Slashdot Mirror
Akamai DNS Outage Messes up Net
katre writes "Checking all my favorite sites this morning, I saw that about half a dozen seem to be offline. Trying to figure out why, I found an interesting article on the front page at http://isc.incidents.org/. Seems that the problems at Akamai are screwing over Yahoo, Google, Microsoft, Fedex, Xerox, Apple, and others. Whatever happened to my decentralized net with no single point of failure?"
but I believe the centralized concept of the 'net is something that is coming to an end, much to our loss. I'm pretty bothered by the fragility of this system. How many of you can't work without web access?
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
provider of real time market data...
hope the al quedas aren't taking notes on this..
Its still there, and you're using it. The only organizations affected by this are those who chose to use a service that acts as a single point of failure.
trustedworlds.net - gaming, security, and the gunk that lives in between
Whatever happened to my decentralized net with no single point of failure?
Its there. Get out your old Usenet reader. See, you still have your porn.
Know what I like about atheists? I've yet to meet one that believes God is on their side.
Whatever happened to my decentralized net with no single point of failure?
Never existed. Internet myth. The robustness is only for routing around damage.
DNS dying on you? Just throw it on the pile of other connection problems
;)
I think everyone has several "single" points of failure -- my cable modem dies at least twice a month and my wireless router conks out at least twice a day
Yahoo is already resolving through scd instead of akamai. I didn't check any of the others.
If you clear your cache, you will probably get the new entries, unless your ISP hasn't caught onto the problem yet.
vague explanation, just a link to the ISC's Incidents website and not the article, and now that site is inaccessible courtesy the slashdot effect. Nice job, now we cant even find out what's going on!
How ya doin', Al?
...I can't even get to http://isc.incidents.org/
You could still access Slashdot, couldnt you?
Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
Hmmm.
The web happened my dear friend, and it was based on the predominant distributed computing model at the time: client/server. Even DNS, with its highly distributed spread of processing and data, has a set of (overloaded) root servers with the commensurate single points of failure. The solution? Peer-to-peer.
:)
Too bad even the term P2P raises so many red flags with certain Associations of America.
This should cause some problems for akami, they had an outage may 24th. Once can be overlooked twice? these are some big companies they are going to be calling them. I bet there is some sweating techs in the cool noc right now
War isn't about who's right. It's about who's left.
You would think that the root DNS servers would be kept up to date with critical information. Just what happened, and how did Akamai get knocked around this? Did they screw with their DNS information and change their nameserver addresses or something?
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Do we know if this at all related to the Linux kernel 2.4.2x/2.6 DoS exploit discovered yesterday?
I am unable to access the server listed above from various server locations spread across the country & using different ISP's.
That's not the DNS outage problem -- the site is simply slashdotted.
Rule #1 -- Politics always trumps technology.
My Yahoo Email is down this morning, first time I can remember this happening. At least gotapex, techbargains and dealmac still work, otherwise I'd have to actually start working!
My primary point of failure is my router, the damn clip that keeps the cat6 cable plugged in the router always falls out.
:(
My central point of failure...
When Akamai's system was first announced, most people thought this was a great idea. It made sure that the sites that used this technology would always have the bandwidth they needed, when they needed it. Like with everything else in life, there's always a trade-off between preformance and reliability...
------------------
"Never Attribute to malice what is adequately explained by stupidity..."
The problem, as I understand it, is that Yahoo, Google & co. "outsourced" their DNS service.
I could have accepted that medium-big sized IT companies don't want to run their own DNS servers, but giants Google & co. should have enough money to do so instead of relying on servers located somewhere else.
Funnily enough www.google.com still works for me (thanks to DNS caching I guess)
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
I don't think this had anything whatsoever to do with any of the root servers. This has to do with Akamai's DNS servers, and the companies (domains) that are using them.
how they can screw up there entire DNS, and it's still down. It started as far as I can tell right after 8:30 or so, the last outage was due to a software update on there own site. It's now nearly 11am and it's still not working.. Man, I would think you could restore from backup at least in that time frame, and have something up for people.. Wonder if there will be an credit on the account this month...
What ticks me off about this incidents (and I suspect that there have been several in the last 6 months) is that there is absolutely no notification given, either during or after the event. During this outage, some news outlets were still reachable (including Slashdot), and a simple notification would have saved hours (* 10s of thousands of network dudes worldwide) of time and much grief from the big bosses who couldn't reach Yahoo Finance, I mean critical business web sites.
Are these guys so convinced of their omnipotence and indispensibility that they don't feel the need to communcate with the world about what is going on?
sPh
that the /.'ers aren't trying to take credit for slashdotting the entire WWW.
"Facts are meaningless. You could use facts to prove anything that's even remotely true!" -- Homer Simpson
Pwned by CNAME to Akamai?
(You can't have CNAME records for the base domain, hence google.com would have had an A record instead, whilst www.google.com would have been a CNAME to akamai)
Either things are fixed, or they've been routed around.
,you helped created a whole now one!
Amusingly enough, of all the things in the post, only incidents.org isn't working.
Way to go slashdot! You not only reported a problem
... a way to blame the outage on Microsoft instead of (or in addition to) Akamai?
(come on, it's funny. at least I didn't suggest blaming SCO...)
Akamai is a distrubuted server platform they are all over a hard target, but they are prone to software updates and virus. =)
War isn't about who's right. It's about who's left.
They are windows users. They like the blue screen of death.
When I was in grad school at Cornell, my O/S professor went on a rant about the evils of Akamai. No one believed him. Now we know he was right.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
It's not truely decentralized...
The root nameservers are the most obvious example...
The most obvious example? The fact is that there are 13 of them, in widely scattered locations across the globe, and it's not decentralized?
Damn man, what exactly would you consider "decentralized" then?
Root servers go down all the time. It's not particularly unusual. There's THIRTEEN of the things. Up to 8 have been down at once with no major effects on the network, IIRC.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I can see the logic that went into this plan:
"Well, Akamai has a few million DNS boxes, if we put everything there we'll be fine! That's not a single point of failure!"
Yeah, about that... multiple vendors may have been a good idea in retrospect instead of just one monolithic provider.
Time to re-examine the definition of Single Point of Failure.
Let's see so far today.. We had a report on Yahoo... They're down. A report to a virus linked to Symantec.. they are up and down. We always link to Google, they are having problems... wooo. Now we just need another patent from Microsoft to bring them down... which by my records shouldn't be too long.
Hmmm.
The way to solve it is get more companies out there who provide the same sevices, something not easy after the dot bust era when people dont want to take such risks.
"Slashdot, where telling the truth is overrated but lying is insightful."
The Net is decentralized... however, if several *LARGE* sites happen to be resolved through one DNS server and it crashes, people think that the 'net is down'... IIRC, Helldesk people bitch about this - people calling up and saying 'I can't get to www.mytimewastingbullshitpage.com, is the net down?' Not realizing that just becuase one or two or thirty sites are down, the net is still up....
FWIW, I missed google for all of 10 minutes, and figured it was my work ISP....
Checking all my favorite sites this morning...
Microsoft, Xerox and FedEx are some of my favorite sites too! But due to the outage I'm stuck slumming it here on Slashdot...
It's only a sinlge point of failure if you can't get to *ALL* of yout websites, instead of some.
Yeah, google didn't work and we didn't know what to do. We tested and determined the problem was akamai within a minute. So I used AIM to ask a friend who could still resolve google what the ip was. he passed it to me over aim using gaim encryption no less. We then created an alias for google on our dns server. google.ourdomain.com.
We also developed a new DNS protocol in the process. ESEDOIM: Extremely slow encrypted DNS over instant messenger. Who wants to write an RFC?
The GeekNights podcast is going strong. Listen!
I run a small ISP and we happen to have 3 of their linux boxes on our network. I've never experienced a problem with them before today. For the hack of it we decided to just reboot their servers and now things are working correctly.
For those that were wondering why it would affect DNS; Akamai somehow tinkers with DNS and BGP to redirect content to their edge servers.
As for Akamai being outdated, it still seems to me that its a good idea for Yahoo and some of the high traffic sites on the net. Akamai has thousands of distributed servers colocated with ISPs and NAPs. And they do seem to absorb nasty bursts in traffic (ie Star Report) better than a centralized server farm. But for their own sake, they better hope to not have another repeat of todays events.
It's not like a092156fg.akamai.net is in Seattle and k1039665.akamai.net is in Saskatoon. Instead, all of *.akamai.net goes to whatever cluster is "closest" to the requesting IP (based on BGP, Colonel's Secret Recipe, etc)
So if Akamai's DNS gets screwed up, I would expect major weirdness. And as more sites join EdgeSuite (where you host your entire domain on Akamai's servers & DNS) the effect must magnify.Of course, I could be completely wrong. I'm not a routing god, just a guy who thinks Akamai is a cool hack.
From NANOG:
From here neither www.google.com, nor www.apple.com work. Both seem to return CNAMES to akadns.net addresses (eg, www.google.akadns.net, www.apple.com.akadns.net), and from here all of the akadns.net servers listed in whois are failing to respond.
I wonder why these companies wholly switched their nameservers over? Why not have #1 and #2 be Akami, and #3 & #4 be your own nameservers? Preferably on different coasts or in different countries.
This would seem an obvious solution. You are allowed to have many nameservers you know...
Natural != (nontoxic || beneficial)
I was thinking about this while scrambling to answer the phone, check outage reports, and generally calm down customers.
:) )
If a product or service, such as Akamai, does their job very well, everybody will want to use them. If everybody uses them, you create a single point-of-failure. Any design flaw in that product or service becomes a disaster, simply through volume. Does this mean a successful product or service can actually be a bad thing for people?
Other examples include just about anything from Microsoft, older versions of Sendmail and BIND (worm-of-the-week problem), and Firestone tires.
(I'm not trying to advocate communism, excessive government regulation, or anything like that. So fanatical libertarians, conspiracy theorists, etc., can put down the rant-o-matic flamethrowers.
Comments?
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
- Whatever happened to my decentralized net with no single point of failure?"
[Homer] Welcome to the internet my friend, how may I help you?CB
free ipod and free gmail!
Akamai didn't mess up the net. Akamai messed up some web sites that are akamai customers. Remember kids, www is only a subset of the internet, and akamai customers a small fraction of the www.
The real cost of a web site dropping is a lot more difficult to figure out than you might imagine. Say Amazon goes down for a couple of hours. Are all those potential sales lost forever? I doubt it. Some people will just come back and order later. The firm is unlikely to see any long term impact unless the outage becomes habitual. Non-retail sites probably have even more flexability. About the only area in which an outage could have a real, long term adverse impact would likely be in financial services. If Schwab goes down for half a day they will suffer big time for a long time. If you're talking "the economy" as in the big picture economy" suffering - forget it. Web based commerace isn't that important yet.
most big sites have changed their DNS CNAMEs to point directly to one of their datacenters rather than relying on Akamai to route users to the "nearest" datacenter.
SIGUSR1
Judging by the response time of isc.incidents.org, I'd say slashdot is the single point of failure.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
Whatever happened to my decentralized net with no single point of failure?
You didn't pay the rent.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Later they can post an 'incident report' on the slashdotting they're experiencing right now!
I noticed this problem this morning when I was hunting for an updated version of YahooPOPs. I wasnt getting replies from Google. I opened another FirePanda window and my homepage, slashdot, was working fine (Hey look at that on the homepage, Yahoo changed their mail service today, no luck for YahooPOPs). I tried yahoo, altavista, even msn in different tabs but I wasnt getting anywhere.
I tried pinging google and I was getting a reply so my first thought was, there is something terribly wrong at verizon DSL. I must make the most of what fragmented connection I have now before its down all day and I'm stranded actually doing work.
Thats when I started opening every story on slashdot's homepage in different tabs and setting them all to threshold 3, threaded... Just incase.
Come to think of it, I'm going to change my slashdot bookmark from slashdot.org to 66.35.250.151 just incase of DNS failure.
Need my SlashCrack
Im dreaming ofa big bndwdth, That can resist the
Seriously we need a *.sht domain.
So I wasn't the only one who couldn't get to Google the Great. Fortunately, Dogpile still worked. I used that meta search engine until Google started getting big and beating all the others in turning up relevant search results.
I wonder if Google will now turn to fully manage all their assets themselves...
Please correct me if I got my facts wrong.
It appears that, at around 8:30 AM EDT (US Eastern Daylight Time), Akamai's DNS network experiened some kind of major failure. All of their DNS servers (that anybody could find) were not responding to DNS queries. It appears that Akamai started to come back online at around 10:00 AM EDT.
Since a great many big name sites use Akamai, this effectively made large parts of the Internet unreachable. The destination servers themselves were up, but clients were unable to turn names (like www.example.com) into network addresses (like 192.0.2.42).
As Akamai maintains dozens, if not hundreds, of DNS servers across the globe, it is extremely unlikely that this was due to a normal equipment failure or DoS attack. Some kind of internal system trouble is much more likely. Whether a deliberate attack, or an accident, is unknown to me at this time. It could just be an internal configuration change blew up in a really bad way. Sh*t happens.
I do not know if this was just an Akamai DNS problem, or if other Akamai services were also affected.
Due to the way Akamai is usually implemented, it happened that, in many cases, the second-level domain names (like example.com) worked, but subdomains (like www.example.com and mail.example.com) did not. This is because most organizations put in CNAME records (pointing to names in *.akadns.net) for the subdomains. You cannot use a CNAME record for a domain that has other records, though, so most domains still had traditional A records, on their own nameservers, at the second-level.
The following sites/organizations are known to use Akamai: Yahoo, Google, Microsoft, Altavista, FedEx, Xerox, Apple
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Not too long after 9/11, I was surfing the net and needed to look up something at the Library of Congress for one of my classes. It wouldn't connect. At first I thought we'd just lost DNS (not so uncommon an occurance at my university in those days), but found I could still connect to slashdot.org and some other sites.
.edus mostly.) The ones that replied, I plotted on a US map based on their DNS LOC. (A project I wrote for a previous class.)
Being a geek, I thought up a list of about 30 sites to ping, scattered across the US. (.govs and
I freaked out a bit when the mid-atlantic seaboard came up missing. I crossed my fingers hoping that it was just some idiot who'd accidently cut one of the main fibers (which it what it ended up being) and not that Washington DC was now a big hole in the ground.
A preposition is a terrible thing to end a sentence with.
I remember when people were bashing Microsoft for using Akamai caching to avoid Windows Update getting hit by the first RPC worm (the one that was patched two months beforehand), since Akamai used Linux and it was somehow amusing that Microsoft chose that caching service.
If Akamai was running on Windows servers, I guarantee it would have been mentioned in both the headline and in the article summary today. But instead it's just mysterious "DNS issues." It's kind of like how when that Windows source code was stolen, Slashdot reported on it yet neglected to mention that the code was stolen from a hacked Linux computer at a company called Mainsoft.
Just little slants in reporting I can't help but notice.
Take a look at what internic.net gave me on some of these domains....
F REAK.ORG.RULEZ.AND.DIOX YTECH.NET.DELETED.GANDI.NET. SIMPLECODES.COMA USE.LINUXISGOD.CO M
M ICROSOFT.COM.OHMYGODITBURNS.COMV ES.JU1C3.COMO MM O FT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COMM .IS.A.STEAMING.HEAP.OF.FUCKING-BULLSH IT.NETC ROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COMM .HAS.A.PRESENT.COMING.FROM.HUGHESMISS ILES.COMC OM
MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COMC ROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NETC OM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT. EXEGETE.NET
. COM.TWIXTEARS.COMB CENTER.COMM S .1337.AS.SEARCH.GULLI.COMM . COM
7 .AS.SEARCH.GULLI.COM
T H.SEARCH.GULLI.COM I NE .THAN.SECZY.COM
Microsoft.com
----
MICROSOFT.COM.SUX.BUT.PYRO
MICROSOFT.COM.SMELLS
MICROSOFT.COM.SHOULD.GIVE.UP.BEC
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
MICROSOFT.COM.LO
MICROSOFT.COM.LIVES.AT.SHAUNEWING.C
MICROSOFT.COM.IS.NOT.AS.COOL.AS.SIMPLECODES.CO
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
MICROS
MICROSOFT.CO
MICROSOFT.COM.HAS.TEH.GAY.OMFGLOL.COM
MI
MICROSOFT.CO
MICROSOFT.COM.FLINGS.POO.AT.MONKEYCORE.
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MI
MICROSOFT.
MICROSOFT.COM
Yahoo.com
---
YAHOO.COM.WANADOODOO.COM
YAHOO
YAHOO.COM.TW
YAHOO.COM.SUPERC
YAHOO.COM.SG
YAHOO.COM.PURRFURRED.CO
YAHOO.COM.OPTIONSCORNER.COM
YAHOO.COM.IS.N0T.A
YAHOO.COM.DALLARIVA.CO
YAHOO.COM.BR
YAHOO.COM.BERKELEYNATURALBEAUTIES
YAHOO.COM.AU
YAHOO.COM
Altavista.com
---
ALTAVISTA.COM.IS.N0T.AS.133
ALTAVISTA.COM
Apple.com
---
GOOGLE.COM.SUCKS.FIND.CRACKZ.WI
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENG
GOOGLE.COM
DNS was designed to be robust enough. Not one root server but many (ok, that's the weak point, we've all seen many DDoS against them, but it's not THAT bad). All zones are handled by their own servers, and (in theory) multiple servers for each zone. All in all, it's not a bad design.
If what happened was that someone put all the servers behind one link, it's not DNS' fault, the BOFH there screwed up (and considering it's akamai, they should not have done that).
(If that's not what happened, sorry, I couldn't RTFA, it's slashdotted or there's some sort of DNS problem there too).
GPG 0x1B479C78
If you want to have a true dialogue instead of fingerpointing with "nah-nah" gibes, you'll have to actually state which films you're talking about and what were the quotes that are "out-of-context".
Newsfollow.com
From NANOG mailing list again:
Google pulled references for akamais dns servers a short period ago. they are presently serving their own dns requests.
Also:
People seem to be getting around this by changing their DNS entries.
E.g. www.yahoo.com always used to be a CNAME for www.yahoo.akadns.net. But
now:
# host www.yahoo.com
www.yahoo.com is an alias for www.dcn.yahoo.com.
www.dcn.yahoo.com has address 216.109.118.64
www.dcn.yahoo.com has address 216.109.118.65
www.dcn.yahoo.com has address 216.109.118.66
www.dcn.yahoo.com has address 216.109.118.67
www.dcn.yahoo.com has address 216.109.118.68
www.dcn.yahoo.com has address 216.109.118.69
www.dcn.yahoo.com has address 216.109.118.70
www.dcn.yahoo.com has address 216.109.118.71
www.dcn.yahoo.com has address 216.109.118.72
www.dcn.yahoo.com has address 216.109.118.73
www.dcn.yahoo.com has address 216.109.118.74
www.dcn.yahoo.com has address 216.109.118.75
Which is owned by Yahoo! (via HotJobs.com).
Whatever happened to my decentralized net with no single point of failure?
Outsourcing and consolidation.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Handlers Diary June 15th 2004
m sg05267. html
Updated June 15th 2004 14:31 UTC (Handler: Lenny Zeltser)
Akamai DNS outage
Akamai DNS problem
Starting at around 8:30 am EDT (12:30 UTC), a number of sources started to report a widespread Akamai DNS issue. Large web sites, which use Akamai for its DNS service, did no longer resolve. Effected sites are Yahoo, Google, Microsoft, Fedex, Xerox, Apple and likely many others.
At this time (10:30 am EDT), some effected domains removed the Akamai DNS servers and are reachable again using their own DNS servers.
Typically, the domain itself (e.g. 'google.com') still resolves, but popular hostnames, like 'www.google.com' will not resolve. As a result, the web site is no longer reachable.
The effect appears to be world wide. Some of the Akamai servers do respond to pings, but do not respond to DNS queries.
posts to the NANOG mailing list regarding this issue:
http://www.merit.edu/mail.archives/nanog/
It's never too late to have a happy childhood.
Hmmm, corporate whore much? Slashdot, Debian and my own two sites seem to be working just fine. Maybe the sites you choose to visit just don't get the 'net and it's decentralized nature.
Nathan's blog
Comment removed based on user account deletion
For 10 years I was a net junkie. If I didn't get my email, news, laugh, or enough time on my fav mmorpg then I was twitchy and grouchy.
:)
:) But while I'm here in the states, I *need* to be connected. I think because everybody else is.
Then, two years ago my wife and I decided to take a year off and go tour SE Asia, mainly Viet Nam.
Yes, they have Internet there but it is mainly in Internet cafes, which are hot, crowded, and quite slow. There are dialups but once you've lived on broadband for such a long time the dialup becomes something you use only when you have to. And so that was what happened. Internet became something that was used when needed. I still checked my email regularly but instead of every hour it was every 2 or 3 days, same with Slashdot.
I had a few personal (programming) projects I was working on which fit nicely onto the laptop, along with a good 20gig of mp3s. I was amazed at how fast I detached from the net. My productivity shot thru the roof, namely because my concentration was focused.
Even here in the states I have yet to reach that state of Zen again primarily because, even though I try, I know the net is right there. The little net thoughts nag at you.
But, back to the topic. You would be amazed at how much technical work you can accomplish without the net being there.
Would I give up what I have now and go back? You bet. Would I miss it? Nope. Broadband is used for P2P or games. That's all I use broadband for anyway.
On a global scope, 99% of all the really cool groundbreaking stuff in the last 100 years, computer or not, was done detached from the net.
and folks often do... witness the onerous "personal contracts" you have to sign to get into the music business, where you are essentiall a creative wage slave and don't own your stuff. non-compete and discoveries-belong clauses in your work contract also sign your rights away to The Man. similarly, if you register your DNS information independently and run your own servers, your ISP and its uplines do the same, and so on including all the sites you visit, you theoretically should not be captive to any of the commercial DNS services.
as I understand it, akamai is a distributed content hosting/caching service that also does DNS server services. they put a blade in your local ISP under contract, and popular pages from their customers serve off the local akamai server cache. they handle the DNS for those sites as I understand. if their blade caches get fed evil data, you get evil data, and www.fartblossom.org may disappear.
you can kill DNS by screwing up your own router, too. lots of ways to kill a distributed service that requires everybody to cooperate on a common set of standards and parameters.
if this is supposed to be a new economy, how come they still want my old fashioned money?
The problem is that those sites created their own single point of failure by all using Akamai for DNS. When Akamai DNS fails, sites that depend on it for their own DNS fail.
It used to be nearly impossible for this to happen. The original rules for DNS were that you had to have at least 2 nameservers for your domain, preferrably 3 or more, and they couldn't be on the same physical networks. With that rule having a single network go down rarely made any domain unresolvable (backbone networks whose outages could render dozens or hundreds of other networks unreachable being the exception). Maybe we should put the old nameserver-diversity rules back into place.
This was years ago (3? 4)... I set up a novell server and setup dns on it as a forwarder and pointed workstations to my novell server for dns.
One of the neat things was the log screen that showed dns actions and you could follow the trail of dns requests to see how they were resolved. what makes this not O/T is that i beleive that this went into a log.
The reason that I think about that is, if DNS stopped working, i'm not sure that i have cached numbers that i could easily get to....
eric
You know, in hawaiian, "akamai" means smart...
I was only pointing out that his example was bad.
.com traffic goes to Verisign's control, etc, etc.
In this case, Akamai had some sort of major issue. Okay, fine. Fair enough.
But the root servers themselves are a bad example to point to for a "single point of failure". They're not. The root servers, by themselves, are very robust, widely scattered, and any one of them can, in theory, handle the whole load. Admittedly, for the root, that load ain't a heck of a lot by comparison.
Now, the DNS system itself has several thousand single points of failure, depending on how you define failure. Like you said, all
The root servers, however, are not one of these points of failure. They do what they were meant to do.. to be the root DNS servers. Several can fail and the root lives on.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I guess seeing things like "PWD=/usr/ms/win2k_sp1/private/security/msv_sspi" isn't enough to convince this troll. So do a Google search, like I said. The code was taken from one of Mainsoft's hacked Linux machines. This was already reported in the past on other sites.
Robert
Unless the server that lives at IPaddress W.X.Y.Z only hosts 1 server, and that server has it's documents in the server root folder. Most webservers any more use virtual name services to map HTTP requests to the right "web server" and set of documents.
My personal server runs 7 domains with 12 or 13 sites. Some have real docroot folders, some use the default "you aren't looking in the right place" set of docs. But using an IP address to access a web site probably won't work in these days of many servers per machine.
This space for rent. Call 1-800-STEAK4U
My god... with google down my effective IQ is 12!
Who promised you THAT?
I wouldn't presume they use any for their dns funtionality, but fact of the matter is Akamai does have a small proportion of windows servers in their distributed clusters. Seen 'em with my own eyes.
It is misleading to refer to the box as a "Linux" box. Was it really the kernel that was at fault for the machine being cracked, or was it a bug in one of the daemons that the machine was running? There are differences between a Linux box that runs BIND and another that runs EZ-DNS (or whatever).
How about this: Instead of labelling the Akamai boxes that have problems as "Linux" boxes, label them as "BIND" boxes, or whatever DNS server it is that it runs. Perhaps there's a FreeBSD machine in there that is having similar problems.
It is allowable, though, to refer to a Windows box as just that. MS ships an all-in-one product, and seldomly do admins use Windows to run BIND, Apache or other OSS servers.
All of this hand-ringing in an effort to paint "Linux" as bad, or as "just as bad" is dopey. One might as well point a finger at the administrator of the machine that was hacked, the services that were running on it, etc. Most Windows problems are caused by the same thing too. It is wiser to point at the admin (and the services one chooses to run) than to point at the OS, or the kernel.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
I've been on-line a lot today and didn't even know those sites were down. Didn't effect me in the least. The internet, by it's nature, will always be plagued by the occasional downtime of various services here and there. But in the end, the Internet keeps moving right along.
Think about the worst thing that's ever happened to the Internet and how much that really impacted your daily activity. I don't know about you, but it's always been local connectivity failures that have caused me the most trouble. The occasional site being down really doesn't make a big difference.
This sig has been temporarily disconnected or is no longer in service
...according to this story at washingtonpost.com The story says it was a distributed denial of service attack against Akamai, among others.
...because you never know who you're dealing with.
They are telling me that it was indeed an attack, but an attack aimed not only at them but other companies as well.
I wonder what really happened and who else was attacked..
umm...have you forgotten what article thread you're posting in? :-P
...and that's the way the cookie crumbles.
Summary:
Between approximately 8:30 AM ET and 10:45 AM ET (GMT +4 hours) on Tuesday, June 15, 2004, some Akamai customers using Global Traffic Manager (FirstPoint), NetStorage (Akamai Content Storage), and Akamai services that utilize Global Traffic Manager and NetStorage experienced performance and availability issues.
This incident resulted from a sophisticated, large-scale attack on Internet infrastructure. This attack impacted Akamai's Internet naming functionality (Domain Name Service or DNS), and resulted in delays in DNS name resolution and, in some cases, timed-out DNS requests. Some end users trying to reach affected sites would have experienced slow responses from the Akamai name servers, potentially resulting in page time-outs. The attack did not cause an outage in Akamai services, as Akamai continued to serve DNS requests. However, the amount and nature of attack traffic created degradation in performance.
The problem was quickly detected by Akamai's automated monitoring systems, and Akamai personnel identified the root cause as a large Internet attack. The attack was mitigated by a combination of actions by Akamai to adjust our infrastructure in response to the attack, along with working with network partners to shut down the source of the attack.
As result of these actions, all Akamai services had returned to normal operating performance by 10:45 AM ET.
Akamai is continuing to work closely with several network partners and legal authorities around the world to identify both the nature of the attack and its intended targets.
We regret any inconvenience this may have caused you or your users. Please contact your Akamai Customer Care representative at 1-877-4-AKATEC (1-877-425-2832) if you have any questions.
Service Note: One of the actions taken during the attack was to temporarily increase the DNS TTL (time to live) on responses being returned from Akamai. This action is helping end-users cache successful responses for longer, thus improving service.
Pretty cool stuff, to be sure.
But all of the proprietary stuff means that there's only one implementation. There's no RFC describing what they do. There's no alternate implementations that might show flaws. There's no cross-checks that outsiders might provide.
Like others have said, it's a mono-culture. And they've done it so well, there's been no interest in creating a set of standards or IETF working group to try and create the multiple, compatible offerings that might guard against mono-culture (and give customers a chance to avoid vendor lock-in.)
The Register must be wrong about this. I used to work at Akamai, and I feel pretty damn sure that no one crashed those servers by getting *on* them to run the 20-line snippet of code that locks the kernel (assuming we're talking about the kernel lock exploit that was being widely discussed recently; it requires shell access).
What is much more likely is that somebody found a way to DDOS the Akamai top-level name servers, or that configuration files containing incorrect/conflicting/nefarious information were pushed out to the top-levels.
Knowing how many stages and checks there are in the Akamai deployment procedures, and how much monitoring there is of the network health, I would be astonished if someone managed to foobar the top-levels with a bad configuration. A co-wortker of mine did it once, a long time ago, so I guess it *could* happen, but it was one of those perfect-storm sorts of things. And even then, it just slowed things down a little - certainly not enough to make the news like this.
(Score:5, Insightful, right...) Actually, it was. If Google et al were all using a single Akamai backbone TCP/IP routers and they went down, they would be affected as well.
Google was using some DNS servers as their DNS servers (NSs for their domain zone). Their servers went down and then Google was unreachable because their DNS was down, nothing more. Nothing magical about DNS per se. TCP/IP routing was working but this hardly means DNS is any more "centeral point of failure" than TCP/IP. Google should not rely on a single network of DNS servers and it would be fine, because DNS is designed in such a way and has been for over twenty years.
The problem here is the bastardization of DNS standard by Akamai. DNS records should be cached on recursive name servers. Google is used everywhere. If Google had sane TTL and expiration times set for their zone, their zone would be cached by every ISP in the world and their DNS servers could be down for a week and no one would even notice.
This is how DNS should work, can work, and have been working for literally decades. Please read RFC 882: DOMAIN NAMES - CONCEPTS and FACILITIES (P. Mockapetris, November 1983), RFC 883: DOMAIN NAMES - IMPLEMENTATION and SPECIFICATION (P. Mockapetris, November 1983), RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES (P. Mockapetris, November 1987) and RFC 1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (November 1987).
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."