Wednesday, December 16, 2015

No, you can't shut down parts of the Internet

In tonight's Republican debate, Donald Trump claimed we should shut down parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes on why.

This post claims it would be easy: just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic a view.

Technically, the BGP attack described in the above post wouldn't even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust -- abusing trust this way could only work temporarily, before everyone else stopped trusting the United States. Legally, this couldn't work, as the United States lacks sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn't do.

But "routing" is just a logical layer built on top of telecommunications links. Syria and Iraq own their respective IP address space. ISIS doesn't have any "ASN" of their own. (If you think otherwise, then simply tell us the ASN that ISIS uses). Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes ISIS to share the IP address space of those countries. Since we are talking about client access to the Internet, these are probably going through NATs of some kind. Indeed, that's how a lot of cellphone access works in third world countries -- the IP address of your phone frequently does not match that of your country, but of the country of the company providing the cellphone service (which is often outsourced).

Any attempt to shut those down is going to have a huge collateral impact on other Internet users. You could take a scorched earth approach and disrupt everyone's traffic, but that's just going to increasingly isolate the United States while having little impact on ISIS. Satellite and other private radio links can be set up as fast as you bomb them.

In any event, a scorched earth approach to messing with IP routing is still harder than just cutting off the land-line links they already have. In other words, attacking ISIS at Layer 3 (routing) is foolish when attacking at Layer 1 (physical links) is so much easier.

You could probably bomb fiber optic cables and satellite links as quickly as they got reestablished. But then, you could disable ISIS by doing the same thing with roads, bridges, oil wells, electrical power, and so on. Disabling critical infrastructure is considered a war crime, because it disproportionately affects the populace rather than the enemy. The same likely applies to Internet connections -- you'd do little but annoy ISIS while harming the population.

Indeed, cutting off the population from the Internet is what dictators do. It's what ISIS wants to do, but doesn't, because it would turn the populace against them. Our strategy shouldn't be to help ISIS.

Note that I've been focused on clients, because the servers ISIS uses to interact with the rest of the world are located outside of ISIS-controlled areas. That's because Internet access is so slow and expensive that they use it only for client browsing, not for services. Trump tried to back off his crazy proposal by insisting it was only in ISIS-controlled areas, but that's not how the Internet works. ISIS equipment is worldwide -- the only way to shut them down is a huge First Amendment-violating censorship campaign.

Here's the deal. The Internet routes around censorship. Of the many options we have, censoring the Internet in ISIS-controlled territories is neither something we can do nor something we would want to do. Simply null routing AS numbers in BGP and bombing satellite uplinks would certainly not do it. Cutting the physical links is certainly possible, but even ISIS's neighbors, all of whom oppose ISIS, have not taken that step.

Update: In response to Weev's comment below, I thought I'd make a few points. The Pakistan goof did not disable all of YouTube, just areas with a shorter route to Pakistan than the United States, such as Europe. Also, while it's possible to create disruption, it's impossible to do so for a long period of time, as the Pakistan incident showed: after a bit, everyone just ignored Pakistan. It hurt Pakistan more than YouTube. Lastly, ISIS has no ASN to null route. If you disagree with me, then name the ASN. Instead, the ASNs in ISIS-controlled areas are those from Syria, neighbors like Turkey and Iran, and possibly other countries like China. Trying to block them all would cause huge collateral damage.

Update: If you think you can wage war by spoofing BGP, then it means ISIS-friendly ISPs can retaliate by spoofing back. It's not a precedent you want to establish.
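The route-selection rules argued over in the Pakistan update above and in the comments below, as an added example (not code from the original post or its commenters): a toy model of one router's table in which best-path choice is reduced to AS-path length. The prefixes (carved from 10.20.0.0/22) and the documentation-range AS numbers are constructed.

```python
import ipaddress

MAX_PREFIXLEN = 24           # the "/24 or shorter" acceptance filter from the thread
OWNER, OTHER = 64500, 64510  # constructed: documentation-range AS numbers
BLOCK = "10.20.0.0/22"       # constructed: the owner's covering prefix
FAR_SPECIFIC = ("10.20.1.0/24", [64501, 64502, 64503, OTHER])  # long path

def accept(announcements):
    """Build one router's table: drop over-long prefixes, then keep the
    shortest AS path per prefix (local-pref and other tie-breakers omitted)."""
    rib = {}
    for prefix, as_path in announcements:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > MAX_PREFIXLEN:
            continue                      # filtered, never installed
        if net not in rib or len(as_path) < len(rib[net]):
            rib[net] = as_path
    return rib

def origin_for(rib, address):
    """Forwarding decision: longest-prefix match, whatever the path length.
    Returns the origin AS (last hop of the path) or None."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)][-1]

def foreign_origins(rib, owned, owner_asn):
    """Monitoring check: installed routes inside `owned` with another origin."""
    block = ipaddress.ip_network(owned)
    return sorted(str(n) for n, path in rib.items()
                  if n.subnet_of(block) and path[-1] != owner_asn)

if __name__ == "__main__":
    base = [(BLOCK, [OWNER]), FAR_SPECIFIC]
    cases = {
        "covering /22 vs. more-specific /24": base,
        "owner answers with /25s (filtered)": base + [("10.20.1.0/25", [OWNER]), ("10.20.1.128/25", [OWNER])],
        "owner answers with /24, nearby router": base + [("10.20.1.0/24", [64504, OWNER])],
        "owner answers with /24, distant router": base + [("10.20.1.0/24", [64505, 64506, 64507, 64508, OWNER])],
    }
    for name, anns in cases.items():
        rib = accept(anns)
        print(f"{name}: AS{origin_for(rib, '10.20.1.7')}",
              foreign_origins(rib, BLOCK, OWNER))
```

Path length only matters once both origins announce a prefix of the same length; `foreign_origins` is the kind of check a prefix owner can run over its own view of the table to spot an unexpected more-specific.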


weevil eleatic said...

You are either unfamiliar with how BGP works and ignorant of the quite recent history of accidental BGP hijackings, or you are feigning ignorance.

In 2008 a podunk Pakistani ISP forgot to tag an internal route for YouTube no-export. It propagated and brought down YouTube. YouTube tried announcing more specific routes (two /25s) to fix it, but it did not work due to the fact that anything more specific than a /24 gets filtered by most peers. The ISP had to be disconnected completely to restore YouTube's service. If Pakistan can bring down one of the Internet's 10 largest services, which pushes an unfathomably gigantic multiple of all the traffic of Syria and Iraq, you think we can't fuck up Syrian and Iraqi Internet? Get real. If we push a route in the DFZ, disconnection can't be done. People can't nullroute the transit providers in the DFZ. It's there and ISIS will have no more Internet.

This is absolutely unquestionably technically feasible. Liberals, libertarians, and other cucks will whine and bitch and cry and pretend it isn't, but you're all liars. We can wipe a national entity by jacking their shit and let people fucking try and stop us.

The Zumarek said...

Reverse works as well. Just saying...

Peter Barfuss said...

Okay weevil, tell me which sites ISIS uses so I can propagate nullroutes for them. And tell me why, unlike YouTube, which wants to exist at a given site for recognition purposes, ISIS can't just create a new site, on a new IP?

This is literally a game of whack-a-mole at that point.

Peter Barfuss said...

Also, Rob, regarding "all of ISIS' neighbours being against them", for most of said neighbours that's true, but while Turkey *claims* to be against ISIS, Erdoğan and his group of bigoted hicks basically quietly do all they can to support them.

Jānis Jaunošāns said...

From an IGP point of view, isis is better than ospf.

B.J. said...

Since when is internet "critical infrastructure?" People won't die without internet access. I'm pretty sure in every war ever both sides try to disrupt each other's lines of communication. Cutting off internet seems like a valid tactic to isolate ISIS territory.

Jānis Jaunošāns said...

btw, title is screaming. doesn't reflect the topic. parts of the internet can be shut down, ddos north korea :D

weevil eleatic said...

Rob, this isn't OSPF. BGP does not select the shortest route. It selects the longest prefix-- the most specific route. You can and will get BGP directing traffic over a route that is far longer than the current route, pushing it all across the planet by announcing a more specific route.

weevil eleatic said...

"Instead, the ASNs in ISIS controlled areas are those from Syria, neighbors like Turkey and Iran, and possibly other countries like China. Trying to block them all would cause huge collateral damage."

Also, yes, and that's great. Collateral damage is explicitly desirable-- it will incentivize ISPs to never work with ISIS controlled areas and to do everything in their power to ensure they don't get nullrouted.

Hristos said...

Internet is an organism that unaware men think of as a physical entity...

The only thing Trump wants to do (and can do) is to display himself as a man of power, there is literally nothing more on whatever he says or does.

As mentioned in the Article, lots of guys do that by enforcing their control on others, again, history is full of examples on how this will turn out.

To relate this comment to the Article though, there is no question that such an idea is not remotely applicable to today's internet infrastructure, ESPECIALLY from Trump.

Trump's businesses will collapse and, seriously, it is just not going to produce the outcome you want to have, end of story.

The whole point on Trump's "idea" (which is obviously not only his) will eventually deflate on being a new anti-privacy legislation.

The terrorism fact remains, people are attacking others for a, what they consider, valid reason. Instead of focusing on reasoning what those reasons are, we are behaving like mindless calves searching for the most powerful man to follow so that we don't have to act on anything.

And I am wondering, where in a point of time has American potential transmuted to such a short-sighted, misinformed mass of cowboys?

sumue said...

Thank you for thinking about not just the technical issues on this topic but also some of the legal and ethical.

"Indeed, cutting off the population from the Internet is what dictators do. ... Our strategy shouldn't be to help ISIS."

You see people from all parts of the world jumping in to help IS. Their propaganda is excellent and very effective. So it seems to make sense to try to attack their possibility to spread propaganda (thank you Donald Trump for such a not obvious idea and well thought-out plan!!!) rather than just bomb their territory where you will always risk harming civilians.

Why do we fight IS? Because they are brutal, because they essentially want a dictatorship ruled by them under their definition what should be "Islamic", because they have massacred civilians, have kidnapped, raped etc.

But if you fight someone because he has done something and then basically do similar things (or maybe not so bad things but things which according to your constitution you should not do) to them (and everyone else), you cannot morally justify it by saying you are better in any case, you are still pure and the good guys. If you use torture, put people into prisons without a fair try, lie to the public, persecute whistleblowers, fake evidence to start a war, spy on your citizens, bomb civilians, put people on a no-fly list at random, torture prisoners and obstinately refuse to participate in the ICC (international prosecution against war criminals) etc. - where does this stop? Cutting off communication (or at least trying to do so) seems pretty moderate compared to some of the other things.

The problem is, if you use certain means that are undemocratic and more suitable to a dictatorship, you are not fighting terror, you are fueling it.

BTW, the best thing Trump could do against terrorism is to step down as a presidential candidate. I really don't know why he gets so much attention with his half-witted comments.