Boardroom Minutes
Communications Sun Microsystems
March 2005
What's in a Name?

The inventor who developed Domain Name Service technology in the '80s never expected it to remain in use this long. Now his company is offering service providers a better solution.

Blaster, Code Red, Hybris, Goner, Klez, Nimda, Slapper, Slammer—chances are that at least one of these computer worms snarled your company's network, even if it didn't take your systems down completely. Servers can also choke under an unexpected spike in worm-fueled service requests from infected computers, slowing network performance to a crawl.

Unlike the innocuous creatures they are named after, computer worms are nasty and fast. Computer viruses rely on human interaction to spread, but worms act independently. After being activated on a single host computer, a worm scans for other vulnerable machines on the Internet. When it finds one, it sends out a "probe" to infect the target. If the probe is successful, the worm transmits a copy of itself to the new host, which in turn begins looking for new victims.

As more and more machines are connected to the Internet, worms can travel much faster. A well-coded worm can make a complete circuit around the world in 15 minutes, leaving thousands of infected machines in its wake and traveling far too fast for any service provider to bolster its networks by adding more servers. Worms are simply far more scalable than even the best server.

Any unexpected spike in demand, such as a widespread spam campaign, can also cause service providers' networks to stall. And like worms and spam, malicious denial of service (DoS) attacks make heavy use of the Domain Name Service (DNS) to find their victims. The result is DNS servers collapsing under the load even though they were not the original target. (DNS is responsible for translating a Web or e-mail address into the numeric IP addresses that are used to route packets over the Internet.)

As spammers develop devious new tricks—such as releasing viruses that commandeer innocent users' computers and transform them into spam-spewing machines—service providers can no longer respond by simply blocking network access to the originating spammer.

"Your best customers can suddenly turn into your network's worst enemies if their systems are infected," says Chris Risley, president and CEO of Nominum, a Redwood City, California-based provider of enterprise-class IP address infrastructure solutions. "And you certainly can't cut off their access to protect your network. Chances are you'd be violating service-level agreements if you did so."

Time to Refresh DNS

So what's the solution? In order to avoid slow Internet Domain Name Service (DNS) resolution, and the accompanying slowdown in network services that customers experience, service providers typically add more name servers to their network infrastructure.

The problem is that to simply maintain performance under growth, much less increase it, providers face the creeping and substantial costs of maintaining an ever-expanding network of name servers.

This complex infrastructure may deliver adequate performance until an unexpected load exposes the true nature of the performance problem. When Web attacks, viruses, or other network crises occur, the additional surge of DNS requests can turn a minor performance limitation into a major network availability problem, says Risley.

Risley figures his company has the answer. Among its other offerings, Nominum has developed its Foundation Caching Name Server, a high-scalability, high-availability Internet name and address solution that screens all DNS requests for malicious or malformed packets. It also provides headroom to handle an enormous number of queries.
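The article says the caching name server screens every DNS request for malicious or malformed packets and keeps headroom for query spikes. The Python below is an added example written for this page, not Nominum's or Sun's code. It checks the wire format of an incoming UDP query (header length, QR bit and opcode, question count, label and name length limits, and compression pointers that would send a naive parser into a loop), then counts queries per source address over a fixed window so that a flood from a single infected customer host is flagged rather than served. The packet bytes, addresses and the threshold of 50 queries per second are constructed for the demonstration.

```python
"""Screen raw DNS queries for wire-format errors and per-source floods (constructed example)."""
import struct

HEADER_LEN = 12
MAX_UDP_MSG = 512      # classic DNS-over-UDP limit without EDNS (RFC 1035)
MAX_NAME_LEN = 255
MAX_LABEL_LEN = 63


class MalformedDNS(ValueError):
    """Raised for anything a resolver should drop instead of trying to serve."""


def parse_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it).

    Pointers must target an offset inside the message body and strictly before
    the previous pointer (or the name start), which rules out loops.
    """
    labels, total, end, limit = [], 0, None, offset
    while True:
        if offset >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr < HEADER_LEN or ptr >= limit:
                raise MalformedDNS("compression pointer into header, forward, or self")
            if end is None:
                end = offset + 2                        # name ends after the first pointer
            offset = limit = ptr
            continue
        if length & 0xC0:                               # 01xxxxxx / 10xxxxxx are reserved
            raise MalformedDNS("reserved label type")
        offset += 1
        if length == 0:
            break
        if length > MAX_LABEL_LEN:
            raise MalformedDNS("label longer than 63 bytes")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedDNS("name longer than 255 bytes")
        if offset + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def validate_query(msg):
    """Validate one DNS query message and return its header and question fields."""
    if len(msg) < HEADER_LEN:
        raise MalformedDNS("shorter than the 12-byte header")
    if len(msg) > MAX_UDP_MSG:
        raise MalformedDNS("oversized UDP message")
    txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack_from("!6H", msg, 0)
    if flags & 0x8000:
        raise MalformedDNS("QR bit set: a response arriving on the query path")
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        raise MalformedDNS("unsupported opcode %d" % opcode)
    if qdcount != 1:
        raise MalformedDNS("expected exactly one question, got %d" % qdcount)
    if ancount or nscount:
        raise MalformedDNS("query carries answer or authority records")
    qname, off = parse_name(msg, HEADER_LEN)
    if off + 4 > len(msg):
        raise MalformedDNS("truncated question section")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass, "rd": bool(flags & 0x0100)}


class SourceRateLimiter:
    """Fixed-window counter per source address; a burst beyond max_queries is a flood."""

    def __init__(self, window_seconds, max_queries):
        self.window, self.max, self.buckets = window_seconds, max_queries, {}

    def allow(self, src, now):
        entry = self.buckets.get(src)
        if entry is None or now - entry[0] >= self.window:
            self.buckets[src] = [now, 1]                # start a new window for this source
            return True
        entry[1] += 1
        return entry[1] <= self.max


def build_query(name, qtype=1, txid=0x1234):
    """Encode a well-formed recursive query; used only to construct sample traffic."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def screen(traffic, limiter):
    """Classify (src, timestamp, packet) tuples as 'ok', 'malformed' or 'flood'."""
    verdicts = []
    for src, ts, pkt in traffic:
        try:
            validate_query(pkt)
        except MalformedDNS:
            verdicts.append((src, "malformed"))
            continue
        verdicts.append((src, "ok" if limiter.allow(src, ts) else "flood"))
    return verdicts


# Constructed traffic: two normal clients, two broken packets, and one host bursting 60 queries.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 0.0, build_query("www.example.com.")),
    ("10.0.0.9", 0.1, build_query("mail.example.net.", qtype=15)),
    ("10.0.0.9", 0.2, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 4),                       # 10-byte header
    ("10.0.0.9", 0.3, struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c\x00\x01\x00\x01"),  # self-pointer
] + [("10.0.0.7", 0.4 + i * 0.001, build_query("h%d.example.org." % i)) for i in range(60)]

if __name__ == "__main__":
    for verdict in screen(SAMPLE_TRAFFIC, SourceRateLimiter(1.0, 50)):
        print(*verdict)
```

The two checks are deliberately separate: a malformed packet is dropped before it consumes any resolver work, while a well-formed flood is counted and only its excess is refused, so a customer whose machine is infected keeps basic service instead of being cut off entirely, which is the concern Risley raises about service-level agreements.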

The company certainly knows DNS technology inside and out. Nominum's chief scientist, Paul Mockapetris, helped pioneer the Internet DNS through the Internet Engineering Task Force in 1983. He also designed the DNS architecture that is still in use today, wrote the specifications, and coded the first implementation. Mockapetris firmly believes that it's time to refresh DNS. He never expected DNS or BIND—the most widely used DNS software package for UNIX and Linux machines—to be used in today's complex telecommunications systems.

Although BIND software is free, purchasing and maintaining more servers on a regular basis starts to become an expensive proposition, even if you don't factor in the costs of necessary extensive load and performance testing, says Risley. "BIND was just never meant to handle the high-performance networks we're using it on now," he says.

Cutting the Ties That BIND

Communication service providers that use the Nominum Foundation Caching Name Server have seen significant improvements in speed and stability.

"With Nominum's solution, DNS look-ups are five times faster than BIND servers, allowing us to significantly increase our network performance and, in turn, reduce the need for additional expenditure on hardware," says Keith Oborn, DNS manager for NTL, the United Kingdom's largest cable company.

"In the past, we have suffered significant delays to our operations which were traced to the DNS," Oborn adds. "Illicit DNS traffic, caused by distributed denial of service attacks, viruses such as the Blaster Worm, and other malicious DNS packets, had placed enormous pressure on our network and caused disruptions to IT operations. We needed a DNS solution that would protect us from both external and internal network disruptions."

British Telecom is also using Nominum Foundation Caching Name Server, which runs on the Sun Solaris Operating System and UNIX. BT has more than 20 million residential and business customers in the United Kingdom.

"While evaluating the Foundation Caching Name Server, we noticed a dramatic increase in network performance, as well as security benefits, both of which provided the impetus for us selecting Nominum's software," says Jim Cavanagh, IP applications program manager at BT Wholesale. "The Foundation Caching Name Server proved to be five times faster than our existing BIND servers, allowing us to reduce future expenditure on hardware as we continue to expand our network."

In addition, Cavanagh says, the solution allowed BT to offer its customers greater speed and reliability. Ultimately, BT had a greater ability to grow its network by adding new customers and rolling out new services to existing customers.

Prepare for the Worst, Expect the Best

Of course, e-mail worms and spam blitzes aren't the only network disruptions service providers face.

U.K.-based Internet, television, and voice services provider Telewest Broadband deployed Nominum's Foundation Caching Name Server shortly before a transatlantic cable between North America and Europe was damaged in the summer of 2003.

As a result of the damage, DNS servers around the world got bogged down with name requests that needed rerouting. When DNS can't resolve names or URLs to IP addresses, it effectively takes down a network.

The problem completely overwhelmed Telewest's BIND servers, which were running at 100 percent of CPU capacity and had actually become "CPU bound," meaning that system administrators couldn't even log on to shut them off in order to reconfigure them. Meanwhile, unlike the BIND servers, Telewest's Nominum servers hadn't become CPU bound. And because Nominum's Foundation Caching Name Server supports on-the-fly configuration without a restart, Telewest administrators were able to deflect the problem immediately, without interrupting service.

Although undersea cable damage is relatively rare, other unplanned disruptions can cause similar spikes in DNS traffic that endanger network services.

"With Telewest, as with many communication service providers, the true cost of poor performance shows up not in end-user response time during normal loads, but in ongoing administrative costs and in performance under crisis," says Risley.

"But by implementing caching name servers with truly carrier-class performance capabilities, telecom providers can build more robust DNS infrastructure while reducing their overall costs."


Copyright 1994-2006 Sun Microsystems, Inc.