Monday, February 14, 2011

Could the CXPST attack take down the Internet?

Stan writes to ask my opinion on the new CXPST denial of service attack, and whether it really could take the Internet down.

First, a quick overview of the attack.  Most Internet devices that most of us deal with are end systems - typically servers, like the ones that live at or some such place.  There are another set of devices that are typically invisible (in the out-of-sight-out-of-mind sense): routers.  These are specialized computers that figure out where each message needs to go so that it gets delivered to the proper location.  The broadband router in your house is a very small version of this.

The routers at the Internet core are massive in comparison.  They need to be, because they need to know where everything lives on the Internet.  The only way that this can work (because nobody knows what the Internet really looks like) is that the routers talk to each other, and explain where things are.  This all happens automatically, by a protocol called Border Gateway Protocol (BGP).

The CXPST attack is said to use a combination of techniques to overload the core routers, causing them to crash.  Stan asks: is there anything to this?

Maybe.  Let me break down the components you'd need.

1. Massive zombie botnet army

The attack needs a really large number of computers to work, because there's a ton of data to collect.  Something along the lines of a quarter million computers.  So I haven't bothered to say "don't try this at home", because most of us don't have a botnet of 250,000 pwned computers.

But some people do.  A sadly large percentage of computers - even those "protected" by antivirus - are infected.  Maybe 30%.  So this part is pretty plausible.

2. Internet reconnaissance

If you want to attack the core routers, you need to know where they are.  Since they don't have easy to remember names (like, you need to figure this out on your own.  There are programs to do this - traceroute is an elegant hack and will give you a list of all the routers that sit between your computer and your destination.

The problem is that there are many paths through the 'net, which go through many different core routers.  This is where the botnet army comes in, with a ton of zombies figuring out the paths through the 'net to identify the top choke points.

But yeah, this is just programming.  Plausible.

3. BGP vulnerability

While rare, attacks exploiting vulnerabilities in routing protocol software have been seen before.  But that's not really what we're seeing in this attack.  Rather, it's a timing attack, where you use the protocol as intended.  CXPST tries to overwhelm a router so that it removes itself from the BGP interactions with its fellow routers.  Then as it "clears its head" and starts to rejoin the BGP community CXPST targets a fellow router so that it goes down as the first is coming back.  The intended outcome is to introduce rolling instability that cascades through the core, ultimately turning into a chain reaction that ultimately melts down the entire core.

You see why you need a lot of reconnaissance from the botnet - you don't need one core router to target, you need a bunch.  If you only have a few, it's quite likely that your attack will fizzle.

So plausible or not?  I'm a bit skeptical here.  Timing attacks are nothing new, but you have to know what you're doing for them to work, and remember that nobody really knows what the Internet looks like.  Nobody watches BGP in action, you the pool of expertise to get the timings right is really limited.

Could you?  Maybe.  I'd think that the intersection of the groups understand BGP timings and have a whopping great botnet army may be limited to nation state actors.  Plausible, but unlikely.

4. Motivations

Here's where it gets dicey.  This sounds about right:

Ordinary botnet owners would never launch such an attack. They’re making far too money from spam and reaping malware’s credit-card number fruits to want to kill the Internet. It is conceivable though that a rogue nation could attempt to wreck the Internet in a cyberwar.

In the long run, a CXPST attack would be stopped, but for a few hours to a day or two the Internet could conceivably be knocked out.
The people who plausibly could do this either probably wouldn't want to, or they are Intelligence Agencies who would probably only do it as a hostile act.  China almost certainly has the capability to do this to us (we're likely the country most dependent on the Internet), but with all the economic activity that relies on Internet Just In Time communications (and with how their economy relies on ours), it would probably take them down, too.

I'm not at all sure I see the motivation among these people.  Then again, that may just point out the limits of my own imagination.

Bottom line, the number of interesting new attacks is an infinitely renewable source of risk.  Robustness and resiliency are prudent, but no guarantee.  But I'm not using this as an excuse to top up the diesel for the generator.


TJP said...

Wouldn't the attack immediately cease when the routers were no longer passing traffic?

The underlying problem with the Internet isn't the protocols, it's the organization. Lots of huge points of failure, and lots of government interference with utilities at the local level.

saintx said...

"Wouldn't the attack immediately cease when the routers were no longer passing traffic?"

No, the point at which the routers are no longer passing traffic does two things.

First, it denies service to all other users of those routers. So, rather than having ceased, in that case it has succeeded.

Second, when these routers go offline they trigger BGP route updates on the other routers attached to these (typically, BGP peers at AS boundaries would be targeted). So, changes in network topology would need to be propagated through the network. When these same routers, moments later, came back online, new updates would be sent while the attack resumed. Then they'd go offline again, and the cycle would repeat. Essentially each of the targeted routers would be stuck in a link flapping loop, continually broadcasting route update traffic to their BGP peers.

The "C" in CXPST stands for "coordinated", meaning dozens or hundreds of these attacks would be made simultaneously around the world. The resulting storm of BGP route update traffic from routers stuck in the link flapping loop described above would flood the control plane of the world's AS boundary routers, effectively bringing the entire system offline. Could you ping your gateway? Yes. Could you move traffic beyond the core of your local AS, and across AS boundaries to other networks? No. Essentially there'd be no more "Inter" in the "Internet".