How To Build A Cybernuke

The Internet infrastructure has been having a bad month. Not as bad as, say, the world’s aviation infrastructure, but bad enough.

First, Chinese Internet censorship leaked out to a few massively unlucky users of the I root server. Then China Telecom failed to filter someone who leaked thousands of hijacked routes to other people’s networks through them, probably by accident.

And then, inexplicably, Forbes went where no one had gone before (with a wink to Wired), and asked whether China might actually be testing a “cybernuke”.

At first, this irritated me. Journalists and bloggers and blogger-journalists are fanning the flames of US unease about the growing role of China in world affairs. But then I realized that I could probably make tens of thousands of people read my blog, too, by jumping on the bandwagon. By all means, then, grab an MRE and hunker down in your Internet bomb shelter while I try to answer some of the obvious questions that came our way in the wake of the Forbes article:

  • How would anyone build a cybernuke? What is that?
  • Could a single actor, state-sponsored or otherwise, actually take down the global or regional Internet infrastructure of 2010, disrupt financial markets, throw civilization into chaos?
  • How do I get my cybernuke movie screenplay optioned by Jerry Bruckheimer? His people won’t return my calls.


What is a cybernuke?

Let’s start by distinguishing carefully between an attack designed to take a single organization off the Internet, and a cybernuke. The former takes place every day, and nobody is entirely immune. If you get the wrong kind of people angry, you can be thrown off the Internet in very short order, using unsubtle distributed denial of service attacks that you can readily rent for cash at the prevailing market rates. No controversy there.

We’re talking instead about designing a cybernuke: an infrastructure attack that would allow you to shut down (or centrally subvert, or control) a large part of the Internet, not a single organization. That’s a different class of beast.


There are three broad schools of thought here.

Option 1: Hijack Everything

This is the cybernuke that Forbes saw lurking in the dark shadows. Using the Border Gateway Protocol, inject just the right kinds of false traffic into the global routing network, so that all the packets go to the wrong places. Game over, man!

There are a few problems with this scenario. To make it work, you have to inject your false routes in such a way that a substantial part of the planet will hear them and believe them. Because of the way the BGP routing protocol works, that means that your ersatz paths to other people’s networks have to look more attractive than the real thing (meaning: short and direct, or more specific).

Many of the routes you’ll be attacking are already about as specific as they can get and still be globally propagated, so you have to compete on directness; for the rest, you’re going to have to advertise more than one more-specific network for every network you’re trying to attack (300,000 make up the whole Internet, more or less). That’s a lot of routes. If you’re injecting enough different paths to take down large swaths of the Internet, you’ll therefore need to enlist a partner who already advertises tens of thousands of routes, so that the massive increase in routes they propagate on your behalf won’t raise an eyebrow.

Together, those requirements mean that you almost certainly need to convince one of the dozen-or-so largest worldwide Internet carriers to act as your agent. Anyone smaller is too far from the Internet’s core, and since the average packet on the Internet only changes hands three or four times en route, even one extra handoff is going to make your fake routes look sleazy and unattractive.

Moreover, most of these carriers are very clueful about the possibility of being used as an unwitting agent of evil. They have procedures and filters and circuit-breakers in place to prevent exactly such an embarrassment. That doesn’t mean it can’t happen, although it happens more and more rarely as the years go by.

(It did just happen to China Telecom; however, because of the bad press it received, I would wager that this is the last time it will happen to China Telecom.)
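The filters and circuit-breakers that carriers apply to a neighbor's announcements can be sketched as an origin and prefix-length check followed by a max-prefix limit. This is an added example, not code from the original post or from any carrier; the reference table, ASNs, prefixes and function names are constructed for illustration.

```python
import ipaddress

# Constructed reference data (documentation prefixes, documentation/private-use ASNs):
# covering prefix -> (expected origin AS, longest prefix length accepted).
EXPECTED = {
    ipaddress.ip_network("198.51.100.0/24"): (64500, 24),
    ipaddress.ip_network("2001:db8::/32"): (64501, 36),
}

def classify(prefix, as_path):
    """Return valid, origin-mismatch, too-specific or unknown for one announcement."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the originating AS is the last hop in the path
    covering = [rule for exp, rule in EXPECTED.items()
                if exp.version == net.version and net.subnet_of(exp)]
    if not covering:
        return "unknown"  # no reference data for this address space
    verdict = "origin-mismatch"
    for exp_origin, max_len in covering:
        if origin == exp_origin:
            if net.prefixlen <= max_len:
                return "valid"
            verdict = "too-specific"  # right origin, but a more-specific than allowed
    return verdict

def filter_session(updates, max_prefixes):
    """Filter one neighbor's updates; returns (accepted, rejected, session_up)."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        verdict = classify(prefix, as_path)
        if verdict in ("origin-mismatch", "too-specific"):
            rejected.append((prefix, verdict))
            continue
        accepted.append(prefix)
        if len(accepted) > max_prefixes:
            # Circuit breaker: the neighbor sent more routes than agreed,
            # so drop the session and discard everything learned from it.
            return [], rejected, False
    return accepted, rejected, True

# Constructed updates from one neighbor: (prefix, AS path as received).
UPDATES = [
    ("198.51.100.0/24", [64510, 64500]),     # expected origin
    ("198.51.100.0/24", [64510, 64666]),     # same prefix, unexpected origin
    ("2001:db8:1::/48", [64510, 64501]),     # right origin, too specific
    ("2001:db8:1000::/36", [64510, 64501]),  # within the allowed length
    ("203.0.113.0/24", [64510, 64511]),      # no reference data, passes this filter
]

if __name__ == "__main__":
    print(filter_session(UPDATES, max_prefixes=10))
```

With a limit of 10 the two bogus announcements are rejected and the session stays up; with a limit of 2 the breaker trips on the third accepted route.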

Even if you manage to get your fifty thousand fake network routes announced by a major carrier, and the rest of the world believes them, and your routes are selected as “best” by some significant percentage of the Internet, will the world’s traffic actually be impacted? Not yet.

It’s almost certain that the immediate neighborhood of each victim network (all of their Internet service provider’s customers, and all of their providers’ customers, and so forth) will blithely ignore the cybernuke, and continue sending traffic to the correct destination, as usual. The parts of the Internet that are close to the attacker’s point of injection may change their mind, so the victims may well lose visibility to the attacker’s networks. Do you care? It becomes more of a local censorship issue, an attack on the attacker’s network, if you will, rather than a major irritation to the supposed victims.

The final indignity, of course, is that an attacker who deploys such a cybernuke will probably blow themselves off the Internet by accident. If you successfully manage to subvert BGP to publish a large number of attractive routes to places that matter, you will shortly be on the receiving end of many, many gigabits per second of traffic that are trying in vain to find their rightful home. This flood of misrouted traffic will crush your network, and your launching zone will disappear beneath the waves, like Atlantis. Look on my works, ye Mighty, and despair!

Option 2: Cut the Cord

I hope I’ve convinced you that option 1, while a perfectly plausible way of wreaking mysterious small-scale damage, isn’t going to move you down the road toward cyber-world domination.

Option 2 is physical damage to the infrastructure: classically, cutting the cables that hold the Internet together. There have actually been very decent studies of this recently, highlighting both the vulnerability of the infrastructure, and the frightening dependence of the world economy on good communications.

The hard part about this cybernuke option is that it’s precisely the scenario that the Internet has evolved to avoid. With every month that passes, the Internet becomes better and better connected to itself. Remember, the Internet consists of tens of thousands of independent infrastructure service providers and content delivery companies, all working to keep the traffic flowing to billions of paying customers.

When submarine cable cuts happen, as they have over and over in history, these providers take notice. New cables get laid and lit. New contracts get signed that create alternative paths for traffic to take. Companies that have a global footprint no longer trust the Internet to “just work” — they take provider diversity seriously as a core element of a due diligence strategy. They seek out providers who are well-connected and can speak the language of risk management.

There’s no doubt that physical damage at one of the Internet’s pinch points, whether that be in the Red Sea or in the Straits of Malacca or at one of a number of windowless buildings throughout the world, would cause some serious disruption. But our data and experience suggest that each cable cut causes less serious impact than comparable ones that preceded it. Human networks are more resistant to point-source damage than you’d think, and the Internet is a human network.

Option 3: Inject and Amplify

That leaves option 3, which is more of a “Cyber-Bioweapon” than a Cybernuke. The challenge would be to design an injectable routing message that would cause a large fraction of the world’s routing infrastructure to fail, while going unnoticed by the rest. The idea is to have the immune population propagate your attack to all the vulnerable machines, which fail and take down the Internet with them (at least until they can be individually patched, and brought back into service).


Who would think of such a thing? The scary part is that no one had to think of it — it has happened naturally more than once as a byproduct of the complexity of the Internet ecosystem. A design defect in one kind of router will create malformed routing traffic, which gets passed obliviously to the four corners of the earth, where vulnerable routers encounter the bad messages, and die noisy deaths. We’ve documented mild outbreaks of this sort before — three times just last year, in fact: in February and May and August 2009.

Unfortunately, unlike the previous two options, this one actually scares me. Known threats, like bogus routes that exploit trust relationships within the definition of the routing protocols, we can defend against. Point source damage to buildings and cables, we can defend against. But the Internet’s routing hardware and software diversity is actually pretty poor, compared to its topological richness.

Think of it this way: two hardware vendors (Cisco and Juniper) probably represent something like 60%+ of all the infrastructure routers in the world. Craft a vulnerability that passes one and crashes the other, and you could do some serious damage. The size and decentralization of the Internet work against us here: you can’t just go out and patch hundreds of thousands of routers on demand, even in the face of a material threat. Vulnerable machines will litter the ecosystem for months or years to come. The Internet can catch the same flu over and over.

The good news here, if there is any, is that stiff price competition, particularly in emerging markets, is driving a healthy trend toward hardware diversification: as recently as 2005, vendors C and J probably controlled more than 90% of the market, instead of 60%. Welcome to the neighborhood, Huawei!

Conclusion: Busted .. or Plausible?

As much as I’d like to say that the myth of the Cybernuke is busted .. option 3 gives me pause and makes me reluctantly conclude that it’s just barely Plausible (although not along the lines everyone expects, and not necessarily in a form that could be targeted at anyone smaller than The Whole Planet).

Just to get the last of the sensationalist metaphorical Bruckheimer-bait out of the way, what stands between us and the impact of an Internet Dinosaur-Killer? The same three advantages that have stood the Internet in good stead throughout its incredible 40-year evolution:

  • Awareness of the dangers of centralized controls and hardware/software monocultures that can be exploited by bad guys
  • Acceptance of the frustrations that come with decentralization and diversity, and a willingness to do whatever it takes to buy an acceptable level of redundancy for key services
  • Communities like NANOG and RIPE and APRICOT and MENOG, where network operators reach rough consensus about the kinds of security and operational best practices that keep everything from blowing up. Have you thanked a network engineer today?

And Jerry, if you’re reading this: Call my people. Seriously. This cybernuke screenplay will be MONSTER BOX OFFICE.

14 comments
Pointless

Well, my cat 5 cable just melted...I don't believe this is possible, that would be unless every network or ISP in a particular country decided to all perform the same actions, all at once. Wouldn't it just be easier to "kick the plug" out of the wall and turn the power off?

KP

I'm new to your blog. Any thoughts on the Richard Clarke book "Cyber War?" He must've used a ghost writer or two. I saw him talking about cyber war on HBO over the weekend and honestly, he didn't get it right in terms of content or context.

Alexandru Strimbeanu

Hacking high traffic web servers and reconfiguring their DNS can increase the strain on the major DNS servers and bring them to a halt. As this might not bring down the whole internet it can still do a lot of damage. Another option might be to work as a team with people from major ISP companies and just deploy a worm which will alter device configuration so that they drop their routing tables, even if this needs extensive knowledge of the network architecture it can still be achieved. I don't know who's mad enough to take down the internet but if you find 20 people from 20 major ISPs willing to do this you have yourself a "nuke"

Stiennon

Simply brilliant analysis inspired by a tongue in cheek piece aimed at Condé Nast. In your first scenario you dismiss as unlikely the idea that a major telecom operator would accept spurious route announcements. You rightly point out that while this has happened in the past the industry is learning from its mistakes and maturing. But have the telecoms advanced to the point where they can watch the watchers? Are there network engineers within their organizations who could plot and execute a wide dispersal of granular route announcements? Could a saboteur, in league with a nation state, "detonate" a cybernuke?

Alexander Sverdlov

There is a program out there, and its source code is freely available. Once you modify the intentionally broken code (it's broken, so kiddies could not break down the Internets) - and run it... you can, eventually, break down the WHOLE internet. The code of this program is 1 page long, pure C. Of course, I can't tell you the name of the program - but it's to do with DNS servers and exponential number of DNS query requests among them. You see, there are the people, the solutions - all it takes is an angry person to take them to action

Zex

It was called "the net" and Sandra Bullock is now paying the price for being in it.

Trex

I'd say there are big enough "bits" on every side of every sea to come up with an appropriate fix... besides, good luck with distributing malware like that; the economy doesn't run on a couple of Windows 95 machines in your mom's basement. Speaking of which, you really need to spend more time outside :p

Tem

We've already seen them. Worms have taken down large parts of the internet at times. It's very unlikely you'd be able to make a worm that's smart enough to take down anything by itself or break into anything. The usual tactic of worm creators is let the user do the damage to themselves. Disguise it in porn, and you'll take control of a lot of people's machines.

Auto

It's a pretty frightening thought if it is plausible.

rb

Thanks for such a good article. The leak from AS23724 did cause large scale outages, in China and elsewhere around the world. While the total amount of leaked prefixes seemed to be less than the AS9121 incident, the impact was more serious from the view of as_path. AS9121 leaked prefixes were carried along some limited paths, but AS23724's leaked prefixes' path was seen not only on pre-existing paths but also on some new directions, I think this is because AS4134 has many more uplinks to the core than AS9121 in those days. Anyway, we can only hope leakage like this will not happen again anytime soon, yet I think it definitely will come again, just where and when.

ian

What about DNS attacks? As I understand it, this seems like the easiest and most plausible attack. There are only a handful of root DNS services.

Tony Finch

What about an edge-based cybernuke? Using the widespread installed base of malware you could:

  • DDOS everything from everywhere
  • Directly disable most home and small business PCs
  • Do a distributed scan of the Internet to exercise remote-crash vulnerabilities etc.

Steve Campbell

Thanks for the article, James. As always, it's thoughtful, timely, and well-written. When "Renesys Blog" lights up on my RSS reader, I always grab a fresh cup of coffee and settle in for an interesting read.

Steve
Network Manager (ret.)