Slashdot Mirror

← Back to Stories (view on slashdot.org)

Akamai: How They Fought Recent DDoS Attacks

Posted by timothy on from the malice-is-unbounded dept.

yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.

36 of 231 comments (clear)

  1. Wow by Anonymous Coward · · Score: 5, Funny

    "We wired a million dollars into the attackers' Swiss account."

    That's shocking!

  2. Trade-Off by cynic10508 · · Score: 5, Insightful

    The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.

    1. Re:Trade-Off by Ignignot · · Score: 4, Insightful

      Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.

      --
      I submitted this story last night, and it didn't get posted.
    2. Re:Trade-Off by Pharmboy · · Score: 5, Insightful

      Even with our little network (2 T1s, several servers) we do the same thing. Different OS versions, Bind builds, even Apache implimentations. NS1 is dedicated on a slow but extremely robust dual cpu box, all other boxes have a primary task and act as a back up for other tasks. At this small level, its not THAT hard to do, although it takes some preplanning and maintenance. Even the outbound linux router has an offline spare with a different version of Linux and completely different firewall/NAT configuration in case the first gets taken down.

      IMHO, when it comes to providing IT services, if you are not paranoid, you are crazy.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Trade-Off by Anonymous Coward · · Score: 5, Informative

      Akmai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

      Mod this whole story down "-1 incorrect".

    4. Re:Trade-Off by bastardadmin · · Score: 5, Insightful

      If you are Akamai, your uptime isn't everything, it is the only thing.

      In their case maintaining a hybrid infrastructure makes perfect sense.
      Remote exploit in IOS? No problem, the Juniper/Extreme/Linux/OpenBSD router in failover config takes over while patching goes on.

      And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

    5. Re:Trade-Off by Anonymous Coward · · Score: 4, Insightful

      So, in this case, not only did the submitter not read the article, but neither did the editors. I actually read the article and it was blatanly clear the the whole heterogeneous argument was *not* in reference to Akamai.

      I just have one question: what exactly do the slashdot editors do? I thought they were there to screen incoming submissions. But obviously they don't. Basically, if that's their only job, they suck at it.

    6. Re:Trade-Off by johnnyb · · Score: 4, Insightful

      However, you are preventing your entire infrastructure to being nailed by a single exploit. With a monoculture, a single flaw exploited by a worm can destroy pretty much everything. With a mixed setup, although you have more possible entrances, each one allows a lot less damage.

      If I have 1,000 troops, if I keep them all in the same fort, they will be a formidable force, unless I find the right weapon (like a nuke). If I keep them in 10 different forts spready throughout the country, although each one of them is more vulnerable individually, I have eliminated the possibility of everything being wiped out in a single blow.

      --
      Engineering and the Ultimate
  3. Sys admins by FortKnox · · Score: 4, Funny

    'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

    Wow, your sys admins and help desk must LOVE supporting that!

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Sys admins by ron_ivi · · Score: 5, Insightful
      different operating systesm ... Wow, your sys admins and help desk must LOVE supporting that!

      I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

      When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.

    2. Re:Sys admins by LookSharp · · Score: 4, Insightful

      Can I ask an obvious question here?

      Who the atech-ee-double-hockey-sticks runs "dos-based" systems anymore? I thought Microsoft abandoned the technology starting in 1995, and I personally submitted the "official end of life for DOS support" article to Slashdot several years ago.

      We run heterogenious systems and support them because they provide different benefits and features for our many needs. Sometimes Windows OS servers actually are cheaper, more stable, and easier to support than their Unix counterparts. Sometimes not.

      For instance, we have WebSphere running on Solaris and AIX as an app server platform, and it is great for high volume and failover. But we spend far more time (proportionally) troubleshooting that technology (and the hundred or so servers that run it) than the .NET application servers running on Windows 2000. As an app environment .NET is stable and actually quite fast, and run on much less expensive equipment. However there are only four of them and failover between boxes is sketchy, so on the rare occasion that there is a non-code related outage, it takes longer to get the environment back up to spec.

      Just my anecdotal experience.

  4. Wow... by kraksmokr · · Score: 5, Funny

    They've achieved deliberately what happens naturally in a lot of other companies.

  5. WRONG! by Anonymous Coward · · Score: 5, Informative

    It says the root servers use different stuff, not akamai. RTFA.

    1. Re:WRONG! by Travis+Fisher · · Score: 5, Informative
      Exactly! Correct quotes from the article:
      • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."
  6. security by obscurity.. by klang · · Score: 4, Insightful

    nobody knows what they run, so nobody can make a decent attack ..

    1. Re:security by obscurity.. by stratjakt · · Score: 5, Insightful

      Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.

      But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneosly come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

      It's more proof of what I've always said, there is no "perfectly secure" OS in existence.

      --
      I don't need no instructions to know how to rock!!!!
  7. Re:I R 0wn j00 by FortKnox · · Score: 4, Funny

    When you say "It didn7 w0rk" are you talking about the "Post Anonymously" checkbox?
    Just askin you big hacker, you.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  8. intentional or not by cjwl · · Score: 4, Insightful

    I have to wonder if the diversity of systems was an intentional choice of theirs way back to face these kinds of attacks or if it just grew that way from rapid growth and having their systems spread all over.

    They survived the attack and "Oh yea, we MEANT for it to happen that way".

    I think it's spin.

  9. They never mention percentage of users impacted by pornaholic · · Score: 5, Interesting

    Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.
    Theo only statistic they ofer is the percentage of customers that were impacted. To me this hints of trying to play down the severity of the situation. When only 2 percent of your customers comprise (following is is a made up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

  10. Submitters and Editors, RTFA! by adavies42 · · Score: 4, Insightful

    The quote on diversity is by Vixie wrt the roots servers--it's a criticism of Akamai! Jesus H. Christ, it's in the first paragraph!

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
  11. Re:Quote misattributed by tcopeland · · Score: 4, Informative

    > Quote misattribute

    Exactly. And Vixie goes on to say that Akamai can't do that because "the cost would 'drive their accountants crazy.'".

    But I'm not sure having diverse bits of gear is such a huge cost. Wouldn't it instead be a way for sysadmins to broaden their experience and learn more about which tools are best for which jobs?

    --
    The Army reading list
  12. This is an ad! by isaac · · Score: 5, Insightful

    This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.

    Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  13. Authors should try readin the article by rgmoore · · Score: 4, Insightful
    According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC.

    Actually, according to the article the diversity approach is part of what's used to defend the DNS root servers, not Akamai. Vixie specifically mentions that this approach is not practical for an ordinary content provider like Akamai because, 'the cost would "drive their accountants crazy."' I'm dubious about just how helpful diversity would be against a DDoS attack in the first place. Diversity won't solve the problem of requests coming in faster than they can be processed.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  14. Re:Never heard of syn cookies or what? by Burdell · · Score: 4, Informative

    SYN cookies are for TCP connections (because TCP uses a three-way
    handshake to set up a connection). DNS uses (primarily) UDP traffic,
    which is connectionless (there is no "stateful" connection with UDP).
    SYN cookies do no good when your DNS servers are under attack.

  15. or... by Psymunn · · Score: 4, Funny

    couldn't you just link to them on slash dot
    that's been proven to be an effective, system independent DoS attack (even if the attack was unintentional or brought about by the owner)

    --
    The Neo-Bohemian Techno-Socialist
  16. Gee-Wiz hardware will never win. by twitter · · Score: 5, Insightful
    [description of magnificent gateway] For now the attackers are winning the arms race. The technology we'll need to monitor, react, and adapt in real time has yet to evolve, but it's headed in that direction.

    I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in it's redundancy and distribution. What I see is continued centralization and creation of points of failure. As "Broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that can not be protected against. The real solution is to let everyone run everthing they want. That's the only way to route around damage.

    --

    Friends don't help friends install M$ junk.

  17. Attacking Akamai with a DDoS... by Mr.+Neutron · · Score: 4, Insightful

    ...is like trying to wipe out swarm of gnats with a shotgun.

    --
    dinner: it's what's for beer
  18. Good old PR spin - nothing like it... by stienman · · Score: 5, Funny

    Boss: "Why did nearly half our service go down Friday?"

    CTO: "Actually, sir, the real question is why did we lose less than half of our service. The answer is that I've, uh, been strategically using different systems and components throughout the enterprise on purpose to prevent drastic losses. No one else could have even kept 10% of their machines up under that DDOS."

    Boss: "I knew I could count on you for the right PR spin job. Go back and think up some other good excuses."

    -Adam

  19. Diversity Doesn't Refer to Akamai at All by SeinJunkie · · Score: 5, Informative
    I RTFA, and it doesn't say that Akamai has a diversity of hardware at all, that was talking about BIND:
    Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations," etc...
    AFAIK, all of the text that the quote from the submitter is regarding not Akamai, but BIND in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

    Correct me if I'm wrong.

    1. Re:Diversity Doesn't Refer to Akamai at All by Zeinfeld · · Score: 5, Insightful
      AFAIK, all of the text that the quote from the submitter is regarding not Akamai, but BIND in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network

      Paul should shut up about this topic. Companies should not go commenting about attacks made against their competitors - period.

      His statement about the root servers is way off base. Only four of the 13 servers stayed up and the software running on them did not affect the outcome in any way. Most of the servers that went down were running a version of BIND as were two of the servers that stayed up. The other two roots were running ATLAS which is the ultimate in closed source proprietary systems, nobody outside VeriSign has seen the executable, let alone the source code.

      I don't see how anyone could draw any conclusions either way on the basis of this sample. The distinguishing feature was the bandwidth available to the systems, not the software they run.

      Paul should think more and speak to journalists less.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  20. Re:MacOS classic? by rpbailey1642 · · Score: 4, Interesting

    I remember reading an article about the US Army using classic Mac for their webservers for just that reason. Hey, an URL: http://www.wired.com/news/politics/0,1283,21725,00 .html

  21. Ummm.. by Sheepdot · · Score: 5, Interesting
    RTFA.

    In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures," Vixie told Internetnews.com.

    He's not talking about how great Akamai is. He's talking about how great everyone else is.

    On another note: What the heck does this story have to do with Akamai operators fighting DDoS attacks? They more than likely sat with their thumbs up their rears contemplating how having such a structured and inflexible DNS system could possibly be in err.

  22. Re:What do they do? by Tmack · · Score: 4, Informative
    For not knowing about the recent Akamai attacks, you must have just joined /. or been hiding in a cave for the past few months. Basically, a bunch of the recent worms that have been going around have a client built into them for targeted DOS attacks, and most of them target various servers in Akamai's network. For not knowing who Akamai is, you are just lazy. Try www.akamai.com. Akamai is a large hosting company (they estimate 15% of ALL internet traffic goes through them), hosting sites such as Microsoft. As for why the attack? Why does any site get attacked? Akamai is also a very large target, this attack just happened to disrupt service to 2% of its customers for a short time. And since you probably didnt RTFA, it was due to their DNS implementation. The rest of the article read like an ad for a new beast of a security server, and the article as a whole was rather uninformative and boring. The "Akamai got attacked" part was only in the first few lines.

    tm

    --
    Support TBI Research: http://www.raisinhope.org
  23. Re:Quote misattributed by 2names · · Score: 5, Insightful
    The workplace is not a classroom, nor should it be treated as such.

    If you have not realized that every place is a classroom, then, my friend, you have not learned a single thing.

    --
    "I'm just here to regulate funkiness."
  24. nobody read anything by Anonymous Coward · · Score: 4, Insightful

    not only did the submitter not rtfa

    the editors did not rtfa

    and after the first five posts pointing this out, it was obvious that nobody was reading the responses either.

    nobody was reading anything, and now we have a 1000 responses saying the same thing, it wasn't akamai, it was the root servers, blah blah blah.

  25. Fuck by yootje · · Score: 5, Funny

    I'm sorry, next time I will read the article ten times before I post...

    --
    My photo's.