
net.wars: Buy ten backhoes

by Wendy M Grossman | posted on 25 October 2002


It's been kind of amazing to read about this week's denial of service attacks on the baker's dozen root servers that form the heart of the Internet. Not their nature: this kind of thing has been foreseen in broad outline for a long time. The amazing thing is that despite the foresight no one seems to have done much to stop them from happening.


Consider: all the pieces have been in place for years. In 1997, a large chunk of the Net was cut off when Network Solutions, then the monopoly registrar of .com and now a subsidiary of Verisign, bungled a zone transfer and a corrupted version of the file that maps domain names to IP numbers was propagated to the root servers. Also in 1997, domain name dissident Eugene Kashpureff managed to divert (briefly) traffic for a Network Solutions site to his own. In 1998, Jon Postel briefly had about half of the root servers getting their database updates from him rather than from Network Solutions.

He did this simply enough, by asking the root server administrators to put through the change. Postel said later that he was carrying out a test in preparation for the revamping of the domain name system. In 2000, we saw distributed denial of service attacks launched against some of the Net's biggest businesses, briefly blocking them from carrying out their main activity of the time, losing money. (Hm. Were the perpetrators frustrated shareholders?)

At a panel at the 1998 Computers, Freedom, and Privacy conference, AT&T researchers Matt Blaze and Steve Bellovin talked about these incidents in part answer to the question: If you were going to drop a bomb on the Internet, how many bombs would you drop and where would you drop them? They figured there were far more efficient ways of killing the Internet. These incidents have tended to fade from memory, since none of them have been repeated. Postel was a one-off: someone whose motives everyone trusted; he'd been handing out Internet names and numbers since he'd helped create the domain name system in 1984. There is probably no one now who would be in a position to make such a request or who could get it acted upon if they did.

Even so, it's slightly alarming how much the Net still shows its research origins: routers all trust each other, and anyone on the Net has what Blaze called "powerful" remote access to any other device on the Net. We still don't know who pulled off this week's attacks, but Wired News noted plans for something of the kind a few months back. The outage the other day hit nine of the root servers for about an hour, and Net users noticed nothing (though they would have if it had gone on longer).

The underlying situation has changed little since 1997. We continue to become increasingly reliant on the Internet for a level of service and security it wasn't engineered for. The mythology that it was designed to withstand a bomb outage is a powerful reason why: we tend to behave as though the Internet can survive anything.

In 1997, Simson Garfinkel speculated on the fifty best ways to crash the net. Oddly, the one I thought I remembered from that article isn't there: "buy ten backhoes." One of the issues the country code top-level domain registrars have been fighting about with the Internet Corporation for Assigned Names and Numbers is service level agreements: they want them. So, presumably, do the huge businesses being run from Web sites. No one buying ADSL in Britain gets a service level agreement, either: a business ADSL connection goes out, and it's out for a week, and because BT makes no distinction in terms of technical support or repair for business customers, there's no way to get it fixed faster no matter how much money you're losing or how loud you scream.

A conversation with Esmeralda Swartz, "director of strategic marketing" for Avici this week reinforced some of these points. Blaze commented in 1998 that no computer ever built has been engineered to anything like the fault-tolerance of the telephone network. Swartz says the same in 2002: voice switches on the telephone network are expected to be down only five minutes a year; traditional routers, 1200. So everyone has two, and no one can promise service levels. To be fair, many other things can go wrong with Internet connections: power outages, custard in the server, company collapse

But even if you fix the equipment reliability problem - which of course is what Avici wants to do by selling people its specially designed routers - you're still left with the fact that political wrangling, the need for backwards compatibility, and a world full of people with fat pipes, some time on their hands, and some malicious instincts mean that these kinds of attacks are going to happen. What makes the Internet interesting and special is exactly that powerful remote access: it's likely to be almost impossible to find ways to limit the damage people can do to the Net without also limiting what Net.freedoms they have. So the trick is going to be working out ways to minimize damage when an attack happens.

What I want to know is: where was ICANN in all this? Shouldn't that organization's "technical oversight" include some thought about protecting the root servers?


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).