nanog mailing list archives
Re: Vulnerbilities of Interconnection
From: <sgorman1 () gmu edu>
Date: Thu, 05 Sep 2002 15:55:26 -0400
The question is what if someone was gunning for your fiber. To date, cuts have been unintentional. Obviously the risk level is much higher doing a physical attack, but the bad guys in this scenario are not teenage hackers in their parents' basement. There is a good foundation of knowledge on the implications of cyber attacks, but the what-if of an intentional physical attack is an important question, I believe. The context in this discussion has been very valuable and many thanks to everyone that has offered opinions.

----- Original Message -----
From: Dave Israel <davei () algx net>
Date: Thursday, September 5, 2002 3:50 pm
Subject: Re: Vulnerbilities of Interconnection

The thing is, the major cuts are not "attacks;" the backhoe operators aren't gunning for our fiber (no matter how much it seems like they are). If I wanted to disrupt traffic, intentionally and maliciously, I would not derail a train into a fiber path. Doing so would be very difficult, and the legal ramifications (murder, destruction of property, etc, etc) are quite clear and severe. However, if I ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never had to leave my parents' basement, I'm harder to trace by normal police methods, and the question of which laws can be applied to me is less clear.

-Dave

On 9/5/2002 at 15:38:56 -0400, sgorman1 () gmu edu said:

> "Again, it seems more likely and more technically effective to attack internally than physically. Focus again here on the cost/benefit analysis from both the provider and disrupter perspective and you will see what I mean."
>
> Is there a general consensus that cyber/internal attacks are more effective/dangerous than physical attacks? Anecdotally it seems the largest Internet downages have been from physical cuts or failures.
>
> 2001 Baltimore train tunnel vs. Code Red worm (see keynote report)
> 1999 McLean fiber cut - cement truck
> AT&T cascading switch failure
> Utah fiber cut (date??)
> Not sure where the MAI mess up at MAE East falls
> Utah fiber cut (date??)
>
> Then again this is the biased perspective of the facet I'm researching.
>
> Secondly it seems that problems arise from physical cuts not because of a lack of redundant paths but a bottleneck in peering and transit - resulting in ripple effects seen with the Baltimore incident.
>
> ----- Original Message -----
> From: "William B. Norton" <wbn () equinix com>
> Date: Thursday, September 5, 2002 3:04 pm
> Subject: Re: Vulnerbilities of Interconnection
>
>> At 02:45 PM 9/5/2002 -0400, alex () yuriev com wrote:
>>> This obviously would be a thesis of Equinix and other collospace providers, since this is exactly the service that they provide. It won't, however, be a thesis of any major network that either already has a lot of infrastructure in place or has to be a network that is supposed to survive a physical attack.
>>
>> Actually, the underlying assumption of this paper is that major networks already have a large global backbone that needs to interconnect in n-regions. The choice between Direct Circuits and Colo-based cross connects is discussed and documented with costs and tradeoffs. Surviving a major attack was not the focus of the paper...but...
>>
>> When I did this research I asked ISPs how many Exchange Points they felt were needed in a region. Many said one was sufficient, that they were resilient across multiple exchange points and transit relationships, and preferred to engineer their own diversity separate from regional exchanges. A bunch said that two was the right number, each with different operating procedures, geographic locations, providers of fiber, etc., as different as possible. Folks seemed unanimous about there not being more than two IXes in a region, that to do so would splinter the peering population.
>>
>> Bill Woodcock was the exception to this last claim, positing (paraphrasing) that peering is a local routing optimization and that many inexpensive (relatively insecured) IXes are acceptable. The loss of any one simply removes the local routing optimization and that transit is always an alternative for that traffic.
>>
>>>> A couple physical security considerations came out of that research:
>>>>
>>>> 1) Consider that man holes are not always secured, providing access to metro fiber runs, while there is generally greater security within colocation environments
>>>
>>> This is all great, except that the same metro fiber runs are used to get carriers into the super-secure facility, and, since neither those who originate information, nor those who ultimately consume the information are located completely within facility, you still have the same problem. If we add to it that the diverse fibers tend to aggregate in the basement of the building that houses the facility, multiple carriers use the same manholes for their diverse fiber and so on.
>>
>> Fine - we both agree that no transport provider is entirely protected from physical tampering if its fiber travels through insecure passageways. Note that some transport capacity into an IX doesn't necessarily travel along the same path as the metro providers, particularly those IXes located outside a metro region. There are also a multitude of paths, proportional to the # of providers still around in the metro area, that provide alternative paths into the IX. Within an IX therefore is a concentration of alternative providers, and these alternative providers can be used as needed in the event of a path cut.
>>
>>>> 2) It is faster to repair physical disruptions at fewer points, leveraging cutovers to alternative providers present in the collocation IX model, as opposed to the Direct Circuit model where provisioning additional capacities to many end points may take days or months.
>>>
>>> This again is great in theory, unless you are talking about someone who is planning on taking out the IX not accidentally, but deliberately. To illustrate this, one just needs to recall the infamous fiber cut in McLean in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but somehow let a cement truck pour cement into Verizon's manhole that was used by Level(3) and Worldcom.
>>
>> Terrorists in cement trucks? Again, it seems more likely and more technically effective to attack internally than physically. Focus again here on the cost/benefit analysis from both the provider and disrupter perspective and you will see what I mean.
>>
>>> Alex

--
Dave Israel
Senior Manager, DNE SE