Security of the Internet Infrastructure- A Literature Review
The security of the Internet infrastructure has become a major concern for security experts in both private industry and government. A primary source of this concern is that a security breach of the Internet infrastructure could have a major impact on the critical infrastructure of the United States and other countries, because the Internet is relied upon as the communication means used to control that critical infrastructure. Friedlander, Mankin, Maughan and Crocker (2007, p. 45) noted that
“A 2004 survey of technology leaders by the Pew Internet & American Life Project found that respondents found these experts seriously concerned about the infrastructure: 66% of them agreed with the statement “At least one devastating attack will occur in the next 10 years on the networked information infrastructure of the country’s power grid”.”
Similar concerns have been raised regarding conventional power plants, nuclear power plants, water systems, the air traffic control system and many other elements of the critical infrastructure that are intertwined with the Internet. In many cases a failure of the Internet could cause other critical infrastructure elements to fail.
The purpose of this literature review is to evaluate the previous research and identify continuing and new areas where additional research is needed. I will begin by providing a literature comparison matrix of the literature used for this review and will then review the literature in a discussion format covering the vulnerability of the Internet infrastructure, defenses against attacks on it and finally what is being done to prevent a failure of the infrastructure.
The Vulnerability of the Internet Infrastructure
A limitation of this review of the literature on the vulnerability of the Internet infrastructure is that only unclassified literature is reviewed. There is undoubtedly additional research being done under classified conditions by the Department of Homeland Security and other government agencies. Even with that limitation, the literature that can be reviewed is the same literature readily available to individuals or organizations that may want to attack the Internet infrastructure. A second limitation is that in the United States the Internet infrastructure is owned by a variety of commercial entities rather than the government. This places major limits on the information actually available, since most of it is considered proprietary by the companies that own the infrastructure. This limitation is evident in many of the articles that follow.
Peng, Leckie and Ramamohanarao provide an introduction to the seriousness of the topic when they state “the result of an infrastructure attack is potentially catastrophic as the whole internet may be affected …. An infrastructure attack can tie up both the network and the host resources of a DNS root server, disrupting all Internet services …… given the scale of the potential impact of an infrastructure attack, global cooperation is essential for an effective defense” (2007, pp. 15-16). Peng, Leckie and Ramamohanarao (2007) go on to discuss an attack on the Internet infrastructure that is not well known to the public. In October 2002 all 13 root DNS servers were targeted by a well coordinated distributed denial of service attack. The attack lasted a little over one hour and ended because the attackers stopped it, not because of any action by the infrastructure providers. During that hour all 13 root servers were affected and response times from several of them degraded noticeably, although all 13 continued to answer the queries that reached them. The attack clearly demonstrates the potential for a well coordinated attack on the Internet infrastructure. Had the attackers not stopped on their own, the final effect is still not known. There is clearly the potential for future attacks on the Internet infrastructure.
In order to determine the vulnerability of the Internet infrastructure we would first need to understand the exact nature and construction of the infrastructure. Gorman, Schintler, Kulkarni and Stough quickly identified a problem with that requirement in their 2004 study when they noted “All of these components have a physical location, but since the US information infrastructure is privately owned and proprietary, these locations are most often undisclosed” (pp. 48-49). The authors further state “Without an aggregated network to map there is no process by which to determine if the network is susceptible to a targeted attack” (p. 49). The lack of any clear picture of the exact infrastructure is both a negative and a positive: while it greatly complicates the task of securing the infrastructure, it also complicates the plans of any would-be attacker. Even so, Gorman, Schintler, Kulkarni and Stough point out that “The average performance of the Internet would be cut in half if just 1% of the most highly connected routers were incapacitated, and loses its integrity with 4% of the most highly connected routers destroyed” (2004, p. 49). The real questions then become where the top 4% of the most highly connected routers are located, whether they are subject to attack, and what backup and recovery systems exist.
Gorman et al. direct their research towards validating the nodal hierarchy of networks and the effects of eliminating one or more primary nodes. While the research validated previous findings on the ability to incapacitate the Internet, Gorman et al. also noted that “overall the network is more resilient than has been outlined by previous studies carried out at the router and AS level. The network did not become Balkanised into large subgraphs until sixteen nodes (10.9%) were removed – a much higher number than the 4% indicated by previous studies” (2004, p. 61). The primary concern of Gorman et al. remained the ownership structure of the infrastructure and its incentives (2004, p. 61):
“Multiple providers supply the infrastructure, often interconnecting with each other and always in tight competition, creating unique interdependencies. One network’s security is only as good as the other networks it interconnects with. Thus there is not a direct economic incentive to secure a network if it can be compromised by the competition”
Their concerns seem well placed. No agency currently has oversight of the Internet infrastructure in the United States or at the global level. Instead, multiple organizations in a free market, in direct competition with each other, hold the responsibility for ensuring the reliability of an infrastructure whose interruption could cause great economic harm.
Grubesic and Murray provided additional research on the effect the loss of critical nodes has on the Internet infrastructure, but with a slightly different motivation. Grubesic and Murray were more concerned with “the fundamental premise of cascading failure in critical infrastructure systems – events triggering a collapse produce a series of secondary failures in interdependent infrastructures” (2006, p. 64). Grubesic and Murray evaluated the structure of the Internet and its reliance on vital nodes. Much like Gorman et al., Grubesic and Murray validated the potential for a catastrophic failure of the Internet if vital nodes are eliminated. Grubesic and Murray then went one step further and tested the cascading effects such a failure could have on the rest of the system.
A primary concern is the hub-and-spoke structure used to build the Internet infrastructure, with the hub being the vital node and the spokes being its connections to other nodes. Grubesic and Murray determined that the failure of one hub causes the network to redirect traffic to alternative pathways, which then become overloaded and fail in turn, producing the cascading effect they were concerned with. Interestingly, Grubesic and Murray are also concerned with the ownership structure of the Internet infrastructure and the problems it causes. Grubesic and Murray note that “hub-and-spoke networks have distinct economic advantages. They are less expensive to construct” and that “unfortunately, the economic advantages of these geographically linked hub-and-spoke networks also leave them relatively unprotected against cascading failure, both within and outside the system” (2006, pp. 76-77). It should be noted that in the 2002 attack on the Internet infrastructure there was no indication of any cascading effect between the root DNS servers. However, that attack lasted only slightly over one hour, was conducted with limited attack capacity and was called off by the attackers. Had the attack continued at a higher rate and had a root DNS server actually failed, it is unknown whether a cascading effect between the root servers would have followed.
All the authors agree that the Internet infrastructure is vulnerable to some extent to a coordinated attack on vital nodes. There is disparity in the percentage of vital nodes that would need to be disabled to cause a catastrophic failure, with estimates ranging from a single vital node to 11% of the vital nodes. Catastrophic failure from the loss of a single vital node is contingent upon that node triggering a cascading failure that extends to other nodes. The authors also agree that, to some extent, the vulnerability of the Internet infrastructure rests with the economic decisions made by the privately held companies that control it. It is also worth noting that the failure of a vital node can be the result of either a cyber attack or a physical attack on the fiber that connects the node to other nodes. All the authors note the tendency of security experts to concentrate resources on potential cyber attacks while paying minimal attention to the potential for physical attacks against facilities.
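As an added illustration (not code from the original review or from any of the studies it cites), the Python below models the two effects discussed in this section on a constructed topology: the Balkanisation of a hub-and-spoke network when its most-connected nodes are removed, as Gorman et al. measured, and the overload cascade that follows a hub failure when traffic is re-homed onto neighbours with too little spare capacity, as Grubesic and Murray describe. The topology (fully meshed hubs, single-homed spokes), the ring-based re-homing rule, the load model and the tolerance values are all assumptions chosen for illustration, not measurements of the real Internet.

```python
"""Toy hub-and-spoke vulnerability model (added example, constructed topology)."""
from collections import deque
from typing import Dict, List, Set, Tuple

Graph = Dict[str, Set[str]]


def build_hub_and_spoke(num_hubs: int, spokes_per_hub: int) -> Graph:
    """Constructed topology: hubs fully meshed, every spoke single-homed to one hub."""
    hubs = [f"H{i}" for i in range(num_hubs)]
    g: Graph = {}
    for h in hubs:
        g[h] = {other for other in hubs if other != h}
        for s in range(spokes_per_hub):
            leaf = f"{h}-s{s}"
            g[leaf] = {h}
            g[h].add(leaf)
    return g


def component_sizes(g: Graph) -> List[int]:
    """Sizes of the connected components (BFS), largest first."""
    seen: Set[str] = set()
    sizes: List[int] = []
    for start in g:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nbr in g[node]:
                if nbr not in seen:
                    seen.add(nbr)
                    queue.append(nbr)
        sizes.append(size)
    return sorted(sizes, reverse=True)


def remove_top_degree(g: Graph, k: int) -> Graph:
    """Targeted attack: delete the k most-connected nodes (ties broken by name)."""
    gone = set(sorted(g, key=lambda n: (-len(g[n]), n))[:k])
    return {n: nbrs - gone for n, nbrs in g.items() if n not in gone}


def simulate_cascade(num_hubs: int, spokes_per_hub: int, tolerance: float,
                     first_failure: int) -> Tuple[List[int], int]:
    """Overload cascade (constructed model): hubs sit on a ring; when a hub fails,
    each spoke it served re-homes to the next live hub clockwise. A hub's capacity
    is its design load times (1 + tolerance); exceeding it fails that hub as well.
    Returns (hubs failed, in order; spokes left with no live hub at all)."""
    capacity = int(spokes_per_hub * (1 + tolerance))
    served = {h: [(h, s) for s in range(spokes_per_hub)] for h in range(num_hubs)}
    alive = set(range(num_hubs))
    failed: List[int] = []
    stranded = 0
    pending = deque([first_failure])
    while pending:
        h = pending.popleft()
        if h not in alive:
            continue
        alive.remove(h)
        failed.append(h)
        for spoke in served.pop(h):
            target = next(((h + i) % num_hubs for i in range(1, num_hubs)
                           if (h + i) % num_hubs in alive), None)
            if target is None:
                stranded += 1          # no alternative pathway left
            else:
                served[target].append(spoke)
        for t in alive:                # any re-homed neighbour now over capacity?
            if len(served[t]) > capacity and t not in pending:
                pending.append(t)
    return failed, stranded


if __name__ == "__main__":
    g = build_hub_and_spoke(3, 4)
    for k in range(4):
        print(k, "hubs removed ->", component_sizes(remove_top_degree(g, k)))
    print("tolerance 0.5:", simulate_cascade(4, 5, 0.5, 0))
    print("tolerance 1.0:", simulate_cascade(4, 5, 1.0, 0))
```

With three meshed hubs and four spokes each, removing a single hub (one node out of fifteen) already strands four spokes, and removing all three leaves twelve isolated nodes. In the cascade model, a spare-capacity tolerance of 0.5 lets one hub failure take down all four hubs and strand every spoke, while a tolerance of 1.0 stops the cascade at the first hub; the difference is exactly the spare capacity on alternative pathways that Grubesic and Murray identify as the deciding factor.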
Types of Attacks and Prevention
There are three primary threats to the Internet infrastructure: (1) physical threats to facilities, (2) some type of denial of service attack that disrupts service on a large scale, and (3) compromise of the infrastructure itself in order to take some form of control over it and penetrate further into the critical infrastructure of utility grids and the like.
First, we must look at the physical facilities that house the critical infrastructure of the Internet. It is not uncommon to forget about the physical security of assets when talking about the Internet. Conversations and security plans typically focus on threats from cyberspace rather than on a physical attack against “hard” assets.
For the Internet to exist there are literally thousands of miles of cabling along with large-scale facilities for receiving and routing all of the traffic. This leaves an almost unlimited number of potential points at which a physical attack could be conducted. The real question, however, is what damage a physical attack would cause. The vast majority of the Internet infrastructure in the United States is owned by telecommunication companies that have long been in the business of providing reliable telephone and related services. These companies are motivated by profit, and profit is derived only from satisfied customers, who demanded reliable telephone service long before computers were invented. To ensure reliable service to their customers, telecommunication companies have long built infrastructures with a high level of redundancy so that service continues even when part of the infrastructure goes down. Evidence of this can be seen every time there is a natural disaster: it is not uncommon for utilities, including telecommunication services, to be up and operating within hours of even the worst natural disasters to have occurred in the United States. More importantly, there has never been a natural disaster that caused such extensive damage to the infrastructure that telecommunications in areas not directly affected by the disaster were disrupted on a large scale. While this is definitely an area for further research, it seems apparent from the history of the telecommunications industry that it is highly unlikely anything less than a coordinated, multi-location physical attack with paramilitary-type action would have any major effect on the physical infrastructure of the Internet.
The second type of attack we are concerned about is a denial of service (DoS) or distributed denial of service (DDoS) attack. Both types of attack are designed to overwhelm servers to the point that they can no longer provide the service for which they were intended. According to Tian, Hu, Li, Liu and Zhang (2006), DoS and DDoS attacks constitute a serious threat to Internet services as a whole and are by far one of the most difficult network security issues there is. Typically a denial of service attack is focused on a specific target such as one company or one web site. The ultimate goal of the attack is simply to cause the server being attacked to “crash” from an overload of requests and thereby go out of service. Denial of service attacks cause economic harm not only in the cost of repairing the network but also in lost business and related costs.
So we come to the question of how denial of service attacks could affect the Internet infrastructure. As discussed in the first section, the Internet infrastructure is built around a system of nodes, many of which are considered critical nodes within the communication structure of the Internet as a whole. The risk is that a large-scale denial of service attack could be launched against one or more critical nodes within the infrastructure, thereby potentially disrupting a large portion of the Internet or the entire Internet. Of even greater concern is the potential that the failure of one critical node may cause a cascading effect on further critical nodes and effectively “collapse” the entire Internet infrastructure. Because of the limits on the information available from the telecommunication companies, it is very difficult to make any reasonable estimate of the time or cost of recovering from the failure of one or more critical nodes.
The good news is that there are many types of defense against denial of service attacks, even if no single defense is foolproof. Peng, Leckie and Ramamohanarao break the defenses down into “four broad categories of defense against DoS attacks: (1) attack prevention, (2) attack detection, (3) attack source identification, and (4) attack reaction” (2007, p. 15). The authors further discuss the need to use all four categories together in order to defend effectively against denial of service attacks, but they also readily admit that there is no failproof defense. In fact, the authors specifically state that attack prevention, attack detection and source identification all serve the purpose of helping to react to an attack properly in order to minimize damage. They do not imply that any of these measures can actually prevent an attack from ever happening. On the contrary, they emphasize that the best one can do is prepare for the attack and react properly when it eventually occurs.
Green, Raz and Zviran (2007) discuss the potential for defending against denial of service attacks through the use of active intrusion detection systems. The premise behind an active detection system is that when the system detects potentially hostile activity on the network it automatically takes action to defend the network. While the authors' work did not verify that active intrusion detection systems would be useful (because of false positives), they did uncover an interesting finding: most attacks appear to occur in the evening hours, not during the day. For a business network this is good news, as companies could protect servers by taking them offline during those hours. For the Internet infrastructure, however, it adds a further complication, since the most likely time for an attack is also the time of the highest volume of legitimate traffic on the Internet.
Hernandez-Herrero and Solworth (2007) discuss the need for a multi-perspective approach to providing protection against denial of service attacks. Hernandez-Herrero and Solworth propose that multiple perspectives be considered, “including (1) a technical perspective that reconciles the network and endpoint needs, (2) an inter-organizational perspective that considers trust and commitments among the participating organizations, (3) a perspective ensuring incentives for the solution participants and (4) a perspective that considers the cost of deployment” (2007, p. 121). This multi-perspective approach could easily be applied to the problem of a denial of service attack on the Internet as a whole. Of specific use would be a strategy that provides incentives for the participants, such as the telecommunication companies. In fact, the multi-perspective approach appears vital to reaching any type of coordinated defense among the various companies that form the Internet infrastructure in the United States. These perspectives become less important for infrastructures controlled by a government or government agency.
The third type of attack we are concerned with is the potential for the Internet infrastructure either to be compromised directly or to be used as a thoroughfare for taking control of other critical infrastructure elements. While the companies that control the Internet infrastructure have an inherent motivation to provide the security needed to keep the Internet online, they have very little motivation to provide any level of in-stream security. The burden of Internet security under the current system is placed squarely on the end user. Once again, because of the limits on the collection of information, it is very difficult to know what capabilities the Internet infrastructure providers actually have for identifying and preventing particular types of threats passing through the Internet. What we do know is that the Internet is a key component of many wide area networks, including many that are used to control other components of the critical infrastructure of the United States and other countries. Even if an attack is not directed at those other critical infrastructure elements, what happens when the wide area network between power grids goes down? The indirect effect of a failure of the Internet is beyond comprehension.
Protection of the Internet Infrastructure against Attack
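As an added illustration (not code from the original review, nor from Peng, Leckie and Ramamohanarao or Green, Raz and Zviran), the Python below applies the detection, source identification and reaction categories described above to a constructed DNS query log. The log format and the traffic are assumptions: ten legitimate resolvers send three queries per second, one source floods the server at second 2, and at second 4 two hundred spoofed sources send one query each. A sliding per-source window catches the first flood and turns it into an illustrative rate-limit rule; only the aggregate window catches the second, which is why source identification alone cannot be relied on when addresses are spoofed. The thresholds are assumptions too, and choosing them is where the false-positive problem raised by Green, Raz and Zviran appears: a threshold low enough to catch a slow flood will also flag a busy but legitimate resolver.

```python
"""Rate-based DoS detection over a constructed DNS query log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime
from typing import Deque, Dict, List


def make_sample_log() -> List[str]:
    """Constructed log lines, format '<iso8601 timestamp> <src_ip> <qname> <qtype>'
    (an assumed format, not that of any real server). Five seconds of traffic."""
    lines: List[str] = []
    for sec in range(5):
        ts = f"2002-10-21T20:00:{sec:02d}+00:00"
        for i in range(1, 11):                       # 10 legitimate resolvers, 3 q/s each
            lines.extend(f"{ts} 203.0.113.{i} example.com A" for _ in range(3))
        if sec == 2:                                 # single-source flood: 120 queries in 1 s
            lines.extend(f"{ts} 198.51.100.7 example.com ANY" for _ in range(120))
        if sec == 4:                                 # spoofed flood: 200 sources, 1 query each
            lines.extend(f"{ts} 192.0.2.{i} example.com ANY" for i in range(1, 201))
    return lines


@dataclass
class Report:
    per_source_alerts: Dict[str, int] = field(default_factory=dict)  # src -> peak queries/window
    aggregate_alerts: List[str] = field(default_factory=list)        # timestamps where total tripped
    rules: List[str] = field(default_factory=list)                   # illustrative reaction rules


def parse_line(line: str):
    ts_str, src, _qname, _qtype = line.split()
    return datetime.fromisoformat(ts_str).timestamp(), ts_str, src


def analyse_log(lines: List[str], window: float = 1.0,
                per_source_threshold: int = 50, aggregate_threshold: int = 100) -> Report:
    """Detection: sliding windows per source and in aggregate.
    Source identification: the per-source window names the offender when it is real.
    Reaction: emit an illustrative rate-limit rule per identified source."""
    report = Report()
    per_src: Dict[str, Deque[float]] = defaultdict(deque)
    total: Deque[float] = deque()
    seen_aggregate = set()
    for line in lines:                               # assumes lines are in time order
        t, ts_str, src = parse_line(line)
        q = per_src[src]
        q.append(t)
        while t - q[0] >= window:                    # drop events outside the window
            q.popleft()
        if len(q) > per_source_threshold and len(q) > report.per_source_alerts.get(src, 0):
            report.per_source_alerts[src] = len(q)
        total.append(t)
        while t - total[0] >= window:
            total.popleft()
        if len(total) > aggregate_threshold and ts_str not in seen_aggregate:
            seen_aggregate.add(ts_str)               # one alert per second, not per packet
            report.aggregate_alerts.append(ts_str)
    for src, peak in sorted(report.per_source_alerts.items()):
        report.rules.append(f"rate-limit {src} to {per_source_threshold} queries/s (peak seen {peak})")
    return report


if __name__ == "__main__":
    r = analyse_log(make_sample_log())
    print("per-source:", r.per_source_alerts)
    print("aggregate:", r.aggregate_alerts)
    print("rules:", r.rules)
```

Run as a script, the example reports one per-source offender (198.51.100.7, peak 120 queries in the window), two aggregate alerts (seconds 2 and 4) and one rate-limit rule. The spoofed flood at second 4 produces no per-source alert at all, which is the practical reason the literature treats source identification as an aid to reaction rather than a defense in itself.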
The protection of the Internet infrastructure is primarily the responsibility of the private corporations that own and control the majority of the assets. These are highly regulated industries, however, over which the government can exert great control if it chooses. In this sense both Barnes (2004) and Lichtman and Posner (2006) evaluate the potential need for government intervention to hold Internet infrastructure providers, and the market as a whole, accountable for the security of the Internet as well as of the infrastructure. Lichtman and Posner specifically argue that “ISPs should to some degree be held accountable when their subscribers originate malicious Internet code, and ISPs should also to some degree be held accountable when their subscribers propagate malicious code by, for example, forwarding a virus over email or adopting lax security precautions that in turn allow a computer to be co-opted by a malevolent user” (2006, p. 222). The problem is that these authors focus on general security issues involving public users and not on the infrastructure itself. While accountability in any area is likely to help advance the security of the infrastructure overall, there seems to be almost no literature addressing the issue at the empirical level. Further weakening this area of theory and research, Lichtman and Posner readily admit that “Our position admittedly runs counter to recent legal trends” (2006, p. 223), yet they continue to argue why this trend should be reversed.
While the above articles appear to leave little hope of government intervention to force accountability for the security of the Internet infrastructure, the private market itself is paying great attention to the issue. Bertine, Faynberg and Lu (2004) discuss and research the efforts of the International Organization for Standardization and the International Electrotechnical Commission, through their Joint Technical Committee, the International Telecommunication Union and the Internet Engineering Task Force to provide global industry standards for the security of the Internet infrastructure. Bertine, Faynberg and Lu specifically address the issues involved in these organizations working together and “the interdependence of the efforts undertaken by these organizations” (2004, p. 226). The efforts of these organizations are seen in more recent literature on new protocols to increase Internet security.
With industry organizations providing the research and input, some advances have been made in defending the Internet infrastructure from cyber attacks. Blyth and Thomas (2006) used current intrusion detection technology to create a system by which real-time assessments could be conducted in order to prevent and immediately disrupt attacks on vital nodes. Unfortunately, like many solutions, its complexity makes it difficult to implement. Blyth and Thomas note that “this method would require that the footprint detection system – or at least, a broadly interoperable and equivalent system – is introduced at several nodes in a global network of interest” (2006, p. 5340). Considering the scale of the Internet, this solution could require deploying the footprint detection system at thousands of nodes to provide effective protection for the Internet infrastructure.
Another potential global solution to the threat appears to be the Domain Name System Security Extensions (DNSSEC), evaluated by Friedlander, Mankin, Maughan and Crocker (2007). However, while DNSSEC has been promoted as a way to help secure the Internet infrastructure, Friedlander et al. admit that “DNSSEC offers no protection against well known denial-of-service attacks and in some instance may even increase the vulnerabilities of DNSSEC aware resolvers to attack” (2007, p. 49). Friedlander et al. further discuss several other weaknesses of the protocol and conclude with the acknowledgement that “DNSSEC is part of a suite of security protocols and measures ranging from those appropriate for individual users on small home office systems up through zone operators of infrastructure systems” (2007, p. 49). With this acknowledgement it appears that there is no single current or near-future solution for securing the Internet infrastructure from cyber attack.
The final area of concern in the defense of the Internet infrastructure is deterring or stopping a physical attack on the facilities where vital nodes are located. There is very limited, and in places virtually no, literature available in this area. It appears that little or no empirical study has been done of the physical security of the Internet infrastructure. While this may seem discouraging, there may be good reason for it. Grubesic and Murray note that “high security data centers have been fixtures in the telecommunications industry for nearly ten years. For example, companies such as Cable and Wireless and Equinix provide massive, carrier-neutral interconnection facilities with significant security infrastructure” (2006, p. 80). This suggests that in order to address physical security properly, a literature review of the physical security of the telecommunications industry would be appropriate.
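As an added illustration (not code from the original review or from Friedlander et al.), the Python below carries out the part of DNSSEC that builds the chain of trust: computing the RFC 4034 key tag of a DNSKEY and the SHA-256 DS digest that a parent zone publishes for it, then checking a received DNSKEY against that DS the way a validating resolver does. The key bytes, flags and owner name are constructed placeholders, not a real zone's key. The example also makes the quoted caveat concrete: every step here authenticates data after it has arrived, so nothing in it stops a flood of queries from reaching the server in the first place.

```python
"""DNSSEC chain-of-trust arithmetic: key tag and DS digest (added example)."""
import hashlib
import struct


def canonical_name(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased (RFC 4034 canonical form)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag. It is only a 16-bit selector that lets a resolver
    pick which DNSKEY an RRSIG or DS refers to; it carries no security on its own."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA.
    The parent zone publishes this so a validator can bind the child's key to the chain."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest()


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> str:
    """Presentation-format DS record the parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def dnskey_matches_ds(owner: str, rdata: bytes, published_tag: int, published_digest: str) -> bool:
    """What a validating resolver does with a DNSKEY it received: recompute the DS
    from the key it was handed and compare with the DS the parent signed. A key
    substituted by a spoofer will not match, however plausible it looks."""
    return key_tag(rdata) == published_tag and ds_digest(owner, rdata) == published_digest.lower()


# Constructed key material for illustration only (not a real zone's key):
# flags 257 = zone key + SEP (a KSK), algorithm 13 = ECDSAP256SHA256, 64-byte key.
EXAMPLE_OWNER = "example."
EXAMPLE_KEY = bytes([0x11]) * 64
EXAMPLE_RDATA = dnskey_rdata(257, 13, EXAMPLE_KEY)

if __name__ == "__main__":
    print(ds_record(EXAMPLE_OWNER, 257, 13, EXAMPLE_KEY))
```

The constructed key yields key tag 9776; flipping a single byte of the key changes both the tag and the digest, so the validator's comparison fails. Note what is absent: the resolver still had to receive and parse the DNSKEY and RRSIG records, which are considerably larger than unsigned answers, before it could reject anything, which is the sense in which Friedlander et al. say DNSSEC does not help against, and may worsen, denial of service.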
Areas for further Research
A review of the literature indicates that there are some serious limitations in the current research that need to be addressed. Specifically, the potential for cascading failure between critical nodes requires additional research, but that research will require cooperation between the multiple providers of the Internet infrastructure. Another area needing additional research is the effect that an Internet failure would have on other components of the critical infrastructure such as power grids.
Summary
There is little doubt that the Internet is part of everyday life in the United States and many other countries. The Internet is used for communications, banking, purchases, news and a huge variety of other things. A substantial portion of business today is done by e-commerce, and customers buy everything from pens and paper to cars via the Internet. With this in mind there is no doubt that a failure of the Internet, even for a very limited time, would have catastrophic effects not only on individuals but on the economy as a whole.
There is also little doubt that computers, networks and the Internet as a whole are subject to a variety of different types of attack. In particular, the Internet infrastructure may be subject to both physical and cyber attacks, with the most probable attack being a distributed denial of service attack intended to cause the Internet to fail.
In the United States, as in many developed countries, the Internet infrastructure is owned by private industry, and this further complicates both research on the issue and the actual process of securing the Internet infrastructure.
Current research indicates that (1) the Internet infrastructure is subject to attack, (2) the Internet infrastructure will be attacked and (3) there is currently no coordinated defense against, or reaction to, attacks. It should be noted, however, that most researchers seem to believe that the current providers of the Internet infrastructure have the system over-provisioned to the point that catastrophic failure is highly unlikely. At the same time they all agree that any major disruption of the Internet, whether for 12 hours or 30 days, would be catastrophic and have a major effect on the country affected, its economy and its other critical infrastructure elements. Substantial additional research needs to be conducted in this field in a timely manner to address the current concerns and problems.
Copyright © 2009 by Randy Bragg