The following text is copyright 2002 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.


A resilient architecture


By Scott Bradner


September 11, 2001 was a generally quiet day on the Internet.  This was true even though the attacks in New York City destroyed some important facilities. It may not have looked that way to Internet users trying to get through to CNN and other news sources but those problems turned out to be local to the news sources.  There were also some disruptions of connectivity to a few countries, including South Africa due to poor design choices made in the past.  These are some of the conclusions reached in a recently released National Research Council report.  On a somewhat more worrisome note, the report indicates that the Internet might not fare so well if it was the direct target of a major attack.


The report, titled "The Internet Under Crisis Conditions: Learning from September 11", is available for on-line reading (through a crappy reader) or purchase at


The main reason that the Internet was largely unaffected by the events of September 11th is its underlying architectural vision.  This vision comes from some of the very early research that led to the ARPANET (see: On Distributed Communications: Introduction to Distributed Communications Network and the initial ARPANET design philosophy (The Design Philosophy of the DARPA Internet Protocols  The Internet consists of many highly interconnected individual networks, most of which are themselves highly interconnected internally.  This architecture means that the loss of major interconnection points or major communications links has little effect because the traffic just bypasses the outage through other links or interconnection points.


A few network outages did happen on September 11th where the connectivity was not as rich as it might have been or users were directly connected to network equipment that was destroyed in the attacks or which lost power in the aftermath. But these outages were isolated.  Less isolated were the very visible problems with a number of major news sites such as  These sites, or the links to them, quickly became overloaded as office workers tried to find out what was going on.  Most of these problems were fixed within a few hours as the sites did what they should have done in the first place and distributed their content among a number of redundant servers located around the network.  The same basic problem struck South Africa when it turned out that the country's name server was not replicated as it should have been, but instead was just located in New York City.


The report specifically does not attempt to predict how the Internet would perform if its infrastructure was the target of a sustained attack.  One hint came a few weeks ago when the root name servers were subjected to a denial of service attack.  In this case there was little effect, but we might not be so lucky in the future unless some of the known vulnerabilities get addressed.


This type of objective analysis of such a terrible day does make me feel funny, itŐs a bit like the FAA accident investigators saying that the engines were working just fine when the plane crashed.  It is needed, but it must not hide the human cost.


disclaimer: No joke this week.  I am not speaking for the University in the above.