The recent (Oct 21, 02) Distributed Denial of Service (DDoS) attack on all 13 root domain Nameservers highlighted one of the vulnerabilities of the Internet. Fortunately, the attack ceased before causing any noticeable performance problems. However, all except 4 or 5 of the root Nameservers failed. This is the first time all the root Nameservers were under attack simultaneously.

A DDoS attack is a three-step process. The first step is either setting up or commandeering (unprotected) computers on the Internet for launching the attacks. The next step is loading these computers with malicious programs (viruses). The third and final step is turning on the viruses to generate artificial packets. These artificial packets flood the network systems, causing normal functions to degrade or stop. As the Internet grows, more and more unprotected (usually home) computers are connected to it, and these are vulnerable to being used in such attacks, with their owners potentially unaware that their machines are taking part. While the attack process is well known, countermeasures and protection are not easy.

When you need to find the phone number of a person, you call the operator (or 411) to get the number. Domain Nameservers provide an equivalent function for computers: given a domain name, they return the address of the computer to be communicated with. This is known as DNS, or Domain Name Service. The computer systems that provide this service are known as Nameservers.

Thus, when the Nameservers are under DDoS attack, they are busy processing the artificial packets and are not able to perform their normal function of answering address requests. When the computers requesting the addresses cannot get responses, they are not able to reach the computers they are trying to communicate with. Normally, when there is a failure, the systems retry, and after a certain number of retries they stop. When there is a large number of such failures, the Internet stops functioning normally.

In addition to degraded normal usage, the attacks cause another critical problem. Proper functioning of the network depends on control packets (data that manage the systems) being able to propagate without bottlenecks. When the control functions fail, the result is general failure. This is similar to the traffic jams that are created when traffic lights are not working.

What is the solution? This type of network problem has been solved, but not for the Internet. Flooding does not affect the normal operation of the telephone network when there are too many simultaneous phone calls. Even though calls above the available capacity do not get through, the functioning of the network itself is not affected. This is because the control functions for telephones are performed by a completely separate network, the Signaling System 7 (SS7) network. When you make a phone call, your voice goes through one network, but the dialing, billing and other call-related information goes through the separate SS7 network. This dual architecture is a key reason for the reliability of the phone network.

In the case of the Internet, both user data and control packets go through the same network paths. This single-threaded structure of the Internet is a critical limitation in its present form. Resolving this issue is necessary for increasing the reliability and stability of the Internet.

There is widespread acceptance that the Internet is to be the universal platform for all network needs. This is known as Convergence (the merging of voice and data networks into one network). The recent DDoS attack and the underlying issues it highlighted should give pause to uncritical acceptance of ideas that have a major impact on the viability of the information economy.

Full resolution of the issues highlighted by the incident requires action at two levels. The first is technical: developing and deploying the technical capability to achieve the level of reliability necessary for maintaining the expected level of service for the Internet, so that the risks are mitigated.

The second is far more complex and difficult to resolve. The free-market system has demonstrated a tendency to fall into the "bandwagon phenomenon" time and again. The challenge is developing structural capabilities that dilute the bandwagon effect without losing the efficiencies provided by free-market systems.

George Mattathil (george.mattathil@ieee.org) founded the Strategic Advisory Group (www.strategygroup.net) as an organized channel for providing access to the network of experts and professionals he has developed. Mr. Mattathil has developed high-impact insights into the future of communication infrastructure and related industry trends. The strategic and innovative approaches he developed for addressing organizational and management issues are part of the core content of the workshops.

Strategic Advisory Group (www.strategygroup.net) bridges the capability (knowledge) gap for resolving the open issues created either by new business opportunities or by challenges. Its goal is to help you become self-sufficient by gaining the knowledge and skills required. Registration information about its seminars and workshops is available at www.acteva.com/go/strategy/.