
Russia planting attack servers in server farms???

posted on Aug, 9 2009 @ 09:25 AM
I've recently been working with someone who has contacts with a company in Russia. They've been putting servers in a local server farm. I, as a computer consultant, was highly alarmed by what I saw. These servers have special cards in them which allow anyone with the right information to reload these servers from scratch without being physically present. I wondered why this Russian company needed something like this in the US. What if the Russians are planning to use these machines and others spread throughout the country on the backbones to take down the US internet in some form of attack? This company wanted to put in 10 racks of the 1U custom servers. That is a LOT of servers. Just one of these servers could support most small companies with fewer than 500 employees.



posted on Aug, 9 2009 @ 10:55 AM
Well, honestly, the ability to completely rebuild a server remotely sounds pretty groovy to me. I can understand the ability to use it for nefarious purposes, but honestly, it follows the same analogy as a gun. A gun is not a lethal weapon unless it is used as a lethal weapon.

What *would* disturb me is if companies start using these specially equipped servers as virtualization hosts. The reason this bothers me is that most virtualization hosts actually house 2-3 virtual servers. So wiping the hard drives on the hosts can take 2-3 (minimum) machines down at a time. And given that many IT managers are not up to speed with their security training, this would leave a huge gap in the vulnerability of corporate networks.



posted on Aug, 9 2009 @ 11:01 AM
Where exactly are you talking about, and can you describe the "card"?

I'd like to hear more about this.



posted on Aug, 9 2009 @ 11:02 AM

Originally posted by carolina1737
I've recently been working with someone who has contacts with a company in Russia. They've been putting servers in a local server farm. I, as a computer consultant, was highly alarmed by what I saw. These servers have special cards in them which allow anyone with the right information to reload these servers from scratch without being physically present. I wondered why this Russian company needed something like this in the US. What if the Russians are planning to use these machines and others spread throughout the country on the backbones to take down the US internet in some form of attack? This company wanted to put in 10 racks of the 1U custom servers. That is a LOT of servers. Just one of these servers could support most small companies with fewer than 500 employees.


Hi carolina,
Firstly, which company is it?
Secondly, do you know anything about what type/brand the servers are and what Operating System they are running?

It sounds like a Distributed Computing Center where they Cluster all the computers together and make one big super computer.

Tying this in with the recent DDoS (Distributed Denial of Service) attack against Twitter, Google and Facebook, I would suppose they are using it for these purposes.

Any link or extra information would be excellent.

Cheers



posted on Aug, 9 2009 @ 11:14 AM
Reminds me of the bad Police Academy movie 'Mission to Moscow', where the Russian mob boss puts a trojan in his hit video game sequel called 'The New Game'.



Maybe they are setting up hardware based backdoors so they can remotely upgrade firmware? Or so they can take over infrastructure.



posted on Aug, 9 2009 @ 02:29 PM
I can't reveal which company unless it were directly to a US government agency; I wouldn't feel good about doing so otherwise. However, I can say that the "card" is the SIM1U. It is a KVM-type card that can mount drives, act as a KVM, remote control and you name it. Supermicro sells it.
I really do believe these things are being set up to do denial of service attacks and just generally choke the internet if needed. Spend a paltry million or so bucks on "near backbone" rack space and servers through private companies off the radar and voilà, "soup de useless internet". This could be used at any time; however, I am nearly positive WWIII is coming down the pipe. The Russians and the Chinese are hiding an arms buildup. I have absolutely no doubt about this FACT. The company in Russia is sending the parts to us from within the US, and having us assemble them and drop them off at the server farms. What better way to avoid the US government? They are not entire servers, and the govt might ask questions like: "Excuse me Russia, why did you order 5000 servers and place them in all the main backbone server farms across the country?" Doing this avoids anyone thinking they are complete servers, and I'm sure this might be to avoid the checks and balances in the shipping companies to spy/monitor goods and materials.



posted on Aug, 9 2009 @ 02:30 PM
Believe me, the Russians know they cannot defeat America on the conventional battlefield. Under those circumstances, cyber war has maximum deniability. They may postulate that the next battlefield will begin with disruption of things like the internet, to screwing up our GPS systems. If such events happen, I'm going to live in my bomb shelter.



posted on Aug, 9 2009 @ 02:36 PM
Oh, and DISA, if this is useful to you, or this info saves the US some headache: I could use some extra cash, or help with my mortgage... recognition, etc.



posted on Aug, 9 2009 @ 03:21 PM
The Chinese were recently caught putting additional chips and code in the Network Interface Cards of Server components they were selling to U.S. Manufacturers. The DoD issued an alert about this and ran an audit to root out any affected systems. Although this was brought to light, the practice still occurs on the part of the Chinese. It sounds like the Russians are not far behind.

The Russian Business Network is perhaps the single largest Internet body, even more so than Google. This Crime Syndicate is responsible for the vast majority of Identity Theft, Fraud, and BotNets on the Internet. They are very technologically advanced and represent a multi-billion dollar empire. Due to corruption within the Russian government, there is little that can be done externally to stop them.

A backdoor into a KVM Switch is a pretty serious security vulnerability. This allows Root Access to all of the Servers attached to that interface (as many as 20 if the KVM Switch is installed in a Blade Chassis). I don't know many people that use Supermicro Servers to build their Server Farms, but as they are on the low end of the Server Market, they appeal to Start Ups and Mom-and-Pops. I own two Supermicro Servers myself that I keep Co-Located at one of the four Data Centers I manage.

However, if one runs a tight Data Center and has restrictive rules on their Router/Firewall between the Servers and the Internet, even a vulnerability such as this becomes a non-issue. Only 3 IP Addresses are allowed through the Firewall at all of our Data Centers for the KVM Ports (most KVM devices can be accessed either through Telnet or by a High-Range Port for the Web Interface). Any Cisco Admin worth his salt should be able to lock down the KVM from unauthorized access, even with a backdoor in the chip.
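The allowlist that fraterormus describes above (three admin IPs, and nothing else, may reach the out-of-band KVM/IPMI ports) is easy to state and easy to get wrong in a long ACL. The following is an added example, not code from the thread or from any vendor: a small first-match ACL model in Python that builds that policy, renders it as Cisco IOS extended-ACL lines, evaluates constructed packets against it, and flags the classic mistake of a broad "permit ip any" sitting in front of the deny. The management subnet 10.99.0.0/24, the admin addresses in the RFC 5737 documentation ranges, and the port list (22, 23, 80, 443, 5900/tcp and 623/udp for IPMI-over-LAN) are all assumptions chosen for the example.

```python
"""Added example, not from the thread: a first-match ACL evaluator for the
"only N admin IPs may reach the KVM/IPMI ports" policy described in the post.
Addresses, ports and the subnet are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical management subnet holding the servers' KVM/IPMI interfaces.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
# Hypothetical admin workstations (RFC 5737 documentation ranges).
ADMIN_HOSTS = ("203.0.113.10", "203.0.113.11", "198.51.100.7")
# Out-of-band ports: SSH, telnet, HTTP(S) web KVM, VNC-style console, IPMI-over-LAN.
MGMT_PORTS = {"tcp": frozenset({22, 23, 80, 443, 5900}), "udp": frozenset({623})}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def build_policy() -> List[Rule]:
    """Permit each admin host to the management ports, then deny all else to the subnet."""
    rules = []
    for host in ADMIN_HOSTS:
        src = ipaddress.ip_network(f"{host}/32")
        for proto, ports in MGMT_PORTS.items():
            rules.append(Rule("permit", proto, src, MGMT_NET, ports))
    # Explicit deny (rather than relying on the implicit one) so hits are logged and counted.
    rules.append(Rule("deny", "ip", ANY, MGMT_NET, None))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dports is None or pkt.dport in rule.dports


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an ACL with no match ends in an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def render_cisco(rules: List[Rule]) -> List[str]:
    """Render as IOS extended-ACL lines (wildcard masks, not prefix lengths)."""
    def addr(net: ipaddress.IPv4Network) -> str:
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        if net.prefixlen == 0:
            return "any"
        return f"{net.network_address} {net.hostmask}"
    out = []
    for r in rules:
        line = f"{r.action} {r.proto} {addr(r.src)} {addr(r.dst)}"
        if r.dports:
            line += " eq " + " ".join(str(p) for p in sorted(r.dports))
        out.append(line)
    return out


def lint(rules: List[Rule]) -> List[str]:
    """Flag a broad permit that reaches the management subnet: it makes the allowlist moot."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src == ANY and r.dst.overlaps(MGMT_NET):
            findings.append(f"rule {i}: 'permit {r.proto} any' reaches {MGMT_NET}")
    return findings


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(render_cisco(policy)))
    # Constructed traffic: an admin doing IPMI, and a stranger hitting the web KVM.
    for pkt in (Packet("udp", "203.0.113.10", "10.99.0.5", 623),
                Packet("tcp", "192.0.2.44", "10.99.0.5", 443)):
        print(pkt, "->", evaluate(policy, pkt))
    # The failure mode: someone prepends "permit ip any any" and the allowlist is gone.
    sloppy = [Rule("permit", "ip", ANY, ANY, None)] + policy
    print(lint(sloppy))
```

The evaluator is deliberately first-match with an implicit deny, which is how IOS ACLs behave; the point of the `lint` pass is that a perfectly good allowlist is defeated by any earlier, broader permit, so the check a practitioner wants is "is there anything permitting traffic to the management subnet that is not one of the three hosts", not merely "do the three permit lines exist".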



posted on Aug, 9 2009 @ 06:22 PM
I think these things may be kamikaze attack servers. Of course any good admin would see this happening, but it might take them a while to notice or intercede if remote support won't work and there is nobody onsite. If they activate everything at once, it wouldn't matter how many admins caught it; the attack would still take down the US internet as a whole, if there were a lot of these out there. If you're planning a surprise attack, this concept would prove really handy: just launch all your missiles and turn on the attack servers, and communication would degrade to the point of uselessness, both on the internet and the telephone. Military installations would have little usefulness unless they had a protected network.



posted on Aug, 13 2009 @ 08:39 AM
reply to post by carolina1737


Firstly, the whole of the internet wouldn't be affected; only the servers with the dodgy KVM cards attached, and anything relying on them, would be affected.

What or who are these servers for? It's not going to be anything related to the military, as they're being installed in a local server farm. Military comms wouldn't be.

Secondly the military does have its own communication systems in place and I'm pretty sure that even if every single computer connected to the Internet was destroyed the military would still be able to communicate.

Thirdly, you mentioned them attacking the backbones of the internet, yet these servers are being installed in a local server farm?

Backbones of the internet are IXPs such as LINX.

fraterormus said it correctly that a smart IT admin would put measures in place to prevent an attack like this happening.

Also, while he mentioned Cisco, I'd like to point out that it's possible to connect to any Cisco router remotely and wipe its configuration.



posted on Aug, 13 2009 @ 11:51 AM
I hypothesized a massive blackout in Silicon Valley during the energy thing. Do you know what I found out? Even with our servers running on backup power and battery power, if the power went off for just 2 seconds, it would take down the internet with all the computers rebooting and signing back on. With all the RIP traffic, ICMPs, etc., it would eat all the bandwidth up in less than 5 minutes, and system overload would happen when the servers needed more juice, because all the requests were being fulfilled by backup systems which could not provide that extra juice. That started the crash, and then it exacerbated as time went on. We should be back fully functional and connected within 1-2 hours, or a lifetime on the web.

Silicon Valley is where MAE-West is located, in downtown San Jose, CA, and that is why the valley is for computers: it's the main line, as we say, the brain of the web. Anyhow, a bug on the servers... well, not that much of a threat (CRC changes are easy), but you never know. Melissa (the virus) took the FBI all of 4 hours to locate and arrest the perp, so what does that say? I don't know. Someone may have found a way; it would be tough, and easy to spot if they did.

I re-read your thread and... yes, if they put an OS chip on the motherboard as extended BIOS, then yes, this is very possible.




posted on Aug, 22 2009 @ 06:05 PM
Of course military installations usually have a protected network. However, they don't have a total reliance on this. Local telephones would go down, and things would just start sucking. If there were hundreds of these sites across the country it could very well take down the internet. They could fill the pipes with so much fast data the backbone would start slowing down. Then if they started an external attack, combined with botnets going off, the entire internet would melt. It would take days or weeks to get it back to anything useful. There is absolutely no way to stop all of these methods at once. Heck, our internet here was almost useless the week that North Korea set off their MyDoom variant. But it didn't take it down; there were just temporary service outages and it was slow.

The whole idea would be to stuff as much traffic in as possible, and sit back and see what happens. There must be a saturation point!!! To attack the internet, the backbone would need to be neutralized. It would need attacks from multiple sources, both inside and out. Those fiber optic links could be saturated if there were servers sitting as near to those backbones as they could be, with as much capacity as they could generate. Can a rack of servers produce 45 Mbps of attack data? I'd say yes. There are not that many large network links. OC-48 is probably the max long-distance link speed. It would only take 4 links at 600 Mbps to kill it dead.



