Dohiyi Mir
    In Which NTodd Says His Peace

Friday, July 18, 2003
The Internet is Vulnerable


Cisco has announced a flaw in its IOS software, which runs many of the routers used by ISPs and their customers:

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets with specific protocol fields sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.

The bad parts are all in that paragraph: no authentication is needed, the packets only have to reach the device, and IPv4 processing is on by default, so any unpatched router that is reachable from the Internet is a target. The Internet is critical infrastructure, and its protection is a national security issue, so the Dept. of Homeland Security has gotten involved (really, the National Infrastructure Protection Center). DHS says:

DHS is working closely with the information technology industry to improve vulnerability awareness and information dissemination. DHS received confirmation that this vulnerability was exploited in a laboratory environment. Industry representatives have also verified that an exploit for this vulnerability exists in the wild. The probability of continued exploitation is high.
...
Because routers and switches are an essential part of all network infrastructures, and because Cisco devices comprise a significant portion of those infrastructures, widespread exploitation of vulnerable Cisco devices could disrupt portions of the Internet.

Yeah, Cisco has something like 82% of the router market. So far this does not appear to be a major threat to the Internet's overall health, though portions of it will be affected by random attacks. However, a study published in Nature in 2000 showed that if a small portion of "key" nodes were taken down, the Internet would fragment and largely cease to function as a single network:

[W]e used the latest survey of the Internet topology, giving the network at the inter-domain (autonomous system) level. Indeed, we find that the diameter of the Internet is unaffected by the random removal of as high as 2.5% of the nodes (an order of magnitude larger than the failure rate (0.33%) of the Internet routers), whereas if the same percentage of the most connected nodes are eliminated (attack), d more than triples. Similarly, the large connected cluster persists for high rates of random node removal, but if nodes are removed in the attack mode, the size of the fragments that break off increases rapidly.
...
[D]espite frequent router problems, we rarely experience global network outages or, despite the temporary unavailability of many web pages, our ability to surf and locate information on the web is unaffected. However, the error tolerance comes at the expense of attack survivability: the diameter of these networks increases rapidly and they break into many isolated fragments when the most connected nodes are targeted.

"Diameter" (the paper's d) is a fancy way of saying "how far apart nodes are": the average number of hops on the shortest path between any two nodes in the network. (The same measure in human society is estimated at 6, which is where the "Six Degrees of Separation" idea comes from.) A bigger diameter means traffic has to cross more networks to get anywhere, and when the most connected nodes go, the paper's second finding kicks in as well: the big connected cluster breaks into isolated fragments that can't reach each other at all. Note that the study works at the autonomous-system level, so a "node" is a whole network (an ISP or a large organization), not a single router, and the most connected nodes are the big transit providers. So the Internet is fairly robust when it comes to random crashes, but if someone were to target less than 3% of the best-connected networks, they could bring the Internet to its knees.
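To see why the two removal modes behave so differently, here is a small simulation of the paper's experiment. This is an added example, not code from the post or from the Nature paper: it builds a synthetic scale-free graph by preferential attachment (a stand-in for the real autonomous-system map, which is not on this page), then measures the average shortest-path length ("diameter" in the paper's sense) and the size of the largest connected cluster after removing 2.5% of the nodes at random versus removing the 2.5% most connected nodes. The graph size, attachment parameter and seed are arbitrary choices for the illustration.

```python
import random
from collections import deque


def preferential_attachment_graph(n, m, rng):
    """Build a scale-free graph (Barabasi-Albert style): each new node links to
    m distinct existing nodes chosen with probability proportional to degree.
    Returns an adjacency dict {node: set(neighbours)}."""
    adj = {i: set() for i in range(n)}
    targets = list(range(m))       # the first new node links to the m seed nodes
    endpoints = []                 # every node listed once per edge endpoint
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
        endpoints.extend(targets)
        endpoints.extend([new] * m)
        chosen = set()             # degree-weighted choice of the next targets
        while len(chosen) < m:
            chosen.add(rng.choice(endpoints))
        targets = list(chosen)
    return adj


def largest_component(adj, alive):
    """Largest connected cluster among the surviving nodes (BFS)."""
    best, seen = set(), set()
    for start in alive:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        seen.add(start)
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v in alive and v not in seen:
                    seen.add(v)
                    comp.add(v)
                    queue.append(v)
        if len(comp) > len(best):
            best = comp
    return best


def average_path_length(adj, nodes):
    """The paper's 'diameter' d: mean shortest-path length over all node pairs
    within the given connected set."""
    total = pairs = 0
    for start in nodes:
        dist, queue = {start: 0}, deque([start])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v in nodes and v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        total += sum(dist.values())
        pairs += len(dist) - 1
    return total / pairs if pairs else 0.0


def survivors(adj, fraction, mode, rng):
    """Remove a fraction of the nodes either at random ("failure") or taking the
    most connected ones first ("attack"); return the set of surviving nodes."""
    k = max(1, int(len(adj) * fraction))
    if mode == "failure":
        removed = set(rng.sample(sorted(adj), k))
    elif mode == "attack":
        removed = set(sorted(adj, key=lambda u: len(adj[u]), reverse=True)[:k])
    else:
        raise ValueError(mode)
    return set(adj) - removed


def measure(adj, alive):
    """Diameter of the largest surviving cluster and its share of surviving nodes."""
    comp = largest_component(adj, alive)
    return {"diameter": average_path_length(adj, comp),
            "largest_cluster": len(comp) / len(alive)}


def compare(n=400, m=2, fraction=0.025, seed=7):
    """Intact graph vs. 2.5% random failures vs. 2.5% targeted attack.
    n, m and seed are arbitrary values chosen for this illustration."""
    rng = random.Random(seed)
    adj = preferential_attachment_graph(n, m, rng)
    return (measure(adj, set(adj)),
            measure(adj, survivors(adj, fraction, "failure", rng)),
            measure(adj, survivors(adj, fraction, "attack", rng)))


if __name__ == "__main__":
    for label, r in zip(("intact", "random failure", "targeted attack"), compare()):
        print(f"{label:16s} diameter={r['diameter']:.2f} "
              f"largest cluster={r['largest_cluster']:.3f}")
```

Random failures hit mostly low-degree nodes, so the diameter barely moves and the big cluster stays intact; the attack removes the hubs that every short path runs through, so the diameter jumps and nodes whose only links were to those hubs drop off into fragments. That is the whole argument of the paper in miniature, and it is why patch coverage at the large transit providers matters far more than at the dinky ISPs.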

Presumably our ISPs, particularly the large providers, have applied the latest patches to their Cisco routers (my dinky ISP did so at 3 o'clock this morning). Anyone who can't patch yet should at least apply the workaround Cisco's advisory describes. But as we've seen in the past (e.g., the AT&T Frame Relay outage in '98), bad code combined with human error or malice can do serious damage to networks. With our ever-increasing reliance on the Internet for personal, government and business communication, not to mention commerce itself, this is a growing concern.

ntodd

PS--The Nature article is only available with a paid subscription. I actually sprang for the 18 bucks to get the PDF (it's related to my job, but I couldn't justify charging this to the company), and given that I think it's highway robbery to charge so much for a single electronic file that's 3 years old, I'm more than happy to violate copyright law and provide it to anyone interested. E-mail me if you'd like to see the full study.

[Update, 4:51PM: Code for an exploit of this vulnerability was posted on the Full Disclosure security mailing list.] 