next up previous
Next: The Eternity Service Up: The Eternity Service Previous: Preventing Service Denial

Previous Work

Many papers purport to show that the average firm could not survive long for without its computers, and that only 20-40% of firms have properly tested disaster recovery plans. The authors of such papers conclude that the average firm will not survive when a disaster strikes, and that company directors are thus being negligent for not spending more money on disaster recovery services. The more honest of these papers are presented as marketing brochures for disaster recovery services [IBM93], but many have the appearance of academic papers.

They are given the lie by incidents such as the Bishopsgate bomb in London where hundreds of firms had systems destroyed. Some banks lost access to their data for days, as both their production and backup sites were within the 800 yard police exclusion zone [Won94]. Yet we have no report of any firm's going out of business as a result. A more recent IRA bomb in London's dockland area confirmed the pattern: it also destroyed a number of computer installations, yet companies bought new hardware and recovered their operations within a few days [Bur96].

So we can ignore most of the existing literature on availability, and indeed we have to look rather hard for respectable papers on the subject. One of the few of which we are aware [Nee94] suggests that availability has to do with anonymity -- anonymous signalling prevents denial of service attacks being selective. That insight came from studying burglar alarm systems, and it also makes sense in our publication scenario; if the physical location of the worldwide web site cannot be located, then the rich man's lawyers will have nowhere to execute their seizure order. But how could an anonymous publication service be realised in practice?

Ross Anderson
Tue Jun 17 15:08:09 BST 1997