Taking down the internet: possible but how probable?

Unknown players – probably a nation state – are probing the defenses of the core infrastructure of the internet. How worried should we be?

The hack of the Democratic National Committee this past summer, allegedly by Russia, prompted a political firestorm, but didn’t cause even a ripple in the US economy.

But imagine the economic firestorm that would result if online attackers brought the entire internet down, even temporarily.

You may not have to imagine it, according to Bruce Schneier, CTO of Resilient Systems, cryptography guru, blogger and international authority on internet security. In a recent post titled “Someone is Learning How to Take Down the Internet,” he wrote that he had been told by multiple sources that “someone has been probing the defenses of … some of the major companies that provide the basic infrastructure that makes the Internet work.”

But according to some of his fellow security experts, you don’t really need to imagine it, since the chances of the internet really being taken down are remote. And even if it happens, it won’t cause catastrophic damage. Several commenters on Schneier’s post wondered why even hostile actors would want to take down the internet, since if they do, they won’t be able to use it either.

Whatever the reality, it has prompted some energetic discussion.

Schneier said the probing has been done mainly with calibrated Distributed Denial-of-Service (DDoS) attacks, which overwhelm a site with so much data that it cannot respond to legitimate traffic.

DDoS attacks are nothing new – activist and criminal hackers use them all the time. What distinguishes these is their profile.

Schneier said he had spoken with leaders of several companies – who all demanded anonymity – that operate elements of the “backbone” of the internet, and they had all told him similar stories.


Bruce Schneier, CTO of Resilient Systems

“These attacks are significantly larger than the ones they're used to seeing,” he wrote. “They last longer. They're more sophisticated. And they look like probing.”

That, he said both in his post and a later interview with CSO, is because of their “style” – over time, the volume of the attack increases, to the point of the defense system’s failure. They also employ multiple attack vectors, “so they force the companies to use all their defenses at once.”
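The profile described here (volume that climbs steadily until defenses fail, and several vectors arriving at once) is something a backbone operator's monitoring can look for. The following is an added illustration, not code from the article or from any of the companies quoted: it buckets constructed per-minute traffic samples, finds the longest uninterrupted climb in total volume, counts the distinct vectors active during that climb, and labels the window. The vector names, thresholds and sample rates are all constructed for the example.

```python
"""Classify a traffic window by whether it shows the escalating, multi-vector
profile described in the article.  Added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Sample:
    """One per-minute measurement of inbound traffic attributed to one vector."""
    minute: int      # minutes since the start of the observation window
    vector: str      # hypothetical vector labels such as "syn", "udp", "dns_amp"
    gbps: float      # observed rate for that vector in that minute


def bucket(samples: Iterable[Sample]) -> Tuple[Dict[int, float], Dict[int, Set[str]]]:
    """Sum rates per minute and collect the set of vectors seen in each minute."""
    totals: Dict[int, float] = {}
    vectors: Dict[int, Set[str]] = {}
    for s in samples:
        totals[s.minute] = totals.get(s.minute, 0.0) + s.gbps
        vectors.setdefault(s.minute, set()).add(s.vector)
    return totals, vectors


def longest_climb(series: List[float], dip_tolerance: float = 0.05) -> Tuple[int, int]:
    """Return (start, end) indexes of the longest run in which no minute drops
    more than dip_tolerance below the previous one, i.e. volume keeps climbing
    or holding without a real fall-off."""
    best = (0, 0)
    start = 0
    for i in range(1, len(series)):
        if series[i] < series[i - 1] * (1 - dip_tolerance):
            start = i                      # a real drop ends the current climb
        if i - start > best[1] - best[0]:
            best = (start, i)
    return best


def classify(samples: Iterable[Sample], ramp_minutes: int = 5, min_growth: float = 2.0,
             min_vectors: int = 3, flood_gbps: float = 10.0, floor_gbps: float = 1.0) -> dict:
    """Label a window.  All thresholds are constructed defaults, not measured values."""
    totals, vectors = bucket(samples)
    minutes = sorted(totals)
    if not minutes:
        return {"verdict": "no data"}
    series = [totals[m] for m in minutes]
    start, end = longest_climb(series)
    climb_len = end - start + 1
    # floor_gbps keeps near-zero starting points from inflating the growth ratio
    growth = series[end] / max(series[start], floor_gbps)
    ramping = climb_len >= ramp_minutes and growth >= min_growth
    max_vectors = max(len(vectors[m]) for m in minutes[start:end + 1])
    peak = max(series)
    if ramping and max_vectors >= min_vectors:
        verdict = "escalating multi-vector (probing-like)"
    elif ramping:
        verdict = "escalating single-vector"
    elif peak >= flood_gbps:
        verdict = "steady flood"
    else:
        verdict = "baseline"
    return {"climb_minutes": climb_len, "growth": round(growth, 2),
            "max_vectors": max_vectors, "peak_gbps": peak, "verdict": verdict}


# Constructed sample windows (not real measurements).
PROBE_LIKE = [
    Sample(0, "syn", 0.4), Sample(1, "syn", 0.5), Sample(2, "syn", 0.5),
    Sample(3, "syn", 2.0),
    Sample(4, "syn", 3.0), Sample(4, "udp", 2.0),
    Sample(5, "syn", 4.0), Sample(5, "udp", 4.0), Sample(5, "dns_amp", 3.0),
    Sample(6, "syn", 6.0), Sample(6, "udp", 8.0), Sample(6, "dns_amp", 8.0),
    Sample(7, "syn", 9.0), Sample(7, "udp", 12.0), Sample(7, "dns_amp", 14.0),
]
STEADY_FLOOD = [Sample(m, "udp", 20.0) for m in range(8)]
QUIET = [Sample(m, "syn", r) for m, r in enumerate([0.5, 0.6, 0.4, 0.5, 0.6, 0.4, 0.5, 0.6])]

if __name__ == "__main__":
    for name, window in (("probe-like", PROBE_LIKE), ("steady flood", STEADY_FLOOD), ("quiet", QUIET)):
        print(name, classify(window))
```

The point of the split verdicts is that a flat, single-vector flood and a climbing, multi-vector one call for different responses: the first is the familiar volumetric attack, while the second is the pattern the article's sources describe and is worth escalating as a possible reconnaissance signal rather than handling purely as capacity noise.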

He suggested it was the digital version of what the US did during the Cold War, when the US would fly high-altitude planes over the Soviet Union to force them to turn their air defense systems on, which would then let the US map their capabilities.

“We didn’t do it because we’re evil,” he said. “We just wanted to know – just in case.”

He said these attacks look like they’re coming from a nation-state – probably China. While some responses to his post have said it may be the US National Security Agency (NSA) doing a sort of “stress test” on the internet, Schneier doubts that. “It feels like China,” he said. “You can hide the origin of a lot of attacks, but it is harder to hide the origins of a DDoS. And this doesn’t seem like their (the NSA’s) style.”

Dan Kaminsky, security researcher and chief scientist at White Ops, agreed. “I don't think the NSA is doing it, because it'd very much surprise me if they needed to,” he said.

Schneier also pointed to a recent quarterly report from Verisign, the registrar for many popular top-level Internet domains, like .com and .net, which reported a 75 percent increase in attacks, year over year, with an average peak attack size of 17.37Gbps (Gigabits per second), an increase of 214 percent.

That pales in comparison with the recent record 620Gbps DDoS attack against the website of security blogger Brian Krebs, and Schneier said the Verisign report doesn’t have the level of detail he got from the anonymous industry leaders he spoke with, but he said, “the trends are the same.”

He added that since his blog post, he has heard from three other companies that support the Internet’s “backbone,” and they have also told him they are seeing the same thing.

So how worried should the US be? Is this just some cyber Cold War maneuvering, or a potentially catastrophic threat?

Most experts say they think it needs attention, but see it more as maneuvering than an imminent increase in danger to the integrity of the internet.

Sam Curry, chief product officer at Cybereason, said based on his observations, “risk levels haven't changed. It's an interesting hypothesis that needs more data points, but watch out for confirmation bias going forward.”


Sam Curry, chief product officer, Cybereason

There is little disagreement, however, that a massive DDoS attack could disable portions, or even all, of the internet for some period of time.

Kaminsky called Schneier a “highly credible source,” and said he believes some hackers actually can take down the internet, in part because, “the damage from cyberattacks keeps growing and the risk perceived by attackers keeps shrinking.”

This, he said, applies especially to nation-states, which have figured out that, “while their militaries might be trivially overrun, their hackers aren't.

“Cyberwar has become like real war, except you can wage it, and possibly win it, in the sense that you can extract political concessions not to fight it at all,” he said. “And the capital investment is tiny – no tanks, no fuel, just talent, time, food, and access.”

It has also become easier to launch much larger DDoS attacks because so many internet of things (IoT) devices can be so easily compromised and used as part of a botnet. Krebs, in a post on the DDoS attack that took down his site, noted that they are, “protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or – in the case of routers – are shipped by ISPs to their customers.”

Paul Vixie, CEO of Farsight Security and previously president, chairman and founder of Internet Systems Consortium (ISC), agrees that the internet is vulnerable, but always has been. “The threat is old and well known,” he said. “The internet was built in a lab for eggheads who all trusted each other, and so it has no defense against its own users.”

But he said he thinks Schneier needed to be much more precise about what he meant about taking down the internet. “Down for who, and for how long?” he asked. “There's no way to break the internet permanently, since the same activities that gave rise to it and which reinvent it every day will eventually recreate a new infrastructure that works mostly the same way the old one did.”


Gary McGraw, CTO, Cigital

Gary McGraw, CTO of Cigital, sees it much the same way. “The internet was designed to survive a nuclear war,” he said. “It was set up so the network could remain alive, even if parts of it get blown up. Even if the ‘great server in the sky’ got taken down, it would be replaced instantly.”

Schneier said he agrees with much of that. “I’m not convinced it will go down,” he said, “and if it does, it will be temporary. A DDoS attack needs the internet to work. It eventually eats its own tail.”

But even a temporary takedown could cause great damage, Vixie said. “In a thought experiment, a bunch of us got together and brainstormed ways to make the internet unavailable to the G-20 for 72 hours.

“This was because an attack of that kind, had it been pulled off on Sept. 10, 11, and 12 of 2001, would have vastly amplified the terror and confusion of the terrorist attacks on 9/11,” he said.

McGraw agrees that the potential for damage is very real. “If you have a critical system, you need to pay attention,” he said. “I’d hate to be having remote surgery when the internet goes down and there’s a scalpel sticking out of my chest.”

But he said horror stories like planes falling out of the sky, “aren’t going to happen. That’s ridiculous.”

Some comments on Schneier’s blog have suggested that the DDoS attack isn’t the real attack – that it is meant to be the digital version of “covering fire,” so the hackers can get something like an advanced persistent threat (APT) into a system without detection.

“I thought of that,” Schneier said, “but I didn’t write about it because it would be too speculative.”

What to do about it draws even more of a mixed response. Schneier has said he doesn’t know what should be done, but did call for a “national strategy” on DDoS attacks, “because a lot of this is critical infrastructure. The question is what do we do when critical infrastructure is in private hands. We don’t have a good way of dealing with it.”

Kaminsky said he thinks the US needs, “an NIH (National Institute of Health) for cyber.” He also called for more resources. “More nerds, more resources, more structure, absolute bureaucratic firewall against the offense guys,” he said.

Israel Barak, CISO at Cybereason, said it will take more of what Congress and the Obama administration have called for with the Cyber Information Sharing Act (CISA), but which still is not a reality.

Rapid detection and response, “requires tight cooperation, integration and information sharing between a large number of Internet Service Providers, CERT organizations, law enforcement, and government agencies,” he said, “backed up by supporting government regulation related to the permitted scope of lawful interception and privacy regulations. We’re very far from this today.”

Stories by Taylor Armerding