
Security (and Stability) of the Internet
Steve Crocker
Steve@shinkuro.com
CEO, Shinkuro, Inc.
Chair, ICANN Security and Stability Advisory Committee

A Brief Sermon
 Build security into the infrastructure
 Good architecture is cheaper and better than chasing the bad guys
– It’s less sexy but more effective
 CERTs, Firewalls, Honeynets, etc. are all good
 Networking the security community is good
 Do all of this, but also invest in the architecture

2
Sermon - Part Two
 Proactive is better than Reactive
 We need not be stuck with current vulnerabilities
 Usability and Security compete but can co-exist. (This is not a zero sum game.)
 Be demanding. Insist on creative, usable, useful solutions, products and systems

3
Road Map
 General orientation
 Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
 DNSSEC
– Distributed Denial of Service
 ICANN & Internet Governance
4
Internet Hosts
[Chart: Internet hosts, in millions (vertical axis 0 to 400), Jan-93 to Jan-05; data from www.isc.org]
5
Web Sites
[Chart: web sites, in millions (vertical axis 0 to 80), 1993 to 2005; source: http://news.netcraft.com]
6
Internet Users
[Chart: Internet users, in millions (vertical axis 0 to 1000), 1995 to 2005; data from www.nua.com]
http://www.internetworldstats.com/stats.htm
7
U.S. Information Technology
[Chart: billions per year (vertical axis 200 to 1400), 1990 to 2003; 2002 & 2003 are estimates]
http://www.esa.doc.gov/TheEmergingDigitalEconomy.cfm
http://www.esa.doc.gov/DigitalEconomy2003.cfm
8
U.S. Retail E-Commerce
[Chart: billions per year (vertical axis 0 to 90), D-99 to A-05; annotations: “0.7% of total US retail” and “2.4% of total”]
http://www.census.gov/estats
9
Part 1: 1970 - 1997
[Timeline figure with marks at 1970, 1981, 1988 and 1997; labels: geeks, CSNet, geeks and students, business, WWW, NBC TV, mom!]

10
Part 2: 1998 - 2000
[Timeline figure with marks at 1998 and 2000; labels: everything IP, metronets, “irrational exuberance”, “traffic doubling every 3 days” (or something like that), VCs, mom!]
11
Network Timeline

12
Arpanet
 1968 - 1990
 (D)ARPA sponsored
– Advanced Research Projects Agency
 Sputnik-inspired quick reaction funding agency
 Built within the ARPA-sponsored computer science research community
– Major universities & small research orgs
 Formal contract for IMPs, lines
 No formal organization for applications

13
Arpanet - December 1969

14
Arpanet - December 1970

15
Arpanet - March 1977

16
Standards on the Arpanet
 Single vendor (BBN) for routers (IMPs)
– Proprietary format, addressing, routing
 No formal plan or organization for apps
– Organic cooperation among initial sites
 Informal, cooperative process emerged

17
Protocol Layers

18
The Early “Standards” Process
 Open architecture
– Multiple protocol layers
 Not a fixed number; new layers anticipated
– Middle layers accessible
– New protocols encouraged
 Open participation
– Originally just from host sites
– Everyone equal - individuals, not organizations
– No cost for participation (NWG)
– No cost for documents (RFCs)

19
Network Working Group
 Loose, open organization
– From current or future Arpanet sites
 No formal charter
– S. Crocker chaired and was funded
 Grew from fewer than 10 to 50 and up
– Split into parallel working groups
 Telnet, File Transfer Protocol (FTP), others

20
Documents (The RFCs)
 Completely open, informal documents
 “Standards” arrived at by consensus
– Mild management to declare completion
– Strong emphasis on running code
 Documents named “Request for Comments” to emphasize open, invitational nature
 Became more structured over time

21
Arpanet begets the Internet
Lots of other networks
 Other countries - UK, CA, FR
 Other agencies - NASA, DoE
 Local nets - Ring nets, Ethernet
 Other media - packet radio, packet satellite

Need to interconnect and interoperate

22
Internet Standards
 Network Working Group evolved into multiple groups
 Internet Activities Board (IAB) formed
 IETF born under the IAB 1986

23
Internet - August 1987

24
From Craig Partridge
Internet Assigned Number Authority (IANA)
 Assigns numbers and keeps them from colliding
– Protocol numbers
– IP addresses
– mostly delegated to IP Address registries
– Names
– mostly delegated to DNS name registries
1998: IANA transitions into creation of ICANN
25
IP addresses
 Mostly delegated to
– Registries such as RIPE/APNIC/ARIN
– Local providers via registries
– few end organizations get addresses from IANA or registries

26
Names delegated to DNS name registries
 ISO 2 letter names
– US, JP, CA, UK, CH, ZA, BG, BR, …
– Generally nationally managed
 Generic Top Level Domain names
– COM, NET, ORG, MUSEUM, AERO, BIZ, INFO, PRO, etc.

27
Road Map
o General orientation
 Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
 DNSSEC
– Distributed Denial of Service
 ICANN & Internet Governance
28
Incidents Reported to CERT/CC

29
Vulnerabilities Reported to CERT/CC

30
Attack Sophistication vs. Intruder Knowledge
[Chart: vertical axis Attack Sophistication, horizontal axis Intruder Knowledge, 1990 to 2004; annotated with attack techniques, e.g. packet spoofing, hijacking sessions, GUI intruder tools, automated probes/scans, widespread denial-of-service attacks, distributed attack tools, widespread attacks on DNS infrastructure, anti-forensic techniques, DDoS attacks]



31
(Some) Internet Security Issues
 Porn, hate, etc.
 Identity theft
 Other fraud
 Spam
 Denial of Service attacks
 Penetrations (vandalism, extortion, espionage)
 Etc.

32
Edge vs Infrastructure
 Most of the security issues are at the edge
– Individual computers and enterprises
– With exception of DDoS attacks, local defense is possible
 Need better products!!

33
Infrastructure Security
 Physical: Lines and Switches
 Routing
 Domain Name System (DNS)
 Denial of Service Attacks

34
Lines and Switches
 Lots of redundancy
 Good, albeit not perfect
– World Trade Center: 1/2 of South Africa DNS failed
– Earthquake in Taiwan
 Well understood. Improving steadily

35
Routing Security
 Routers examine each packet to determine the next hop
 Routers have tables showing best path to each region of the net
 Tables are updated dynamically
– Routes recomputed to avoid outages
 Limited security

36
Address Spoofing
 Each packet has a To and From address
 The From address is not usually checked
 False From addresses often used in attacks
 Uphill battle to get Internet Service Providers to check
 Address checking is a prerequisite to Routing security
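
The From-address check this slide asks providers to perform, sketched as an added example (not part of the original slides): packets arriving on a customer port are forwarded only if their From address lies inside a prefix assigned to that port. Port names, prefixes and packets are constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed provisioning table: prefixes the ISP has assigned to each customer port.
ASSIGNED = {
    "port-1": ["192.0.2.0/25"],
    "port-2": ["192.0.2.128/25", "2001:db8:2::/48"],
}

# Constructed packet headers: (ingress port, From address, To address).
PACKETS = [
    ("port-1", "192.0.2.10", "198.51.100.53"),      # legitimate
    ("port-1", "203.0.113.7", "198.51.100.53"),     # From address outside port-1's prefix
    ("port-2", "192.0.2.200", "198.51.100.53"),     # legitimate
    ("port-2", "2001:db8:2::5", "2001:db8:ff::1"),  # legitimate IPv6
    ("port-2", "192.0.2.10", "198.51.100.53"),      # port-1's address used on port-2
    ("port-3", "192.0.2.10", "198.51.100.53"),      # port with no assignment at all
]


def build_filters(assigned):
    """Parse the provisioning table into network objects once, up front."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}


def source_allowed(filters, port, src):
    """True only if src lies inside a prefix assigned to the ingress port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable From address: fail closed
    return any(addr.version == net.version and addr in net
               for net in filters.get(port, []))


def ingress_filter(filters, packets):
    """Split packets into forwarded and dropped, counting drops per port."""
    forwarded, dropped, drops_by_port = [], [], Counter()
    for port, src, dst in packets:
        if source_allowed(filters, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped.append((port, src, dst))
            drops_by_port[port] += 1
    return forwarded, dropped, drops_by_port


if __name__ == "__main__":
    fwd, drop, per_port = ingress_filter(build_filters(ASSIGNED), PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for port, n in sorted(per_port.items()):
        print(f"{port}: {n} packet(s) with a From address outside the assigned prefix")
```

The per-port drop counter is what tells the operator which customer connection is emitting false From addresses.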

37
Road Map
 General orientation
 Infrastructure Security
– Lines and Switches
– Routing
 Domain Name System
 DNSSEC
– Distributed Denial of Service
 ICANN & Internet Governance
38
The Domain Name System
 The Domain Name System translates domain names into addresses
 www.cert.in. => 69.44.159.41

39
What is WWW.CERT.IN’s address?
[Diagram: the resolver in the desktop asks a caching forwarder (recursive) “www.cert.in?”; the forwarder queries the root name server, IN’s name server and CERT.IN’s name server; the answer is 69.44.159.41]

40
DNS: Data Flow
[Diagram: DNS data flow in five numbered steps among the zone administrator, zone file, dynamic updates, master, slaves, caching forwarder and resolver]

41
DNS Vulnerabilities
[Diagram: the same data flow (zone administrator, zone file, dynamic updates, master, slaves, caching forwarder, resolver) annotated with vulnerabilities: corrupting data, unauthorized updates, impersonating master, altered zone data, cache impersonation, cache pollution by data spoofing; the annotations are grouped under “Server protection” and “Data protection”]
42
DNSSEC
 DNSSEC is official security protocol
– IETF RFCs 4033, 4034, 4035
 Protects against data spoofing and corruption
 Uses public key cryptography
– Same cryptography as PKI, but just for hosts
 Implemented hierarchically
– The root signs the top level domain (.in)
– The TLD signs the next level (cert.in)
– Etc.
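
The hierarchical delegation above, as an added example (not part of the original slides): a parent vouches for a child zone by publishing a DS record, a digest of the child's DNSKEY, and a validator walks those links downward from the root. The sketch covers only the DS-to-DNSKEY link (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and omits signature verification; the key bytes are constructed, not real keys for .in or cert.in.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS record a parent publishes for a child key (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def first_broken_link(chain):
    """chain: [(zone, DS held by parent, DNSKEY RDATA served by zone), ...].
    Returns the first zone whose key the parent did not vouch for, else None."""
    for zone, parent_ds, child_rdata in chain:
        if parent_ds != make_ds(zone, child_rdata):
            return zone
    return None


# Constructed key material: flags 257 (key-signing key), algorithm 8 (RSA/SHA-256).
IN_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
CERT_IN_KSK = dnskey_rdata(257, 8, bytes(range(100, 164)))
FORGED_KSK = dnskey_rdata(257, 8, bytes(range(200, 256)) + bytes(8))

GOOD_CHAIN = [
    ("in.", make_ds("in.", IN_KSK), IN_KSK),                      # DS published in the root
    ("cert.in.", make_ds("cert.in.", CERT_IN_KSK), CERT_IN_KSK),  # DS published in .in
]
# Same delegation, but the cert.in answer carries a key the parent never listed.
SPOOFED_CHAIN = [GOOD_CHAIN[0], ("cert.in.", GOOD_CHAIN[1][1], FORGED_KSK)]

if __name__ == "__main__":
    print("good chain broken at:", first_broken_link(GOOD_CHAIN))
    print("spoofed chain broken at:", first_broken_link(SPOOFED_CHAIN))
```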

43
Deployment Status
 Specs and Software exist
 TLD deployment has begun
– Sweden (.SE) is operational!
– Bulgaria (.BG), Puerto Rico (.PR), Brazil (.BR) signed
– RIPE’s portion of in-addr.arpa is signed
– .ORG has announced it will sign
– Others are in progress, including .IN
 Browser and desktop will take a while

44
DNSSEC THIS MONTH
(http://www.dnssec-deployment.org)

45
Road Map
 General orientation
 Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
 DNSSEC
 Distributed Denial of Service
 ICANN & Internet Governance
46
Denial of Service Attacks
A Denial of Service (DoS) attack is an orchestrated traffic jam
 Purpose is to shut down a site, not penetrate it.
 Purpose may be vandalism, terrorism or extortion
– Estonia “cyber riot”
– Sports betting sites

47
Distributed DoS (DDoS)
 Most common DoS attacks use thousands of computers
– Sometimes hundreds of thousands
 Individual computers (“zombies”) are penetrated and marshaled into common force (“bot armies”)
 Tools easily available
 Bot armies available for rent

48
Amplified DDoS Attacks
 New wrinkle observed last year
 Bots send DNS queries with false return addresses
 Responses are aimed at target
 Responses are much larger than queries

49
January - February, 2006
 Authoritative TLD DNS servers attacked
 Variant of a well-known DDoS attack
 Attacks generated from 2 - 8 Gbps
 Failures occurred at multiple points
 Resulted in disruption of DNS services
 Included many TLDs without any apparent motive in most cases

50
Anatomy of the Attack
[Diagram actors: Attacker; Zombies; Open recursive servers; Name server bar.<tld>; Target name server at IP = 10.10.1.1]
(1) Attacker directs zombies to begin attack
(2) All zombies send DNS query for record “foo” in domain “bar.<tld>” to open recursive servers and set source IP=10.10.1.1
(3) Open resolvers ask bar.<tld> for record “foo”
(4) bar.<tld> responds with record “foo” (4000 byte DNS TXT RR)
(5) Open resolvers send DNS response with (4000 byte DNS TXT RR) to target name server
51
One Attack
Graph of responses to monitoring probes by the authoritative nameservers for a TLD before, during, and after an attack in February 2006. Vertical Axis shows the six TLD Server IP addresses. Red shows complete failure to answer, yellow indicates slow answers. For reference, Servers 1 and 4 show lesser impact than Servers 2, 3, 5, and 6. The horizontal axis shows actual time. This attack lasted 14 minutes.
Graphs courtesy of RIPE NCC.

52
Attack Metrics (1)
 51,000 open recursive servers were involved
 55 byte query resulted in a 4,200 byte response, for a 1:76 amplification
 8 gbps attack requires a total of 108 mbps of queries.
 Each recursive server saw 2,100 bytes of queries, or 38 qps, and responded with 160 kbps in answers
 Assuming compromised hosts have minimum 512kb DSL modem, only 200 compromised hosts were required

53
Attack Metrics (2)
 Source networks would see no effect
 Recursive servers saw minimal traffic or query increase
 Victim network providers had catastrophic experience
 Victim DNS provider was sent the equivalent of 150 million qps
 At best, 1 in 100 real queries were answered

54
Road Map
 General orientation
 Infrastructure Security
– Lines and Switches
– Routing
– Domain Name System
 DNSSEC
– Distributed Denial of Service
 ICANN & Internet Governance
55
Controlling the Internet
 regulations & governance
 very different for the Internet than for the telecom world
– very few Internet regulations in the U.S.
– little governance over the Internet internationally
 but things are changing
56
Regulations
 in telephone world most things are regulated
– e.g., services, prices, interconnections, international links, money flow
 the Internet (in the US) has been essentially unregulated for its entire history
– minor exceptions - e.g., NSF AUP
 anyone can start an ISP
– offer any services at any price they want
– not offer any services they do not want to
 ISP controls interconnection types and level

57
Purpose of Telecom Regulations
 some example reasons given for regulations
– protect consumer
 e.g., defined QoS, E911 & full disclosure on terms
– protect investments
 e.g., guaranteed rates of return
– protect society
 e.g., control content - do not “confuse citizens”
– speed service deployment
 e.g., give vendors an incentive to deploy technology
– protect environment
 e.g., limit overhead wires

58
Some Example Issues
 peering relationships
– telephone - peering requirements defined
– Internet - big ISPs refuse to peer with small ISPs
– local peering points voluntary
 international settlements
– telephone - line cost splitting
– Internet - non-US ISP pays full cost for link to US
 quality of service
– telephone - service must meet specific quality
– Internet - best effort service

59
“Code is Law”
 The design of the Internet protocols affects the ability for the Internet to be regulated
 Most protocols do not have a control point
 Carrier not involved in providing applications
– Hard to regulate what applications can be used
– Some carriers try anyway
 Some exceptions
– DNS & a unique internetwork address

60
Regulations in Place
 current list of effective US government regulations on the Internet
– traditional fraud/business regulations
– CANSPAM
– CDA
– DNS squatting
– anti porn
– ...

61
“Openists” Regulatory Approach
 Net must be open to enable innovation commons
– require network neutrality
 e.g., power grid does not favor toasters
 to let people at edge/end innovate
 dumb pipe must be available

The Broadband Debate: A User's Guide - Tim Wu
http://ssrn.com/abstract=557330

62
Deregulationists Regulatory View
 If network is property then companies will innovate
– note: “property” specifically includes right to exclude
 Network owner needs incentive to invest
– forced smart pipe OK

63
ICANN - Governance?
 Internet Corporation for Names and Numbers
 contract with U.S. DoC to:
– manage DNS root including defining new TLDs
– allocate IP address blocks
 to regional Internet registries (RIRs) (currently 5)
– Registers IETF Internet parameter values
 successor to work of Jon Postel
 DoC recently
– 1/ said that the U.S. would not relinquish oversight
– 2/ extended contract with ICANN for IANA services

64
ICANN

65
[Illustrative matrix: layers (rows) by region (columns: North Amer, South Amer, Europe, Africa, Asia-Pacific), with example organizations placed at each layer]
8 Policy & Laws
7 Law Enforcement: FBI
6 Response: CERT, AUCERT
5 Operations: NANOG, AFNOG, Root Server Operators, Internet Engineering and Planning Group
4 Products/Networks
3 Implementation and 2 Protocols: IETF
1 Architecture: IAB

66
[Illustrative matrix: layers (rows) by region (columns: North Amer, South Amer, Europe, Africa, Asia-Pacific), with example organizations placed at each layer and ICANN added]
8 Policy & Laws
7 Law Enforcement: FBI
6 Response: CERT, AUCERT
5 Operations: NANOG, AFNOG, Root Server Operators, Internet Engineering and Planning Group
4 Products/Networks
3 Implementation and 2 Protocols: IETF
1 Architecture: IAB
ICANN: Advisory role across multiple levels and countries (DNS and addressing only)

67
Internet Governance
 many issues that are gathered under “Internet Governance” - e.g.,
– crime, property (e.g., copyright & patents), monetary authority, content (e.g., porn & counter-government information), legal jurisdictions, cost sharing, security, inter-state relationships, citizen-state relationships, people to people & business to business relationships, anonymity, political action, regulations & regulatory authority, technical & business standards, ...

68
Internet Governance, contd.
 historically, no useful international dialogue
 individual countries do their own thing, except ...
– early Internet processes did not take country regulators into account
 e.g., IP addresses, domain names & standards approval
– e.g., rules on ccTLDs do not automatically give authority to country government
 e.g., .iq - took years to activate

69
One Governance Hot Spot
 how do national laws work in the Internet - some examples
 content
– e.g., Yahoo vs France on Nazi materials
– e.g., Australian (and other) libel verdict
 activities
– e.g., Internet gambling & WTO
 privacy
– European privacy rules vs. US on Internet commerce
– US “safe harbor” program

70
Internet Governance: WSIS & IGF
 World Summit on the Information Society - WSIS, Tunis 2005
 e.g., who should control DNS root, ccTLDs?
– currently ICANN with US DoC oversight
 big push to move to UN (or the like)
– assumptions that other authorities might be exercised later
– e.g., protect citizens from confusing information
 Continuing action in Internet Governance Forum

71
Internet Governance, contd.
 push to control the Internet will continue
– nationally with regulations (e.g. House bill & FCC)
– Internationally (e.g. IGF)
 some efforts will succeed
 the Internet will become less unregulated

72
For Deeper Background
 Mitch Waldrop, The Dream Machine: J.C.R. Licklider and the Revolution That Made Computing Personal
http://www.amazon.com/gp/product/014200135X/sr=11/qid=1144694781/ref=pd_bbs_1/102-2824911-4710560?%5Fencoding=UTF8&s=books
 A brief history of the Internet by several of the pioneers
http://www.isoc.org/internet/history/brief.shtml

73