Akamai: How They Fought Recent DDoS Attacks
yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.
The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.
Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.
But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneosly come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.
It's more proof of what I've always said, there is no "perfectly secure" OS in existence.
I don't need no instructions to know how to rock!!!!
This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.
Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.
When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.
I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in it's redundancy and distribution. What I see is continued centralization and creation of points of failure. As "Broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that can not be protected against. The real solution is to let everyone run everthing they want. That's the only way to route around damage.
Friends don't help friends install M$ junk.
If you have not realized that every place is a classroom, then, my friend, you have not learned a single thing.
"I'm just here to regulate funkiness."
Paul should shut up about this topic. Companies should not go commenting about attacks made against their competitors - period.
His statement about the root servers is way off base. Only four of the 13 servers stayed up and the software running on them did not affect the outcome in any way. Most of the servers that went down were running a version of BIND as were two of the servers that stayed up. The other two roots were running ATLAS which is the ultimate in closed source proprietary systems, nobody outside VeriSign has seen the executable, let alone the source code.
I don't see how anyone could draw any conclusions either way on the basis of this sample. The distinguishing feature was the bandwidth available to the systems, not the software they run.
Paul should think more and speak to journalists less.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/