
Someone Is Learning How to Take Down the Internet - skennedy
https://www.lawfareblog.com/someone-learning-how-take-down-internet
======
goda90
Since there are lots of hobbies that sometimes overlap with community service
I'd love to see a club that focuses on being prepared to reestablish intra-
community communication in case the Internet goes down. Yes, it'd be great if
everyone was self hosting, using distributed services and involved in a mesh
network now, but without motivation it won't happen. So this club could focus
on developing the resources that a few individuals in a community could use to
set these things up after the network is already down. They could have offline
caches of Wikipedia and Openstreetmaps, copies of firmware, apps and
instructions for attaching consumer routers and other Wi-Fi devices to a mesh
network, systems for registering people with a locally functioning email
address, etc. User friendly portals could be made that provide the basic
instructions for people who stumble on a mesh network access point with their
otherwise disconnected smartphones.

All of the tech exists in some form or another, but if it were well packaged,
it's not hard to see there being a sufficient distribution of members to get
people connected easily.

~~~
kej
The amateur radio community already has the technical know-how and disaster
readiness to do most of that, and I'd be willing to bet there's enough overlap
between them and the meshnet crowd to take care of the rest.

~~~
Florin_Andrei
KG6YHQ here. It's doable, but if the wired net becomes unusable and you have
to rely wholly on the RF spectrum, bandwidth would be stupendously tiny.
Forget about sending anything else but, basically, text-based messages.

Perhaps in an event like that a decision would be made to temporarily open up
the spectrum, but even then there are only so many of us, only so many
transceivers out there.

I feel the HAM net would be more useful after a natural catastrophe, where the
infrastructure would be destroyed physically. Which is exactly what a lot of
us are preparing for.

~~~
harshreality
Wouldn't SDRs be a lot more useful for creating higher-bandwidth wireless
networks in the sort of disaster where the FCC opens up other frequency
ranges?

The amateur radio regulation regime and common ham radios work well for small
numbers of small messages sent around in a well-regulated way, without the
government initiating a frequency band jubilee. But beyond that, HAM radios
are limited, even if they're modded, and the cheap SDRs are even cheaper than
Baofeng handhelds, so where does that leave amateur radio in a real frequency
free-for-all? I think what would matter is, as mentioned above, availability
of SDRs, and secondly, parties of people tracking down transmitters that are
messing up the ad-hoc sdr wireless nets.

~~~
Florin_Andrei
Sure, but everything has to be ready, prepared and exercised _before_ anything
happens. Whatever plan you may conceive, you have to do plenty of test runs in
advance. After it happens, it's chaos, it's too late to start new initiatives.

And there are caveats anyway.

For local connections, some kind of WiFi mesh might still be the best option.

For long distance, I don't think you can currently use anything but proper HAM
equipment, and fairly large power at that. For a reliable connection,
especially at good bandwidth, you need lots of power and a good antenna. But
if you blow standards out of the water, and start pumping out huge bandwidths
at huge powers, you run again into a tragedy of commons - you're taking up
large chunks of spectrum over entire continents.

There is no free lunch.

~~~
acidburnNSA
As a fellow ham, I have to say: guys, guys... it's ham, not HAM. Other than
that I totally agree with you.

The (VHF and UHF) ham bands will send data a few tens of kilometers with good
messaging bandwidth. Here in Seattle there's a Monday-night digital net
through a repeater on the Columbia tower where folks send text messages and
some (slow) photos on 444.55 MHz. Typical speeds are like 9600 baud.

As you mention, when you go down to the HF bands like 20m you can transmit and
receive around the world, but there's far less bandwidth. The tragedy of the
commons is right on.

I've operated PSK31 (which runs at 31 baud) worldwide on 20m and it's pretty
much a chatroom. You can get a lot said with that, but you certainly won't be
browsing the web.

It would be cool to play around with connecting 2.4 GHz local wifi meshnets
with ham repeaters at ranges of say 50 km. Then you'd have nice fast local
communication with reasonably long distance.

------
linkregister
Although Schneier is probably correct in this instance, one of the most
exasperating features of his computer security writing is an utter lack of
citations or evidence to back up his claims. (His writing about cryptography
should require no citations because he is an actual crypto expert.)

After the significant inaccuracies and frequent unsubstantiated speculation in
_Schneier on Security_ , I don't think credible security researchers can take
his analysis at face value. Additionally, the halo effect of his actual
expertise, cryptography, convinces people who aren't security experts that his
opinions and speculations are correct. Worse, he rarely frames his speculation
as such; he states conjecture as fact. This is counterproductive and leads to
confusion among journalists and eventually the general public.

To the imminent downvoters, I'm not offended; I expect it with an unpopular
opinion. I'd prefer you engage with a reply in addition to the downvote so we
can have a discourse. I think it's important that I add my dissent to the
conversation.

~~~
Florin_Andrei
Sometimes it feels as if computer engineers have a unique inability to deal
with ambiguous information.

Yes, I agree the article is vague, and I'd like to learn more. But this is
typical for this kind of backchannel intel. From some sources, through some
channels, for some kinds of info - this is all you get. This is business as
usual.

Take it in for what it's worth. It's a signal from a sea of noise, nothing
more. Maybe it's actionable, but perhaps it's not. Just learn to deal with
ambiguity; the world at large is quite different from the rigid boolean-logic
computer systems you're interacting with on a daily basis.

~~~
TeMPOraL
> _Just learn to deal with ambiguity; the world at large is quite different
> from the rigid boolean-logic computer systems you're interacting with on a
> daily basis._

You're shitting me, right?

Computer engineers are the _last_ people who think in rigid, boolean-logic
ways. It's the general population that does that. If you do any serious
thinking in any STEM field, you quickly learn that the world is probabilistic
in nature, and ambiguity is what you eat for breakfast. What the technical
fields do to manage with it is learn to quantify the exact nature of
ambiguity. When you do that, by means of probability theory, you learn that
ambiguity doesn't mean "anything goes", there are rules it follows.

Like, backchannel intel may be vague, and this also implies it's likely to not
be true (unless you can pull out additional evidence in its favour, like e.g.
good track record of the person delivering this backchannel intel; that point
is discussed in parallel threads). In a sea of noise, the "signal" you see is
most likely a coincidence. Not comprehending this (aka. "seeing patterns
everywhere") is one of the biggest sources of irrationality in people.

~~~
qwertyuiop924
Well, as far as ambiguity goes, a CS or CE's job is to fit that round peg into
our square hole, with mathematics and neural networking as our hammers.

------
asclepi
So how exactly is one entity, even a state entity, going to take down all 13
root servers, _assuming_ that that is what Schneier is talking about since the
man speaks in mysteries? What would it take to do that?

Let's safely assume that these servers, every single one of them, are subject
to DDoS attacks all the time and have at least some experience in handling
them, and have a backup scenario ready for a serious attack. One of the
reasons why the root servers are not centralized is to avoid the kind of
disaster that Schneier predicts.

Also what if I maintain a list of IP addresses of the websites I visit most
and update that list daily. When the "big attack" strikes, I put that list in
/etc/hosts. Would I still be able to do my holiday shopping from Amazon? Would
I still be able to read the logs on my VPS by ssh'ing to its IP? How long
would such an attack sustain before BGP modifications start blackholing the
sources? Long enough to let the average TTL cache expire?

Would an attack on the root servers really take down the internet? Or in case
Schneier isn't talking about that, what kind of attack on the decentralized
internet is actually able to take it all down? I'm not saying he is wrong, but
I have a hard time thinking about how we should prepare and protect our
infrastructure if he doesn't want to share the intel he knows instead of some
generic warnings.

~~~
Florin_Andrei
Every once in a while I think of creating a little DNS cache that never
expires entries, except when it runs out of storage, and run it on a Raspberry
Pi, feeding it with DNS queries on my home network (but never using it to send
replies to clients, just store queries and results).

But I never do anything about it.

~~~
fanf2
You can use dnstap with unbound or BIND 9.11 to do this kind of data
collection really easily.
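
The store asclepi and Florin_Andrei are describing (a daily-updated list of
name-to-IP mappings that can be dumped into /etc/hosts, fed passively from the
home network, never expiring on TTL, only evicting when it runs out of room) is
small enough to write down. The block below is an added example for this
thread, not code from dnstap, unbound or BIND; the answer stream it ingests is
constructed, standing in for whatever a dnstap consumer or resolver log would
hand over.

```python
"""Passive DNS store: keeps every answer seen on the LAN until a byte budget forces eviction.

Added example for this thread, not code from dnstap, unbound or BIND. The answer stream
below is constructed; a real feed would come from a dnstap consumer or resolver logs.
"""
from __future__ import annotations

from collections import OrderedDict
from ipaddress import ip_address


class PassiveDnsStore:
    """LRU-bounded map of (name, type) -> set of rdata; entries never expire on TTL."""

    def __init__(self, max_bytes: int) -> None:
        self.max_bytes = max_bytes
        self.used = 0
        self._entries: OrderedDict[tuple[str, str], set[str]] = OrderedDict()

    @staticmethod
    def _key(name: str, rtype: str) -> tuple[str, str]:
        return name.rstrip(".").lower(), rtype.upper()

    @staticmethod
    def _cost(key: tuple[str, str], rdata: str) -> int:
        return len(key[0]) + len(key[1]) + len(rdata)

    def observe(self, name: str, rtype: str, rdata: str) -> None:
        """Record one answer; re-seeing an entry only refreshes its LRU position."""
        key = self._key(name, rtype)
        if key in self._entries:
            self._entries.move_to_end(key)  # most recently seen: evicted last
            if rdata in self._entries[key]:
                return
        else:
            self._entries[key] = set()
        self._entries[key].add(rdata)
        self.used += self._cost(key, rdata)
        while self.used > self.max_bytes and self._entries:
            old_key, old_rdatas = self._entries.popitem(last=False)  # least recently seen
            self.used -= sum(self._cost(old_key, r) for r in old_rdatas)

    def lookup(self, name: str, rtype: str) -> set[str]:
        """Return every rdata ever seen for (name, type), or an empty set."""
        key = self._key(name, rtype)
        if key not in self._entries:
            return set()
        self._entries.move_to_end(key)
        return set(self._entries[key])

    def to_hosts(self) -> str:
        """Render the stored A/AAAA records as /etc/hosts lines, sorted by name."""
        lines = []
        for (name, rtype), rdatas in sorted(self._entries.items()):
            if rtype in ("A", "AAAA"):
                for addr in sorted(rdatas, key=lambda a: ip_address(a).packed):
                    lines.append(f"{addr}\t{name}")
        return "\n".join(lines)


# Constructed sample answers, in the shape a dnstap consumer might hand over.
OBSERVED_ANSWERS = [
    ("www.example.com.", "A", "93.184.216.34"),
    ("example.com.", "NS", "a.iana-servers.net."),
    ("www.example.com.", "AAAA", "2606:2800:220:1:248:1893:25c8:1946"),
    ("vps.example.net.", "A", "203.0.113.7"),
    ("www.example.com.", "A", "93.184.216.34"),  # repeat: no growth, just a refresh
]


def build_store(records, max_bytes: int = 4096) -> PassiveDnsStore:
    store = PassiveDnsStore(max_bytes)
    for name, rtype, rdata in records:
        store.observe(name, rtype, rdata)
    return store


if __name__ == "__main__":
    print(build_store(OBSERVED_ANSWERS).to_hosts())
```

Two things the passive design buys you that a normal resolver cache does not:
a record stays available long after the authoritative side has stopped
answering, and a name that changed address yesterday still has its old address
on file (lookup returns every rdata ever seen, so you can try them in turn).
The cost is that nothing here tells you which of those addresses is still
current; the store is a fallback for when there is no upstream to ask, not a
replacement for one.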

------
M_Grey
This is both unsurprising, and worrying. Unsurprising because it's the job of
any nation's military and espionage arms to consider and form plans to cripple
or destroy their potential enemy's infrastructure, information included.
Worrying, because as far as I can tell most people remain deeply ignorant
and/or unconcerned (present company excluded both from that remark, and
realistically the descriptor "most people") about 'cybersecurity' in any form.

That needs to change, and the author is right that while there seems to be
little to do now, people should be aware of it.

~~~
grokas
'the author' (Bruce Schneier) is right a lot.

~~~
increment_i
He suspects China or Russia as the likely culprit. What exactly rules out an
American agent? Is it because American economic and social activity rely
disproportionately on internet backbones more so than other state actors? If
so, that would be especially interesting.

~~~
wtracy
It depends on exactly what services Schneier is talking about here, but an
awful lot of the infrastructure of the internet is hosted in countries that
the US armed forces have easy physical access to.

Even if a cyber attack were the "plan a" for quickly and untraceably taking
those systems out, the US has an easy enough "plan b" that testing "plan a"
isn't going to be a major concern. Add that to the fact that the US has a lot
more to lose if it gets caught attacking internet infrastructure than China
and friends do (even just tests like this) and I would be surprised (honestly
not shocked, but definitely surprised) if the USA is behind these shenanigans.

Actually, if the US wanted to test something like this on a service in a
friendly country, I would expect the NSA to approach the infrastructure
company and say something like, "We're concerned that $enemy_of_free_speech
may be planning an attack on your service, and we would like to wargame that
scenario with you. What time(s) would an outage have a minimal impact to your
bottom line?"

~~~
rantanplan
> Add that to the fact that the US has a lot more to lose if it gets caught
> attacking internet infrastructure than China and friends do (even just tests
> like this) and I would be surprised (honestly not shocked, but definitely
> surprised) if the USA is behind these shenanigans.

So can you give me the address of the rock you've been living under for the
past 3 years?

~~~
wtracy
No, but maybe you can share some of the evidence you apparently have that the
United States is actively trying to sabotage the world's communication
infrastructure?

Sure, it throws its weight around when asking various social media platforms
to censor certain types of content, and it has a no-holds-barred approach to
intercepting data traffic, but it generally draws the line at knocking
services entirely offline.

~~~
rantanplan
It creates, exploits and maintains vulnerabilities in public infrastructure
that anyone else (state nation or similar capacity) can take advantage of.

> it generally draws the line at knocking services entirely offline

Well if you're gonna play the card "I'm reading a different Internet than you
are", sure whatever.

------
norea-armozel
This is why I worry about the centralization of all communications as we've
done over the entirety of human history. Letting the Internet be centralized
as it has been might make economic sense but as for sustaining the world
economy through a potentially global conflict it doesn't make any sense to put
all our eggs in one basket here. It's like I mentioned on the "napalm girl"
post that we've become too complacent with having ease of use trump
reliability of communication. This is just one of the larger consequences of
our individual and collective choices coming to bite us in the butt. I hope
this spurs people to get smarter and put together p2p solutions that can
weather such a conflict at least for regional and/or city-wide communications.

~~~
Grishnakh
The internet _is_ decentralized, for the most part; it was designed to be that
way from the start. Whole pieces of the internet can go offline that the rest
of it will continue operating as normal, with packets routed around the
damage. The TCP and IP protocols were designed for this.

It's not the designers' fault that so many people are dumb enough to happily
give one company a near-monopoly over certain forms of communication.

It's very simple: stop using Facebook for everything. Use different
sites/services, or switch to a decentralized service like Diaspora. Otherwise,
stick with Facebook for everything and stop complaining when it bites you in
the butt, and suffer the consequences when disaster strikes.

~~~
norea-armozel
You're confusing the issue by focusing on protocols versus actual physical
implementations (data centers, trunk lines, etc). The physical installations
for what we call the Internet are centralized. Companies like Level 3 might
put some redundancy but at some point the cost of redundancy outweighs its
benefits for them and other companies like them. This is especially true of
consumer financial services like banking. If an attacker wanted to disrupt the
United States they only have to do it to banking to cause a panic. They could
easily ignore emergency services, hospitals, and even the government itself
(outside of ACH) while doing this. And it would be such a mess that we
couldn't resolve it immediately. The happiest outcome is the disruption is
only for a few hours but the more likely outcome is possibly days or weeks of
disruption where a large part of the banking system would be inoperable. It
doesn't matter if you used TCP/IP or switch based communications the outcome
is the same: the American economy shaken and possibly worse. So, we can talk
all day about Facebook and Diaspora but neither of those services do anything
important for the average user like your bank which also uses the same
centralized infrastructure. There is no Diaspora for banking and not one
that's widely used or not using the current banking/financial transfer systems
which are centralized.

------
chmike
I totally disagree that we can't do anything. With the existing TCP/IP
protocol we can't do anything because it's possible to forge the origin IP
address or modify the datagram content on its route to destination. A
receiving end has no way to verify the validity of the datagram.

An IP datagram authentication at the lowest level is required so that anyone
on the route can detect forgery, error or tampering with the data. This would
allow tracking the real sources of DDOS attack, diagnose the cause and fix it.

What's the point of keeping on digging deeper trenches?

This should be a top priority change of the Internet. There was no incentive
to move to IPv6. Now there is one to move to a more secure Internet.

~~~
pjc50
> top priority change of the Internet

See you in thirty years.

Also, IP authentication doesn't help you. DDOS traffic often has real IP
source addresses on. It tells you that the traffic is several hundred thousand
home PCs. Now what?

~~~
mhandley
If you knew for sure that an IP src address involved in a DDoS attack was not
spoofed, we could easily design a control protocol that allowed a recipient to
contact the origin ISP and enable a block on that particular {src,dst} pair.
Unless you know for sure that the src address isn't spoofed though, such a
mechanism would itself be abused to deny service. Having the ability to
validate a source address would be the enabler for proper defense mechanisms.

We wrote about one way to do this about ten years ago, but no-one was really
interested at the time:
[http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007...](http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007.pdf)

~~~
oarsinsync
> Unless you know for sure that the src address isn't spoofed though, such a
> mechanism would itself be abused to deny service.

Unfortunately, even if you know that the source address isn't spoofed, such a
mechanism would itself be abused to deny service
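
To make the argument in this subthread concrete: chmike wants a datagram that
anyone on the path can check for a forged source or an edited payload, mhandley
wants a block request for one {src,dst} pair that is only honoured when the
source address is known to be genuine, and oarsinsync points out that an
authenticated request can still be turned against its sender. The block below
is an added example written for this thread, not the Terminus design from the
linked paper. It assumes, hypothetically, a per-source key held at the
source's ISP edge that verifiers can also obtain; distributing those keys is
the hard part and is left out.

```python
"""Source-authenticated datagrams and a block request that only a verified victim can make.

Added example for this thread; it is not the Terminus design. It assumes (hypothetically)
a per-source key that the source's ISP edge holds and that verifiers can obtain; that
key distribution is the unsolved part and is out of scope here.
"""
import hashlib
import hmac
from ipaddress import ip_address

# Constructed per-source keys; in a deployment these would live at each source's ISP edge.
SOURCE_KEYS = {
    "198.51.100.7": b"key-home-pc-7",
    "198.51.100.9": b"key-home-pc-9",
    "203.0.113.10": b"key-victim-server",
}


def _tag(src: str, dst: str, payload: bytes, key: bytes) -> bytes:
    """MAC over the packed addresses and payload, so a forged src or edited payload fails."""
    msg = ip_address(src).packed + ip_address(dst).packed + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def make_datagram(src: str, dst: str, payload: bytes, key: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload, "tag": _tag(src, dst, payload, key)}


def verify_datagram(dg: dict, keys: dict) -> bool:
    key = keys.get(dg["src"])
    if key is None:
        return False  # unknown source: treat as unauthenticated
    return hmac.compare_digest(dg["tag"], _tag(dg["src"], dg["dst"], dg["payload"], key))


class EdgeFilter:
    """ISP-side filter: drops unauthenticated traffic and honours authenticated block requests."""

    def __init__(self, keys: dict) -> None:
        self.keys = keys
        self.blocked = set()  # {(offender, victim)}

    def request_block(self, request: dict) -> bool:
        """A victim asks to block one {src,dst} pair. The request is itself a tagged datagram
        from the victim (src) to the offender (dst), so nobody else can issue it on its behalf."""
        if not verify_datagram(request, self.keys) or request["payload"] != b"BLOCK":
            return False
        victim, offender = request["src"], request["dst"]
        self.blocked.add((offender, victim))
        return True

    def forward(self, dg: dict) -> str:
        if not verify_datagram(dg, self.keys):
            return "drop:unauthenticated"
        if (dg["src"], dg["dst"]) in self.blocked:
            return "drop:blocked"
        return "forward"


def demo() -> list:
    """Walk through the cases the thread argues about; returns the filter decisions in order."""
    f = EdgeFilter(SOURCE_KEYS)
    pc7, pc9, victim = "198.51.100.7", "198.51.100.9", "203.0.113.10"
    legit = make_datagram(pc7, victim, b"GET /", SOURCE_KEYS[pc7])
    spoofed = make_datagram(pc9, victim, b"GET /", SOURCE_KEYS[pc7])   # pc7 claiming to be pc9
    tampered = dict(legit, payload=b"GET /admin")                       # payload edited in flight
    forged_req = make_datagram(victim, pc7, b"BLOCK", b"not-the-victim-key")
    real_req = make_datagram(victim, pc7, b"BLOCK", SOURCE_KEYS[victim])
    return [
        f.forward(legit),              # "forward"
        f.forward(spoofed),            # "drop:unauthenticated"
        f.forward(tampered),           # "drop:unauthenticated"
        f.request_block(forged_req),   # False: a third party cannot block pc7 -> victim
        f.request_block(real_req),     # True
        f.forward(legit),              # "drop:blocked"
        f.forward(make_datagram(pc9, victim, b"GET /", SOURCE_KEYS[pc9])),  # "forward": other pairs untouched
    ]
```

The spoofed and tampered cases are what chmike's "authentication at the
lowest level" catches; the forged block request is what mhandley's caveat is
about, since without it anyone could shut off traffic between two parties they
do not control. oarsinsync's objection survives all of this: a host whose key
is legitimately held by an attacker can still flood, and a victim that has been
compromised can be made to block its own legitimate peers. Authentication
tells you who sent the packets; it does not tell you whether they should have.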

------
segmondy
The Internet is supposed to be decentralized. Yet we have these centralized
groups providing backbone, DNS, certs. Well duh, it's no surprise. Why can't I
connect to my neighbor who lives next door without the packet doing a 200 mile
trip? The Internet is really only devices that can route packets through at
least 2 different gateways. If you only have one route, you are not part of
the vision of the Internet.

~~~
evgen
You can make such a connection and establish a mesh network, most people are
just too lazy or technically unsophisticated to pull it off apparently.
Centralization is a consequence of that fact that people do not actually want
to maintain their own infrastructure, they just want it to work while they get
back to the rest of their life.

------
angrydev
Can anyone elaborate on what he means when he says that Verisign can 'go down'
and take down most of the internet with it? How would a registrar going down
affect anything to do with actual hosts?

~~~
Panino
Poor wording. Verisign operates .com for the US government. So if Verisign's
.com servers were to go down, then .com would go down with them. The author
shouldn't have used the word "registrar" which makes people think of the
creation of _new_ domain names, à la GANDI (good) or GoDaddy (bad).

~~~
TeMPOraL
What does it mean "operates .com" and ".com would go down"? Does it mean that
"google.com" would suddenly stop resolving? If so, how is that possible given
the way DNS works? If not, what exactly is the panic about?

~~~
oarsinsync
Most DNS resolvers come with a 'root zone hints file', which includes a list
of the root nameservers and static IPs for each one.

When you look up google.com, these root nameservers are queried for com, and
they return the results (name and IP) for the nameservers for .com

These nameservers for com are then queried for google.com, which then return
the results for the nameservers for google.com.

Google's nameservers are then queried for google.com, and an IP is returned.

So yes, given how DNS works, all .com and .net domains would stop resolving if
the Verisign nameservers for .com and .net were to go down. Most people go
through caching nameservers, which would retain the values for google.com, and
continue to return them, up until the time to live on those records expired,
at which point they too would stop returning any values if the upstream
servers hadn't returned before then.
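
The walk oarsinsync describes, and what a caching resolver does when the
servers for .com stop answering, is easier to follow in code. The block below
is an added example written for this thread, not code from any real resolver:
the server addresses (documentation ranges), zone contents and TTLs are
constructed, with 198.51.100.1 standing in for the .com servers. It also shows
a detail the description above leaves out: resolvers cache the referral (the
NS records and glue for google.com) as well as the final answer, so a resolver
that has recently resolved the name keeps going past the A record's TTL, until
the delegation's much longer TTL runs out too.

```python
"""Toy iterative resolver over a constructed root -> .com -> google.com hierarchy.

Added example for this thread, not from any resolver. Addresses, zone contents
and TTLs are constructed; 198.51.100.1 stands in for the .com servers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int


class ServerDown(Exception):
    pass


class ToyResolver:
    def __init__(self, servers, root_hints):
        self.servers = servers          # ip -> {(name, rtype): [Record, ...]}
        self.root_hints = list(root_hints)
        self.down = set()               # ips that have stopped answering
        self.cache = {}                 # (name, rtype) -> (expires_at, (rdata, ...))
        self.trace = []                 # where each uncached resolution started

    def _cache_put(self, recs, now):
        groups = {}
        for r in recs:
            groups.setdefault((r.name, r.rtype), []).append(r)
        for key, rs in groups.items():
            self.cache[key] = (now + min(r.ttl for r in rs), tuple(r.rdata for r in rs))

    def _cache_get(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        return hit[1] if hit and hit[0] > now else None

    def _query(self, ip, name, rtype):
        """One upstream query: an answer, or a referral with NS records plus glue."""
        if ip in self.down:
            raise ServerDown(ip)
        zone = self.servers[ip]
        if (name, rtype) in zone:
            return "ANSWER", zone[(name, rtype)]
        labels = name.split(".")
        for i in range(len(labels)):  # closest enclosing delegation
            cut = ".".join(labels[i:])
            ns = zone.get((cut, "NS"))
            if ns:
                glue = [a for r in ns for a in zone.get((r.rdata, "A"), [])]
                return "REFERRAL", ns + glue
        raise LookupError(f"{name} unknown at {ip}")

    def _cached_delegation(self, name, now):
        """Deepest unexpired NS set (with glue) enclosing name, else the root hints."""
        labels = name.split(".")
        for i in range(len(labels)):
            cut = ".".join(labels[i:])
            ns = self._cache_get(cut, "NS", now)
            if ns:
                ips = [a for n in ns for a in (self._cache_get(n, "A", now) or ())]
                if ips:
                    return cut, ips
        return ".", self.root_hints

    def resolve(self, name, rtype, now):
        cached = self._cache_get(name, rtype, now)
        if cached:
            return list(cached)
        zone_cut, candidates = self._cached_delegation(name, now)
        self.trace.append(f"start at {zone_cut}")
        while True:
            response = None
            for ip in candidates:
                try:
                    response = self._query(ip, name, rtype)
                    break
                except ServerDown:
                    continue
            if response is None:
                raise ServerDown(f"no reachable server for {zone_cut}")
            kind, recs = response
            self._cache_put(recs, now)
            if kind == "ANSWER":
                return [r.rdata for r in recs]
            ns_names = {r.rdata for r in recs if r.rtype == "NS"}
            zone_cut = recs[0].name
            candidates = [r.rdata for r in recs if r.rtype == "A" and r.name in ns_names]


def build_toy():
    servers = {
        "192.0.2.1": {   # a root server (constructed)
            ("com", "NS"): [Record("com", "NS", "a.gtld.example", 172800)],
            ("a.gtld.example", "A"): [Record("a.gtld.example", "A", "198.51.100.1", 172800)],
        },
        "198.51.100.1": {  # the .com server (stands in for Verisign's)
            ("google.com", "NS"): [Record("google.com", "NS", "ns1.google.com", 172800)],
            ("ns1.google.com", "A"): [Record("ns1.google.com", "A", "203.0.113.1", 172800)],
        },
        "203.0.113.1": {   # google.com's authoritative server (constructed)
            ("google.com", "A"): [Record("google.com", "A", "203.0.113.80", 300)],
        },
    }
    return ToyResolver(servers, ["192.0.2.1"])


def outage_scenario():
    """Resolve once, take .com down, then watch the cache carry the name until TTLs run out."""
    resolver, t0, out = build_toy(), 1_000_000, {}
    out["fresh"] = resolver.resolve("google.com", "A", t0)                 # root -> .com -> google
    resolver.down.add("198.51.100.1")                                       # .com goes dark
    out["cached_answer"] = resolver.resolve("google.com", "A", t0 + 200)   # A record still fresh
    out["cached_delegation"] = resolver.resolve("google.com", "A", t0 + 400)  # A expired; NS+glue cached
    try:
        resolver.resolve("google.com", "A", t0 + 172_801)                  # delegation expired too
        out["expired"] = "resolved"
    except ServerDown:
        out["expired"] = "unreachable"
    return out, resolver.trace
```

Run outage_scenario() and the trace reads "start at .", "start at google.com",
"start at .": the first lookup walks the whole tree, the third one skips the
dead .com servers entirely because the delegation for google.com is still in
cache, and only after that delegation's two-day TTL has passed does the
resolver have to go back through the root and fail. The popular names most
people care about are exactly the ones most likely to be held in every
resolver's cache, which is why a TLD outage degrades over hours and days
rather than all at once.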

------
m-jones
This is (one of) the reason(s) I moved my website to the decentralized web-
hosting platform ZeroNet. It is still accessible to regular web users (through
the use of proxies) but is ultimately secure against DDOS attacks and the like
as there is no single server to attack (it could still be done, but it would
take much more effort as you would have to attack each user of ZeroNet
individually).

As applicable with all areas of life, association is a security risk. By
depending upon any centralized authority (such as a server or domain name
registrar) you are open to being censored (either by them or an attacker).

At this point however, decentralized web-hosting solutions still rely upon
clearnet centralized port checkers, which is (of course) an issue. The best the
community can do is help to raise awareness of decentralized web hosting in
the hopes more people will adopt it leading to a higher likelihood that the
problems will be solved.

------
gpvos
_> The NSA, which has more surveillance in the Internet backbone than everyone
else combined, probably has a better idea, but unless the U.S. decides to make
an international incident over this, we won't see any attribution._

Or unless it's the US itself. Not the most likely possibility I think, but
still a possibility.

------
akerro
When my Omnia Turris arrives I will connect it with second WiFi card and
enable cjdns on it. We need to start showing it.

------
sgnelson
Makes me wonder if we'll ever see a "hot" war that starts off as a "cyber"
war.

~~~
Zigurd
The start of every US war in the ME has featured attacks on communication and
infrastructure, starting with hacking in to the telephone exchanges weeks or
months before the hot war starts, and culminating with the takedown of
critical physical infrastructure, like power, water, etc. as the first thing
to go when the shooting starts.

~~~
linkregister
Can you clarify this? I remember seeing some articles about this tactic in
maybe 2010, but nothing before then. I recall the Gulf War and OIF/OEF
infrastructure damage being primarily from aerial bombing, but it's possible I
missed the articles about the hacking element.

I'm not doing the snarky "citations pls" thing; I don't dispute it happened. I
just want to know more.

~~~
Zigurd
I can't find the article I read at the time. The gist of it was that a
sysadmin was bribed to gain access to the telephone exchanges and once the
Iraqi government realized they were compromised they ran expedient unburied
fiber links to communicate with commanders.

------
phantom_oracle
Blaming China or Russia is lazy writing. It could be just about anyone,
including a rogue internal agency doing a spoof-attack to precisely cause the
blame to go towards the obvious "state actors".

Cyber-warfare is the 'new' war and just like any war, misinformation plays an
important role.

~~~
m0nty
> Blaming China or Russia is lazy writing

It's what the author is being told by the people he has spoken to. Maybe a
lazy _assumption_ on their part, but it's not lazy writing. And your point is
directly addressed in TFA:

"The data I see suggests China, an assessment shared by the people I spoke
with. On the other hand, it's possible to disguise the country of origin for
these sorts of attacks."

It would be interesting to know the sort of resources needed for this kind of
attack/probing. Is it limited to state actors, or could we all play? Is the
objective simply to be prepared, or is there a plan afoot?

~~~
AnimalMuppet
> Is it limited to state actors, or could we all play?

Per the article, no, we can't all play. We don't have either the bandwidth or
the expertise.

~~~
m0nty
> Per the article

Not quite, it says "If the attacker has a bigger fire hose of data than the
defender has, the attacker wins" and "the size and scale of these probes—and
especially their persistence—points to state actors" which is not quite the
same as saying you need to own the bandwidth. For example, DNS amplification
can be used "to turn initially small queries into much larger payloads, which
are used to bring down the victim’s servers".

[https://www.incapsula.com/ddos/attack-glossary/dns-amplification.html](https://www.incapsula.com/ddos/attack-glossary/dns-amplification.html)

So maybe there are other techniques which might allow for similar leverage.
Neither is the article conclusive about "state actors", they are merely
"pointed to". As for expertise ... I don't doubt there are people out there
who have it or might acquire it. So it's still an interesting question imo.

~~~
AnimalMuppet
OK, perhaps I phrased it slightly wrong. _I_ can't play, because _I_ don't
have the bandwidth or the expertise. I think that most of us on this board are
in that category. (There's expertise here, but most of it isn't on the level
of these attacks.)

