nanog mailing list archives

Re: Vulnerabilities of Interconnection


From: Dave Israel <davei () algx net>
Date: Thu, 5 Sep 2002 15:50:04 -0400



The thing is, the major cuts are not "attacks;" the backhoe operators
aren't gunning for our fiber (no matter how much it seems like they
are).  If I wanted to disrupt traffic, intentionally and maliciously,
I would not derail a train into a fiber path.  Doing so would be very
difficult, and the legal ramifications (murder, destruction of
property, etc, etc) are quite clear and severe.  However, if I
ping-bomb you from a thousand "0wn3d" PCs on cable modems, I never had
to leave my parents' basement, I'm harder to trace by normal police
methods, and the question of which laws can be applied to me is
less clear. 

-Dave

On 9/5/2002 at 15:38:56 -0400, sgorman1 () gmu edu said:

"Again, it seems more likely and more technically effective to attack 
internally than physically. Focus again here on the cost/benefit 
analysis from both the provider and disrupter perspective and you will 
see what I mean."

Is there a general consensus that cyber/internal attacks are more
effective/dangerous than physical attacks?  Anecdotally it seems the
largest Internet downages have been from physical cuts or failures.

2001 Baltimore train tunnel vs. code red worm (see keynote report)
1999 McLean fiber cut - cement truck
AT&T cascading switch failure
Utah fiber cut (date??)
Not sure where the MAI mess up at MAE east falls
Utah fiber cut (date??)

Then again this is the biased perspective of the facet I'm researching.

Secondly it seems that problems arise from physical cuts not because
of a lack of redundant paths but a bottleneck in peering and transit -
resulting in ripple effects seen with the Baltimore incident.



----- Original Message -----
From: "William B. Norton" <wbn () equinix com>
Date: Thursday, September 5, 2002 3:04 pm
Subject: Re: Vulnerabilities of Interconnection


At 02:45 PM 9/5/2002 -0400, alex () yuriev com wrote:
> This obviously would be a thesis of Equinix and other collo space
> providers, since this is exactly the service that they provide. It
> won't, however, be a thesis of any major network that either already
> has a lot of infrastructure in place or has to be a network that is
> supposed to survive a physical attack.

Actually, the underlying assumption of this paper is that major networks
already have a large global backbone that need to interconnect in
n-regions. The choice between Direct Circuits and Colo-based cross
connects is discussed and documented with costs and tradeoffs. Surviving
a major attack was not the focus of the paper...but...

When I did this research I asked ISPs how many Exchange Points they felt
were needed in a region. Many said one was sufficient, that they were
resilient across multiple exchange points and transit relationships, and
preferred to engineer their own diversity separate from regional
exchanges. A bunch said that two was the right number, each with
different operating procedures, geographic locations, providers of
fiber, etc., as different as possible. Folks seemed unanimous about
there not being more than two IXes in a region, that to do so would
splinter the peering population.

Bill Woodcock was the exception to this last claim, positing
(paraphrasing) that peering is a local routing optimization and that
many inexpensive (relatively insecure) IXes are acceptable. The loss of
any one simply removes the local routing optimization and that transit
is always an alternative for that traffic.


> > A couple physical security considerations came out of that research:
> > 1) Consider that manholes are not always secured, providing access to
> > metro fiber runs, while there is generally greater security within
> > colocation environments

> This is all great, except that the same metro fiber runs are used to
> get carriers into the super-secure facility, and, since neither those
> who originate information, nor those who ultimately consume the
> information are located completely within facility, you still have the
> same problem.  If we add to it that the diverse fibers tend to
> aggregate in the basement of the building that houses the facility,
> multiple carriers use the same manholes for their diverse fiber and so
> on.

Fine - we both agree that no transport provider is entirely protected
from physical tampering if its fiber travels through insecure
passageways. Note that some transport capacity into an IX doesn't
necessarily travel along the same path as the metro providers,
particularly those IXes located outside a metro region. There are also a
multitude of paths, proportional to the # of providers still around in
the metro area, that provide alternative paths into the IX. Within an IX
therefore is a concentration of alternative providers, and these
alternative providers can be used as needed in the event of a path cut.


> > 2) It is faster to repair physical disruptions at fewer points,
> > leveraging cutovers to alternative providers present in the
> > collocation IX model, as opposed to the Direct Circuit model where
> > provisioning additional capacities to many end points may take days
> > or months.

> This again is great in theory, unless you are talking about someone
> who is planning on taking out the IX not accidentally, but
> deliberately. To illustrate this, one just needs to recall the
> infamous fiber cut in McLean in 1999 when a backhoe not just cut
> Worldcom and Level(3) circuits, but somehow let a cement truck pour
> cement into Verizon's manhole that was used by Level(3) and Worldcom.

Terrorists in cement trucks?

Again, it seems more likely and more technically effective to attack
internally than physically. Focus again here on the cost/benefit
analysis from both the provider and disrupter perspective and you will
see what I mean.


Alex





-- 
Dave Israel
Senior Manager, DNE SE

