People Who Could Really Break the Internet
March 6, 2015 1:50 PM

Personally I would probably go after MAE-West in San Jose, partly because almost all the traffic to and from Silicon Valley goes through there but mostly because it has a cool name.

Hacker credentials verified. Paying attention now.
posted by Tell Me No Lies at 2:28 PM on March 6, 2015 [11 favorites]


It's safe* to assume that Putin has been thoroughly briefed on this by now, yes?

*by a certain definition of "safe"
posted by argonauta at 2:43 PM on March 6, 2015


Huh, I'm kind of disappointed there's no mention of screwing around with routing protocols or that none of the national intelligence agencies (lol NSA) fall under "without having to go through large corporate QA".
posted by indubitable at 2:49 PM on March 6, 2015


What? No mention of the NSA? Or a casual alliance of ISPs who can turn around and blame the FCC and Net Neutrality? Maybe the author just knew whose cages could safely be rattled without the Giant Monty Python Foot coming down to squish them.
posted by oneswellfoop at 2:50 PM on March 6, 2015


I'm kind of disappointed there's no mention of screwing around with routing protocols

It's been a very long time since there has been a successful attack on routing protocols. The best you can do is start an ISP and inject bogus routes, and even that has gotten harder.
posted by Tell Me No Lies at 2:53 PM on March 6, 2015


Ah, now that I reread the article he's mostly concerned with DDoS attacks.
posted by Tell Me No Lies at 2:55 PM on March 6, 2015


I dunno, "somebody" was quite successful at removing Syria from the internet not too long ago, and I seem to recall (but can't find a link right now) a separate incident where the NSA hacked a router and then inadvertently crashed it while attempting to do something nefarious.
posted by indubitable at 2:58 PM on March 6, 2015


Apparently someone (possibly the someone in charge of the Great Firewall of China) has been using DNS poisoning to fuck websites (read the follow-up too). If the full force of China's Internet users were directed against MAE West or whatever, that would probably suffice.
posted by adamrice at 3:14 PM on March 6, 2015 [2 favorites]


Ah, now that I reread the article he's mostly concerned with DDoS attacks.

Which is a fine vector to analyze. I'd be more concerned with the people who have access to all the DNS roots.
posted by GuyZero at 3:58 PM on March 6, 2015


Hi, I'm the author of that blog post - thanks for the comments. To respond to a couple:

Yes, there could be attacks on the Internet that rely on screwing up routing. This happened accidentally in 1997 - google AS7007 for details. However, things have been improved quite a bit since then, but it might be within the capability of a sufficiently well funded nation state actor or evil genius. The root DNS servers are also very well protected. Again, they might be possible to attack, but only with nation state level resources (I hope!)

I do post fairly often about the damage that the NSA and GCHQ are doing to the Internet in terms of undermining encryption etc. No Monty Python foot so far, though sometimes I have to tone the wording down, or make points by quoting other people. I can't be as direct on a corporate blog as I might be in person.

I'm pretty sure the NSA could turn the Internet off any time they wanted to, and also disconnect the USA from the rest of the Internet. Those are basic precautions in the event of all out cyber warfare. The US Internet could do without the rest of the world a lot better than the rest of the world could do without the US Internet. I would probably do it by physical means, just a small remote controlled explosive charge on every cable out of the US.

That brings up another point I did not talk about, which is physical attacks. You could probably do a lot of damage to the Internet with a backhoe and a flatbed truck to move it from one backbone cable to the next, and if you really want to bring MAE-WEST down, Hurricane Electric's colocation center is in the same building. You could smuggle in a lot of high explosive in a rack of empty 4u server boxes.

And yes, of course Putin knows all about this. He has people working for him at least as smart as we are.
posted by misterajc at 4:35 PM on March 6, 2015 [40 favorites]


Welcome to MeFi misterajc. Great comment.
posted by spitbull at 4:39 PM on March 6, 2015 [1 favorite]


Welcome misterajc.

Do the CDNs, ISPs, and other organizations discuss these scenarios among themselves? Or do they simply rely on conventions like DefCon and people like Matthew Prince before it becomes something they think about?
posted by herda05 at 5:07 PM on March 6, 2015 [1 favorite]


will nobody rid me of this troublesome internet
posted by effugas at 5:18 PM on March 6, 2015 [4 favorites]


> If the full force of China's Internet users were directed against MAE West or whatever, that would probably suffice.

The full force of China's internet users would be channeled through China's own regulated gateways in order to target offshore sites. I kind of have my doubts about that scenario, even after handwaving the idea of coordinating the population of China to manually DDOS arbitrary IP addresses.
posted by ardgedee at 5:24 PM on March 6, 2015


The full force of China's internet users would be channeled through China's own regulated gateways in order to target offshore sites. I kind of have my doubts about that scenario, even after handwaving the idea of coordinating the population of China to manually DDOS arbitrary IP addresses.

You don't have to coordinate anything. All you have to do (which has been happening over the last few weeks) is have your DNS servers say that every domain on the internet resolves to the same IP.

A buddy of mine is on the list of addresses the Chinese DNS poisoners are rotating through. For about an hour a day he was getting most (if not all) of the Chinese traffic trying to get to http://www.facebook.com. After a couple days, he had his ISP block the Chinese subnets. Now all is well, except his business is inaccessible from China, but that's a small price to pay for not being blasted one hour out of every 24.
posted by sideshow at 5:30 PM on March 6, 2015 [1 favorite]


That's pretty horrible, but that's also a consequence of scale. The average independent business site is relatively easy to take offline because it's a single endpoint somewhere.

The MAEs already handle Facebook's traffic (as well as Netflix's, Amazon's, Google's, etc., simultaneously). DDOSing one of them requires a lot more volume.
posted by ardgedee at 5:59 PM on March 6, 2015


Yeah, that's what I mean, it wasn't that horrible. It was inconvenient for a couple days, and after a 5 minute config change at the ISP it was unnoticeable.

If all of China was put through one of the big pipes (like MAE-West) I'm sure someone on the monitoring side would notice. I just don't think it'd be the Armageddon that some think it would be.

A farmer with a backhoe would do a lot more damage to our daily internet lives.
posted by sideshow at 6:09 PM on March 6, 2015


After a couple days, he had his ISP block the Chinese subnets.

Oh hey thanks for reminding me about that. I recently migrated my website to a new platform, but I forgot to add the Chinese netblocks to my .htaccess deny list. I get thousands of spams a month if I don't block them. While we have some security mavens here, I thought I'd ask if anyone knows who has the definitive block list. I also saw a "compromised server" blocklist, but I hesitate to block lots of individual IP addresses even within the US, even though I know I'm getting tons of spam from them. Any recommendations here?
posted by charlie don't surf at 6:09 PM on March 6, 2015
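As an added illustration of the netblock-deny-list approach discussed in the two comments above (this is example code written for this page, not anything posted in the thread, and the CIDR ranges in it are RFC 5737 / RFC 3849 documentation ranges standing in for a real list, not a real country allocation): parse a list of CIDR blocks, collapse adjacent and overlapping ones so the list stays minimal, check whether a client address falls inside it, and emit the result in either Apache 2.4 (`Require not ip`) or Apache 2.2 (`Deny from`) syntax for an `.htaccess` file.

```python
"""Added example for this page: maintain a CIDR deny list and render it as an
Apache .htaccess fragment. The sample blocks below are constructed
documentation ranges, not a real netblock list for any country."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input (RFC 5737 / RFC 3849 ranges), one block per line,
# in the shape a downloaded netblock list usually takes.
SAMPLE_BLOCKS = [
    "# sample deny list, constructed for illustration",
    "192.0.2.0/25",
    "192.0.2.128/25",   # adjacent to the line above: collapses to 192.0.2.0/24
    "198.51.100.0/24",
    "203.0.113.64/26",
    "2001:db8::/32",
    "",
]


def parse_blocks(lines: Iterable[str]) -> List[Network]:
    """Parse CIDR strings, ignoring blanks and '#' comments, and collapse
    overlapping/adjacent networks. IPv4 and IPv6 are collapsed separately
    because ipaddress.collapse_addresses refuses mixed versions."""
    nets: List[Network] = []
    for raw in lines:
        s = raw.split("#", 1)[0].strip()
        if not s:
            continue
        # strict=False tolerates host bits set in a sloppy list entry
        nets.append(ipaddress.ip_network(s, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(addr: str, blocks: List[Network]) -> bool:
    """True if the client address falls inside any deny-listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in blocks if n.version == ip.version)


def render_htaccess(blocks: List[Network], apache24: bool = True) -> str:
    """Render the deny list in Apache syntax.

    Apache 2.4 (mod_authz_core): a RequireAll that grants everyone and then
    subtracts each block. Apache 2.2 (mod_access): Order/Allow/Deny lines.
    """
    if apache24:
        body = "\n".join(f"  Require not ip {n}" for n in blocks)
        return f"<RequireAll>\n  Require all granted\n{body}\n</RequireAll>\n"
    body = "\n".join(f"Deny from {n}" for n in blocks)
    return f"Order Allow,Deny\nAllow from all\n{body}\n"


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_BLOCKS)
    print(render_htaccess(blocks))
    print("192.0.2.200 blocked:", is_blocked("192.0.2.200", blocks))
```

The collapse step matters in practice: published netblock lists often contain thousands of adjacent /24s that merge into a few hundred larger prefixes, and Apache evaluates every `Require`/`Deny` line on every request, so a shorter list is cheaper as well as easier to audit.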


With regards to the NSA's kill switch, it seems to me that would be more likely that they would simply commandeer physical control of the systems at the landing point/peering points of intercontinental links than physically blow up undersea cables (at least, for most contingencies).

And regarding physical attacks or a national defense scenario, One Wilshire might be as/more important than MAE-WEST. At least as concerns pacific rim links.
posted by snuffleupagus at 6:10 PM on March 6, 2015


Between the CDNs and the local peering relationships with all sorts of secondary tier providers I'm not sure that MAE-west would even be that great of a target. Yeah it would hamper the commercial internet a great deal and the smaller Silicon Valley companies would suffer but the really big boys have tons of redundant peers even if the average consumer can't really rely on them.
posted by vuron at 6:31 PM on March 6, 2015


Me. And I want...One. Million. Dollars!
posted by sexyrobot at 6:34 PM on March 6, 2015 [2 favorites]


effugas: "will nobody rid me of this troublesome internet"

Frankly, the reason no state actors have gone after the internet itself is its value. It's a lot harder to pursue cyberwarfare or loot bank accounts if the internet itself is offline. It's also a lot harder to perform espionage if there's no traffic to intercept in the first place.
posted by pwnguin at 8:51 PM on March 6, 2015


effugas: I was actually surprised your name wasn't there.

You know, if you can save the internet, you can break it.

:)
posted by el io at 11:36 PM on March 6, 2015


charlie don't surf: Spamhaus has the best IP address blacklist for preventing spam. It won't block all spam, but used in conjunction with Cloudmark Desktop One (a free product from my employer, subsidized by our corporate sales) on individual workstations it will do a pretty good job.

effugas: I know that in the messaging security world we are certainly discussing various threats in private. I'm guessing that this is true for the Internet infrastructure providers as well. The Messaging, Mobile, and Malware Anti-Abuse Working Group (MAAWG or M3AAWG) has private conferences, where attendees must be employees of approved enterprises, and proceedings are confidential. This has spawned a number of working groups to deal with particular issues, which operate by email and conference call, at various TLP levels.

That being said, security defense is usually reactive rather than proactive these days. A lot of potential threats get ignored until they start becoming a major problem. For about two years now I have been trying to get hosting companies to be more proactive about compromised web servers on their networks, but they seem to think it is somebody else's problem. Security on web servers is pathetic. One day someone is going to put together a really successful web server worm and we will be in serious trouble.
posted by misterajc at 6:57 AM on March 7, 2015 [2 favorites]


Thanks misterajc, but I probably should have specified, my problem is with blog comment spam. I get thousands of comments a week that are just loaded with hundreds of URLs for counterfeit viagra and Nike crap. Most of this gets filtered by the Akismet plugin, which I believe uses the Spamhaus blocklist. But these spammers are wasting resources on my server and I just want them blocked at the front door, rather than flushed down the toilet.

I don't know what they're trying to achieve because whoever is paying them to do this, surely must know that Wordpress blocks any comment with more than 2 URLs in the text. And even if they get one through, it has nofollow set so it gets them no referrals via Google or anything else. There are thousands of people in China sitting at little desks, manually copying and pasting spam messages into blogs all over the world, and they will get absolutely no return for it.

What is really going to break the internet is when someone discovers a bug in a widely deployed software package like Wordpress, and does some huge DDoS with that. There were a couple of close calls around this already.
posted by charlie don't surf at 10:12 AM on March 7, 2015


Ah, blog spam. It's not coming from real people, but from bots, often from a malware botnet to make it harder to block by IP address. There's a lot of old WordPress blogs out there that are not blocking these posts or inserting nofollow tags, and it does have some impact on SEO or people would stop doing it.

There are a lot of vulnerabilities out there in content management systems - we see mass exploitation in Joomla and Drupal as well as WordPress. Often the bug may not be in the core code, but in some popular plug-in. There's even been cases of vulnerabilities being deliberately inserted into popular open source WordPress plugins. Generally web server software is not updated nearly as regularly as workstation software. As a security guy, it's frustrating to see tens of thousands of web servers compromised by spammers because of a dumb SQL insertion bug where the patch was published five years ago.
posted by misterajc at 11:58 AM on March 7, 2015


On the bright side, nobody would miss Google+

Heh.
posted by flabdablet at 12:01 PM on March 7, 2015 [3 favorites]


As a security guy, it's frustrating to see tens of thousands of web servers compromised by spammers because of a dumb SQL insertion bug where the patch was published five years ago.
The Bell Curve: Can't live with it, can't live without it.
posted by Emor at 3:05 PM on March 7, 2015


Blog spam is kind of interesting... a few years ago one of the spammers accidentally began dumping pure gibberish rather than the usual broken English filler, immense chunks of:
I {{like|love|am fascinated by}} your {{post|article|blog}} and would {{like to know more|want to keep reading}} about it...
Obviously these were the raw text templates which allowed the spammer to permute a zillion variations of structured, readable text which was obviously spam to any human but very difficult to block heuristically. It didn't take long for Akismet and similar filters to notice the fuckup, and for a little while that particular spamming vector was pretty ineffective.

> What is really going to break the internet is when someone discovers a bug in a widely deployed software package like Wordpress, and does some huge DDoS with that.

WP is pretty tight these days; like misterajc says it's usually the plugins at fault for mass exploits (I wouldn't trust anything that requires you to pay to enable features, or disable adware or linkbacks to the developer). But there's also plenty of blame to be lavished on people with weak passwords on their admin-level WordPress accounts. A compromised admin-level account allows an attacker to remotely modify template files through the WordPress admin tools, and thereby inject any PHP or Javascript they feel like. Usually spam zombies.
posted by ardgedee at 4:46 PM on March 7, 2015


Ardgedee: yeah, that gibberish is called spintax, and it seems to be posted without proper substitution every now and then. When I see it, I consider how to filter out specific examples, but it seems to be a Hard Problem.
posted by Pronoiac at 11:47 PM on March 7, 2015
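To make the spintax mechanism from ardgedee's and Pronoiac's comments concrete, here is an added example (written for this page, not code from anyone in the thread): a small expander that renders every variant of a `{a|b|c}` template, handling nested groups and the doubled braces seen in the leaked sample, plus the cheap filter-side check that catches the failure mode they describe, a comment that still contains the raw template instead of a rendering of it. The sample templates are constructed for the example.

```python
"""Added example for this page: expand spintax templates and detect
unexpanded ones. Sample inputs are constructed, modelled on the leaked
template quoted in the thread."""
import re
from typing import List

# Innermost {...} group: no braces inside, so nested and doubled braces are
# consumed from the inside out.
GROUP = re.compile(r"\{([^{}]*)\}")


def expand_all(text: str, limit: int = 1000) -> List[str]:
    """Return every rendering of a spintax template.

    Groups are resolved innermost-first, left to right. `limit` caps the
    number of variants so a hostile template with many groups (each group
    multiplies the count) cannot exhaust memory.
    """
    m = GROUP.search(text)
    if not m:
        return [text]
    out: List[str] = []
    for option in m.group(1).split("|"):
        candidate = text[:m.start()] + option + text[m.end():]
        for variant in expand_all(candidate, limit):
            out.append(variant)
            if len(out) >= limit:
                return out
    return out


def variant_count(text: str) -> int:
    """Number of distinct renderings without materialising them: useful
    for gauging how much a filter can hope to learn from one template."""
    return len(set(expand_all(text, limit=10**6)))


def has_raw_spintax(text: str) -> bool:
    """True if the text still contains an unexpanded {a|b} group, i.e. the
    spammer (or their broken tool) posted the template itself."""
    return any("|" in group for group in GROUP.findall(text))


# Constructed sample modelled on the template quoted in the thread.
LEAKED = ("I {{like|love|am fascinated by}} your {{post|article|blog}} and "
          "would {{like to know more|want to keep reading}} about it...")

if __name__ == "__main__":
    print(has_raw_spintax(LEAKED), variant_count(LEAKED))
    for line in expand_all(LEAKED)[:3]:
        print(line)
```

The `has_raw_spintax` check only catches the botched case; once the template is rendered properly, every posted comment is a plausible English sentence that differs from its siblings, which is exactly why the rendered output is hard to block with text heuristics and why filters like Akismet lean on reputation and submission patterns rather than wording.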

