the Internet
Steve Crocker
Steve@shinkuro.com
Sermon - Part Two
Proactive is better than Reactive
We need not be stuck with current vulnerabilities
Usability and Security compete but can co-exist. (This is not a zero sum game.)
Be demanding. Insist on creative, usable, useful solutions, products and systems
Road Map
General orientation
Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
DNSSEC
[Chart of growth over time, Jan-93 through Jan-05; data from www.isc.org]
Web Sites
[Chart: web sites in millions, 1993 through 2005; source http://news.netcraft.com]
Internet Users
[Chart: Internet users in millions, 1995 through 2005; data from www.nua.com and http://www.internetworldstats.com/stats.htm]
U.S. Information Technology
[Chart: billions per year, 1990 through 2003; sources http://www.esa.doc.gov/TheEmergingDigitalEconomy.cfm and http://www.esa.doc.gov/DigitalEconomy2003.cfm (2002 & 2003 are estimates)]
U.S. Retail E-Commerce
[Chart: billions per year, quarterly from D-99 through A-05, annotated as rising from 0.7% of total US retail to 2.4% of total; source http://www.census.gov/estats]
Part 1: 1970 - 1997
[Figure: timeline labelled geeks, CSNet, geeks and students, business, WWW, NBC TV, ending with "mom!"]
Part 2: 1998 - 2000
[Figure: timeline from 1998 to 2000 labelled "everything IP", metronets, VCs, "irrational exuberance", "traffic doubling every 3 days" (or something like that), ending with "mom!"]
Network Timeline
[Figure]
Arpanet
1968 - 1990
(D)ARPA sponsored
– Advanced Research Projects Agency
– Sputnik-inspired quick reaction funding agency
Built within the ARPA-sponsored computer science research community
– Major universities & small research orgs
Formal contract for IMPs, lines
No formal organization for applications
Arpanet - December 1969
[Map]
Arpanet - December 1970
[Map]
Arpanet - March 1977
[Map]
Standards on the Arpanet
Single vendor (BBN) for routers (IMPs)
– Proprietary format, addressing, routing
No formal plan or organization for apps
– Organic cooperation among initial sites
Informal, cooperative process emerged
Protocol Layers
[Figure]
The Early “Standards” Process
Open architecture
– Multiple protocol layers
– Not a fixed number; new layers anticipated
Network Working Group
Loose, open organization
– From current or future Arpanet sites
No formal charter
– S. Crocker chaired and was funded
Grew from fewer than 10 to 50 and up
– Split into parallel working groups: Telnet, File Transfer Protocol (FTP), others
Documents (The RFCs)
Completely open, informal documents
“Standards” arrived at by consensus
– Mild management to declare completion
– Strong emphasis on running code
Documents named “Request for Comments” to emphasize open, invitational nature
Became more structured over time
Arpanet begets the Internet
Lots of other networks
– Other countries - UK, CA, FR
– Other agencies - NASA, DoE
– Local nets - Ring nets, Ethernet
– Other media - packet radio, packet satellite
Internet Standards
Network Working Group evolved into multiple groups
Internet Activities Board (IAB) formed
IETF born under the IAB 1986
Internet - August 1987
[Map, from Craig Partridge]
Internet Assigned Numbers Authority (IANA)
Assigns numbers and keeps them from colliding
– Protocol numbers
– IP addresses: mostly delegated to IP address registries
– Names: mostly delegated to DNS name registries
1998: IANA transitions into creation of ICANN
IP addresses
Mostly delegated to
– Registries such as RIPE/APNIC/ARIN
– Local providers via registries
– Few end organizations get addresses from IANA or registries
Names delegated to DNS name registries
Road Map
General orientation
Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
DNSSEC
Vulnerabilities Reported to CERT/CC
[Chart]
Attack Sophistication vs. Intruder Knowledge
[Chart: attack sophistication rising over time, with milestones including email propagation of malicious code, widespread attacks using NNTP to distribute attack, widespread attacks on DNS infrastructure, DDoS attacks, and sophisticated command & control]
Edge vs Infrastructure
Most of the security issues are at the edge
– Individual computers and enterprises
– With exception of DDoS attacks, local defense is possible
Need better products!!
Infrastructure Security
Physical: Lines and Switches
Routing
Domain Name System (DNS)
Denial of Service Attacks
Lines and Switches
Lots of redundancy
Good, albeit not perfect
– World Trade Center: 1/2 of South Africa DNS failed
– Earthquake in Taiwan
Well understood. Improving steadily
Routing Security
Routers examine each packet to determine the next hop
Routers have tables showing best path to each region of the net
Tables are updated dynamically
– Routes recomputed to avoid outages
Limited security
Address Spoofing
Each packet has a To and From address
The From address is not usually checked
False From addresses often used in attacks
Uphill battle to get Internet Service Providers to check
Address checking is a prerequisite to routing security
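Added example, not from the talk: the "address checking" this slide calls a prerequisite is ingress filtering in the style of BCP 38 / RFC 2827, applied by a provider at each customer-facing interface. Interface names, prefixes and packets below are constructed sample values.

```python
"""Ingress source-address check at a customer-facing interface (BCP 38 / RFC 2827
style). Added illustration; interface names, prefixes and packets are constructed."""
import ipaddress

# Constructed: prefixes assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

# Ranges that should never be a source on the public Internet: RFC 1918 private
# space, loopback, link-local and the "this network" block.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

def ingress_verdict(interface, src):
    """'pass' if src is legitimate on this interface, otherwise a drop reason."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop:bogon-source"
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return "drop:unknown-interface"
    if any(addr in net for net in allowed):
        return "pass"
    return "drop:source-not-assigned-to-interface"

def filter_packets(packets):
    """Apply the check to (interface, src, dst) tuples; return (interface, src, verdict)."""
    return [(iface, src, ingress_verdict(iface, src)) for iface, src, _ in packets]

# Constructed sample traffic. The second packet carries the RFC 1918 source
# 10.10.1.1 that the amplification attack anatomy later in the talk spoofs.
SAMPLE = [
    ("cust-a", "203.0.113.7", "192.0.2.1"),
    ("cust-a", "10.10.1.1", "192.0.2.1"),
    ("cust-b", "203.0.113.9", "192.0.2.1"),
    ("cust-b", "198.51.100.150", "192.0.2.1"),
    ("cust-b", "198.51.100.200", "192.0.2.1"),
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE):
        print(f"{iface:7s} {src:16s} {verdict}")
```

The fourth and fifth packets show why the check must be per interface: 198.51.100.200 is a real provider address, but it lies in the gap between the two prefixes assigned to cust-b, so it is dropped.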
Road Map
General orientation
Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
DNSSEC
What is WWW.CERT.IN’s address?
[Figure: the resolver on the desktop asks a caching forwarder for www.cert.in; the forwarder recursively queries a root name server, IN’s name server and CERT.IN’s name server, and returns 69.44.159.41]
DNS: Data Flow
[Figure: zone administrator, zone file, dynamic updates, master, slaves, caching forwarder and resolver, with the data flows between them numbered 1 through 5]
DNS Vulnerabilities
[Same figure annotated with the threats at each flow: corrupting data, unauthorized updates, altered zone data, impersonating master, cache impersonation, and cache pollution by data spoofing; countermeasures grouped as server protection and data protection]
DNSSEC
DNSSEC is the official security protocol for the DNS
– IETF RFCs 4033, 4034, 4035
Protects against data spoofing and corruption
Uses public key cryptography
– Same cryptography as PKI, but just for hosts
Implemented hierarchically
– The root signs the top level domain (.in)
– The TLD signs the next level (cert.in)
– Etc.
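Added example, not from the talk, of the hierarchical link the slide describes: the parent zone (.in) publishes a DS record holding a digest of the child's (cert.in) key-signing DNSKEY, computed as RFC 4034 specifies, and a validating resolver accepts the child's key only if it matches that DS. The key bytes are a constructed stand-in, not a real cert.in key.

```python
"""Parent-to-child key linkage in DNSSEC: DS record digest (RFC 4034 5.1.4)
and key tag (RFC 4034 appendix B). Added illustration; key bytes are constructed."""
import hashlib
import struct

def owner_name_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()

def make_ds(owner, flags, algorithm, pubkey):
    """What the parent (.in) publishes and signs for the child (cert.in)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_digest(owner, rdata)}

def dnskey_matches_ds(owner, flags, algorithm, pubkey, ds):
    """Validator side: accept the child's DNSKEY only if it matches the parent's DS."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (ds["algorithm"] == algorithm and ds["key_tag"] == key_tag(rdata)
            and ds["digest"] == ds_digest(owner, rdata))

# Constructed stand-in for cert.in's key-signing key: flags 257 (KSK with SEP bit),
# algorithm 13 (ECDSA P-256 with SHA-256, whose public key is 64 bytes).
CHILD_KSK = bytes(range(64))
CHILD_DS = make_ds("cert.in.", 257, 13, CHILD_KSK)

if __name__ == "__main__":
    forged = bytes([CHILD_KSK[0] ^ 1]) + CHILD_KSK[1:]   # one bit flipped
    print("genuine key accepted:", dnskey_matches_ds("cert.in.", 257, 13, CHILD_KSK, CHILD_DS))
    print("altered key accepted:", dnskey_matches_ds("cert.in.", 257, 13, forged, CHILD_DS))
```

The same linkage repeats one level up: the root publishes a DS for .in's key, so a resolver configured with only the root's key can walk down to cert.in.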
Deployment Status
Specs and Software exist
TLD deployment has begun
– Sweden (.SE) is operational!
– Bulgaria (.BG), Puerto Rico (.PR), Brazil (.BR) signed
– RIPE’s portion of in-addr.arpa is signed
– .ORG has announced it will sign
– Others are in progress, including .IN
Browser and desktop will take a while
DNSSEC THIS MONTH
[Deployment map; see http://www.dnssec-deployment.org]
Road Map
General orientation
Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
DNSSEC
Distributed DoS (DDoS)
Most common DoS attacks use thousands of computers
– Sometimes hundreds of thousands
Individual computers (“zombies”) are penetrated and marshaled into a common force (“bot armies”)
Tools easily available
Bot armies available for rent
Amplified DDoS Attacks
New wrinkle observed last year
Bots send DNS queries with false return addresses
Responses are aimed at target
Responses are much larger than queries
January - February, 2006
[Figure]
Anatomy of the Attack
[Figure: (1) Attacker directs zombies to begin attack. (2) All zombies send DNS query for record “foo” in domain “bar.<tld>” to open recursive servers and set source IP=10.10.1.1 ...]
Attack Metrics (1)
51,000 open recursive servers were involved
55 byte query resulted in a 4,200 byte response, for a 1:76 amplification
8 gbps attack requires a total of 108 mbps of queries.
Each recursive server saw 2,100 bytes of queries, or 38 qps, and responded with 160 kbps in answers
Assuming compromised hosts have minimum 512kb DSL modem, only 200 compromised hosts were required
Attack Metrics (2)
Source networks would see no effect
Recursive servers saw minimal traffic or query increase
Victim network providers had catastrophic experience
Victim DNS provider was sent the equivalent of 150 million qps
At best, 1 in 100 real queries were answered
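Added example, not from the talk: a per-source check a recursive resolver operator could run over query logs to catch the pattern in the metrics above, where each open resolver sees only a modest query rate yet returns far more bytes than it receives. The log format and lines are constructed; from the resolver's vantage the spoofed victim address appears as the querier, so per-"source" answer volume is the actionable signal.

```python
"""Per-source amplification check over resolver query logs. Added example with
constructed log lines; the 'time src qname qsize rsize' format is hypothetical."""
from collections import defaultdict

# Constructed sample: one line per query, sizes in bytes. 10.10.1.1 is the spoofed
# source address from the attack anatomy; 192.0.2.50 is an ordinary client.
LOG = """\
1 10.10.1.1 foo.bar.example 55 4200
1 10.10.1.1 foo.bar.example 55 4200
1 10.10.1.1 foo.bar.example 55 4200
1 10.10.1.1 foo.bar.example 55 4200
1 10.10.1.1 foo.bar.example 55 4200
1 192.0.2.50 www.cert.in 42 90
2 192.0.2.50 mail.cert.in 43 95
2 10.10.1.1 foo.bar.example 55 4200
"""

def amplification_factor(query_bytes, response_bytes):
    """Answer bytes per query byte; the slide's 55 -> 4,200 bytes is about 76."""
    return response_bytes / query_bytes

def summarize(log):
    """Per source: query count, bytes in/out, distinct names, seconds seen."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0,
                                 "names": set(), "seconds": set()})
    for line in log.splitlines():
        t, src, name, qsize, rsize = line.split()
        s = stats[src]
        s["queries"] += 1
        s["qbytes"] += int(qsize)
        s["rbytes"] += int(rsize)
        s["names"].add(name)
        s["seconds"].add(int(t))
    return stats

def suspected_amplifiers(log, min_factor=20.0, min_qps=3.0):
    """Sources whose answer/query byte ratio and query rate both exceed thresholds;
    a spoofed victim shows exactly this even when the resolver's total load is small."""
    flagged = {}
    for src, s in summarize(log).items():
        factor = amplification_factor(s["qbytes"], s["rbytes"])
        qps = s["queries"] / len(s["seconds"])
        if factor >= min_factor and qps >= min_qps:
            flagged[src] = {"factor": round(factor, 1), "qps": qps,
                            "repeated_name": len(s["names"]) == 1}
    return flagged

if __name__ == "__main__":
    for src, info in suspected_amplifiers(LOG).items():
        print(src, info)   # candidates to rate-limit or investigate
```

Flagged sources are the ones to rate-limit; the ordinary client stays under both thresholds because its answers are only about twice its query size.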
Road Map
General orientation
Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
DNSSEC
Purpose of Telecom Regulations
some example reasons given for regulations
– protect consumer: e.g., defined QoS, E911 & full disclosure on terms
– protect investments: e.g., guaranteed rates of return
– protect society: e.g., control content - do not “confuse citizens”
– protect environment: e.g., limit overhead wires
Some Example Issues
peering relationships
– telephone - peering requirements defined
– Internet - big ISPs refuse to peer with small ISPs
– local peering points voluntary
international settlements
– telephone - line cost splitting
– Internet - non-US ISP pays full cost for link to US
quality of service
– telephone - service must meet specific quality
– Internet - best effort service
“Code is Law”
The design of the Internet protocols affects the ability of the Internet to be regulated
Most protocols do not have a control point
Carrier not involved in providing applications
– Hard to regulate what applications can be used
– Some carriers try anyway
Some exceptions
– DNS & a unique internetwork address
Regulations in Place
current list of effective US government regulations on the Internet
– traditional fraud/business regulations
– CANSPAM
– CDA
– DNS squatting
– anti porn
– ...
“Openists” Regulatory Approach
Net must be open to enable innovation commons
– require network neutrality
– e.g., power grid does not favor toasters
ICANN - Governance?
Internet Corporation for Names and Numbers
contract with U.S. DoC to:
– manage DNS root including defining new TLDs
– allocate IP address blocks to regional Internet registries (RIRs) (currently 5)
ICANN
[Organization chart]
[Illustrative layered chart, from bottom to top: 1 Architecture (IAB); 2 Protocols (IETF); 3 Implementation; 4 Products/Networks; 5 Operations (Internet Engineering and Planning Group, Root Server Operators, and regional operator groups such as NANOG and AFNOG across North America, South America, Europe, Africa and Asia-Pacific)]
[Second illustrative chart showing only layer 1 Architecture (IAB) and layer 5 Operations (Internet Engineering and Planning Group, Root Server Operators, NANOG, AFNOG)]
Internet Governance
many issues that are gathered under “Internet Governance” - e.g.,
– crime, property (e.g., copyright & patents), monetary authority, content (e.g., porn & counter-government information), legal jurisdictions, cost sharing, security, inter-state relationships, citizen-state relationships, people to people & business to business relationships, anonymity, political action, regulations & regulatory authority, technical & business standards, ...
Internet Governance, contd.
historically, no useful international dialogue
individual countries do their own thing, except ...
– early Internet processes did not take country regulators into account
e.g., IP addresses, domain names & standards approval
– e.g., rules on ccTLDs do not automatically give authority to country government
e.g., .iq - took years to activate
One Governance Hot Spot
how do national laws work in the Internet - some examples
content
– e.g., Yahoo vs France on Nazi materials
– e.g., Australian (and other) libel verdict
activities
– e.g., Internet gambling & WTO
privacy
– European privacy rules vs. US on Internet commerce
– US “safe harbor” program
Internet Governance: WSIS & IGF
World Summit on the Information Society - WSIS, Tunis 2005
e.g., who should control DNS root, ccTLDs?
– currently ICANN with US DoC oversight
big push to move to UN (or the like)
– assumptions that other authorities might be exercised later
– e.g., protect citizens from confusing information
Continuing action in Internet Governance Forum
Internet Governance, contd.
push to control the Internet will continue
– nationally with regulations (e.g. House bill & FCC)
– internationally (e.g. IGF)
some efforts will succeed
the Internet will become less unregulated
For Deeper Background
Mitch Waldrop, The Dream Machine: J.C.R. Licklider and the Revolution That Made Computing Personal
http://www.amazon.com/gp/product/014200135X/sr=11/qid=1144694781/ref=pd_bbs_1/102-2824911-4710560?%5Fencoding=UTF8&s=books