Net security from one of the fathers of the biz

Bill Cheswick on firewalls, logging, DDOS, and the future of security

Do you think that we could use some mapping software to fight these types of attacks, just like weather people study the movement and shape of tornados with satellites?

Bill Cheswick: I don't think it's likely to be useful, because the sources of DDoS attacks are widespread and generally not hidden. It doesn't help me if I know the location of 10,000 attacking hosts: I can't possibly track them down (using traceback, traffic analysis, or whatever) and shut them all down. These days I am told that the attackers often don't even bother to spoof the attacking addresses.

If there is a particular attacking stream of interest, then, yes, this technology may be helpful, combined with others. I mentioned traffic analysis: this is one area where I conjecture that the spooks may be well ahead of the public literature.

There are certainly researchers examining packet traceback, flood suppression, etc., using these tools, including my data.

It seems that net neutrality is under fire in the US. What is your opinion from a security standpoint? Could we see some security improvements if carriers had the right to filter the traffic on their networks?

Bill Cheswick: Short answer: some carriers do filter some traffic, and that sometimes is a benefit to their customers. As the Chinese would tell you if free to do so, it is actually quite hard to suppress all the unwanted traffic, given world-class encryption and a massive traffic flow in which to hide.

The USENIX Magazine published an article [PDF] titled Worm Propagation Strategies in an IPv6 Internet that you co-authored. It seems that IPv6 could help us in fighting worms thanks to its huge address space. What type of other indirect security advantages could IPv6 provide?

Bill Cheswick: That paper points out that it doesn't help us that much. IPv6 is a good idea, but it shouldn't be sold as a palliative for worms.

The job of hunting for hosts on a network also has legitimate motivations. Corporate auditors are keen to find and track their assets. I think they are going to have to talk to the routers more. Hopefully, the worms will be excluded from these conversations.

At present, I don't see much economic pressure for corporations to switch their intranets to IPv6. There is a lot of work involved, and I don't see the benefits.

The internet runs on two fragile technologies: BGP connections among routers, and a bunch of root DNS servers deployed around the planet. How much longer do you think this setup could still be effective?

Bill Cheswick: For quite a while, actually, though there are obvious, well-known weaknesses with both systems. The DNS root servers appear to be 13 hosts, but are actually many more. They have been under varying, continual, low-level attacks for many years, a process that tends to toughen the defenses and make them quite robust. A few years ago there was a strong attack on the root servers, taking 9 of the 13 down at some point.

The heterogeneity of the root server management was part of the underlying robustness. For example, Paul Vixie's servers (F.ROOT-SERVERS.NET) had many hosts hiding behind that single IP address. I understand they did not go down. In this case, the statelessness of the UDP protocol underlying the DNS system was a strength (it is a weakness in other ways, allowing a variety of attacks, including some new ones recently).

There are other root servers, of course. Anyone can run one; it is just a question of getting people to use it. I understand that China is proceeding with root servers of their own. DNSSEC is a way to get the right DNS answer, but its deployment has had problems for at least 10 years.

BGP is certainly another network issue. Where should my routers forward packets to? BGP distributes this information throughout the internet. There are two problems here: 1) is the distribution working correctly, and 2) are the other players sending the correct information in the first place? This is usually an easy problem between an ISP and their customer. The customer is only allowed to announce certain routes, and the ISP filters these announcements to enforce the restriction. It is easy on a short list of announcements.

But at the peering point with other ISPs, this becomes hard, because there are hundreds of thousands of routes, and it isn't clear which is which. Should I forward packets for Estonia to router A or router B? We are far removed from the places where these answers are known.

There are proposals to grab ahold of all this information using cryptographic signatures. SBGP is one on-going proposal, but there are lots of problems with it, and lots of routers to change (we identify almost 200,000 routers a day worldwide in the internet mapping project).

And BGP announcements are misused. Evil nets will pop up for a little while, emit bad packets, and then unannounce themselves, confounding the job of tracking them down. Other attacks can divert packets from the proper destinations. There have been many cases of this, both accidental and intentional.

For all these problems, and others in the past, I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the internet down, but probably not for very long.
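As an added illustration of the ISP-to-customer route filtering Cheswick describes above (example code written for this page, not from the interview or any real ISP): each announcement is checked against the customer's permitted prefix list and a maximum prefix length, so space the customer does not own, and over-specific carve-outs of space it does own, are dropped before they can reach peers. The prefix list and addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the prefixes one customer is permitted to originate,
# each with the longest more-specific it may announce out of that block.
CUSTOMER_PREFIX_LIST = {
    "198.51.100.0/22": 24,   # customer allocation; may be split into /24s
    "192.0.2.0/24": 24,      # a single /24; no more-specifics permitted
}


@dataclass(frozen=True)
class Verdict:
    prefix: str
    accepted: bool
    reason: str


def filter_announcement(prefix: str, prefix_list=CUSTOMER_PREFIX_LIST) -> Verdict:
    """Accept a customer announcement only if it lies inside a permitted
    prefix and is no more specific than that entry's maximum length."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return Verdict(prefix, False, f"unparseable prefix: {exc}")

    for allowed, max_len in prefix_list.items():
        allowed_net = ipaddress.ip_network(allowed)
        if net.version != allowed_net.version:
            continue
        if net.subnet_of(allowed_net):
            if net.prefixlen > max_len:
                # A legitimate block, but carved finer than agreed: a
                # more-specific would win the longest-match race at peers.
                return Verdict(prefix, False,
                               f"more specific than /{max_len} allowed under {allowed}")
            return Verdict(prefix, True, f"covered by {allowed}")
    # Not inside any permitted prefix: the customer is announcing space it
    # does not own, which is exactly what the ISP-side filter exists to stop.
    return Verdict(prefix, False, "not in customer prefix list")


if __name__ == "__main__":
    # Constructed UPDATE: two legitimate routes, one over-specific route,
    # and one prefix that belongs to someone else entirely.
    for p in ["198.51.100.0/22", "198.51.101.0/24",
              "198.51.100.0/25", "203.0.113.0/24"]:
        v = filter_announcement(p)
        print(f"{'ACCEPT' if v.accepted else 'REJECT':6} {v.prefix:18} {v.reason}")
```

The same check does not scale to a peering session carrying hundreds of thousands of routes, which is the gap Cheswick points to: there, no single party holds the authoritative list to filter against.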

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Federico Biancuzzi is a freelancer. In addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
