Bringing Down The Internet

 

 

The speed at which viruses can spread is making it harder to fight them. It typically takes two or three hours to decode a virus once it's detected, says Mikko Hypponen, head of virus research at F-Secure in Helsinki. Slammer took 10 minutes to install itself on thousands of hard drives. A so-called flash virus would work even faster. A hacker would have to invest a few hours "scanning" the Internet for vulnerable computers, and then the virus could be dispatched directly to these computers in a matter of seconds. So far experts haven't detected any flash viruses, but there's plenty of scanning going on--it accounts for 10 percent of Internet traffic, by some estimates.

Viruses work on what experts refer to as the "edge" of the Internet--PCs and so forth. But computers that make up the guts of the Internet are also vulnerable to attack. For instance, when an e-mail message is sent or a Web page is called up, domain names (like NEWSWEEK.com) must be translated into numbers, or Internet-protocol addresses, which tell the information where to go. This is the job of root servers--a kind of master directory, without which Internet traffic would grind to a halt. Root servers are protected from physical attack by redundancy. There are 10 in the United States and one each in London, Stockholm and Tokyo; if all but one went down, the last one standing would still be able to keep the Internet running (albeit slowly). Security varies from one location to another. Whereas Server I, in Stockholm, sits 40 meters underground, London's Server K resides in an aboveground building surrounded by barbed wire and security guards. Root servers aren't the only physically vulnerable spots. A dozen or so big exchange points--the big traffic hubs of the Web--in the United States handle a big chunk of the world's Internet traffic; an attack on these machines might also create a disruption big enough to spread overseas. Like much Internet technology, root servers and exchange points are protected as much by ignorance as by barbed wire, and some experts worry that they're potential targets for those who would try to bring the Internet down with some combination of viruses and bombs.

Viruses have already attacked root servers. In October 2002 a virus launched a "distributed denial-of-service attack" on Internet root servers--a flood of useless information from thousands of zombie computers--that crippled nine of the 13 root servers for up to an hour. Internet service was maintained through the remaining four servers. This past July, Cisco Systems--which runs about 80 percent of Internet routers--released a software patch for a security flaw that had left its hardware open to hackers.

Software is yet another problem area. Microsoft software, by virtue of its ubiquity, is a particular worry. Last August Dan Geer, a former chief technology officer for security firm @stake, helped draft a report arguing that Microsoft wasn't doing enough to make its software secure. "The more the monoculture is pervasive, the greater your exposure to catastrophic collapse," he says. Geer was sacked the next day, and @stake said that the report was "not in line" with its views. Geer is not the only one who's been critical of Microsoft. "The way Windows is designed, once a rogue hacker or virus gets into a system, it can do all sorts of malicious damage," says John Naughton, an Internet expert at Britain's Open University. "If I were Al Qaeda, I wouldn't waste time with nuclear weapons. I'd be going to Microsoft training courses." Microsoft says it is taking steps to improve the security of its existing operating systems and is making security a priority in developing Longhorn, its next-generation operating system.

The problem isn't just Microsoft. Internet protocols--the rules that govern the Internet--were devised by academics in the days when junk e-mail was considered rude. "We have commercialized something that was never thought of as being commercial. It was never designed that way," says the SANS Institute's Marcus Sachs, a former White House staff member. "Today's Internet really is based on a prototype." The Internet doesn't have an Achilles' heel so much as thousands of soft spots that a clever, multifaceted attack could exploit. "A successful attack, like a successful business plan, does not rely on a single bit of magic, or some single good idea," says Vixie. "There has to be a large number of small components that come together in a recipe that produces the ideal effect."

Preventing such a perfect storm may require an elaborate and expensive reworking of Internet protocols and the widespread adoption of encryption, even for routine e-mail. Some experts propose building a sort of parallel Internet, made of secure routers, that would handle sensitive information. Such measures might change the Internet beyond recognition. Imagine having to pay postage for e-mail. And imagine governments around the world coming together to regulate this medium, which conquered the world precisely because it was decentralized and open to all comers. It's hard to imagine summoning the political will to undertake such a project, unless some crisis makes the need for it apparent to all.

WITH SARAH SENNOTT, KAY ITOI, MIKE KEPP AND B. J. LEE

© 2003

 