Jewish World Review

Internet's foundations shaken by dispute | (KRT) DULLES, Va. Viruses have spread through personal computers like sniffles through a kindergarten. But at the Internet's foundations, a debate is underway about whether profit or prestige does a better job preventing more crippling diseases.

VeriSign Inc., a $1.2 billion telecommunications infrastructure company, argues for profit. ICANN - the Internet Corporation for Assigned Names and Numbers, a nonprofit coalition of businesses, academics and engineers - argues for prestige.

Last week, VeriSign took the argument to court and sued ICANN for blocking its commercial ambitions. ICANN responded by lamenting, "VeriSign has again chosen confrontation over consensus."

VeriSign officials cite an unusual cyberattack from October 2002 to assert that profits make for better security.

The denial-of-service attack hit at the Internet's 13 root servers, the bedrock address books of the World Wide Web.

Nine root servers housed at universities and research centers were overwhelmed with malicious, inane inquiries arriving 70,000 times a second.

Had all 13 gone down, decay would have started spreading through the Internet's memory like Alzheimer's.

Eventually, users could have been lost in cyberspace.

VeriSign, which operates two of the root servers in northern Virginia, had enough excess capacity to stay in business.

"Those who may or may not have been viewing this as less than an Olympic sport realized there are people who want to take the Internet down," said Ken Silva, VeriSign's vice president for security.

Last September, VeriSign set off an uproar of its own by introducing a commercial guide on the .com and .net domains, which it also manages.

Anyone misspelling a Web site or looking for an unregistered one in those domains was routed to VeriSign's SiteFinder and a sprinkling of advertising.

Donate to JWR

"It's like calling directory assistance and, instead of being told that number is not listed, they refer you to a marketing pitch," said Steve Crocker, chairman of ICANN's security advisory committee.

SiteFinder disrupted filters that block spam e-mail. It disabled anti-pornography controls on computers used by the Tennessee school system.

Crocker's security committee warned ICANN that SiteFinder "considerably weakened the stability of the Internet" and set off "an escalating chain reaction of measures and countermeasures that contribute to further instability."

Stratton Sclavos, VeriSign's chairman, fired back.

"You have a quasi-government organization, ICANN, made up of purists and attorneys. You have an incredibly overzealous vocal minority that thinks everything should be free. And then you have everybody else that uses the Internet every day and doesn't know what ICANN is," he told CRN, an Internet news service. "I think this is a broken model."

After a couple of weeks of angry e-mails and the threat of legal action, VeriSign took down SiteFinder.

VeriSign's lawsuit filed Thursday in Los Angeles alleges that ICANN is interfering in its business.

Sclavos is right about one thing. This scuffle over who is the better guardian of the Internet has been offstage for ordinary Internet users.

The October 2002 attack on the root servers had no impact on routine operations. Most users also had no idea anything was happening when SiteFinder was introduced.

But both episodes took place at the Internet's foundations, where the vulnerabilities can be far more serious than the viruses that plague companies and individual users.

The Internet depends on address books that translate words and letters into strings of numbers, and then sends users to the right place.

Each Internet service provider has one.

Each Web site has at least one.

Each top-level domain (.com, .net, .org, .edu and so forth) has several.

The address book with the most fundamental information - where to find all 244 of the top-level domains - is a root server.

VeriSign operates the "A" server, a black-faced shelf of computers, in a nondescript suburban office building.

"You're probably wondering what would happen if you tossed a grenade in there," Silva said.

VeriSign's control room - where bioscans are used to keep out unwanted visitors - would be damaged in an explosion, but there would be no impact on the Internet.

Another set of VeriSign computers and connections would spring into action "instantaneously," Silva said.

One bomb or even 13 bombs hitting all the root servers at once would not take down the Internet, because back-up memory sites would take their place, agreed Crocker.

"It's pretty robust. Nothing else in the world has as much redundancy, not even the telephone system," he said. "No natural set of events would affect that many places all at once."

Silva said VeriSign's investment in security, excess capacity and redundant servers ensures the survival of the domain name system, from both virtual and physical attacks. He's not sure the other custodians of root servers are able to make those same investments.

Labs, universities and government researchers operate the root servers on a voluntary basis. Nobody gets paid to run a root server.

A tight web of consensus and peer review keeps everyone together on technical specifications and operating procedures.

This collegial arrangement was challenged on the afternoon of Oct. 21, 2002, when a denial-of-service attack was launched against all 13 root servers.

Root servers normally answer about 7,000 address queries a second. In the attack, which lasted more than two hours, questions flooded in at a rate of 70,000 per second. Eventually, technical teams installed filters that deflected the malicious queries.

The White House National Security Council, the FBI and Homeland Security officials scrambled to deal with the attack. They are still investigating to determine who was responsible.

After that, security concerns prompted VeriSign to move the "J" server from its Dulles office to another northern Virginia location.

And ICANN was pressured by many countries to create a more international system for managing Internet specifications and addresses.

One response has been to share the prestige.

"Mirrors" or clones of the root servers are coming online in other parts of the world, including South Africa and the United Arab Emirates.

They run in tandem to the 13 original servers and can take over if anything goes wrong.

Making a profit off these address books has been difficult. A government-sanctioned monopoly sold Web site addresses until 1998.

Other companies have now entered that business, though the availability of addresses is still handled by the original firm, Network Solutions Inc.

In 2000, VeriSign bought Network Solutions in a stock transaction valued at more than $15 billion. After struggling to find a way to make the acquisition more profitable, VeriSign sold 85 percent of the company last year for $100 million.

SiteFinder's appearance was widely viewed as an attempt to recoup some of VeriSign's losses.

"They want to make money," said Elana Broitman, policy director with, a company that sells Web addresses.

Broitman is chairwoman of ICANN's registrar constituency, which includes 50 of the 200 or so companies that sell Internet addresses.

The constituency passed a resolution in September saying SiteFinder had jeopardized Internet security and undermined competition by attaching itself to every unsold Internet address.

One registrar filed suit against VeriSign, claiming SiteFinder had pre-empted its own, less disruptive site guide by going deeper into the domain name system.

VeriSign has denied the charges, and says SiteFinder is a helpful tool.

"The graceful way to handle an error (in typing a Web site) is to help you get through the error," Silva said. "In our surveys of users, SiteFinder was well received by the general population using the Internet."

Crocker, however, says VeriSign "crossed an extremely important line."

"The Internet was deliberately built with the minimum amount of smarts at the core, and the maximum amount at the edges. That's what makes possible explosive innovation," he said.

"So, one of the ground rules is, don't build things too tightly to the core. But that's what they've done with SiteFinder."

Appreciate this type of reporting? Why not sign-up for the daily JWR update. It's free. Just click here.

Comment by clicking here.


© 2004, The Dallas Morning News Distributed by Knight Ridder/Tribune Information Services