Here in San Francisco, where the San Andreas fault shifts the ground beneath our feet, most of us try to ignore the fact that the Big One is coming. At VeriSign offices down the road in Mountain View, they worry about a different kind of Big One -- namely, a cataclysm that wipes out the Internet. Not only that, they pin all the responsibility for survival on a single guy: CTO Ari Balogh.
A key part of Balogh's survival plan is a $100 million global initiative called Project Titan. The goal behind Titan is to build out VeriSign's Internet infrastructure by a factor of 10 by 2010; specifically, that means pushing capacity from 400 billion DNS queries per day to 4 trillion, and pushing speeds from 20Gbps to 200Gbps. At the same time, Balogh and his team work continuously to harden the infrastructure against new kinds of attacks.
"One of the things different about Internet infrastructure is that, unlike the roads or the telephone network, you have a really intelligent group of people that are looking to tear it down for their own benefit," Balogh notes. "They're incredibly smart."
In fact, it was a "mind-blowing" new attack that sparked the launch of Project Titan, Balogh says. "We keep a road map of the kinds of things we think we're going to see in the wild eventually," he explains. "And for once, we were kind of surprised. Something that we thought would happen in 2009 or 2010 actually happened in January of last year."
Describing the threat as both very sophisticated and alarmingly simple, Balogh believes it had the capacity to overwhelm all but a handful of DNS sites. "We're talking 30Gb or 40Gb or 50Gb worth of inbound traffic," he estimates. "It would take out just about everybody but two or three or four [sites] in the world."
The immediate response was to come up with more sophisticated monitoring, pattern matching, and clustering techniques for identifying ever subtler threats, some of which masquerade as legitimate Internet traffic. VeriSign also became determined to expand the physical footprint of the infrastructure. A little more than a year later, Balogh and company have converted 10 of VeriSign's 15-plus 1Gbps and 2Gbps sites to full-on 10Gbps installations.
"We decided we needed to be a substantial enough fraction -- this was a big aha -- of the Internet capacity and bandwidth that, if we're seeing a problem that's starting to hurt us, other people are already out of bed, working on the problem, because it's killing them," Balogh explains, referring to the big carriers.
"Because if you're the only one feeling the pain," he adds, "it can be really hard to rouse people in the middle of the night."