'Coordinated attack' downs services with cut lines

posted on Jun, 30 2015 @ 11:30 PM
a reply to: xuenchen

Perhaps a more insidious, but more effective exploit would be to partially compromise (rather than cutting) a link by inserting a firmware modified router which malformed its data packet headers to appear that it was routing data faster than any other router (which would move the malign router up to the top priority of the routing tables in other connected routers). You could then delay or otherwise manipulate specific data as you wished (perhaps keeping the exploit hidden until the exploiters are ready to move).

If this were applied to a time critical business (like a stock exchange) it could significantly disrupt normal commerce or could give a commercial advantage to the people controlling the compromised router.

The detection of such a 'bad' router would be made more difficult after the data had been passed through legitimate routers out to the wider network. In this way a compromised router could remain in the network hidden until the compromise is performed. You would have to look for, and detect the malformed packets on the section between the compromised router and its directly connected good routers.



posted on Jun, 30 2015 @ 11:35 PM
a reply to: chr0naut

That wouldn't work...

Most (if not all) inter site fibre optics is not router to router. You can't just plug a router into a fibre in the middle of nowhere for many reasons, not least it wouldn't know what to do with the traffic being fed into it, assuming of course you've overcome the other reasons why it wouldn't work.
edit on 30/6/15 by stumason because: (no reason given)



posted on Jun, 30 2015 @ 11:40 PM
a reply to: xuenchen

Is there any possibility in this being one of the J.H. exercises?



posted on Jun, 30 2015 @ 11:46 PM
a reply to: xuenchen

What time roughly was this? In Australia at about 11:30pm and for a few hours I couldn't access several sites but my internets was connected.



posted on Jun, 30 2015 @ 11:59 PM
Just to add to the strangeness:
although I live in the affected area, my internet service has not been interrupted; however, one of my relatives, who lives just 20 miles east of me, has spent this 100+ degree day without power.

According to Pacific Gas & Electric, her service provider, they are investigating a power outage resulting from "unknown causes".

Coincidence?



posted on Jul, 1 2015 @ 12:04 AM
I have Comcast, and am in West Virginia. My cable TV and Internet are both currently down.
So there's that...



posted on Jul, 1 2015 @ 12:10 AM
This is clearly because net neutrality rules went into effect. Coincidence, I think not.


Joking, but I'm curious if anyone or any corporation will try to use this disruption of service as a consequence of net neutrality going into effect. I wonder which Republican candidate will step up to the plate with this by mistake.

Interesting to see how this pans out.



posted on Jul, 1 2015 @ 12:12 AM

originally posted by: SheepDipped
I have Comcast, and am in West Virginia. My cable TV and Internet are both currently down.
So there's that...


Nah, that is just typical Comcast.



posted on Jul, 1 2015 @ 12:13 AM

originally posted by: stumason
a reply to: chr0naut

That wouldn't work...

Most (if not all) inter site fibre optics is not router to router. You can't just plug a router into a fibre in the middle of nowhere for many reasons, not least it wouldn't know what to do with the traffic being fed into it, assuming of course you've overcome the other reasons why it wouldn't work.


I guess you'd need to pre-load a routing table in the compromised router.

BGP spoofing - why nothing on the internet is actually secure - ZDNet

NSA Laughs at PCs, Prefers Hacking Routers and Switches - Wired

Persistent OSPF Attacks .pdf



posted on Jul, 1 2015 @ 12:27 AM
a reply to: chr0naut

That's just one problem - as I said, most (if not all) intersite fibre will be carried over the transmission network (SDH/SONET/DWDM) and routers aren't geared up to translate those signals.

I'll give you an example - on our new optical network in the UK, we have Ciena 6500s which have multiple different tributary cards which take various signal types, be it Ethernet, SDH, PDH etc. These are then muxed up into a DWDM line system via optical filters which can squeeze 88 x 100Gbit channels over a single fibre pair. Plugging a router into that fibre pair in the middle of nowhere will not yield anything useful (the router won't know what to do with it and will probably have a loss of frame alarm) not to mention being immediately obvious something is up to people like me monitoring the network as we have a whopping great optical line fail alarm.



posted on Jul, 1 2015 @ 12:31 AM
a reply to: Granite

Was just telling my wife about that and how it might have been a test run.



posted on Jul, 1 2015 @ 03:14 AM

originally posted by: xuenchen
Internet services were apparently choppy when several key backbone lines were cut.

They seem to think this was a coordinated "attack".

Is the U.S. Internet system vulnerable?

What would "people" do if the internet was chopped off for a week?

'Coordinated attack' downs services with cut lines

see map for details...


Internet providers suffered disruptions Tuesday in what a West Coast internet provider said appeared to be a coordinated physical attack on three high-capacity "backbone" lines in California.

Wave Broadband said three major fiber-optic cables in the Sacramento area were "physically severed in what appears to be a coordinated attack on multiple internet carriers."

Wave spokesman Mark Peterson said the company's subscribers in the suburban Sacramento area were suffering outages, and crews were working to restore the connections, which were severed at 4:20 a.m. local time. Peterson said Wave itself is a customer of the two backbone companies apparently targeted, Level 3 and Zayo. Both backbone companies are based in Colorado.



Was anybody affected?

Strange things happen






At the risk of sounding paranoid, I would not dismiss the possibility of it having something to do with Jade Helm at least retraining Americans to believe that they do not have a reliable internet service and never did have. Such 'interruptions' like this might start to happen more frequently.



posted on Jul, 1 2015 @ 09:13 AM

originally posted by: babybunnies

Many of those backbones are shared between the major providers - i.e. Sprint or Shaw BigPipe might run in one part of the country, and is shared with Comcast, Time Warner, etc, then Time Warner etc might put in fibre in another part of the country and it's shared with Sprint, Comcast etc.

There are a LOT of fibre lines all over the USA, but all those networks need to be connected for it to really work. If you take out a few fibre lines across the Midwest, no traffic would be communicated between East and West. Shortly after 9/11, ONE undersea cable was cut in the Mediterranean and took out internet services to almost the entire Middle East.

The Internet is a much more fragile system than a lot of people realize.


I don't agree that if you take out a few fiber lines in the Midwest no traffic would flow east west.

Here you have only 4 networks. And there are more out there.



If you cut fiber in the north, it can and will be rerouted via other links in the south.

And in this day and age most large companies have datacenters in multiple locations for the sake of redundancy.



posted on Jul, 1 2015 @ 01:23 PM
But what would this accomplish, in the vein of "terrorism" besides inconvenience?
Financial terrorism? What would be the "casualties"?
a reply to: babybunnies



Could be sand worms punishing us for mining spice.




posted on Jul, 1 2015 @ 05:30 PM
a reply to: xuenchen

Something like that could have more than one purpose. One, just to test and see if they could do it, and watch how people react. Two, to make it so locals could not go online for information, to perhaps cover up something else. I wonder if anything else odd happened in that area yesterday.



posted on Jul, 1 2015 @ 05:37 PM

originally posted by: auroraaus
a reply to: xuenchen

What time roughly was this? In Australia at about 11:30pm and for a few hours I couldn't access several sites but my internets was connected.


You know, now that you mention it, I had some sites I couldn't access at all yesterday. Some worked, but some, it delayed too long, and I am talking not big news sites or anything; just some car information. Nothing that would be so busy you'd expect that sort of thing. I'd forgotten till you mentioned that.

Nowhere near the west coast, either.



posted on Jul, 2 2015 @ 03:31 PM

originally posted by: stumason
a reply to: chr0naut

That's just one problem - as I said, most (if not all) intersite fibre will be carried over the transmission network (SDH/SONET/DWDM) and routers aren't geared up to translate those signals.

I'll give you an example - on our new optical network in the UK, we have Ciena 6500s which have multiple different tributary cards which take various signal types, be it Ethernet, SDH, PDH etc. These are then muxed up into a DWDM line system via optical filters which can squeeze 88 x 100Gbit channels over a single fibre pair. Plugging a router into that fibre pair in the middle of nowhere will not yield anything useful (the router won't know what to do with it and will probably have a loss of frame alarm) not to mention being immediately obvious something is up to people like me monitoring the network as we have a whopping great optical line fail alarm.


What, de-muxing is not possible? What about the compromise using 6500's themselves (perhaps a 6500-2, if they stole it & its modules, it wouldn't even be a cost)?

What about if the team of people who instigate the hack, are your co-workers? The payoff could be extremely lucrative.

Or perhaps a GCHQ Tempora implemented compromised link could itself be further compromised by third parties.

Or perhaps there could be an "accidental" cable cut elsewhere, perhaps closer to a depot (so any OTDR would locate it first), that would give someone time to splice equipment in at a second (more distant and secluded) location.

Or perhaps the compromise could be staged in an escalation of compromise (first capturing data and buffering it prior to 'cutting in' to insert and control data). If the punch in were rapid enough, are you sure that you'd get a loss of frame?

There are, no doubt, several more ways to achieve a compromise. I think you are not thinking deviously enough. The published documents and those who are already misusing cable clamps (like the FOD 5503) to capture data, definitely show that the intent is there.

Edward Snowden's revelations would indicate that what I am describing is physically possible.


edit on 2/7/2015 by chr0naut because: (no reason given)



posted on Jul, 4 2015 @ 01:58 AM

originally posted by: chr0naut
What, de-muxing is not possible? What about the compromise using 6500's themselves (perhaps a 6500-2, if they stole it & its modules, it wouldn't even be a cost)?

What about if the team of people who instigate the hack, are your co-workers? The payoff could be extremely lucrative.

Or perhaps a GCHQ Tempora implemented compromised link could itself be further compromised by third parties.

Or perhaps there could be an "accidental" cable cut elsewhere, perhaps closer to a depot (so any OTDR would locate it first), that would give someone time to splice equipment in at a second (more distant and secluded) location.

Or perhaps the compromise could be staged in an escalation of compromise (first capturing data and buffering it prior to 'cutting in' to insert and control data). If the punch in were rapid enough, are you sure that you'd get a loss of frame?

There are, no doubt, several more ways to achieve a compromise. I think you are not thinking deviously enough. The published documents and those who are already misusing cable clamps (like the FOD 5503) to capture data, definitely show that the intent is there.

Edward Snowden's revelations would indicate that what I am describing is physically possible.



Hang on - you suggested going into the middle of nowhere and just splicing into the cable then plugging in a router - now you want to put a 6500 in the middle? It was a stupid idea with the router, but now it's just silly.

By inserting any equipment into our optical network, you will affect so many things alarms will be going off left and right. Not least, your span loss will change (the 6500s monitor this) and they also use a DOC - Domain Optical Controller - any device not in the DOC's area will cause big problems and likely cause the whole line system to fail.

And those are the two obvious reasons why your idea won't work. There are many, many more technical reasons, but these two kill it dead anyway. It seems to me you're trying to be clever without really knowing what is involved. Your comments about "punching in quick enough you won't get a LOF"? You didn't even understand what I was saying - if you have a DWDM system, as many of these backbones are, the router is going to be unable to pick out the frequency of the channel that it is interested in, it will just see the whole line system glaring at it and it will be just rubbish to it.

What you're on about with the NSA/GCHQ is them having monitoring points inside exchanges/hub sites, usually with the knowledge of the company. This is easier to do as by then traffic is broken out.



