Slashdot Mirror


Akamai: How They Fought Recent DDoS Attacks

yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.

231 comments

  1. Wow by Anonymous Coward · · Score: 5, Funny

    "We wired a million dollars into the attackers' Swiss account."

    That's shocking!

    1. Re:Wow by Anonymous Coward · · Score: 0

      million dollars to code a new version of TFN2k ..lol

  2. Trade-Off by cynic10508 · · Score: 5, Insightful

    The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.

    1. Re:Trade-Off by Ignignot · · Score: 4, Insightful

      Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.

      --
      I submitted this story last night, and it didn't get posted.
    2. Re:Trade-Off by Pharmboy · · Score: 5, Insightful

      Even with our little network (2 T1s, several servers) we do the same thing. Different OS versions, Bind builds, even Apache implementations. NS1 is dedicated on a slow but extremely robust dual cpu box, all other boxes have a primary task and act as a back up for other tasks. At this small level, it's not THAT hard to do, although it takes some preplanning and maintenance. Even the outbound linux router has an offline spare with a different version of Linux and completely different firewall/NAT configuration in case the first gets taken down.

      IMHO, when it comes to providing IT services, if you are not paranoid, you are crazy.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Trade-Off by Tony-A · · Score: 3, Insightful

      Now all we need is a concise cost/benefit analysis.

      Life versus death?

      What you want out of backups and backup systems isn't so much that they are as good as or better than the primary systems, but that they are as independent as possible. Backing up OpenBSD to Windows 95 is not as stupid as it looks.

    4. Re:Trade-Off by Crinos · · Score: 1

      Okay, this may be off-topic, but it's always bugged me. What do big companies base "damage" estimates on? IIRC, some/one of the companies during the whole Kevin Mitnick deal claimed that he caused $80 million in damage... how is this number figured?

      --
      The Sacred Chao says, "MU".
    5. Re:Trade-Off by Anonymous Coward · · Score: 5, Informative

      Akamai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

      Mod this whole story down "-1 incorrect".

    6. Re:Trade-Off by Jad+LaFields · · Score: 1

      Reading your post "damaged" me and my productivity -- during that time I could have gone and bought an instant scratch-off lottery ticket and won.

      I'll be expecting your $20 million in the mail if you don't want to be sued.

      --
      [SIG] It's like putting a moose in the blender -- a recipe for disaster!
    7. Re:Trade-Off by lambent · · Score: 3, Interesting


      Basically, it works like this ... they make it up. Kind of. In the Mitnick case, they took the product he stole (software), deemed it now unusable because it was leaked, and said 'we could have sold $80 million to users ... now we can't.'

      Also, man hours get factored in, sometimes two or three times over, including the man hours that were used to create the product in the first place, as well as to re-create the product again.

      It's all very stupid, and nobody believes a word of it except the courts.

      Cause they're dumb.

      (shrug)

    8. Re:Trade-Off by cynic10508 · · Score: 1

      Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.

      Fair enough. But what I was thinking of was more of a metric. What are the costs associated with various hardware and software systems? Then, at what point does the added complexity and cost overwhelm the security benefit?

      Side note: the security benefit would have to be a metric unto itself also. Perhaps the number and severity of vulnerabilities per release, etc.

    9. Re:Trade-Off by Anonymous Coward · · Score: 2, Interesting

      but, no single point of failure. A knock on one weakness in Akamai's network does not bring the whole thing down. That is probably a critical factor in Akamai's business plan.

    10. Re:Trade-Off by bastardadmin · · Score: 5, Insightful

      If you are Akamai, your uptime isn't everything, it is the only thing.

      In their case maintaining a hybrid infrastructure makes perfect sense.
      Remote exploit in IOS? No problem, the Juniper/Extreme/Linux/OpenBSD router in failover config takes over while patching goes on.

      And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

    11. Re:Trade-Off by Anonymous Coward · · Score: 0
      We've got a web-server "cluster" of two systems running MONO's ASP.Net and Microsoft's ASP.Net.

      'course we're doing it just to prove we can; but it's kinda cool.

    12. Re:Trade-Off by Anonymous Coward · · Score: 0

      I don't care what hardware or software you're running. A Denial of Service attack affects them all equally. If someone jams your fat pipe your fat pipe is jammed. Period. How many different kinds of hardware and software servers has slashdot slashdotted? Same difference.
      To top it off many of the sites they serviced were frustratingly slow or unavailable due to timeouts so I think the attackers did exactly what they wanted to accomplish. I think their intent was to bend not break akamai and they did it until they decided to stop not when akamai or anyone else decided to stop them.

    13. Re:Trade-Off by freqres · · Score: 2, Insightful

      At least now in federal courts, any monetary damages used to determine sentencing must now be presented and supposedly proven in front of a jury during the trial. Much better than the federal prosecution creating huge dollar sum damages during the sentencing phase with little burden of proof. I guess the Supreme Court gets something right every so often (much like the blind squirrel and his nuts I guess).

      --
      Rampant Ninja related crimes these days...Whitehouse is not the exception
    14. Re:Trade-Off by Anonymous Coward · · Score: 4, Insightful

      So, in this case, not only did the submitter not read the article, but neither did the editors. I actually read the article and it was blatantly clear that the whole heterogeneous argument was *not* in reference to Akamai.

      I just have one question: what exactly do the slashdot editors do? I thought they were there to screen incoming submissions. But obviously they don't. Basically, if that's their only job, they suck at it.

    15. Re:Trade-Off by johnnyb · · Score: 4, Insightful

      However, you are preventing your entire infrastructure from being nailed by a single exploit. With a monoculture, a single flaw exploited by a worm can destroy pretty much everything. With a mixed setup, although you have more possible entrances, each one allows a lot less damage.

      If I have 1,000 troops, if I keep them all in the same fort, they will be a formidable force, unless I find the right weapon (like a nuke). If I keep them in 10 different forts spread throughout the country, although each one of them is more vulnerable individually, I have eliminated the possibility of everything being wiped out in a single blow.

    16. Re:Trade-Off by SpaceCadetTrav · · Score: 1
      And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

      Usually the opposite is true.

    17. Re:Trade-Off by DAldredge · · Score: 1

      They look up the max their insurance will pay and use that number; ;->

    18. Re:Trade-Off by Anonymous Coward · · Score: 0

      you must read really slow

    19. Re:Trade-Off by cynic10508 · · Score: 1

      Akamai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this. Mod this whole story down "-1 incorrect".

      Except I never said it was Akamai. They do cite BIND.

      Mod this however you choose.

    20. Re:Trade-Off by alib001 · · Score: 1

      Slightly faulty analogy there, IMO.

      Distribution of troops isn't analogous to using different systems because they would still be vulnerable to the same kind of attack.

      The equivalent of the heterogeneous approach used by Akamai would be more along the lines of the troops being equipped or trained differently and housed in different types of forts e.g. deep underground.

    21. Re:Trade-Off by Hatfieldje · · Score: 0

      Unless you hit the planet with a Black Hole Generator, in which case they're more than likely all affected.

      --
      for maximum effect, the preceding post should be read monotone and at a steady cadence
    22. Re:Trade-Off by OneArmedMan · · Score: 2, Interesting

      Over-specialize and you breed in weakness..

      It's slow death.

    23. Re:Trade-Off by Anonymous Coward · · Score: 0

      I said "mod this whole story", not "mod this post".

      I was referring to modding down the entire Slashdot story (in a tongue-in cheek fashion), not your post, which was a perfectly valid response to the Slashdot summary.

    24. Re:Trade-Off by Anonymous Coward · · Score: 0

      True...unless you make a lot of use of proprietary protocols, there is no reason why you can't have two different core routers, i.e. a Juniper and a Cisco. I myself have found for some reason, the Juniper routers seem to handle these attacks much better than Cisco. I suspect that is due to the fact that Cisco routers are highly software dependent and the Juniper offers more of a hardware/ASIC based solution...which seems to be able to route packets at a faster rate. Extreme...well...they extremely suck. Had a couple of 3808 switches that sunk like a stone when faced with any kind of multicast at all. Even tiny amounts. Whole switch locks up. We finally tossed the darn thing. Just a thought for layer three...don't go Extreme.

    25. Re:Trade-Off by Anonymous Coward · · Score: 0

      Just my opinion, but really, this goes back to what is the value of intellectual property? How do you determine the value of an idea, or in Mitnick's case (the little beast) the value of Solaris (I think it was worth 80 mill) source code prior to it becoming all that is Solaris. If memory serves, one of Mitnick's greatest treasures in his many expeditions (love Mitnick...don't care what anybody says) was Solaris itself from Sun. And as we all know, Solaris went on to be hugely successful and a huge part of Sun's whole business model. Can't say I agree with what Kevin did, but it sure made one hell of an interesting story, and I think we can all relate on some level. Think of it this way...if Kevin had not been caught...can you imagine? What would have been next? And in this day and age...oh boy. People debate his skill level, which in my opinion, was quite good. You have to remember how long ago all that went down. That was back in the early days. Most of us were lucky to be screwing around with a Commodore when Mitnick was out plundering the world.

    26. Re:Trade-Off by Anonymous Coward · · Score: 0

      The Germans proved otherwise:
      http://en.wikipedia.org/wiki/Blitzkrieg

  3. Sys admins by FortKnox · · Score: 4, Funny

    'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

    Wow, your sys admins and help desk must LOVE supporting that!

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Sys admins by Anonymous Coward · · Score: 0

      wtf would Akamai do with a help desk?

    2. Re:Sys admins by darthv506 · · Score: 1

      Talk about job security!

    3. Re:Sys admins by cephyn · · Score: 1

      Its easy. the "You have a non-standard configuration" excuse applies to everyone.

      --
      Moo.
    4. Re:Sys admins by ron_ivi · · Score: 5, Insightful
      different operating systems ... Wow, your sys admins and help desk must LOVE supporting that!

      I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

      When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.

    5. Re:Sys admins by Anonymous Coward · · Score: 0

      And Microsoft hates them with a passion?

    6. Re:Sys admins by Anonymous Coward · · Score: 0

      Do you think the admins of Akamai are calling a help desk for troubleshooting routers, switches, and name servers?!?

    7. Re:Sys admins by SpaceCadetTrav · · Score: 1, Insightful

      Actually, at 3AM they're probably still awake, trying to figure out how to get all these different systems to behave exactly the same under normal operating conditions.

    8. Re:Sys admins by Anonymous Coward · · Score: 0

      Your reasoning is entirely wrong. Sysadmins love diverse networks only because they can pad their resume.

    9. Re:Sys admins by Anonymous Coward · · Score: 1, Insightful

      different operating systems ... Wow, your sys admins and help desk must LOVE supporting that!

      I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

      When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.


      Actually, they love it because when the pager goes off at 3AM, they know the backups are able to take over so they can work on what is causing the problem, and have everything back up and running by 8:00am when the boss walks through the door. Otherwise they end up scrambling at 3:00am to get something, _anything_, up and running so your critical services can be restored BEFORE working on the problem at hand.

    10. Re:Sys admins by Anonymous Coward · · Score: 0
      I'd phrase that a bit differently. Sysadmins love diverse networks so they can broaden their skills.

      Padding resumes is usually done via useless certs.

      If these guys are actually administering the diverse systems, they're actually learning something, so I wouldn't call it padding.

    11. Re:Sys admins by LookSharp · · Score: 4, Insightful

      Can I ask an obvious question here?

      Who the atech-ee-double-hockey-sticks runs "dos-based" systems anymore? I thought Microsoft abandoned the technology starting in 1995, and I personally submitted the "official end of life for DOS support" article to Slashdot several years ago.

      We run heterogenious systems and support them because they provide different benefits and features for our many needs. Sometimes Windows OS servers actually are cheaper, more stable, and easier to support than their Unix counterparts. Sometimes not.

      For instance, we have WebSphere running on Solaris and AIX as an app server platform, and it is great for high volume and failover. But we spend far more time (proportionally) troubleshooting that technology (and the hundred or so servers that run it) than the .NET application servers running on Windows 2000. As an app environment .NET is stable and actually quite fast, and run on much less expensive equipment. However there are only four of them and failover between boxes is sketchy, so on the rare occasion that there is a non-code related outage, it takes longer to get the environment back up to spec.

      Just my anecdotal experience.

    12. Re:Sys admins by yerfatma · · Score: 1

      Put people on hold.

    13. Re:Sys admins by Anonymous Coward · · Score: 0
      I think he was making fun of people who think a diverse set of operating systems means Win95 and WinNT. Kinda like the Windows Exec who was once quoted as saying something like
      "it runs on all operating systems - MS-Dos, Windows3.X, Windows 95, and Windows NT"

      I personally submitted the "official end of life for DOS support" article to Slashdot several years ago.
      Oh! That was true? I remember that, but thought it was just another BSD-is-dead troll. :-)

    14. Re:Sys admins by Anonymous Coward · · Score: 0
      WebSphere running on Solaris and AIX [...] .NET is stable and actually quite fast, and run on much less expensive equipment.

      Nice FUD. Doesn't WebSphere run on the identical "much less expensive equipment"? We run WebSphere on a PC. Are you saying .NET runs on something even lighter-weight than a PC!!!

      Or perhaps you were thinking about the Novell/Mono implementation of .NET, which'll run on a cheaper linux box than WinXP'll run on such as an XBox. :)

    15. Re:Sys admins by mysticalreaper · · Score: 1

      I know you were being funny... but you raise a good point. In reality the reason why the root servers are diverse is because they're run by different organizations. Check it out: www.root-servers.org. That's why they have different server setups. And different locations, and etc.

      So in reality the sys admins admin just one system (or copies of it in multiple locations) and there isn't a helpdesk for the root servers. The sys admins KNOW their shit at the root servers. Can you imagine if they had a root-server helpdesk they could call... that would be wild.

    16. Re:Sys admins by Anonymous Coward · · Score: 0

      You, sir, are no heterogenious.

      I also advise you to consult a dictionary to learn the meaning of anecdotal.

    17. Re:Sys admins by LookSharp · · Score: 1

      heterogenious.

      Your sad attempt at being "punny" is spelled wrong.

      I also advise you to consult a dictionary to learn the meaning of anecdotal.

      "Based on casual observations or indications rather than rigorous or scientific analysis"

      I think I used the term right. And I can't believe I'm wasting my time replying to someone who can't even be bothered to identify themselves.

  4. Wow... by kraksmokr · · Score: 5, Funny

    They've achieved deliberately what happens naturally in a lot of other companies.

    1. Re:Wow... by jallen02 · · Score: 2, Funny

      There is something to be said for a controlled chaos ;)

      Jeremy

    2. Re:Wow... by BelugaParty · · Score: 2, Funny

      like linux? ;)

    3. Re:Wow... by Anonymous Coward · · Score: 0

      Actually, in Akamai's case Linux is the "monoculture".

  5. WRONG! by Anonymous Coward · · Score: 5, Informative

    It says the root servers use different stuff, not akamai. RTFA.

    1. Re:WRONG! by Travis+Fisher · · Score: 5, Informative
      Exactly! Correct quotes from the article:
      • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."
    2. Re:WRONG! by Anonymous Coward · · Score: 0

      And just think of poor Oliver Twist being taken advantage of by Akamai...err... wrong article.

  6. security by obscurity.. by klang · · Score: 4, Insightful

    nobody knows what they run, so nobody can make a decent attack ..

    1. Re:security by obscurity.. by stratjakt · · Score: 5, Insightful

      Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.

      But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneously come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

      It's more proof of what I've always said, there is no "perfectly secure" OS in existence.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:security by obscurity.. by qtone42 · · Score: 3, Insightful

      Oh, yeah. We got Death Star.

    3. Re:security by obscurity.. by lambent · · Score: 1


      couldn't you just launch 144 attacks simultaneously, knowing that at least 1 would work on each server?

      Kind of like the old days ... you'd go into an irc channel, and just let the bots fly without doing any verification, because you knew at least one bot would work on most of the people.

    4. Re:security by obscurity.. by Anonymous Coward · · Score: 0

      I know what they run, I used to work there, and no I will not tell you, their nondisclosure agreement is about 10 pages long.

      It really isn't all that complicated, a lot of what is deployed is a minimum of 3 servers and a switch. Vendors of the servers vary, but all of them are major players in the server market at one time or another. Now what operating system is loaded onto each system varies greatly, and can be changed at any time. There are many different versions of a lot of different OS that might be on a system.

    5. Re:security by obscurity.. by Anonymous Coward · · Score: 0

      **It's more proof of what I've always said, there is no "perfectly secure" OS in existence.**

      huh? how does this prove that? it doesn't. there can be a perfectly secure os, the less the features the cheaper it would be to build - but it certainly is _possible_.

    6. Re:security by obscurity.. by Anonymous Coward · · Score: 0

      Not really. You can assume that they run everything. The problem is that in order to have a massive impact you have to launch about a dozen simultaneous attacks.

    7. Re:security by obscurity.. by cynic10508 · · Score: 2, Informative

      nobody knows what they run, so nobody can make a decent attack ..

      Well, Kerkoff (sic) said in his principles of security to make the paranoid assumption that attackers will always be able to know what you have and/or how it works. So he says security only by obscurity isn't security at all. Kind of like the ostrich sticking its head in the sand and hoping the lion doesn't see it.

    8. Re:security by obscurity.. by Cat_Byte · · Score: 0
      But servers B, C, D, E, F, G, etc are immune to your attacks on server A.

      Careful with that mindset. Many *nix zealots think this way & don't even think of things like being a haven for viruses to spread through the network. Get on server A, copy a few viruses, then wait for users on B-G to open one of them via NFS, Samba, ftp, etc.

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    9. Re:security by obscurity.. by Tarential · · Score: 1

      Why has no one mentioned OpenBSD? I mean, yes, they have had *one* hole in eight years, which was *very* quickly patched. I'd say that at least deserves a mention here.

    10. Re:security by obscurity.. by Anonymous Coward · · Score: 0

      Hmm... Not a bad idea...

      New OFF/OS. Runs quickly, completely securely, and cheaply. Takes up 0MB of space, and runs on every platform with an on/off switch. It's even been ported to "Empty case".

    11. Re:security by obscurity.. by Anonymous Coward · · Score: 0
      But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneously come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

      Actually, it's better than that. If the probabilities are all independent (taking down one doesn't help you take down another one) and if the probabilities are all equal (your chances of taking down one system are as good as any other), then it is not 12 times as difficult. Instead, your odds of success (which are always a number less than or equal to one) are raised to the power of 12.

      So, if you have a 75% chance of success at taking down one server, the chances you could take down all twelve are only 3.17%. If you have a 50% chance of taking down one server, your chances of taking down all twelve are 0.024%. And if they are really vigilant about security and you only have a 10% chance of taking down each one, then your chances of taking down all twelve are 0.000000001%.
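      A worked version of this calculation, added here as an example and not part of the original thread. It models the point argued in the "Trade-Off" replies above (a monoculture falls to one exploit; a mixed fleet needs one working exploit per platform but exposes more holes overall) using constructed, hypothetical fleets and per-platform exploit probabilities. The model assumes that one working exploit against a platform takes down every host running it, and that exploits against different platforms succeed independently of each other; it also carries the "12 independent systems" figures from the comment above through the same code.

```python
from math import ceil, log, prod

# Constructed, hypothetical fleets: platform name -> number of hosts.
# Twelve hosts in both cases; only the platform mix differs.
MONOCULTURE = {"linux": 12}
MIXED = {"linux": 3, "freebsd": 3, "openbsd": 2, "solaris": 2, "windows": 2}


def p_all_down(exploit_p):
    """Probability the attacker knocks out every platform at once.

    exploit_p maps each distinct platform to the probability that the
    attacker has (or finds) a working exploit for it.  Under the stated
    assumption, a total outage needs one success per platform, and the
    successes are independent, so the probabilities multiply.
    """
    return prod(exploit_p.values())


def p_any_down(exploit_p):
    """Probability that at least one platform (hence some hosts) goes down.

    This is the cost side of diversity: more platforms means more
    independent chances for the attacker to get in somewhere.
    """
    return 1.0 - prod(1.0 - p for p in exploit_p.values())


def expected_survivors(hosts, exploit_p):
    """Expected number of hosts still up after the attacker tries every platform."""
    return sum(n * (1.0 - exploit_p[platform]) for platform, n in hosts.items())


def platforms_needed(p, target):
    """Smallest number of independent platforms so that P(total outage) <= target,
    when each platform falls with probability p (0 < p < 1).

    Solves p**k <= target for the smallest integer k.
    """
    return ceil(log(target) / log(p))


def uniform(hosts, p):
    """Assign the same exploit probability p to every platform in the fleet."""
    return {platform: p for platform in hosts}


def compare(p=0.5):
    """Side-by-side figures for the monoculture and the mixed fleet at per-platform probability p."""
    results = {}
    for name, hosts in (("monoculture", MONOCULTURE), ("mixed", MIXED)):
        ep = uniform(hosts, p)
        results[name] = {
            "all_down": p_all_down(ep),
            "any_down": p_any_down(ep),
            "survivors": expected_survivors(hosts, ep),
        }
    return results


if __name__ == "__main__":
    for name, r in compare(0.5).items():
        print(f"{name:12s} P(all down)={r['all_down']:.6f}  "
              f"P(any down)={r['any_down']:.6f}  E[hosts up]={r['survivors']:.1f}")
    # The figures from the comment above: twelve independent platforms.
    for p in (0.75, 0.5, 0.1):
        twelve = {f"os{i}": p for i in range(12)}
        print(f"12 platforms @ p={p}: P(all down)={p_all_down(twelve):.3e}")
    print("platforms needed @ p=0.5 for P(all down) <= 0.03%:", platforms_needed(0.5, 0.0003))
```

      The two fleets have the same expected number of surviving hosts, but the monoculture's outcomes are all-or-nothing (P(all down) equals P(any down)), while the mixed fleet trades a far smaller chance of total outage for a near-certainty that something is down somewhere. That is exactly the trade the thread is arguing about; the model says nothing about bandwidth-exhaustion DDoS, which hits every platform alike.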

    12. Re:security by obscurity.. by Fizzl · · Score: 1
      nmap -P0 -O n1g.akamai.net
      Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
      Interesting ports on a194-251-253-69.deploy.akamaitechnologies.com (194.251.253.69):
      (The 1548 ports scanned but not shown below are in state: closed)
      Port State Service
      22/tcp open ssh
      80/tcp open http
      376/tcp filtered nip
      443/tcp open https
      500/tcp open isakmp
      1434/tcp filtered ms-sql-m

      No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
      TCP/IP fingerprint:
      SInfo(V=2.54BETA31%P=i586-pc-linux-gnu%D=7/8%Time=40EC7A50%O=22%C=1)
      TSeq(Class=RI%gcd=1%SI=1F401F%IPID=Z%TS=1000HZ)
      TSeq(Class=RI%gcd=1%SI=11EFD5%IPID=Z)
      TSeq(Class=RI%gcd=1%SI=1F401F%IPID=Z%TS=1000HZ)
      T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
      T1(Resp=Y%DF=Y%W=16A0%ACK=O%Flags=AS%Ops=MNNTNW)
      T2(Resp=N)
      T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
      T3(Resp=Y%DF=Y%W=16A0%ACK=O%Flags=AS%Ops=MNNTNW)
      T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
      T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
      T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
      T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
      PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

      Uptime 25.981 days (since Sat Jun 12 02:01:13 2004)

      Nmap run completed -- 1 IP address (1 host up) scanned in 11 seconds
      ms-sql-m filtered? Whatta... (Microsoft SQL Monitor, port 1434)
      Come to think of it, might just be to ignore all that SQL worm spam.
  7. Quote misattributed by RML · · Score: 2, Informative

    Unfortunately, the "We deliberately use different operating systems, different name server implementations..." quote is from Paul Vixie, president of the Internet Systems Consortium, and it's about the root name servers, not about Akamai.

    --
    Human/Ranger/Zangband
    1. Re:Quote misattributed by tcopeland · · Score: 4, Informative

      > Quote misattribute

      Exactly. And Vixie goes on to say that Akamai can't do that because "the cost would 'drive their accountants crazy.'".

      But I'm not sure having diverse bits of gear is such a huge cost. Wouldn't it instead be a way for sysadmins to broaden their experience and learn more about which tools are best for which jobs?

    2. Re:Quote misattributed by jj_johny · · Score: 2

      I noticed this too. Do you have to read the article to get your topic posted on /. or can you just put together random quotes that seem interesting?

    3. Re:Quote misattributed by Anonymous Coward · · Score: 0

      Meanwhile, is business getting done then? And does a business CARE that Sysadmin Joe is REALLY getting smart at that Dynix system when the transaction server is down better than 10-20% of the time?

      The workplace is not a classroom, nor should it be treated as such. Yes, you'd better learn there, but you learn as you go, and always with an eye to doing your job.

    4. Re:Quote misattributed by NekoXP · · Score: 2, Insightful

      Having your sysadmins LEARNING how to use new architectures, procedures and so on costs money - because their time is on salary, you pay for that learning process, their lack of knowledge in the beginning adding time to solving problems, and bringing in help costs more because you'd prefer they'd have that broad experience already.

      Remember.. [insert product here] is free if your time is worthless.

      Neko

    5. Re:Quote misattributed by tcopeland · · Score: 1

      > is business getting done then?

      Yes.

      > the transaction server is down
      > better than 10-20%

      I'm not sure that necessarily follows from having a diverse collection of gear.

      > The workplace is not a classroom,
      > nor should it be treated as such.

      Of course it is, and it should be. Usually it's referred to as "on the job training".

      > you learn as you go,

      Right on.

    6. Re:Quote misattributed by nacturation · · Score: 2, Funny

      Do you have to read the article to get your topic posted on /. or can you just put together random quotes that seem interesting?

      The editors don't read the articles, so why should the submitters be subjected to the same burden?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    7. Re:Quote misattributed by 2names · · Score: 5, Insightful
      The workplace is not a classroom, nor should it be treated as such.

      If you have not realized that every place is a classroom, then, my friend, you have not learned a single thing.

      --
      "I'm just here to regulate funkiness."
    8. Re:Quote misattributed by maduro55 · · Score: 1

      Random quotes work well in the absence of fact and substance.

    9. Re:Quote misattributed by johnnyb · · Score: 2, Interesting

      The problem is not really the costs, it's the accounting. When you have a large enough company to have an accounting department, a lot of weird things start happening. Not all of it is bad, it's just that managing large amounts of money and equipment is a lot different than handling small amounts of money and equipment.

      Accounting has to be able to cost-justify purchases, otherwise they would be open to easy abuse. Therefore, you have to show that they need sufficient load on the servers to justify the expenditure. On top of that, the expenditure has to be written off periodically across 3 years for tax purposes. Therefore, it is going to come off the bottom line a little at a time for the next 3 years.

      Anyway, dealing with accounting is a funny process, and reason does not always win out.

    10. Re:Quote misattributed by crache · · Score: 3, Funny

      Some days I don't even read the blurb. Just glance at the title and troll accordingly.

    11. Re:Quote misattributed by Paul+Jakma · · Score: 1

      it's about the root name servers

      No, it's about "one" particular root nameserver, F-root, which is the root ISC operate. It's one IPv4 address, but actually a whole bunch of machines located across the world.

      --
      I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  8. Re:I R 0wn j00 by FortKnox · · Score: 4, Funny

    When you say "It didn7 w0rk" are you talking about the "Post Anonymously" checkbox?
    Just askin you big hacker, you.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  9. Lack of diversity by phasm42 · · Score: 1, Redundant

    If I read it right, one of their problems was their lack of diversity -- they all use Akamai's proprietary DNS.

    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    1. Re:Lack of diversity by phasm42 · · Score: 3, Interesting

      Also, Paul Vixie is the founder of ISC, not ITC. What a shoddy article write-up -- two blatantly obvious mistakes I caught by skimming the articles got front-paged.

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    2. Re:Lack of diversity by KarmaMB84 · · Score: 1

      Not doing so would inflate costs dramatically.

    3. Re:Lack of diversity by phasm42 · · Score: 1

      I was talking about the write-up -- the quote was attributed to Akamai's servers, when it was actually talking about ISC's servers (ISC, not ITC as the write-up says).

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    4. Re:Lack of diversity by Anonymous Coward · · Score: 0

      This would be true except that there is currently no hint of what the attack actually was. According to at least one report from the folks at one of the big sites using Akamai, the attacks were against big customers like Google and Microsoft.com, not directly against Akamai, so smaller sites remained online using Akamai services.

      Whether that report is true, it's clear that you can't make claims about "what made Akamai vulnerable" when neither they nor the analysts have published a single word about the nature of the attack.

    5. Re:Lack of diversity by Russian+Voyeur · · Score: 1

      sure

  10. intentional or not by cjwl · · Score: 4, Insightful

    I have to wonder if the diversity of systems was an intentional choice of theirs way back to face these kinds of attacks or if it just grew that way from rapid growth and having their systems spread all over.

    They survived the attack and "Oh yea, we MEANT for it to happen that way".

    I think it's spin.

    1. Re:intentional or not by Radon+Knight · · Score: 2, Insightful

      > I think it's spin.

      Maybe so, but there's a kernel of truth there. Diversity in biological systems produces robustness. If you have a rich genetic code in a species, you're more likely to have a subset of the population that will survive a new virus, disease, etc. Given the complexity of networked computer systems, is it really that surprising that we're finding certain survival techniques which work well in nature work well when applied in alternative environments?

      That idea's not new, and it's not well-defined. However, I would certainly like to see it made more precise and analyzed so that we can see just what, really, lies at the bottom of that otherwise vague analogy.

    2. Re:intentional or not by Gyorg_Lavode · · Score: 1

      I do find it interesting that software has grown to a diversity and distribution among an interrelated network that we can now start treating it as biological diversity. I wonder if there are any other correlations and possibly assertions we can make with regard to this relationship.

      --
      I do security
    3. Re:intentional or not by Demonspawn · · Score: 1

      I had an extremely deep conversation with a co-worker once about computer virii and life. We came to the conclusion that if we define biological virii as 'life' then we must define computer virii as 'life' as well. They both mutate, they both propagate by infecting hosts. The only main difference we could find was one was carbon based and the other was electron based (we equated inactivity due to the computer being shut down with cryogenic stasis of a biological host).

      --Demonspawn

    4. Re:intentional or not by NeoSkandranon · · Score: 1

      An interesting consideration.

      However, I can't imagine why else they would create such a morass of systems and implementations (Gotta be a support nightmare among other things)

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  11. Speeking of... by after · · Score: 1, Interesting

    I don't know how related these two things are, but the AfterNET IRC network has been ^H^H^H^H^H^H^H is being flooded with SYN packets and is -down-.

    Is this related to these DDoS attacks?

    1. Re:Speeking of... by downbad · · Score: 1

      I doubt it. IRC networks get DDoSed all the time.

    2. Re:Speeking of... by joeldg · · Score: 0, Redundant

      like Afternet
      they are totally hosed right now due to a huge ddos.
      see http://www.afternet.org/ for all the gory details

    3. Re:Speeking of... by Anonymous Coward · · Score: 0

      Who cares about some tiny irc network no one ever uses anyway

    4. Re:Speeking of... by jo42 · · Score: 1

      > IRC networks get DDoSed all the time.

      Why?

    5. Re:Speeking of... by downbad · · Score: 1

      I'm not sure. All I know is that a lot of IRC networks I've been on have suffered crippling DDoS attacks, and a lot of sysadmins I've talked to don't allow their users to run IRC servers because it usually results in them being hacked/DoSed.

  12. They never mention percentage of users impacted by pornaholic · · Score: 5, Interesting

    > Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.

    The only statistic they offer is the percentage of customers that were impacted. To me this hints of trying to play down the severity of the situation. When only 2 percent of your customers comprise (following is a made-up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

    1. Re:They never mention percentage of users impacted by gl4ss · · Score: 1

      How many percent of their customers' customers noticed something to be 'wrong' would be the more meaningful stat..

      --
      world was created 5 seconds before this post as it is.
    2. Re:They never mention percentage of users impacted by NekoXP · · Score: 1

      Only if your made-up statistic is correct.

      If Akamai's 2% of affected customers only comprised, for example, 5% of their total traffic, it would still be not-a-big-deal, wouldn't it? Since you have no accurate statistics on Akamai's total traffic, number of customers or anything like that either, why bother to err on the side of negativity?

      Is it Slashdot policy to see conspiracy in every situation?

    3. Re:They never mention percentage of users impacted by freqres · · Score: 1

      > why bother to err on the side of negativity?

      Because that's what makes it Slashdot (me puts on tinfoil hat and underpants).

      --
      Rampant Ninja related crimes these days...Whitehouse is not the exception
    4. Re:They never mention percentage of users impacted by merlin_jim · · Score: 1

      > you're lying by omission by only giving customer statistics.

      There are lies, damn lies, and statistics.

      Believe me, you can take any set of numbers and put whatever spin on them you want; one small fact can not paint a picture by itself. The real question is how accountable are you to the people you're quoting statistics to... in this case, the audience of the message is their current customer base, in hopes of retaining them, and potential customers, in hopes of not scaring them away.

      In both cases you have an ethical responsibility to represent the facts as fully as possible... the proper, ethical way, to represent this kind of statistic is to provide several different views of the data. Oh and no charts. It is surprisingly easy to lie with charts... there are several how-to style books on the subject, both from the point of view of creating and recognizing such. I'm sure amazon search would be happy to help you find it.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    5. Re:They never mention percentage of users impacted by DA-MAN · · Score: 1

      > When only 2 percent of your customers comprise (following is is a made up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

      I would bet that anyone who has services from akamai is fairly high traffic, otherwise what is the point. Akamai's not cheap, and people wouldn't be using Akamai if there wasn't a need!

      That said, I doubt 2% of their customers would be responsible for 80% of the traffic. . .

      --
      Can I get an eye poke?
      Dog House Forum
  13. What do they do? by BlindSpy · · Score: 0, Offtopic

    What does this company do, and if their "different hardware" defence is so good, why'd they get attacked?

    --
    Whoever dies with the most toys wins.
    1. Re:What do they do? by Tmack · · Score: 4, Informative
      For not knowing about the recent Akamai attacks, you must have just joined /. or been hiding in a cave for the past few months. Basically, a bunch of the recent worms that have been going around have a client built into them for targeted DOS attacks, and most of them target various servers in Akamai's network. For not knowing who Akamai is, you are just lazy. Try www.akamai.com. Akamai is a large hosting company (they estimate 15% of ALL internet traffic goes through them), hosting sites such as Microsoft. As for why the attack? Why does any site get attacked? Akamai is also a very large target, this attack just happened to disrupt service to 2% of its customers for a short time. And since you probably didn't RTFA, it was due to their DNS implementation. The rest of the article read like an ad for a new beast of a security server, and the article as a whole was rather uninformative and boring. The "Akamai got attacked" part was only in the first few lines.

      tm

      --
      Support TBI Research: http://www.raisinhope.org
    2. Re:What do they do? by Anonymous Coward · · Score: 0

      The article was fairly confusing, true, and did seem to advertise a honking hardware fix for DDOS. But try actually reading the Akamai website. They are *NOT* a hosting company. They run a sophisticated web proxy and distributed web streaming service. They won't call it that, for various marketing reasons, but that's all it really is.

    3. Re:What do they do? by Anonymous Coward · · Score: 0

      Um, no offence, but you sure come off as an arrogant jerk, FYI.. "You should know everything.. if you don't, you should have looked. If you didn't, you don't deserve to breathe.."

  14. The submitter is WRONG. by TheAmigo · · Score: 3, Informative

    The submitter's description of the article was completely incorrect and backwards.

    Diversity of hardware makes ROOT DNS SERVERS more defensible. Akamai is NOT diverse, and they do not want to be.

    1. Re:The submitter is WRONG. by BlindSpy · · Score: 1

      aah - that's what I was asking in my post right above yours.

      --
      Whoever dies with the most toys wins.
    2. Re:The submitter is WRONG. by stratjakt · · Score: 0, Flamebait

      You're right. Akamai runs that shitty linux system. No wonder they were so easily knocked out.

      --
      I don't need no instructions to know how to rock!!!!
  15. Re:I R 0wn j00 by lambent · · Score: 1

    Some people aren't afraid to make a crappy joke using their own name, just as some are not afraid to run it into the ground.

  16. Submitters and Editors, RTFA! by adavies42 · · Score: 4, Insightful

    The quote on diversity is by Vixie wrt the roots servers--it's a criticism of Akamai! Jesus H. Christ, it's in the first paragraph!

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
    1. Re:Submitters and Editors, RTFA! by yootje · · Score: 1

      The only thing I can say is that I'm sorry. I'm just fucking stupid, that's it.

  17. MacOS classic? by bluethundr · · Score: 1, Offtopic

    I've often wondered how a Mac running Classic on a beefy box as a server would stand up to an attempt to h4x0r it. To really get at it, seems to me you would have to get to the base underpinnings of the OS on some level. Which are arcane and hard to master, even (I'm told) to seasoned Mac programmers.

    Not that I'm implying that it would be invulnerable to some attacks (like DDOS) but surely it seems that many of your other bases would be covered.

    --
    Quod scripsi, scripsi.
    1. Re:MacOS classic? by 192939495969798999 · · Score: 1

      I have used macs since they came out, and I never saw a virus on a "happy mac" (Mac Classic or earlier). You used to see SE/30's and such running file / print servers for years and years,with no probs. They're like tiny mainframes, but with a sweet GUI. And yes, I still have one, yes it still works, including the original mac carrying case!

      --
      stuff |
    2. Re:MacOS classic? by freqres · · Score: 3, Funny

      > a Mac running Classic on a beefy box

      You mean like a Quadra 950 (~35lbs.) or a pallet of hamburger helper?

      --
      Rampant Ninja related crimes these days...Whitehouse is not the exception
    3. Re:MacOS classic? by rpbailey1642 · · Score: 4, Interesting

      I remember reading an article about the US Army using classic Mac for their webservers for just that reason. Hey, a URL: http://www.wired.com/news/politics/0,1283,21725,00.html

    4. Re:MacOS classic? by Anonymous Coward · · Score: 1, Informative

      Back in the System 6 days, viruses like WDEF and NVIR were really common. At least in the college labs I was in.

      You can bet a hostile AppleTalk programmer could DoS and hack those things to hell. They're great for trusted networks tho.

    5. Re:MacOS classic? by Lohrno · · Score: 2, Informative

      I remember Several, init/cdev A, init B, etc.

    6. Re:MacOS classic? by Anonymous Coward · · Score: 0

      The problem with old-world Mac OS is that once you own it, you really do own it.

      If you can exploit a buffer overflow in old-world Mac OS you can do anything : you can access any memory, you can do any system call, no questions asked. I have never been a Mac programmer but I've seen the Mac system call interface, and I don't see any reason why an overflow payload couldn't do anything it wants.

    7. Re:MacOS classic? by Lohrno · · Score: 1

      Augh! CDEV was not a virus, it was another name for those startup things... Oh well, I guess it is kind of hard to keep arcane jargon straight. :)

    8. Re:MacOS classic? by TheTranceFan · · Score: 1
      Yep, you're right. Shared memory space, no memory protection. But finding buffer overflows is so hard, compared to just getting the trusting user to just run your code for you.

      One way we (a bunch of Apple engineers and the author of VirusRx) thought of, back in the day, but never saw, was to embed a virus in a pr0n QuickTime movie, which allowed embedded codecs. All the victim has to do is have a peek at the QT movie, and bang - 0w3nd. For all I know this is still possible.

    9. Re:MacOS classic? by bluethundr · · Score: 1

      > Augh! CDEV was not a virus, it was another name for those startup things... Oh well, I guess it is kind of hard to keep arcane jargon straight. :)

      In MacSpeak CDEV is also known as a "control panel" and init is an extension. Those are the little icons that marched across your screen when you were booting up.

      By the way, very interesting comments all. Does anyone care to clue me in as to why my original post on this topic was modded completely down? Must admit to being a little clueless on that one. Might be a dumb question, but I had to ask.

      --
      Quod scripsi, scripsi.
    10. Re:MacOS classic? by Anonymous Coward · · Score: 0

      "...embed a virus in a pr0n QuickTime movie, which allowed embedded codecs. All the victim has to do is have a peek at the QT movie, and bang - 0w3nd. For all I know this is still possible."

      Doubtful.

      I believe that used to be one of the deep dark secrets. (Disinfectant's author found some too). I captured an undocumented Trojan+boot virus on System 7.5.5, 68k Quadra Mac in a similar way - it was an amazing thing to see, it even owned the SCSI boot sectors - reinstalls were meaningless. Emulated processes and passed messages in Icon files, wrote on the clipboard to AppleScript.
      It was an education to observe.
      After months of trying to capture (fool it) anything more than a floppy I found a RS 6000 emulator from a MackHack CD and ran it. It then was sidetracked enough that I burned the system to CD.
      A VERY interesting little OS, with a lot of secrets.

      Keywords here are:
      MacLinkPlus and IRIX 6.5.5 documentation CD
      (nevermind ;-)

      Classic and Bazaar.

      Sign Me,
      Anonymous Coward

  18. This is an ad! by isaac · · Score: 5, Insightful

    This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.

    Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
    1. Re:This is an ad! by Jeff+DeMaagd · · Score: 1

      I wondered what was amiss. I think that fits.

      What the heck is "deep" packet processing anyway?

  19. afternet by joeldg · · Score: 1

    maybe that is what afternet should do..
    they are totally hosed right now due to a huge ddos.
    see http://www.afternet.org/ for all the details

    sucks

    1. Re:afternet by Anonymous Coward · · Score: 0

      "are" or "will be" after everyone clicks on your link? I sure ain't gonna contribute though, 'tis mean!

    2. Re:afternet by NemosomeN · · Score: 1

      I clicked on his link but nothing happened.

      I Think you dropped these: <A HREF=", ">, Afternet, and </A>

      --
      I hate grammar Nazi's.
    3. Re:afternet by Anonymous Coward · · Score: 0

      LOL, you couldn't figure out that wasn't a link, but just text to cut and paste? Back to internet grade 1 for YOU!!!

    4. Re:afternet by wulfmans · · Score: 1

      I, as an Afternet Server Admin, lost my colocation to this DDoS. Of all the ISPs that the DDoS came from that I have mailed with logs, only one has removed the IP address/account from the internet: that was telus.net. Why do the ISPs punish the victim of an attack? We all need to ask this question of our providers. Maybe we should point our DNS at Microsoft.com while the DDoS is going on so Windows machines can attack other Windows machines; after all, all the machines that were doing the DDoS were infected Windows boxes on fat pipes. Maybe the FBI would get an interest. As it is, the FBI said they really did not care about the DDoS.

  20. Authors should try readin the article by rgmoore · · Score: 4, Insightful

    > According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC.

    Actually, according to the article the diversity approach is part of what's used to defend the DNS root servers, not Akamai. Vixie specifically mentions that this approach is not practical for an ordinary content provider like Akamai because, 'the cost would "drive their accountants crazy."' I'm dubious about just how helpful diversity would be against a DDoS attack in the first place. Diversity won't solve the problem of requests coming in faster than they can be processed.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

    1. Re:Authors should try readin the article by elrusoloco · · Score: 1

      Correct - the diversity in this case pertains to the root-node servers, not Akamai's own.

    2. Re:Authors should try readin the article by mysticalreaper · · Score: 1

      > Diversity won't solve the problem of requests coming in faster than they can be processed.

      You're correct, rgmoore. For DDoS you get big phat internet pipes and routers in front that can absorb the extra load. Plus you can anycast the servers. Also, you make the server not a single server, but a high-performance cluster of servers, capable of handling severe loads.

      And believe me, the root servers have done all these things, and more. The root server performance is really one of the best things about it. It just doesn't fail. And the operators continue to be vigilant, and take their responsibility seriously.

      Anyway, diversity helps against platform-specific attacks, and the roots have other systems in place for other types of attacks.

  21. Re:Trade-Off - TCO by axis-techno-geek · · Score: 2, Funny
    MS products running on MS hardware with MS support contracts gives the best cost/benefit.... to MS :)

    Just ask MS, they will tell you.

    --
    This is not the sig line you are looking for... -- Old Jedi Sig Line Trick
  22. Re:Never heard of syn cookies or what? by Burdell · · Score: 4, Informative

    SYN cookies are for TCP connections (because TCP uses a three-way handshake to set up a connection). DNS uses (primarily) UDP traffic, which is connectionless (there is no "stateful" connection with UDP). SYN cookies do no good when your DNS servers are under attack.
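    The handshake Burdell describes, as an added example that is not part of this thread or Akamai's code: a toy SYN-cookie listener in Python. It shows why the trick only works for TCP. The server encodes everything it needs into the SYN-ACK's sequence number and allocates connection state only when the third packet proves the peer can actually receive at the claimed address; a flood of spoofed SYNs therefore costs no memory. A DNS query over UDP is a single datagram with no such round trip, so there is no point at which a name server could apply the same check. The cookie layout (5 bits of coarse time, 3 bits of MSS index, 24-bit keyed hash), the addresses, ports and secret are all constructed for illustration and are not the layout any real kernel uses.

```python
"""SYN cookies: a stateless TCP handshake, and why the trick has no UDP analogue.

Added illustration (not the commenter's code). The cookie layout is a simplified
version of the classic scheme: 5 bits of coarse time, 3 bits of MSS index and a
24-bit keyed hash. Addresses, ports and the secret are constructed sample data.
"""
import hashlib
import hmac
import struct

# MSS values the 3-bit index can encode (constructed table, ascending order).
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(secret, src_ip, src_port, dst_ip, dst_port, slot, client_isn):
    """24-bit keyed hash over the 4-tuple, the time slot and the client's ISN."""
    msg = (src_ip.encode() + b"|" + dst_ip.encode()
           + struct.pack(">HHII", src_port, dst_port, slot, client_isn))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter, mss):
    """Server ISN for the SYN-ACK; nothing about the SYN is stored."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    slot = counter & 0x1F
    return (slot << 27) | (mss_idx << 24) | _mac24(
        secret, src_ip, src_port, dst_ip, dst_port, slot, client_isn)


def verify_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, seq, ack, counter, max_age=2):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the peer acknowledged our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # and is sending from its own ISN + 1
    slot = cookie >> 27
    if (counter - slot) & 0x1F > max_age:  # modular distance: the slot counter wraps at 32
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, src_ip, src_port, dst_ip, dst_port, slot, client_isn)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """A listening socket that spends no memory until the third packet arrives."""

    def __init__(self, secret):
        self.secret = secret
        self.established = {}  # (src_ip, src_port) -> MSS, filled only by verified ACKs

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, mss, counter):
        # A flood of spoofed SYNs costs one SYN-ACK each and no table entry.
        return make_syn_cookie(self.secret, src_ip, src_port, dst_ip, dst_port,
                               client_isn, counter, mss)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, counter):
        mss = verify_syn_cookie(self.secret, src_ip, src_port, dst_ip, dst_port,
                                seq, ack, counter)
        if mss is None:
            return False  # forged, stale or mismatched: nothing allocated
        self.established[(src_ip, src_port)] = mss
        return True


def simulate_syn_flood(listener, count, counter):
    """Send `count` SYNs from constructed spoofed sources; return table entries gained."""
    before = len(listener.established)
    for i in range(count):
        spoofed_ip = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        listener.on_syn(spoofed_ip, 1024 + (i % 60000), "203.0.113.53", 80,
                        i * 7919, 1460, counter)
    return len(listener.established) - before


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    srv = StatelessListener(secret)
    # Legitimate client: SYN, then an ACK that echoes cookie + 1.
    cookie = srv.on_syn("198.51.100.7", 40001, "203.0.113.53", 80, 0x1A2B3C4D, 1460, counter=7)
    print("handshake ok:", srv.on_ack("198.51.100.7", 40001, "203.0.113.53", 80,
                                      0x1A2B3C4E, (cookie + 1) & 0xFFFFFFFF, counter=8))
    print("entries added by 1000 spoofed SYNs:", simulate_syn_flood(srv, 1000, counter=8))
```

    The point of the design is the asymmetry: a spoofed SYN makes the server compute one keyed hash and send one reply, while the table is only touched after an ACK whose acknowledgement number could only have been learned by receiving the SYN-ACK. A UDP name server receives the query and the only "proof" of the source in one packet, so the work of parsing and answering has to be spent before anything about the sender is known; that is why the defences mentioned elsewhere in this thread (capacity, anycast, clustering) are the ones that apply to DNS.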

  23. Bad Link? by cephyn · · Score: 1

    I love how the "ITC" links to www.isc.org

    --
    Moo.
    1. Re:Bad Link? by Shachaf · · Score: 1

      No, bad word. It IS ISC, and the link is correct.

    2. Re:Bad Link? by cephyn · · Score: 1

      right. 8) thats what i meant.

      --
      Moo.
  24. SYN cookies for UDP? by Anonymous Coward · · Score: 0

    As the name implies, SYN cookies is about TCP. DNS is mostly UDP, and that is likely what was used to attack Akamai. Dumb ass.

  25. Uh, poster got it wrong by GreyPoopon · · Score: 1

    > According to this article one of the defenses of Akamai is the big diversity of their hardware...

    Erm, I think the poster made a mistake here. This diversity is attributed to the 13 root servers. Akamai's services do not employ such techniques due to the unsupportable cost. Based on the problems we saw during the DDoS, I can't say Akamai had much to offer in its arsenal.

    Or am I the one who misread?

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  26. Slashdotted! by Anonymous Coward · · Score: 0, Informative

    > We have been slashdotted several times, so we knew what to do when we got hit with the DDoS attack.
    Your Karma can go down when trying to be funny, but cannot go up. If you are going to try to be funny, post anonymously or be sure you have Karma to burn.
  27. Re:A stable version of BIND by stratjakt · · Score: 1

    IIRC, TinyDNS can integrate with LDAP, then you can SSH in and use an ldap browser/client to modify and add records..

    It's a better solution, on paper, since LDAP is optimized for the fastest retrieval, at the expense of write time. RDBMS's are generally the other way around, or at least balanced.

    Of course, you can have OpenLDAP use mysql as a backend if you really want to bring that abomination into the equation.

    --
    I don't need no instructions to know how to rock!!!!
  28. You Morons by Anonymous Coward · · Score: 0

    Security through Obscurity != Security

  29. run Woody. by twitter · · Score: 1

    Bind9 in Woody never dies.

    --

    Friends don't help friends install M$ junk.

    1. Re:run Woody. by Anonymous Coward · · Score: 0

      Is that a host name in your pocket or are you just happy to see me?

  30. Re:Never heard of syn cookies or what? by Anonymous Coward · · Score: 0

    There == Over there.
    Their == It's their server.
    They're == They are not enabled by default.

  31. Re:A stable version of BIND by drinkypoo · · Score: 0

    Any suggestions?

    Yeah, stop doing whatever you're doing, and do something else. I've never had a problem with any version of bind on any operating system.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  32. Re:A stable version of BIND by Anonymous Coward · · Score: 0

    You might want to investigate DNSMASQ which has a few DNS-like features and is under development. It's *not* a full DNS implementation but if your target is a moderate-sized LAN (and especially if that LAN uses DHCP) it's a nice, lightweight solution.

  33. Re:A stable version of BIND by Chicane-UK · · Score: 1

    I ran BIND9 on Red Hat 7.2 for about 2 years.. its still running now in fact. No random crashes on BIND ever in that time. It was rock solid...

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  34. or... by Psymunn · · Score: 4, Funny

    couldn't you just link to them on slash dot
    that's been proven to be an effective, system independent DoS attack (even if the attack was unintentional or brought about by the owner)

    --
    The Neo-Bohemian Techno-Socialist
    1. Re:or... by Anonymous Coward · · Score: 0

      They held up on 9/11. I know because I was there. So believe me, Slash won't even make their radar.

  35. Different OS's? by doombob · · Score: 2, Funny

    Is that like using Windows 98 and Windows ME?

  36. Akamai diversity? by Cramer · · Score: 1

    Moderators, please correct the lead-in... BIND and the global DNS system is what has the diversity. The problem with Akamai was their lack of diversity on top of their proprietary hacks to DNS.

  37. So what they're saying is... by teamhasnoi · · Score: 3, Funny

    > 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

    ...That their entire operation is really based out of a bunch of Computer Renaissance stores and pawn shops run by cheap managers that don't talk to one another.

    It sounds like a recipe for success!

  38. wtf? by Anonymous Coward · · Score: 0

    Vint Cerf was NOT talking about akamai's diversity, exactly the opposite. He was talking about the BIND/root server community.

    1. Re:wtf? by stratjakt · · Score: 1

      Not only that, Vint Cerf's name is Paul Vixie!

      When will /. editors learn.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:wtf? by glenstar · · Score: 2, Funny

      > Not only that, Vint Cerf's name is Paul Vixie!

      No, no, no... it's just pronounced "Paul Vixie" but the correct spelling is V-I-N-T C-E-R-F.

  39. Security through obscurity.. by CokoBWare · · Score: 2, Insightful

    A valid tactic... it mitigates the problems with a unified vendor, but it costs lots more...

    1. Re:Security through obscurity.. by jelle · · Score: 1

      Diversity is not the same as obscurity. Diversity is the same as inhabiting a planet with strong coldblooded animals and weaker warmblooded animals and seeing which turn out to be the dinosaurs and which will end up inventing the wheel.

      Obscurity is hiding your dinosaur, hoping the meteorite won't see it.

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
  40. Gee-Wiz hardware will never win. by twitter · · Score: 5, Insightful

    > [description of magnificent gateway] For now the attackers are winning the arms race. The technology we'll need to monitor, react, and adapt in real time has yet to evolve, but it's headed in that direction.

    I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in its redundancy and distribution. What I see is continued centralization and creation of points of failure. As "Broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that can not be protected against. The real solution is to let everyone run everything they want. That's the only way to route around damage.

    --

    Friends don't help friends install M$ junk.

    1. Re:Gee-Wiz hardware will never win. by Anonymous Coward · · Score: 0

      > mindless browsing

      What? What the fuck are you talking about?

  41. Attacking Akamai with a DDoS... by Mr.+Neutron · · Score: 4, Insightful

    ...is like trying to wipe out swarm of gnats with a shotgun.

    --
    dinner: it's what's for beer
    1. Re:Attacking Akamai with a DDoS... by pjt33 · · Score: 3, Interesting

      So why did I go a few hours unable to get to Google a week ago?

    2. Re:Attacking Akamai with a DDoS... by Anonymous Coward · · Score: 1, Insightful

      Nobody said a shotgun wouldn't work at all, it just wouldn't work very effectively.

    3. Re:Attacking Akamai with a DDoS... by Anonymous Coward · · Score: 0

      But many millions were unable to access popular websites, online banking, government websites, google, and hosts of other websites during the outage.

      Rather effective, wasn't it?

  42. Good old PR spin - nothing like it... by stienman · · Score: 5, Funny

    Boss: "Why did nearly half our service go down Friday?"

    CTO: "Actually, sir, the real question is why did we lose less than half of our service. The answer is that I've, uh, been strategically using different systems and components throughout the enterprise on purpose to prevent drastic losses. No one else could have even kept 10% of their machines up under that DDOS."

    Boss: "I knew I could count on you for the right PR spin job. Go back and think up some other good excuses."

    -Adam

    1. Re:Good old PR spin - nothing like it... by Anonymous Coward · · Score: 0

      If that is the relationship of a boss and a CTO, then the CTO either doesn't deserve his title (IT manager maybe), or the CEO needs more respect for his fellow C-level management.

  43. Diversity Doesn't Refer to Akamai at All by SeinJunkie · · Score: 5, Informative

    I RTFA, and it doesn't say that Akamai has a diversity of hardware at all; that was talking about BIND:

    > Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations," etc...

    AFAIK, all of the text that the submitter's quote comes from is regarding not Akamai, but BIND, in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

    Correct me if I'm wrong.

    1. Re:Diversity Doesn't Refer to Akamai at All by wo1verin3 · · Score: 1

      You are completely correct, I did a double take as well after reading the article...

      Of course i DID read the article, I must be new here :) Still an interesting quick read though.

    2. Re:Diversity Doesn't Refer to Akamai at All by Anonymous Coward · · Score: 0

      That's how I read it too.

      And as long as we are correcting things, the second article (from internetnews) states "The ISC operates 13 of the global public DNS root servers", which I didn't think was correct. Checking ISC's site (www.isc.org), I find "ISC operates one of the 13 root DNS servers as a public service to the Internet."

    3. Re:Diversity Doesn't Refer to Akamai at All by NoNsense · · Score: 1, Informative

      You're absolutely correct. The article even goes on to point out that such a change would "drive the accountants crazy" at Akamai.

      I wish the approvers of the stories would read the article before posting the summary.

      John

      --
      So there.
    4. Re:Diversity Doesn't Refer to Akamai at All by dekemoose · · Score: 1

      He was not talking about BIND at all, or even as the author of BIND; that was just a side note. He was speaking as the director of the ISC, which runs one of the root DNS servers, F root specifically. His comments were in reference to the varying architectures in the root zone, versus Akamai's non-diversity. But yeah, the context on the quote was fubared, and so was the title. I didn't see one thing in the article referring to what Akamai did; it was all about what Akamai did not do.

    5. Re:Diversity Doesn't Refer to Akamai at All by Anonymous Coward · · Score: 0

      Better yet. Run nmap against their DNS servers, and determine if they're properly secured and running up-to-date versions of BIND or whatever their DNS server is, and test it for vulnerabilities. Run "host -t ns akamaitechnology.net" on a machine running BIND to get the list of their core DNS servers.

      Also, bear in mind that no one has published the details of the recent Akamai DDOS, so we have no way to know if the crackers can still slam them in the same or a very similar fashion.

      It's hardly the first time they've been attacked. And in any corporation that size, there has to be at least one idiot VP running Windows on their laptop for doing Powerpoint presentations, or one lazy helpdesk worker with an out-of-date Linux, to bring a nasty keyboard sniffer into their network and start stealing key data.

    6. Re:Diversity Doesn't Refer to Akamai at All by Cramer · · Score: 1

      I had a "wtf" expression as soon as I read it... knowing just how "diverse" the Akamai network is. (Distributed? Yes, but not diverse.)

    7. Re:Diversity Doesn't Refer to Akamai at All by Zeinfeld · · Score: 5, Insightful
      AFAIK, all of the text that the submitter quoted is about not Akamai but BIND, in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

      Paul should shut up about this topic. Companies should not go commenting about attacks made against their competitors - period.

      His statement about the root servers is way off base. Only four of the 13 servers stayed up and the software running on them did not affect the outcome in any way. Most of the servers that went down were running a version of BIND as were two of the servers that stayed up. The other two roots were running ATLAS which is the ultimate in closed source proprietary systems, nobody outside VeriSign has seen the executable, let alone the source code.

      I don't see how anyone could draw any conclusions either way on the basis of this sample. The distinguishing feature was the bandwidth available to the systems, not the software they run.

      Paul should think more and speak to journalists less.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  44. Ummm.. by Sheepdot · · Score: 5, Interesting
    RTFA.

    In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures," Vixie told Internetnews.com.

    He's not talking about how great Akamai is. He's talking about how great everyone else is.

    On another note: What the heck does this story have to do with Akamai operators fighting DDoS attacks? They more than likely sat with their thumbs up their rears contemplating how having such a structured and inflexible DNS system could possibly be in error.

  45. Re:A stable version of BIND by sloanster · · Score: 1

    I've never had a problem with any version of bind on any operating system.

    I have seen the bind 9 problem - if you are using a single CPU system you may never see a problem but a heavily loaded bind 9 on an SMP redhat system does die fairly often, and leaves a suicide note about a failed assertion. We use a cron job to check bind for signs of life every 3 minutes and restart if need be.

    I don't think I've ever seen the problem on SuSE linux though...

  46. Re:A stable version of BIND by upside · · Score: 1

    Do a search on freshmeat.net. MyDNS also runs straight off MySQL.

    --
    I'm sorry if I haven't offended anyone
  47. Interesting... by __aagmrb7289 · · Score: 1

    but why didn't it work? Or is this a case of "it could have been worse?" And if it is, then why does it even matter?

  48. Obligatory Simpsons Reference by Pharmboy · · Score: 1

    Backing up OpenBSD to Windows 95 is not as stupid as it looks.

    lol, you are correct! One of our backup solutions is having a win98 box with ActivePerl installed go grab a copy of the datafiles every night. In the event of data corruption, THAT is usually the copy I restore from, purely because it is fast to restore from and highly reliable. (Yes, reliable. It only crashes when you are doing something, so it gets rebooted often enough ;)

    Not sure why, but that reminded me of the Simpsons episode where Burns and Smithers are going to the power plant's main switching system, and have to go through more locked doors and devices than the intro to a "Get Smart" episode, and once they get there, it has a broken screen door that is open to the outdoors and Burns runs off a dog that wandered in...

    --
    Tequila: It's not just for breakfast anymore!
    1. Re:Obligatory Simpsons Reference by vsprintf · · Score: 2, Funny

      (Yes, reliable. It only crashes when you are doing something, so it gets rebooted often enough ;)

      That's it. My reading comprehension is gone. I'm going to bed now and hopefully not dream of anything remotely related to this Daliesque image.

  49. Windows by ryen · · Score: 1

    With all this diversity in system, one would think that setting up decoy Windows boxes would serve as good bait for hackers as well.

  50. I was way off... by MisterMoney · · Score: 3, Funny

    I thought we were disorganized here where I work, but it turns out we were just throwing up a good defense.

    'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

  51. basic GRE logic failure by timts · · Score: 1

    They showed how they survived the DDoS attack by using various platforms and causing themselves trouble, but they failed to demonstrate that they couldn't have done that without various platforms; actually, that's doable.

  52. Security through Stupidity by EvilStein · · Score: 1

    Make everything so ass backwards and broken that even if someone did get in, they couldn't do anything useful anyway. :D

    1. Re:Security through Stupidity by Cat_Byte · · Score: 3, Funny

      "Hey I'm in!"
      ver^M
      MS DOS 6.22
      "wtf?"

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  53. RTFA first, please... by zx-6e · · Score: 3, Informative

    The article summary is incorrect. Diversity was not a defense for Akamai, it is a defense for the 13 DNS root servers. In fact, in the article, Paul Vixie "charged that Akamai's proprietary approach to DNS makes it a single point of failure." The diversity approach is what is used to help prevent these kinds of failures in the global DNS system.

  54. Oooops by bozojoe · · Score: 3, Informative
    According to this article one of the defenses of Akamai

    Please reread the Infoworld article, as they are referring to the DNS root servers, not Akamai.
    --
    lick the cancle button (at least thats what our Chinese QA says)
  55. Yootje Points? by Telepathetic+Man · · Score: 2, Insightful

    What the heck are those? Are they like bad karma points for articles that have overlapping information with other articles?

    By the way, which one of the articles is it that says Akamai did anything right to fight attacks?

    --
    Just because you can, does not mean you should.
  56. extra secure systems by drakyri · · Score: 2, Funny

    'We deliberately use different operating systems . . . .'

    They called me crazy for using Windows 95, 98, 2000, CE and ME . . . I'm invincible! Bwahahaha!

  57. Article isn't about the DDOS by np_bernstein · · Score: 2, Insightful

    'It's about CloudShield Technologies ... recently announced CS-2000', and nothing but a fluff piece meant to sell some hardware. Sure, Akamai's DDoS is discussed ("DDoSs are ba-ad, mmkay."), but then it just goes on to talk about the CS-2000.

    --
    RandomAndInteresting.com: defending the world from stupidity since 1979
  58. Akamai Hardware/Software by Anonymous Coward · · Score: 0

    I saw an Akamai server failing to boot in a continuous loop today.

    It was a dual 700MHz machine on a PIIX motherboard (K440 or something) with an Adaptec SCSI card and 4 Quantum SCSI disks.

    It used a customised LILO and ext2 filesystems (which it kept having to fsck, but due to a H/W error the machine would crash and reboot before it could finish one of them).

    It ran quite a few services which I didn't recognise such as "edgejava" and "buddy_".

  59. nobody read anything by Anonymous Coward · · Score: 4, Insightful

    not only did the submitter not rtfa

    the editors did not rtfa

    and after the first five posts pointing this out, it was obvious that nobody was reading the responses either.

    nobody was reading anything, and now we have 1000 responses saying the same thing: it wasn't akamai, it was the root servers, blah blah blah.

    1. Re:nobody read anything by Anonymous Coward · · Score: 0

      I might agree with you, or I might not, but we'll never know, since I didn't bother to read your post.

    2. Re:nobody read anything by smithysrise · · Score: 1

      Let's ask for a dupe.
      Then we can start again on this one!

  60. Re:Never heard of syn cookies or what? by Anonymous Coward · · Score: 0

    Unfortunately, Burdell already beat me to it. Prepare your responses carefully, lest you be flamed by everyone else. Syn cookies are for TCP.
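Since the point of this sub-thread is that SYN cookies exist only for TCP, here is an added example (not from the original post, and a simplified version of the Linux scheme rather than its actual code) that builds and checks a stateless SYN cookie. The secret keys, the MSS table, the one-period drift window and the address values are all assumptions of this example. The check works only because the client echoes the cookie back as the ACK number of the handshake's third packet; a one-shot UDP datagram such as a DNS query has no such echo, which is why the technique has nothing to offer against a DNS flood.

```python
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; client MSS is encoded as an index
COUNT_WINDOW = 1                      # accept cookies minted this many periods ago
MASK32 = 0xFFFFFFFF


def _h(secret, saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the 4-tuple plus a period counter."""
    msg = struct.pack("!IIHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(secrets, saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK. Everything needed to rebuild the connection
    later is folded into this one 32-bit value, so no half-open state is kept."""
    count &= 0xFF
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss or i == 0)
    h1 = _h(secrets[0], saddr, daddr, sport, dport, 0)
    h2 = _h(secrets[1], saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << 24) + ((h2 + mss_idx) & 0xFFFFFF)) & MASK32


def check_cookie(secrets, saddr, daddr, sport, dport, client_isn, cookie, count):
    """Recover the MSS encoded in a cookie, or None if it is forged or stale."""
    h1 = _h(secrets[0], saddr, daddr, sport, dport, 0)
    v = (cookie - h1 - client_isn) & MASK32
    count_in = v >> 24
    if ((count & 0xFF) - count_in) & 0xFF > COUNT_WINDOW:
        return None                                   # minted too long ago
    h2 = _h(secrets[1], saddr, daddr, sport, dport, count_in)
    mss_idx = (v - (count_in << 24) - h2) & 0xFFFFFF
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def handshake(secrets, saddr, daddr, sport, dport, client_isn, mss, count, tamper=0):
    """Simulate the three-way handshake under SYN-flood mode.
    Returns the MSS the server recovers from the final ACK, or None."""
    # SYN arrives: the server answers with seq=cookie, ack=client_isn+1 and
    # forgets the connection entirely.
    syn_ack_seq = make_cookie(secrets, saddr, daddr, sport, dport, client_isn, mss, count)
    # A real client finishes the handshake with seq=client_isn+1, ack=cookie+1.
    ack_seq = (client_isn + 1) & MASK32
    ack_num = (syn_ack_seq + 1 + tamper) & MASK32
    # The server validates purely from the ACK's fields and the current period.
    return check_cookie(secrets, saddr, daddr, sport, dport,
                        (ack_seq - 1) & MASK32, (ack_num - 1) & MASK32, count)


SECRETS = (b"example-secret-1", b"example-secret-2")   # assumed keys, rotate in practice
CLIENT, SERVER = 0xC0000202, 0xC6336435                # 192.0.2.2 and 198.51.100.53 (assumed)

if __name__ == "__main__":
    print(handshake(SECRETS, CLIENT, SERVER, 51515, 80, 0x1A2B3C4D, 1450, count=100))
```

The two-bit MSS index is the price of statelessness: options the SYN carried that do not fit in the cookie are lost, which is why production stacks only turn cookies on once the SYN backlog fills.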

  61. Speeking of... ^H^H^H^H^H^H^H by TubeSteak · · Score: 0, Offtopic
    I was going to ask what I thought was a n00b question: "wtf is ^H^H^H^H^H^H^H a reference to?" but then I searched around a little and came up with this. Turns out it's not so n00bish a question & that there's a bunch of history.

    So now i finally get all those /. comments that didn't seem to make sense.

    --
    [Fuck Beta]
    o0t!
    1. Re:Speeking of... ^H^H^H^H^H^H^H by after · · Score: 1

      In unconfigured terminals you'll get a ^H when you hit backspace. So it's a way of saying that you went back, erased, and continued typing.

  62. U R FOO KING WETAWDED by router_ninja · · Score: 0

    dumbass.

    --
    CINCINNATI BELL IS TEH SUCK.
  63. It's all relative by The+Angry+Mick · · Score: 2, Informative

    Akamai is, at best, being disingenuous when they say only 2 percent of their customers were affected by the outage. Maybe 2 percent of their customers, but how many of their customers' customers were affected?

    2 percent may not sound like much on the surface, but if that percentage includes companies like Microsoft, MSNBC, Amazon, Yahoo, CNN, Lycos and other big-shot content providers then the relative number of "customers" affected by the outage is a lot more notable.

    --

    I'm not tense. I'm just terribly, terribly, alert.

  64. Fuck by yootje · · Score: 5, Funny

    I'm sorry, next time I will read the article ten times before I post...

    1. Re:Fuck by Anonymous Coward · · Score: 3, Insightful

      Also please make sure it's not a paid ad for some ByMeNow-5000 product rather than an actual article.

  65. Re:first post by Anonymous Coward · · Score: 0

    A failure is yuo.

  66. "deep" packet processing by phyruxus · · Score: 1

    I think it's when you do logic using reads from data beyond the packet header.

    Packets are composed in layers. The lower ones have to do with transmission over the network. The higher ones have to do with the interpretation of the packet (like which application session etc it belongs to). And of course you have the payload, the data being sent, like the letter in the envelope.

    Mu!

    --
    "A witty saying proves nothing." ~Voltaire
    "d'Oh!" ~Homer
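To make the layers concrete, here is an added example (not from the original post, and not code from any product or vendor mentioned in the thread) that walks an IPv4/UDP datagram down to the DNS question inside it, which is exactly the reading past the headers that a "deep" packet check needs. The sample datagrams are constructed inline with checksums left at zero, the addresses are documentation ranges, and the amplification-candidate rule at the end is an illustrative policy of this example, not something the articles attribute to Akamai or to the attack.

```python
import struct

QTYPE_ANY = 255
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def build_dns_query(txid, qname, qtype):
    """Build a minimal DNS query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD bit set
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def wrap_ipv4_udp(src, dst, sport, dport, payload):
    """Wrap a payload in UDP and IPv4 headers. Checksums stay zero because
    this is a constructed sample, not a packet meant for the wire."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip + udp


def parse_dns_name(payload, offset):
    """Read a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = payload[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            pointer = ((length & 0x3F) << 8) | payload[offset + 1]
            if end is None:
                end = offset + 2                        # caller resumes after pointer
            hops += 1
            if hops > 16 or pointer >= offset:          # pointers must go backwards
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_packet(packet):
    """Parse IPv4 -> UDP -> DNS question. Raises ValueError on anything else."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(packet) < ihl + 8:
        raise ValueError("not IPv4/UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    dns = packet[ihl + 8:ihl + ulen]                    # the "letter in the envelope"
    if len(dns) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", dns[:12])
    qname, off = parse_dns_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ttl": ttl, "txid": txid,
        "is_response": bool(flags & 0x8000), "qdcount": qdcount,
        "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass,
    }


def classify(info):
    """Illustrative policy (an assumption of this example): a header-only
    filter sees only 'UDP to port 53'; reading the question lets you single
    out ANY queries, the classic reflection/amplification vector."""
    if info["dport"] != 53 or info["is_response"]:
        return "other"
    return "amplification-candidate" if info["qtype"] == "ANY" else "query"


# Constructed sample datagrams (not captured traffic).
SAMPLE_A = wrap_ipv4_udp(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]), 40000, 53,
                         build_dns_query(0x1234, "www.example.com", 1))
SAMPLE_ANY = wrap_ipv4_udp(bytes([203, 0, 113, 7]), bytes([198, 51, 100, 53]), 40001, 53,
                           build_dns_query(0xBEEF, "example.com", QTYPE_ANY))

if __name__ == "__main__":
    for pkt in (SAMPLE_A, SAMPLE_ANY):
        info = parse_packet(pkt)
        print(info["src"], "->", info["dst"], info["qname"], info["qtype"], classify(info))
```

The compression-pointer handling is where most hand-rolled DNS parsers go wrong; the backwards-only and hop-count checks are what keep a crafted name from sending the parser into a loop.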
  67. So how did Akamai fend off whatever it was? by Mozz+Alimoz · · Score: 1

    But does anyone know what the attack was really comprised of and how Akamai fended it off? I'd like this information to defend my network too.

    Now if the attack is a new type with no easy fix I don't necessarily want them to publish it far and wide, but I'd at least like to know who the relevant authorities are that Akamai says they've given the details to. Is there an FBI agent or case number I can make enquiries to? Akamai is not very forthcoming.

    Personally I think this attack was just a known exploit or a huge volume of spoofed DNS traffic and Akamai is hiding behind a veil here to protect its image.

    1. Re:So how did Akamai fend off whatever it was? by the+frizz · · Score: 1

      According to this article (or this cache link) one of the authorities Akamai reported this to is US-CERT.

      It also has a quote from Akamai saying "The attack was a result of a virus or worm infiltrating a system".

  68. Same cause as recent big electrical blackouts by wsanders · · Score: 2, Funny

    I have a feeling it was more like,

    (BOFH types RETURN, followed by)

    "Oh Shit!"

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  69. Re:Read the fucking article before submitting it by yootje · · Score: 2, Insightful

    Dude, calm down. I'm sorry, I admit I wanted to have it fast on Slashdot, but not for my ego; I just like to have it on Slashdot quickly. You are talking to real persons, it was a mistake. Come on, it's not like your life depends on Slashdot.

  70. Arrogant jerk? by Anonymous Coward · · Score: 0

    Dude, it's the internet! It's full of arrogant jerks.

  71. makes a difference if it's a.... by zogger · · Score: 1

    ... penetration or a simple DDoS attack. No one is immune from DDoS if the other guy has more bandwidth than you do to use; it doesn't matter what the OS is, I would imagine. Although with Akamai you would think that would be hard to pull off. Perhaps it was a big state-sponsored attack? The details have been meagre.

  72. seems reasonable to me! by zogger · · Score: 1

    I've seen it in the dumb mechanical world too. Machines are alive, I just know it! I had a little Italian sportscar once, a raggedy old Fiat, but I liked it. Anyway, I SWEAR it was alive and female and jealous. It worked great all the time until "date night" for zogger. Go to pick up my date, it would break down. Never missed.

  73. And this comes from an expert in the field? by Anonymous Coward · · Score: 0

    Security through obscurity is just one of the many tools in the Swiss army knife of security. Obscurity doesn't ensure foolproof security, but it sure slows down anyone trying to figure it out. When your mission-critical work is on the line, you take every step possible. Just because you read the same old cliche every day on Slashdot doesn't make it bad.

  74. Article is an ad for Vixie and his companies... by Anonymous Coward · · Score: 3, Informative

    First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.

    Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.

    Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.

    Fourth, Akamai is a single point of failure because that is what they do - offload DNS and content load from the biggest companies on the net like MS, Google and eBay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at tens or hundreds of GiB/s I am not sure what I would do.

    Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."

    Some DNS software links:
    nsd - high performance, uses BIND style files and authoritative only
    They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis
    maradns
    Powerdns, mysql and a pretty website
    djbdns he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
    nstx, ip over dns, yeah...

  75. DOS by beakburke · · Score: 1

    Windows 95 and 98 were still DOS based (even ME, though they ripped out the command shell so the end user couldn't use it). Only the NT/2000/XP family isn't DOS based, strictly speaking.

    --
    ----- Question authority, but not ours. Hate the man, but we're not him.
  76. Re:Read the fucking article before submitting it by Anonymous Coward · · Score: 0

    Mobs are ugly, aren't they? If they had physical access to you, you'd probably be dead right now for the sin of misreading and misreporting an article - but at least your death would have meant something.

  77. Re:A stable version of BIND by drinkypoo · · Score: 1

    By the time BIND 9 came out, I knew better than to mess with redhate.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  78. security company by trekiloslem · · Score: 1

    new security company, fraud and ict sec.., I need help! wanna be my accomplice? Only open for the ict section, need folks who know nip, tcp/IP, ipSec, des/PGP, fourthfloor, nsk, and most urgent html security and programming.. check this out..
    Quite seriously, I need people who at least speak Norwegian, who know parts of the above, and/or who have another security-related background from the hacker/cracker community.. this is important to get an edge on the other established companies that already exist..

    Give me a pip in tnys@start.no

    And folks, be serious.. I don't need crap mail!!!!!!