Thursday, February 09, 2012

A Cyber-Apocalypse Scenario


A little taste of an apocalyptic scenario occurred last Friday when a large chunk of the Internet was unreachable for up to an hour. Similar to the plot of a Hollywood horror movie, this was an experiment that went wrong -- on one of the most important protocols of the Internet system.

An experiment designed to “contribute towards the secure and stable operation of the Internet” delivered a surprising result to researchers from Duke University and staff from RIPE NCC, the operations center for Réseaux IP Européens.

Investigations revealed that RIPE’s Routing Information Service (RIS) caused a major service breakdown, which at its peak affected 1.4 percent of the whole Internet, or about 4,500 prefixes.

RIPE, based in Amsterdam, is one of the five Regional Internet Registries (RIRs) that support the operation of the global Internet, an important position that requires constant system vigilance. One of its expected duties is to conduct research that could “further global understanding of specific aspects of Internet routing behavior.” Well, that is exactly what happened, but in a roundabout sort of way. What RIPE and its academic investigators didn’t account for was a serious flaw in the Border Gateway Protocol (BGP).

BGP is not something that the majority of users have to worry about, and even many system administrators are blissfully unaware of its importance to the Internet framework. However, BGP is the routing protocol of Internet service providers and of many large networks. It is essential to routing communication; BGP underpins the entire Internet.

Just one of the effects of this action is described by RIPE: “Noticeable problems were seen for the Slovenian and French TLDs, .si and .fr. In the case of .fr, two DNS servers became almost completely unreachable.”

Although this was an unfortunate accident, all damage limitation systems went into action. The problem was quickly found in Cisco routers, was promptly patched, and all was back up and running within an hour (see the Cisco advisory).

In the aftermath, one anonymous response on a wiki board summed it up best: “Not the whole internet, but a part. And the few buggy routers here and there were mostly Cisco CRS-1's which didn't understand the new attribute and sent a malformed message to all peers, causing them to close the BGP session.”

So not much damage done and pretty good response times?

In a way, yes, thankfully, and it could have been a whole lot worse, although there are one or two reports of possible obscure “knock-on” effects that need further investigation. Another issue altogether is why such a major vulnerability within a core component of BGP had not been detected in the Cisco lab long ago. The public release of the patch still poses a security risk, more evidence of the seriousness of the event -- if more were needed.

However, for me, the most worrying aspect is the exposure of the Internet’s vulnerability, reliant as it is upon some very fragile and buggy components, any one of which could “de-peer” huge chunks of our service provision. Sadly, this is but one of the results of piecemeal development. The Internet is not a robust system; most technicians familiar with the Internet’s infrastructure know just how fragile it is. The overall system has limitations, and a breakdown is almost certain to happen again.

How it may happen again is the open question, and it is the reason it is important to understand the who, where, and when of cybercrime. A real Cyber Apocalypse has been discussed in small circles as a plausible scenario for some time.

With limited suppliers -- such as Cisco Systems Inc. (Nasdaq: CSCO) and Juniper Networks Inc. (NYSE: JNPR), which control a majority of the world’s market for infrastructure routers -- and known vulnerabilities, it is simple to see how a real attack on core vulnerabilities, allied with malware-laced exponential BGP query requests, could collapse the whole house of cards.

By Jart Armin

www.internetevolution.com
