On the ’09 Infrastructure Security Radar
In considering the past year and what’s in store for 2009 and beyond, there’s a broad spectrum of Internet infrastructure security related issues that are sure to make for absorbing times in the coming years. Given that security, availability, performance, reliability and stability all go hand in hand, some of the [roughly ordered] things on my ’09 radar include:
- IPv4 exhaustion on the doorstep: In the event that you’ve been living under a rock: IPv4 addresses are running out. The Internet Assigned Numbers Authority (IANA) will have exhausted its pool of available IPv4 addresses in only two years, and the Regional Internet Registries (RIRs – ARIN, APNIC, LACNIC, RIPE and AFRINIC) just a year subsequent to that. Native IPv4 hosts can’t speak to native IPv6 hosts without some intermediary device or function to translate, and this creates lots of problems. Infrastructure today barely forwards IPv6 packets, much less reports on them, and studies such as this by SSAC in late ’07 put IPv6 security capability at just 25% parity with that of IPv4. Furthermore, because the allocation and assignment of addresses has no direct tie-in to routing, IPv4 address trading markets may emerge, which has left the RIRs and the Internet network operations community scrambling to find ways to control this (if it occurs), and has fostered some much needed investment in work on Resource PKI (RPKI) – a repository infrastructure that will provide a formally verifiable mechanism to establish who is authorized to announce reachability for what Internet address space (amazingly, even today on the Internet there is still NO formally verifiable mechanism to identify who is authorized to use what IP address space!). In short, lots of work to be done here, by lots of folks.
- Routing system as insecure as ever: Many events in 2008, from the Youtube hijack by Pakistan Telecom, to the nearly unnoticed L-root name server identity theft that went on for nearly 6 months, illustrated just how insecure the routing system is, as those of us paying attention have known all along. For those that didn’t, some folks even provided an inter-domain proof of concept of MITM attacks by manipulating an insecure routing system. However, absent an authoritative database of who is authorized to advertise what IP address space (i.e., the RPKI above), and with an ever-increasing number of meat computers holding admin access to BGP speaking routers on the Internet, incidents (accidental & malicious) in this area are only sure to increase.
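As an added example that is not part of the original post, this is the route-origin validation check that the RPKI repository described above makes possible: each announcement is compared against Route Origin Authorizations (ROAs) to decide whether the originating AS is authorized for that address space. The ROAs and announcements are constructed using documentation prefixes and ASNs (RFC 5737, RFC 5398), and the Youtube-style case of a more-specific announced by the wrong AS shows up as "invalid".

```python
# Added example (not from the original post): RPKI route-origin validation.
# ROA and announcement data below are constructed with documentation
# prefixes (RFC 5737) and ASNs (RFC 5398), not real Internet routes.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # address block the holder authorises, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the origin AS may announce
    origin_as: int   # AS authorised to originate the prefix

def covers(roa: ROA, announced: str) -> bool:
    """True if the ROA's prefix contains the announced prefix (any AS, any length)."""
    r = ipaddress.ip_network(roa.prefix)
    a = ipaddress.ip_network(announced)
    return a.version == r.version and a.subnet_of(r)

def validate_origin(announced: str, origin_as: int, roas: list) -> str:
    """'notfound' if no ROA covers the prefix; 'valid' if a covering ROA
    matches both origin AS and maxLength; otherwise 'invalid' (wrong origin,
    or a more-specific longer than any ROA permits, i.e. a hijack pattern)."""
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "notfound"
    length = ipaddress.ip_network(announced).prefixlen
    for r in covering:
        if r.origin_as == origin_as and length <= r.max_length:
            return "valid"
    return "invalid"

# Constructed sample: AS64496 holds 192.0.2.0/24 and may deaggregate down to /25.
ROAS = [ROA("192.0.2.0/24", 25, 64496)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),    # legitimate holder
    ("192.0.2.0/25", 64496),    # holder's permitted more-specific
    ("192.0.2.0/26", 64496),    # holder, but longer than maxLength allows
    ("192.0.2.0/24", 64511),    # a different AS originating the same block
    ("203.0.113.0/24", 64511),  # no ROA exists for this space at all
]

def validate_all(announcements=ANNOUNCEMENTS, roas=ROAS) -> dict:
    """Map 'prefix ASn' -> validation state for every sample announcement."""
    return {f"{p} AS{a}": validate_origin(p, a, roas) for p, a in announcements}

if __name__ == "__main__":
    for key, state in validate_all().items():
        print(f"{key}: {state}")
```

Note that "notfound" is the common case until ROAs are widely published, which is why validation alone cannot stop hijacks of uncovered space.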
- Internet DNS overload: The 13 root name servers, arguably the weakest link in today’s Internet system, have proved time and time again to be impressively resilient. However, with the L-root incident mentioned above, and the expansion of not only IPv6, but the introduction of DNSSEC, Internationalized Domain Names (IDNs), and some unspecified amount of flattening of the name space with new gTLDs, when will the Internet DNS system start feeling the pain? The truth is, no one knows, and the loose model with which today’s roots are operated gives rise to many concerns about transparency, security and stability of the Internet DNS. Furthermore, DNS (in)security at all levels continues to garner much attention: from malware that changes end system resolver settings (directly or via gratuitous DHCP messages), to resolvers compromised with new cache poisoning attacks, to root identity theft on the operational side. All that, coupled with an ever-expanding registrant, registrar/reseller, and registry attack surface, means we’ve got lots of work in store for us in these areas.
- Bots: Continued natural evolution on all vectors; wider compromise, notably through additional client-side techniques, and more resilient command and control infrastructure to further marginalize whack-a-mole efforts akin to those against RBN, Intercage and McColo. Continued study of new botnet employment vectors would seem worthy of this list as well, as amazingly, just when you think miscreants have exhausted all avenues, some new vocation emerges yet again, another way to molest and monetize their compromised assets.
- DDoS: Just more of the same; increases in frequency, scale and attack source distribution, as we’ve seen for over 8 years now. More application-layer attacks that exploit transaction-heavy (e.g., AJAX) interfaces and back-end properties. Expect to see more on the surgical and topologically optimal mitigation front, especially for a growing number of application layer attacks, as well as click fraud and the like. Also, more automation of communication between source and target networks, enabling attack source (e.g., bot / victim) attributes to be shared and ‘clean up’ to be automated by the ingress network operator. And, of course, operators and their customers aiming to optimize capital expenditures and existing infrastructure and minimize forklift upgrades, seeking better utilization of existing resources.
There are many other topics of interest, in particular on the R&D side of the house, but those listed above seem to top my list, given the current trajectory of things.