In This Issue
Expansion of Frontiers of Engineering
December 1, 2003 Volume 33 Issue 4

Internet Security

Wednesday, December 3, 2008

Author: William R. Cheswick

Attacks on the Internet can be expensive and inconvenient, but they are not generally dangerous.

One of the design principles of the Internet was to push the network intelligence to the “edges,” to the computers that use the network rather than the network itself (Saltzer et al., 1984). Any given edge computer could send packets to any other edge host, leaving the details of packet delivery to the routers in the center of the network. This principle greatly simplified the design of the routers, which simply had to hot-potato packets toward the appropriate edge host as efficiently as possible. Routers could drop packets if there was congestion, leaving the edge hosts to provide reliable data delivery. Under this scheme, routers could relay packets with few complications, and they could be implemented in state-of-the-art hardware. Routers at the core of the Internet have benefited from Moore’s Law an operated at its limits since the late 1970s.

This approach is in direct contrast to the standard telephone system, in which the intelligence resides in centrally controlled phone switches, and the edges have dumb terminals (i.e., standard telephones). In the phone system, the phone company invents and implements the technology. In the decentralized Internet approach, edge computers can install arbitrary new protocols and capabilities not envisioned by the designers of the Internet; the World Wide Web is the most obvious example.

As a result of this design, most current newspaper articles covering the Internet refer to things that happen at the edges. Viruses infect PC clients, worms attack network servers, and the Internet dutifully delivers denial-of-service attack packets to the edges. (For the security concerns of edge hosts, see Wagner, in press.)

Most Internet edge hosts play the role of “clients” or “servers,” despite the popular use of the term “peer-to-peer” networking. A client requests a connection, and a server provides the service. Servers usually take all comers and must be accessible to a large number of hosts, most of which are clients and are privately owned. Hosts must connect to servers but aren’t necessarily servers, which makes them harder to attack.

A large majority of edge computers on the Internet are probably susceptible to attack and subversion at any given time. Because it is not economically feasible to harden all of these hosts, they are isolated from the rest of the Internet and many potential attacks by breaking the end-to-end model. It is impossible to mount a direct attack on a computer that cannot be reached. The trade-off between security and functionality does decrease the envisioned power and functionality of the Internet somewhat. Often, there is no satisfactory trade-off: the choice is between an unsafe service and no service at all.

Enclaves of edge computers are isolated topologically, through firewalls, routing tricks, and cryptography. At the same time, trusted communities of hosts, called intranets, allow businesses to operate with a reduced probability of successful attacks. This approach tends to create an organization with a hard outside and a soft, chewy center. Insider attacks can (and do) occur fairly often, and perimeter defenses often, even usually, contain holes.

Firewalls
Although network services can (and should) be hardened when necessary, the easiest defense is to get out of the game--to turn off the service or render it unreachable by attacking hosts. This can done by completely disconnecting the network from the Internet (as some high-security government networks have done) or by connecting it through a device that blocks or filters incoming traffic, called a firewall. Complete disconnection offers the best security, but it is very unpopular with most users, who may then seek to use sub rosa connections.

Nearly all corporate networks, and portions of many university networks (which have traditionally been open and unfiltered), use firewalls of varying strictness to cleanse incoming packet flows. Most consumers also have firewalls in their cable modems, DSL routers, wireless base stations, or client computers.

Firewalls provide a central site for enforcing security policies. Many companies provide a few firewalls as gateways between the corporate intranet and the Internet, equipped with the rules and filters to enforce the company’s security policies. The Internet security expertise, which is scarce and expensive, is situated at a few centralized choke points. This lowers the costs of configuring perhaps hundreds of thousands of corporate hosts to resist software attacks from random strangers and malicious software (“malware”).

Firewalls, a form of the classic perimeter defense, are supposed to offer the only connections between an intranet and the Internet, but long perimeter defenses can be difficult to monitor. A firewall may amount to circling the state of Wyoming, but modern corporate intranets can span the world. Therefore, it can be easy to add an unauthorized connection that breaches the perimeter without the knowledge of the centralized authority. Company business units and rogue employees may believe they have a compelling need--often a business need--to access the Internet in a way not permitted by corporate policy. For example, it may take time to get approvals for new services, and the new services may require filters that take time to install or may simply be impractical--overconstrained by a poorly designed protocol that doesn’t admit to easy filtering. An employee who decides it is better to apologize later than to get permission now might make his or her own connection.

Unauthorized connections that pierce the corporate perimeter may come from business partners, misconfigured gateways, or newly acquired companies. Even if unauthorized connections have been installed for good business reasons, the reason, and the person who understood the reason, may be long gone by the time a problem is identified. A new network administrator may have to choose between (1) closing down a suspect Internet connection and risking a vital business service and (2) leaving the connection up and allowing invaders into the company.

Rogue connections are often mistakes. It is easy to misconfigure virtual private networks (VPNs), Internet tunnels linking disconnected islands of trust (e.g., linking remote office networks or home computers with headquarters). Company employees often connect to a corporate network using encryption to conceal their data, thus creating a VPN that can interconnect home and office. An employee can also create a hole in the corporate perimeter. (My company’s principal business is to find these holes.)

If you are in charge of such a network, how can you deal with these problems? The most effective network administrators aggressively manage their networks. They control new and existing connections carefully. They use mapping tools to detect new routes and connections. They are equipped with, and use, aggressive management controls--violators of policy can be and are fired and even prosecuted.

Perimeter defenses like firewalls can be effective, and there are periodic pop-quizzes from the Internet itself that prove this. For example, if a widespread worm does not appear on an intranet, you may be reasonably sure that the perimeter does not have overt holes. Firewalls have limitations, of course. Attacks can come from inside an intranet, and many attacks or weakness are caused by stupidity rather than malice. (One government network administrator said he had more problems with morons than with moles.) An intranet must be hardened from internal attacks, which brings us back to host-based security.

Routing Limitations
You cannot directly attack a host you cannot reach. Besides firewalls, which can block access to a community of hosts, the community can also use network addresses that are not known to the Internet. If the Internet routers don’t know how to reach a particular network, an Internet edge host probably cannot send packets to that network. A community with an official set of private addresses that are guaranteed never to be announced on the Internet can use these addresses to communicate locally, but the addresses are not reachable from the Internet. The community can still be attacked through intermediate hosts that have access to both private and public address spaces, and many viruses and worms spread this way.

Some attacks on the Internet come from host communities that are only announced on the Internet intermittently. The networks connect, the attacks occur, and then the networks disconnect before a pursuit can be mounted. To give a community using private address space access to the Internet, one uses network address translation.

Network Address Translation
The Internet has grown, with very few tweaks, by more than nine orders of magnitude--a testament to its designers. But we are running uncomfortably close to one design limit of IP version 4, the technical description of the Internet and intranets, and their basic protocols. We have only about three billion network addresses to assign to edge hosts, and about half of them are currently accessible on the Internet, and more have been assigned. Thus, address space has gotten tight; by one common account, a class B network (roughly 65,000 IP addresses) has a street value of $1 million.

A solution that emerged from this shortage was a crude hack called “network address translation” (NAT). Many hosts hide on a private network, using any network address space they wish. To communicate with the real Internet, they forward their packets through a device that runs NAT, which translates the packet and sends it to the Internet using its own address as the return address. Returning packets are translated to the internal address space and forwarded to the internal host. A home network full of game-playing children probably looks like one busy host from the Internet.

Instead of the end-to-end model, in this model many hosts route their packets through a single host, sharing that host’s network address. Only one, or one small set of network addresses is used, conserving official Internet address space.

This model has had a useful implication for security. Hosts on the home network cannot be easily scanned and exploited from the outside. Indeed, it takes some work to detect NAT at all (Bellovin, 2002). Internal hosts enjoy considerable protection in this arrangement, and it is likely that some form of NAT will be used often, even when (if?) IP version 6 (a new protocol description with support for a much larger address space) is deployed. A special configuration is required on the NAT device to provide services to the Internet. The default configuration generally offers no services for this community of hosts, and safe defaults are a good design.

Emerging Threats to the Internet
Although one can connect safely to the Internet without a topological defense, like skinny dipping, this involves an element of danger. Host security has to be robust, and the exposed machines have to be monitored carefully. This is exactly the situation faced by web servers. A server like www.budweiser.com must have end-to-end connectivity so customers can reach it. Often commercial web services have to connect to sensitive corporate networks (think of FedEx and its shipping database or a server for online banking.) These web sites must be engineered with great care to balance connectivity and security.

The Internet is a collaboration of thousands of Internet service providers (ISPs) using the TCP/IP protocols. There is somewhat of a hierarchy to the interconnections; major backbone providers interconnect at important network access points and feed smaller, more local ISPs.

The graphical and dynamic properties of the Internet are popular research topics. Some recent studies have suggested that the Internet is a scale-free network, which would have important implications for sensitivity to partitioning. But this conclusion overlooks two issues. First, the raw mapping data used to build graphical descriptions are necessarily limited. Internet mapping is not perfect, although it is getting better (Spring et al., 2002). Second, the most critical interconnections were not formed by random processes or by accident, as perhaps are other “six degrees of separation” networks. Internet interconnections, especially backbone connections, have been carefully engineered by their owners over the years and have had to respond to attacks and a variety of misadventures, occasionally backhoes. These experiences have helped harden critical points in the network. (Network administrators do not like wake-up calls at 3 a.m., and unreliability is a bad component of a business model.)

But there are weaknesses, or at least obvious points of attack, in the core of the Internet. These include routing announcements, the domain name system (DNS), denial-of-service (DOS) attacks, and host weaknesses in the routers themselves.

Routing Announcements
A typical Internet packet goes through an average of 17 routers; the longest paths have more than 30 hops. A router’s job is to direct an incoming packet toward the next hop on its way to its destination. For a router near an edge, this is simple--all packets are directed on a default path to the Internet. But routers on the Internet need a table of all possible Internet destinations and the path to forward packets for each one.

A routing table is built from information exchanged among Internet routers using the border gateway protocol (BGP). When a network connects or disconnects from the Internet, an announcement is sent toward the core routers; dozens of these routing announcements are generated every minute. If a core router accepts an announcement without checking it, it can propagate trouble into the Internet. For example, a router in Georgia once announced a path to MIT’s networks through a local dial-up user. As a result, many parts of the Internet could not reach MIT until the announcement was rescinded. Such problems often occur on a smaller scale, and most ISPs have learned to filter routing announcements. Only MIT should be able to announce MIT’s network announcements.

One can easily imagine an intentional attempt to divert or disrupt the flow of Internet traffic with false announcements or by interfering with BGP in some way. Because ISPs frequently have to deal with inadvertent routing problems, they ought to have the tools and experience to deal with malicious routing attacks, although it may take them a while, perhaps days, to recover.

The Domain Name System
Although the domain name system (DNS) is technically not part of the TCP/IP protocol, it is nearly essential for Internet operation. For example, one could connect to http://207.171.181.16/, but nearly all Internet users prefer http://www.amazon.com. DNS translates from name to number using a database distributed throughout the Internet. The translation starts at the root DNS servers, which know where to find .go, .eddo, .czar, etc. Servers’ databases contain long lists of subdomains--there are tens of millions in the .com database--that point to the name servers for individual domains. For example, DNS tells us that one of the servers that knows about the hosts in amazon.com is at IP address 207.171.167.7.

DNS can be and has been attacked. Attackers can try to inject false responses to DNS queries (imagine your online banking session going to the wrong computer). Official databases can be changed with phony requests, which often are not checked very carefully. Some domains are designed to catch typographical errors, like www.amazon.com.

In October 2002, the root name servers came under massive denial-of-service (DOS) attacks (see below). Nine of the 13 servers went out of service-the more paranoid and robust servers kept working because they had additional redundancy (a server can be implemented on multiple hosts in multiple locations, which can make it very hard to take down). Because vital root DNS information is cached for a period of time, it takes a long attack before people notice problems.

Denial-of-Service Attacks
Any public service can be abused by the public. These days, attackers can marshal thousands of hacked computers, creating “botnets” or “zombienets.” They can subvert large collections of weak edge hosts and run their own software on these machines. In this way, they can create a large community of machines to direct packets at a target, thus flooding target computers, or even their network pipes, to degrade normal traffic and make it useless. These packets can have “spoofed” return addresses that conceal their origins, making trace-back more difficult. DOS attacks occur quite often, frequently to politically unpopular targets; Amazon, Microsoft, and the White House are also popular targets. Some PC viruses spread and then launch DOS attacks.

The Internet infrastructure does not provide a means for trace-back or suppression of DOS attacks, although several techniques have been proposed. Targeted hosts can step out of the way of attacks by changing their network addresses. Added host and network capacity at the target is the ultimate protection.

Routers as Edge Hosts
Security problems for routers are similar to those for hosts at the edge of the network. Although routers’ operating systems tend to be less well known and not as well understood as those of edge hosts, they have similar weaknesses. Cisco Systems produces most of the Internet routers, and common failures in their software can subject those routers to attack. (Of course, other brands also have weaknesses, but there are fewer of these routers.)

Attacks on routers are known, and underground groups have offered lists of hacked routers for sale. The holes in routers are harder to exploit, but we will probably see more problems with hacked routers.

Botnets
Attackers are looking for ways to amplify their packets. The Smurf attacks in early 1998 were the first well known attacks that used packet amplification (CERT? Coordination Center, 1998). The attackers located communities of edge computers that would all respond to a single “directed-broadcast” packet. These “tickling” packets had spoofed return addresses of the intended target. When community members all responded to the same tickling packet, the target was flooded with hundreds or even thousands of packets.

Most amplification networks now block directed-broadcast packets. At this writing, netscan.org has a list of some 10,000 broken networks with an average amplification of three, barely enough for a meaningful attack. So the hacking community began collecting long lists of compromised hosts and installed slave software on each one. These collections have many names--botnets and zombienets, for example. A single anonymous host can instruct these collections to attack a particular site. Even though the target knows the location of these bot hosts (unless they send packets with spoofed return addresses), there are too many to shut down.

Worse, the master can download new software to the bots. They can “sniff” local networks, spread viruses or junk e-mail, or create havoc in other ways. The master may use public key encryption and address spoofing to retain control over the botnet software and hide the source of the master.

The latest development is the use of botnets to hide the identity of web servers. One can put up an illegal web server, and traffic to the server can be laundered through random corrupted hosts on the Internet, making the actual location of the server quite difficult to find.

Conclusion
Most hypothesized Internet security problems on the Internet have eventually appeared in practice. A recent one, as of this writing, was a virus that patches security problems as its only intended action--in other words, a “good” virus. (Of course, it had bugs, as most viruses do.) I first heard proposals for this approach some 15 years ago. Although well intentioned, it is a bad idea.

The good news is that nearly all Internet attacks, real or envisioned, involve flawed software. Individual flaws can be repaired fairly quickly, and it is probably not possible to take the Internet down for more than a week or so through software attacks. Attacks can be expensive and inconvenient, but they are not generally dangerous. In fact, the threats of cyberterrorism devalue the meaning of “terror.”

There’s more good news. The Internet continues to be a research project, and many experts continue to work on it. When a dangerous, new, and interesting problem comes along, many experts drop what they are doing and attempt to fix it. This happened with the Morris worm in 1988 and the SYN packet DOS attacks in 1996, for which there was no known remediation at the time. Major attacks like the Melissa virus were quelled within a week.

The success of the Internet has fostered huge economic growth. Businesses have learned to control the risks and make successful business models, even in the face of unreliable software and network connections. Insurance companies are beginning to write hacking insurance, although they are still pondering the possible impact of a widespread, Hurricane Andrew-like Internet failure. I think we have the tools and the experience to keep the Internet safe enough to get our work done, most of the time.

References
Bellovin, S.M. 2002. A Technique for Counting NATted Hosts. Pp. 267-272 in Proceedings of the Second Internet Measurement Workshop, November 6-8, 2002, Marseilles, France.

CERT? Coordination Center. 1998. CERT? Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks.

Saltzer, J.H., D.P. Reed, and D.D. Clark. 1984. End-to-end arguments in system design. ACS Transactions on Computer Systems 2(4): 277-288.

Spring, N., R. Mahajan, and D. Wetherall. Measuring ISP Technologies with Rocketfuel. 2002. Presented at ACM-SIGCOMM ‘02, August 19-22, 2002, Pittsburgh, Pennsylvania.

Wagner, D. In press. Software Insecurity. In Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2003 NAE Symposium on Frontiers of Engineering. Washington, D.C.: National Academies Press.

About the Author:William R. Cheswick is chief scientist at Lumeta Corporation in Somerset, New Jersey.