larger than the spoofed query itself, you're also going to get signatures in the response's additional section and they're comparatively huge -- really upping the multiplication factor.
posted by Nerd of the North at 1:45 PM on September 19, 2016


Couple new data points:

Arbor Networks tracks 540 GBPS DDOS against Rio Olympics

Brian Krebs reports 665 GBPS DDOS on his website, believed to be the largest in Internet history.
posted by scalefree at 10:48 PM on September 20, 2016


if you block DNS responses from those servers your own clients can't get answers to legitimate queries when they need them.

Forward client requests through DNS resolvers or a generic tunnel, hosted elsewhere?

The silencing of KrebsOnSecurity opens a troubling chapter for the Internet. Not good on detail, but I agree with the sentiment. If the attack is a botnet running from the homes you want to reach, it seems like you're pretty screwed.

Hopeless security on consumer electronics: not just a threat to the owner.
posted by sourcejedi at 4:23 AM on September 24, 2016 [1 favorite]


Ah, the detail came from Krebs (the victim of the DDoS), so that's why was bit hard to track down.

KrebsOnSecurity Hit With Record DDoS (Wayback Machine)
posted by sourcejedi at 4:31 AM on September 24, 2016


« Older Skating, surfing, shredding Sky Brown, youngest...   |   Jay Z: The War on Drugs Is an Epic Fail Newer »


This thread has been archived and is closed to new comments