March 21, 2006 at 10:00 AM ET
Last week came yet another story predicting doomsday for the Internet. Except this time, it wasn't a Digital Pearl Harbor that was coming. It was a "Katrina of the Internet."
Ordinarily, I would just shrug off such a story -- there are always two or three of these each year -- and recommend that readers do the same. After all, the Internet sky has been said to be falling many times, and yet, it never seems to happen. But this story was written by Ted Bridis at the Associated Press, whose work is beyond reproach. So I dug in, and sure enough, there is something to be worried about.
The fundamental problem, one that should ring true to many consumers, is this: On the Internet, it’s far too easy for data to lie about what it is, and where it’s come from. Until the problem of such data impersonation is solved, no one can promise you that your e-mail won’t one day disappear, your Internet phone calls will stop working, or your electronic commerce business might one day be brought to its knees. Just imagine if your water, electricity, heat, or gasoline were that unreliable.
“It's as if our electric grid didn't even have fences around it,” said Paul Vixie, president of Internet Systems Consortium Inc., a non-profit that helps run the computers at the heart of the Internet. "This is disgraceful what we do, and what we don’t do, to protect the Internet.”
All this means, at a minimum, consumers should have Internet disaster plans ready, a virtual fire escape and digital smoke detector. Have backup copies of your baby pictures somewhere, and not just online; keep paper copies of banking statements for the day you can't bank online, that kind of thing. We've come to depend on the network, but we should remember that it has an Achilles heel.
The Internet is a bit of a paradox, being both incredibly fragile and incredibly resilient. Recall that we all lost a day's work seven years ago when a frustrated Philippine graduate student named Onel de Guzman released the LoveBug virus on the world.
On the other hand, despite the best efforts of every ill-meaning hacker to ever sprout pimples, the Internet has not "gone down." Sites have gone down. E-mail has been overwhelmed by spam. Web traffic has even been slowed a smidge by computer worms. But basically, the Internet has survived everything that's been thrown at it. That's a credit to its redundant, distributed design -- files are copied and backed up all over the world, and there are almost always multiple ways for data to travel. If one Internet road is cut off, there are always detours. The system has survived everything, even 9/11 and Katrina.
This resiliency is a good news/bad news story. And here's the bad news: At this point, every alarm bell that's sounded has the air of the boy who cried wolf.
But as I called around to security experts last week, the people who really watch the 1s and 0s as they fly around the globe, I could sense exasperation. Just because the big one hasn't come yet doesn't mean it won't come, I heard.
Turning the Internet against itself
Now, for the new attack. VeriSign Inc. says someone took an army of 30,000 hijacked computers and trained them on 1,500 targets earlier this year, overwhelming them with traffic. The attacked computers were helpless. And then, after a few weeks, the attacks stopped. The attacking packets were not defeated by countermeasures; the attackers simply moved on.
Such denial of service attacks are not new. But VeriSign's Ken Silva said that this new attack was much more intense than anything seen before.
"We're trying to fire a flare here," he said. "This is a problem that is bigger than anyone is currently thinking."
Here's why: Hackers aren't using simple hijacked home computers to attack. They are turning the Internet's Domain Name Server system against itself. The domain name server system is the Internet's addressing system. It maps ugly numeric IP addresses like 220.127.116.11 to simple names like MSNBC.com. There are 13 root nameservers, which are essential to the proper functioning of the Internet. Verisign runs two of them.
But there are perhaps 1 million or more additional domain name servers, operated by just about every company with a network in order to speed things up.
It's these local domain servers that are being used in the attack. Criminals have figured out a way to ask one of these smaller servers a question, and by using a fake return address, get the answer sent to a different computer. That's called spoofing, but it might be thought of as data identity theft. Or, in real-world terms, it's like having a pizza delivered to a friend's house as a prank.
Criminals have trained tens of thousands of domain name servers on individual computers, flooding them with so much traffic that they are forced off the Internet. The attack is incredibly effective because traffic coming from domain name computers tends to be trusted. And it's particularly hard to filter out the attacking traffic from legitimate traffic.
For example, criminals send a question from a hijacked university computer to BigCompany.com’s domain server, pretending to be Retailer.com. The responses go to Retailer.com. Repeated thousands of times, the site eventually topples over. Were the rogue traffic sent from a university computer, Retailer.com might be able to filter it out. But Retailer.com tends to believe BigCompany’s domain name server, and cutting it off would tend to cut off visits from every employee in the company. Multiply that effect by a few hundred domain name servers and the Web site has a terrible choice -- either shut out half the Internet, or be overwhelmed by traffic.
Why people are really worried
Now here's what has the network operators really worried. Domain name server software is being used to dramatically amplify the size of the attacks. When a criminal sends a a certain kind of question with a fake return address to a cooperative domain name server, the answer coming out is 64 times larger than the question. That gives the attackers an incredible multiplier effect. One computer initiating an attack like this feels like 64 computers to the target. And the 30,000 domain name servers used in the attacks earlier this year? They created a Internet storm that felt like 2 million computers.
"This is not childs' play out there," Silva said. "This is very serious."
The problem has actually been discussed for close to a year, said Johannes Ulrich, director of the Internet Storm Center. It's called open recursive domain name servers, if you’d like to read up on the conversation. These computers shouldn't just take questions from anyone -– they really only need to answer to computers on their local network. But they do. Perhaps three-quarters of all DNS servers are incorrectly set up, VeriSign's Silva said. Hundreds of thousands of computers are ready and waiting to be used in another attack, Silva says.
Ulrich was a bit more reserved in his description of the problem's severity. While the heart of the Internet itself -- the 13 root nameservers -- is probably not at risk, individual sites are absolutely in peril, he said. Four years ago, attackers struck at Microsoft's domain name servers, shutting the company's Web sites down for the better part of three days. A similar attack using this new technique could shut down large Web sites, Ulrich said.
Those who operate domain name servers are urged to make them far less compliant to the whims of attackers.
The fundamental problem
But Vixie said this new attack was just one of dozens of methods hackers could use to threaten Web sites. There's a far more fundamental problem with the Internet, he said, one that needs to be addressed immediately -– data can readily lie about where it's come from.
Computers are a trusting lot. They simply believe the return address they see when a request comes in. That's how the Internet was designed, for a trusting lot of university professors. But today, the network doesn't deserve the trust we give it. The ability to lie about return addresses enables most Internet misbehavior, in everything from this new attack to phishing e-mails that appear to come from legitimate companies. The Internet is not only anonymous, it's imposter-friendly, and that's the problem. New standards, such as a new Internet protocol called IPv6, would severely limit a computer criminal's ability to hide behind other identities. To stop the specific case raised by VeriSign would be even easier, Vixie said. Simple changes by Internet service providers could make sure that no packet leaving their network wasn’t properly addressed, with a return address known to belong to a customer -- a technique called reverse path forwarding.
But adoption of new, safer standards has been sluggish, to put it generously. There’s a reason. Without any meaningful government regulation, such changes must be made on a voluntary basis. For-profit companies just don’t spend money for no reason. In the case of packet spoofing, there’s no cost for an ISP to allow impersonating packets out of their network -- the cost is on the company that suffers the attack. So there’s no motivation for the ISP to fix the problem, and in fact, there’s economic incentive to ignore the problem.
The built-in atrophy is called an “asymmetric cost benefit” -- you’re asking one company to spend money so another company saves money. Fat chance. Nothing will change until change is forced. So long as we live in a Web where anyone can hide this way, the Internet can't be trusted.
On almost the same day as this latest Internet threat story came out, NBC News revealed that screeners at over 20 airports failed to catch bomb-making material carried on airplanes by congressional investigators. The news was followed by the usual chest-beating and claims that keeping bombs off airplanes was a top priority for airport security workers.
It's hard to imagine, in a world where the government hasn't gotten airplane security right yet, it will take on the basic security of the Net. And yet, if it does not, and the current state of affairs continues, we may just yet get that digital Pearl Harbor. And there will be a long list of people saying "I told you so.'