Cyberweapon could cause Internet doomsday

cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the Internet. Eventually each router in the world would be receiving more updates than it could handle — after twenty minutes of attacking, a queue requiring 100 minutes of processing would have built up.

Clearly, this is a problem. “Routers under extreme computational load tend to do funny things,” says Schuchard. With every router in the world preoccupied, natural routing outages wouldn’t be fixed, and eventually the internet would be so full of holes that communication would become impossible. Shuchard thinks it would take days to recover.

“Once this attack got launched, it wouldn’t be solved by technical means, but by network operators actually talking to each other,” he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.

Meltdown not expected

So is Internet meltdown now inevitable? NS says that perhaps it is not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.

An alternative scenario would be the nuclear option in a full-blown cyberwar — the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the Internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the Internet while preserving the attacking nation’s internal network.

Sitting duck

Whoever launched the attack, there is little we could do about it. Schuchard’s simulation shows that existing fail-safes built into BGP do little to protect against his attack — they were not designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.

Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 percent of all autonomous systems on the internet, according to the researchers’ model, and would require network operators to monitor the health of connections in other ways. Schuchard says that convincing enough independent operators to make the change could be difficult.

“Nobody knows if it’s possible to bring down the global Internet routing system,” says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause “significant disruption” to the Internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.

“The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale,” he explains. “I doubt the Internet would behave as described.”

Schuchard and colleagues presented their findings at the Network and Distributed System Security Symposium in San Diego, California, last Tuesday.