Schneier suspects China and Russia are behind the attacks

Sep 14, 2016 10:55 GMT  ·  By

Nation-state actors are calibrating cyber-weapons in case they ever need to take down the Internet, not just in their country, but in the whole world.

This is the opinion shared by security expert Bruce Schneier, who cites several reports disclosed to him in private by companies that run some of the Internet's core infrastructure.

Schneier, who is a board member of the Electronic Frontier Foundation and the Tor Project, is in a position to receive this information and is also one of the loudest voices on security topics and user privacy.

DDoS attacks used to probe for failure points

He says that unknown parties have been probing critical Internet servers with well-planned DDoS attacks, trying to discover the point at which these servers go down.

The attacks are carried out in phases, at escalating volumes. Attackers start at one DDoS volume, increase it to a certain point, and then stop. The next attack picks up from that point and climbs to a new one, then stops. The attacks also vary in type, using different kinds of packet floods.

Schneier says that all of this looks like someone taking aim at core Internet nodes one by one, trying to discover how quickly the companies behind them respond, what defensive procedures they deploy, and how much DDoS traffic it takes to shut down that particular piece of infrastructure.
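As an added illustration (not code from the article or from Schneier), here is a small detector for the staircase pattern described above: it parses flood events from a hypothetical mitigation-log format constructed for this example and flags targets where each flood starts near the previous one's peak and stops higher.

```python
import re
from dataclasses import dataclass

# Hypothetical mitigation-log format, constructed for this example.
LINE_RE = re.compile(r"\S+ target=(?P<target>\S+) vector=(?P<vector>\S+) "
                     r"start_gbps=(?P<start>[\d.]+) peak_gbps=(?P<peak>[\d.]+)")

@dataclass
class FloodEvent:
    target: str
    vector: str        # flood type: syn, udp, dns-amp ...
    start_gbps: float  # volume when the flood began
    peak_gbps: float   # volume at which the attacker stopped

def parse_events(lines):
    """Parse matching log lines into FloodEvents; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(FloodEvent(m["target"], m["vector"],
                                     float(m["start"]), float(m["peak"])))
    return events

def is_escalating_probe(events, tolerance=0.15, min_events=3):
    """True when each flood starts within `tolerance` of the previous peak
    and stops strictly higher: the staircase shape of a calibration run."""
    if len(events) < min_events:
        return False
    for prev, cur in zip(events, events[1:]):
        if cur.peak_gbps <= prev.peak_gbps:
            return False
        if abs(cur.start_gbps - prev.peak_gbps) > tolerance * prev.peak_gbps:
            return False
    return True

def probe_report(lines):
    """Per target: (escalating?, vectors seen, highest volume in Gbps)."""
    by_target = {}
    for e in parse_events(lines):
        by_target.setdefault(e.target, []).append(e)
    return {t: (is_escalating_probe(ev), sorted({e.vector for e in ev}),
                max(e.peak_gbps for e in ev)) for t, ev in by_target.items()}

SAMPLE_LOG = """\
2016-09-01T02:00Z target=dns-a vector=syn start_gbps=50 peak_gbps=120
2016-09-03T02:10Z target=dns-a vector=udp start_gbps=125 peak_gbps=200
2016-09-05T02:20Z target=dns-a vector=dns-amp start_gbps=195 peak_gbps=310
2016-09-02T11:00Z target=web-x vector=syn start_gbps=40 peak_gbps=90
2016-09-04T11:05Z target=web-x vector=syn start_gbps=10 peak_gbps=60
2016-09-06T11:10Z target=web-x vector=udp start_gbps=80 peak_gbps=85
""".splitlines()
```

Running `probe_report(SAMPLE_LOG)` flags `dns-a` as an escalating probe across three flood types and leaves `web-x` unflagged, since its floods neither chain together nor climb.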

A few well-aimed DDoS attacks are all you need

The Internet is like a giant node graph, similar to a tree. Websites are just small leaves: attacking a website brings down only that website. Attacking core Internet servers, usually managed by Internet Service Providers (ISPs), is like chopping off an entire branch.

Attacking a particular set of servers, in a particular way or at a particular time, would even chop down the entire tree, shutting down the Internet.

These "special servers" include core DNS servers and the Internet's core routers. Since all of them have IP addresses, they can be reached by DDoS attacks just like regular websites.

Attackers use more than DDoS attacks

But the attackers don't limit themselves to DDoS attacks alone. Schneier says that this group is also testing companies for their ability to respond to DNS and BGP hijacking.

DNS hijacking attacks occur when an attacker changes the IP address at which a website can be reached, sending users to a server under someone else's control, which can spread false information by serving a clone website.

BGP hijacking occurs at the core-router level. An attacker can tell other core routers that a set of IP addresses can be found on its network when they are not. This sends massive amounts of traffic into a black hole, cutting off Internet traffic for the affected users.

Nation-state actors suspected

"We don't know who is doing this, but it feels like a large nation state," Schneier says. "China and Russia would be my first guesses. [...] It doesn't seem like something an activist, criminal, or researcher would do."

"The data I see suggests China, an assessment shared by the people I spoke with," the expert also adds. "On the other hand, it's possible to disguise the country of origin for these sorts of attacks."

Schneier also says that this probing is standard military espionage practice. In June, NATO officially declared cyberspace a domain of warfare, alongside air, land, and sea. Since NATO is getting ready to fight wars in cyberspace, all involved actors are now mapping out its weak spots in case we ever reach the sci-fi scenario of a cyber-war.