We all know about White Hats (Cyber Good Guys), Black Hats (Cyber Bad Guys), and Grey Hats (White Hats who skirt the edge of legality).
We’re missing a group. The three defined groups are all easily described by their economic motivations for doing what they do. But we have another group that is not so easily defined: the Red Hats. Red Hats are groups motivated by politics. These groups have a stated political aim (Free Tibet, for example) and will do whatever they need to in the cyber world to achieve it. Since political agendas clash, we will often have Red Hat groups going up against each other.
Red Hat groups use all means available, legal and illegal. The same group might at one moment be doing something legal (working with law enforcement agencies) and the next moment doing something illegal (using spam to get hijacking malware onto the computers of their opposition).
So as we watch the Olympic 2008 cyberwar progress (i.e. all the activity around Tibet and the Torch), be mindful that this is not a cyber battle between White, Grey, and Black Hats. It is a battle between Red Hats: groups whose motivation is political.
April 13th, 2008
This week, we saw an indication of what could be massive disruptions on the Internet. Way back in 2002, I pointed out our continued vulnerability to prefix injection attacks, from intentional and unintentional insertions (see NANOG BGP Security Update). This weekend, the Pakistan Telecom Authority (PTA) ordered Pakistani ISPs to block access to YouTube, specifically addresses in 208.65.153.0/24. Blocking is not the problem. Leaking the prefix used to trigger the block is the problem, and it is a problem that spread from one side of the Internet to the other.
While we have our dialog on NANOG and peers blog about the problem (Danny McPherson @ http://tinyurl.com/3y3pzl & Martin A. Brown @ http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml ), let’s look at this from two angles. First, what is the immediate problem we need to resolve? Second, what is the real threat we need to worry about?
First, the immediate problem is simple. We had a censorship order to block access to an IP address block. The SP in question, Pakistan Telecom (AS 17557), looks to have tried to do a BGP shunt (a null-routed prefix injected into BGP so that traffic to it is dropped). When they did the BGP shunt, they made two major mistakes:
- They did not tag the shunt prefix with the no-advertise BGP community, nor add an extra BGP filter that could serve as an egress Murphy prefix filter.
- They did not have a Murphy’s Law prefix filter on their egress advertisements to their upstreams.
The consequence: 208.65.153.0/24 was leaked out to the Internet. That in turn caused all traffic to 208.65.153.0/24 to go to AS 17557.
Action Plan for the Community: We need better documentation of how a BGP shunt is supposed to work. The problem is not the technique, nor is it clue. The problem is that we, the industry, do a poor job of communicating to and empowering our peers throughout the world about how things really work. As a consequence, we get problems like this leak of YouTube’s routes.
Next, still on the immediate problem, we have the response of AS 17557’s upstream. Here you have all this traffic heading down towards AS 17557, people calling their NOC, complaints coming from all over, so what do they do? PCCW (AS 3491) does not take the logical action, which is to add a single line to their ingress prefix filter on AS 17557 to filter out 208.65.153.0/24. No, instead, they unplug the customer.
Action Plan for the Community: Transit NSPs need to ingress filter the prefixes coming from their customers. This gives them a tool to surgically stop problems like this leak, without unplugging the customer.
So, while the community starts exploring the sBGP vs. soBGP debate or how organizations should be using RADB tools, let’s not lose sight of some quick, simple tools which would help to mitigate this problem.
Now for the second problem: it is front page news that you can inject BGP prefixes from one side of the Internet and impact the entire Internet. Back in 2002, I was not drastically worried about this issue. Principle #3 of the current seven principles of the miscreant economy puts a behavioral check on the threat of using BGP prefix injection as a tool to massively disrupt the Internet (and the global IP NGN). Today, I’m worried. We have people out in the world who are increasing their skills. It would be feasible for a small group of people to grab a range of BGP-speaking routers which have been violated and owned (i.e. someone has broken into them) and advertise BGP prefixes from all over the Internet. The result would not take out the Internet, but it would cause massive disruption. Massive disruption of the telecommunications system exacerbates a crisis, which is what you want if you want your terrorist attack to have more impact.
In other words, the press coverage of this BGP prefix leak is shining a light on an attack vector which can cause serious havoc during a period when people will need the Internet the most.
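As an added illustration of the two action items above (this is not configuration from the original post, nor from either provider), here is what a BGP shunt done with both safety nets, and the matching ingress filter on the upstream, look like in Cisco IOS syntax. The block is 208.65.153.0/24 as in the post; everything else is a placeholder: the neighbor addresses 198.51.100.1 and 198.51.100.2 and the customer aggregate 192.0.2.0/24 are from the RFC 5737 documentation ranges, and the tag value, route-map and prefix-list names and the maximum-prefix figure are assumptions, not the real AS 17557 or AS 3491 configuration.

```cisco
!
! ---- Customer side: the AS doing the BGP shunt (AS 17557 in the post) ----
!
! 1. Null-route the prefix the censorship order covers. Traffic to it is
!    dropped on this router. The tag (placeholder value 666) lets a
!    route-map pick out the shunt routes later.
ip route 208.65.153.0 255.255.255.0 Null0 tag 666
!
! 2. Only static routes carrying the shunt tag are redistributed, and they
!    are marked no-advertise so BGP never passes them to any peer.
!    Caveat: no-advertise also stops iBGP. In a multi-router AS use
!    no-export instead, so every border router learns the shunt while
!    eBGP peers never see it.
route-map SHUNT-TO-BGP permit 10
 match tag 666
 set community no-advertise
!
route-map SHUNT-TO-BGP deny 20
!
! 3. "Murphy" egress filter: even if the community is lost or forgotten,
!    the shunt prefix is explicitly denied, and only our own aggregate
!    (placeholder 192.0.2.0/24) may ever leave towards the upstream.
ip prefix-list EGRESS-MURPHY seq 5 deny 208.65.153.0/24
ip prefix-list EGRESS-MURPHY seq 10 permit 192.0.2.0/24
ip prefix-list EGRESS-MURPHY seq 100 deny 0.0.0.0/0 le 32
!
router bgp 17557
 redistribute static route-map SHUNT-TO-BGP
 neighbor 198.51.100.1 remote-as 3491
 neighbor 198.51.100.1 description Upstream transit (placeholder address)
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 prefix-list EGRESS-MURPHY out
!
! ---- Upstream side: the transit NSP (AS 3491 in the post) ----
!
! Ingress filter on the customer session: accept only the prefixes the
! customer is registered for (placeholder 192.0.2.0/24; in practice the
! permit lines are generated from the customer's IRR/RADB objects).
! A leaked 208.65.153.0/24 is dropped at the edge, and if a new leak ever
! slips through, one added deny line stops it without unplugging the
! customer.
ip prefix-list CUST-AS17557-IN seq 5 deny 208.65.153.0/24
ip prefix-list CUST-AS17557-IN seq 10 permit 192.0.2.0/24
ip prefix-list CUST-AS17557-IN seq 100 deny 0.0.0.0/0 le 32
!
router bgp 3491
 neighbor 198.51.100.2 remote-as 17557
 neighbor 198.51.100.2 description Customer AS17557 (placeholder address)
 neighbor 198.51.100.2 prefix-list CUST-AS17557-IN in
 ! Second safety net (placeholder limit): tear the session down if the
 ! customer suddenly sends far more prefixes than it is registered for.
 neighbor 198.51.100.2 maximum-prefix 100
```

To check that the shunt is not leaking, `show ip bgp 208.65.153.0/24` on the customer router should report the route as not advertised to any peer, and `show ip bgp neighbors 198.51.100.1 advertised-routes` should not list it. On the upstream, `show ip bgp neighbors 198.51.100.2 received-routes` versus `routes` shows what the ingress filter dropped (the received view needs soft-reconfiguration inbound enabled on that neighbor).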
February 25th, 2008
This week we’ve seen a flurry of outages on some of the major submarine cable systems:
http://www.getit.org/Mediawiki/index.php?title=Submarine_Cable_Systems_in_the_News
Some points everyone is missing.
First, as I pointed out in a NANOG post, cable outages happen all the time. Nothing new. That is why we have a large fleet of ships to repair cables. At the time of these recent outages, 2/3 of the fleet were deployed on jobs (on station, in transit, or in prep). So it is nice to have attention on this critical resource, but the events themselves are not news. What is news is the impact of the outage, which leads to my second point.
Second, why did the telecommunications providers not safeguard their business by trading and investing in capacity around choke points? Many of the countries most impacted are not stuck with one submarine cable. They have multiple paths. Most submarine cables which land in the affected countries are way stations, where you have two paths going out. What does this mean? It means that each of these telecommunications providers has options. Options which allow for redundancy and recovery planning.
The real story is the lack of redundancy planning. Engineers did not work out how their telecommunications services would recover if an incident really happened in one of the areas known for submarine cable cuts. Now, some would say that redundancy is expensive. True, but that is part of the business. Plus, if you get into the planning, asking about recovery options, talking to peers (competitors) about swapping reserved capacity during an emergency, or looking at Layer 3 recovery options, the options reveal themselves. But these options will not appear unless the engineers responsible for the “engineering” work ask the questions. These engineers are the IP engineers, pushing on the Layer 2 (circuit) and Layer 1 (submarine systems) engineers who know exactly what is happening with their telecommunications paths.

For example, the submarine cable company’s list of all the cases where a repair ship had to be sent, where these happened, and the mean time to repair are all facts which are provided to their customers on request. All it takes is knowing that you can ask for it, then pushing to get it. When you are spending millions of dollars a month on these telecommunication services, you need to ask for the information to safeguard that investment. As seen in the attached map (from Flag), these submarine cable companies can and will provide the information you need to understand, plan, and implement effective telecommunications recovery plans.
This is not new! We, the telecommunications industry, have done this in the past. Why can’t we do it today? The Internet is our new Next Generation Network (IP NGN) for all telecommunications. We cannot throw out the baby with the bath water as we move forward with IP NGN.
February 6th, 2008