Among the many security failures of the past few months there has been one notable success. The Internet proved that it was robust enough to withstand Papermag.com’s Break the Internet edition. It’s nice to know that while North Korea can take down Sony, and Lizard Squad can put major gaming sites out of business on Christmas Day, the Internet itself can handle any amount of undraped celebrity derrière. That episode set me to thinking, though. If Kim Kardashian and her photoshopped posterior can’t break the Internet, then who could?
The first place you might consider attacking would be the DNS root name servers. These control the very top level of DNS, and without them no server on the Internet would have a name. There are a limited number of them, and they are controlled by a committee, the DNS Root Server System Advisory Committee, otherwise known as the Secret Masters of the Internet. However, the servers themselves are run on heavily protected, highly redundant hardware, and are geographically distributed. They also run different software, so a single vulnerability could not be used to take down all the root servers. They are such an obvious place to attack that they are too well defended to be a good target.
The Internet can route around damage. That is a strength when dealing with minor damage or attacks but a problem when a major component is damaged. The network traffic that gets rerouted causes bottlenecks and slowdowns elsewhere in the network. Once you hit the dreaded Reload Threshold, when web pages are loading slowly enough that people start hitting the reload button and sending multiple requests for the same page, then large sections of the net would grind to a halt. This happened on July 18th, 2001 when a train accident in a tunnel in Baltimore severed an Internet backbone cable. That afternoon users all over the US had problems accessing web sites in other parts of the US, apparently randomly. A simple brute force DDoS attack against one or two key points in the Internet would be enough to make the rest unusable. Personally I would probably go after MAE-West in San Jose, partly because almost all the traffic to and from Silicon Valley goes through there but mostly because it has a cool name.
To make a serious dent in the bandwidth of one or more Internet Exchange Points you would need total bandwidth in the Terabits/second range, an order of magnitude larger than the Spamhaus attack. Who has access to that sort of bandwidth and the expertise to point it all at one place?
My first thought was Netflix. During prime viewing hours Netflix streaming videos account for about a third of all the bandwidth used in the US, and probably more when a new season of House of Cards comes out. In order to serve their fifty million plus viewers, Netflix probably uses between ten and twenty Terabits/second which is more than enough to take down several Internet Exchange Points. However, they don’t control all of the bandwidth directly. Much of it is either leased from content distribution networks (CDN) such as Limelight and Level 3, or sent from caching devices that are colocated in major ISPs. While Netflix could temporarily disable the Internet, pretty soon the CDNs and ISPs would pull the plug on their equipment, and things would be back to normal.
Next up in the bandwidth stakes is Google, whose YouTube video streaming takes up about half as much bandwidth as Netflix. That’s certainly enough to do serious damage, but there is a limited range of IP addresses from which the attack could originate. So, this attack could be blocked, though with significant collateral damage. Actually, if Google were just to take down Google Search, Gmail, Google Voice, Google Drive, and YouTube, the Internet would be broken for many people. On the bright side, nobody would miss Google+. Luckily large corporations have checks and balances built in to prevent this sort of corporate suicide.
I mentioned the CDNs earlier, and certainly the large ones like Limelight, Level 3, Amazon AWS, and Akamai have enough bandwidth to be a significant threat. I would be especially concerned about Akamai, as they have a wide geographical distribution of their servers. Anyone surfing the Internet regularly downloads files from Akamai many times a day without noticing it. However, while these companies could do temporary damage, in the long run they could simply be disconnected from the rest of the Internet. Things would be painful if they were offline for any period, though, as the content they are currently delivering would be unavailable. Once again, I don’t think corporate suicide is very likely.
For an attack on the Internet to be successful and sustained, it would have to come from many different sources. So the question is, who could get control of enough devices to take down not just a large corporation or a small country, but the entire Internet? Clearly any of the large software vendors that push out updates to millions of devices on a regular basis could do this: Microsoft, Apple, Adobe, Oracle, etc. Let’s hope they all have good enough quality assurance to prevent a rogue programmer from inserting a backdoor and enabling the launch of the Mother of All DDoS Attacks.
Are there any individuals or small groups that could launch a supermassive DDoS attack without having to go through large corporate QA? I came up with three good examples, and there are probably quite a few more out there.
Matthew Prince: Probably nobody knows more about defending against DDoS attacks than Matthew Prince and his team at the DDoS protection company Cloudflare. Not only does Cloudflare have access to massive bandwidth to absorb DDoS attacks, but to be a good defender, you also have to understand everything about the attack. At Defcon last year Prince gave a presentation on how to break the Internet by simply scaling up the sort of DNS amplification attack used against Spamhaus.
This used open DNS resolvers (of which there are tens of millions on the Internet) to amplify an attack coming from a handful of compromised web servers on networks that allow IP address spoofing. At the height of the Spamhaus attack, CloudFlare was considering a strike-back attack in which the open resolvers were made to attack each other. Happily they did not need to do this, though the code was written and ready to go. Of course, if all twenty-eight million dangerous open DNS resolvers were set to attack a few key targets it would be game over for the Internet. If you want more details about Prince’s plan for breaking the Internet, it’s all on this YouTube video starting at the 20:00 mark, which means that there are probably a lot more people who could do it now.
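The one thing an open resolver's operator can do cheaply is notice when it is being used as a reflector. As an added example, not code from the original post or from CloudFlare: a small Python check over constructed resolver query-log lines (the log format, the query types counted and the thresholds are all assumptions) that flags a source address sending a burst of large-answer queries, which is what a spoofed victim address looks like from the resolver's side.

```python
# Added example: spot likely DNS amplification reflection in a resolver's
# query log. Log format, query types and thresholds are assumptions made
# for illustration, not taken from any particular resolver or incident.
from collections import defaultdict
import re

# Constructed sample lines, loosely modelled on a BIND-style query log:
# "<time> client <ip>#<port>: query: <name> IN <type> <flags>"
SAMPLE_LOG = """\
12:00:01 client 203.0.113.5#53: query: isc.org IN ANY +E
12:00:01 client 203.0.113.5#53: query: isc.org IN ANY +E
12:00:01 client 203.0.113.5#53: query: isc.org IN ANY +E
12:00:02 client 203.0.113.5#53: query: isc.org IN ANY +E
12:00:02 client 198.51.100.9#40213: query: www.example.com IN A -
12:00:03 client 198.51.100.9#40213: query: www.example.com IN AAAA -
12:00:03 client 203.0.113.5#53: query: isc.org IN ANY +E
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: \S+ IN (?P<qtype>\w+)"
)

# Query types whose answers are typically many times larger than the
# request, which is what makes a resolver useful as an amplifier.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_log(text):
    """Yield (source_ip, source_port, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("qtype")


def find_reflection_victims(text, min_queries=3, min_share=0.8):
    """Return {source_ip: amplifying_query_count} for sources that sent at
    least min_queries amplifying queries making up at least min_share of
    everything they sent. A normal client mixes A/AAAA lookups; a spoofed
    victim address shows up as a stream of nothing but large-answer types."""
    total = defaultdict(int)
    amplifying = defaultdict(int)
    for ip, _port, qtype in parse_log(text):
        total[ip] += 1
        if qtype in AMPLIFYING_TYPES:
            amplifying[ip] += 1
    return {
        ip: n for ip, n in amplifying.items()
        if n >= min_queries and n / total[ip] >= min_share
    }


if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_LOG))  # {'203.0.113.5': 5}
```

A hit here means the resolver is answering to an address that almost certainly never asked, so the response should be rate-limited or dropped rather than the source blocked, since the source is the victim.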
Bram Cohen: When someone has to add code to their product specifically to avoid breaking the Internet, that’s a good sign that they could break the Internet any time they wanted to. Cohen is the author of the predominant peer-to-peer file sharing protocol, BitTorrent. If you look at the prime time bandwidth consumed by BitTorrent it seems small, less than a tenth of Netflix, but there is a good reason for this. The BitTorrent protocol is smart enough to detect network congestion and throttle back so as not to make things worse. At times of less network demand BitTorrent will ramp up again and use the bandwidth that nobody else is using. When Cohen made this change a few years back he complained that he had saved the backbone Internet providers many millions of dollars and there was no way for him to monetize that. Simply turning off this feature would result in a significant increase in prime time Internet bandwidth usage with significant bottlenecks and disruption. However, if Cohen wanted to go further than that he could introduce a deliberate backdoor into the protocol to allow him to use all that bandwidth for evil purposes. Of course the code is open source, so he would have to disguise the new functionality in a way that would not be easily detected by inspection. Given that Cohen is also an expert on steganography and a published puzzle designer, I don’t think he’d find this hard.
The Carna Botmaster: In 2012, an unknown researcher pulled off one of the most interesting hacks of all time – a survey of the entirety of IPv4 address space. A worm program looked for home routers and other equipment with weak login credentials by systematically probing all low ports on all IP addresses. When it found one it would install another copy of itself and go on searching. The worm was designed to be low impact, and the entire botnet uninstalled itself and cleaned up once every IP address on the Internet had been tested. At its peak this botnet, Carna, had 420,000 nodes. If, say, a quarter of those were on broadband connections with 10 Megabit/second capacity, that would give the entire botnet the Terabit/second capacity necessary for a truly devastating attack. Any rapidly spreading worm on PC or mobile devices would soon be detected by the anti-virus companies and resources would be devoted to taking it down. However, by infiltrating devices not running anti-virus software the Carna botmaster was able to build a stable network which avoided detection for months. Now that’s a frightening thought.
UPDATE: March 9, 2015. This post sparked off an interesting discussion over on MetaFilter. MetaFilter is free to read, but charges a small fee via PayPal to obtain rights to post. As well as financing the web site this is a highly effective Turing Test which discourages forum spam.