acm-header
Sign In

Communications of the ACM

Inside risks

The Physical World and the Real World


Most of us rely on the Internet for news, entertainment, research, communication with our families, friends, and colleagues, and myriad other purposes. What if it went away?

Precisely that happened to many people in early February, in the wake of the failure of several undersea cables. According to some reports, more than 80 million users were affected by the outages. Both the initial failure and the subsequent recovery have lessons to teach us.

The first lesson, of course, is that failures happen. In fact, multiple failures can happen. Simply having some redundancy may not be sufficient; one needs to have enough redundancy, and of the right types. In this case, geography and politics made life more difficult.

The geographical issue is obvious when viewing the region on a map: there aren't many good choices for an all-water route between Europe and the Persian Gulf or India. And despite this series of events, cables are generally thought to be safer on the seabed than on land. (There is a standing joke in the network operator community, the essence of which is that you should bring a length of fiber-optic cable with you when going hiking in the wilderness. If you get lost, throw it on the ground. A backhoe will soon show up to sever it; ask the driver how to get home.)

The obvious answer is to run some backup cables on land, bypassing the chokepoint of the Red Sea. Again, a glance at the map shows how few choices there are. Bypassing the Red Sea on the west would require routing through very unstable countries. An eastern bypass would require cooperation from mutually hostile countries. Neither choice is attractive.

From this perspective, it doesn't matter much just why the cables failed. Cables can be cut by ship anchors, fishing trawlers, earthquakes, hostile action, even shark bites. Regardless of the cause, when so many cables are in such a small area, the failure modes are no longer independent.

For this problem, there are no good solutions. Anyone whose business depends on Internet connectivity through this region must take this into account.

The dangers aren't only physical, as several recent incidents will attest. The last few months have also shown that a 1999 National Research Council report was quite correct when it warned of the fragility of the routing system and the domain name system used for the Internet.

In one highly publicized incident, a routing mistake by a Pakistani Internet service provider knocked YouTube off the air. There was a lot of speculation that this was deliberate—the government of Pakistan had ordered YouTube banned within the country; might someone have tried to "ban" it globally?—although later analysis strongly suggests that it was an innocent mistake. An outage affecting such a popular site is very noticeable; there was a great deal of press coverage. By contrast, when a Kenyan network was inadvertently hijacked by an American Internet service provider, there was virtually no notice. Quieter, deliberate misrouting—say, to eavesdrop on traffic to or from a small site—might go completely unnoticed.

The DNS-related incidents are scarier because they do reflect deliberate actions, with the force of the U.S. legal system behind them. In one case, the Wikileaks.org Web site was briefly deleted from the DNS by court order, because a bank claimed the site contained stolen documents. (The site owners had apparently foreseen something like that, and had registered other names for the site in other countries: the .org registry is located in the U.S.) In a second incident, a U.S. government agency ordered the names of some non-U.S. sites removed from .com (again, located in the U.S.) because they violated the embargo against Cuba.

What can we learn from these incidents? The moral is simple: the Internet is a lot more fragile than it appears. Most of the time, it works—and works very well—without government interference, routing mistakes, or outages due to occasional fiber cuts. Sometimes, though, things go badly wrong. Prudence dictates that we plan for such instances.

Back to Top

Author

Steven M. Bellovin ([email protected]) is a professor of computer science at Columbia University.

Back to Top

Footnotes

DOI: http://doi.acm.org/10.1145/1342327.1342345


©2008 ACM  0001-0782/08/0500  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2008 ACM, Inc.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: