
Akamai: How They Fought Recent DDoS Attacks

yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.

19 of 231 comments

  1. Wow by Anonymous Coward · · Score: 5, Funny

    "We wired a million dollars into the attackers' Swiss account."

    That's shocking!

  2. Trade-Off by cynic10508 · · Score: 5, Insightful

    The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.

    1. Re:Trade-Off by Pharmboy · · Score: 5, Insightful

      Even with our little network (2 T1s, several servers) we do the same thing. Different OS versions, BIND builds, even Apache implementations. NS1 is dedicated on a slow but extremely robust dual-CPU box; all other boxes have a primary task and act as a backup for other tasks. At this small level, it's not THAT hard to do, although it takes some preplanning and maintenance. Even the outbound Linux router has an offline spare with a different version of Linux and a completely different firewall/NAT configuration in case the first gets taken down.

      IMHO, when it comes to providing IT services, if you are not paranoid, you are crazy.

      --
      Tequila: It's not just for breakfast anymore!
    2. Re:Trade-Off by Anonymous Coward · · Score: 5, Informative

      Akamai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

      Mod this whole story down "-1 incorrect".

    3. Re:Trade-Off by bastardadmin · · Score: 5, Insightful

      If you are Akamai, your uptime isn't everything, it is the only thing.

      In their case maintaining a hybrid infrastructure makes perfect sense.
      Remote exploit in IOS? No problem, the Juniper/Extreme/Linux/OpenBSD router in failover config takes over while patching goes on.

      And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

  3. Wow... by kraksmokr · · Score: 5, Funny

    They've achieved deliberately what happens naturally in a lot of other companies.

  4. WRONG! by Anonymous Coward · · Score: 5, Informative

    It says the root servers use different stuff, not akamai. RTFA.

    1. Re:WRONG! by Travis Fisher · · Score: 5, Informative

      Exactly! Correct quotes from the article:
      • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."

  5. They never mention percentage of users impacted by pornaholic · · Score: 5, Interesting

    Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.
    The only statistic they offer is the percentage of customers that were impacted. To me this hints at trying to play down the severity of the situation. When only 2 percent of your customers comprise (the following is a made-up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

  6. Re:security by obscurity.. by stratjakt · · Score: 5, Insightful

    Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.

    But servers B, C, D, E, F, G, etc. are immune to your attacks on server A. To take down the root servers, you'd need to simultaneously come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

    It's more proof of what I've always said, there is no "perfectly secure" OS in existence.

    --
    I don't need no instructions to know how to rock!!!!
  7. This is an ad! by isaac · · Score: 5, Insightful

    This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.

    Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  8. Re:Sys admins by ron_ivi · · Score: 5, Insightful

    different operating systems ... Wow, your sys admins and help desk must LOVE supporting that!

    I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

    When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.

  9. Gee-Wiz hardware will never win. by twitter · · Score: 5, Insightful
    [description of magnificent gateway] For now the attackers are winning the arms race. The technology we'll need to monitor, react, and adapt in real time has yet to evolve, but it's headed in that direction.

    I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in its redundancy and distribution. What I see is continued centralization and creation of points of failure. As "broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that cannot be protected against. The real solution is to let everyone run everything they want. That's the only way to route around damage.

    --

    Friends don't help friends install M$ junk.

  10. Good old PR spin - nothing like it... by stienman · · Score: 5, Funny

    Boss: "Why did nearly half our service go down Friday?"

    CTO: "Actually, sir, the real question is why did we lose less than half of our service. The answer is that I've, uh, been strategically using different systems and components throughout the enterprise on purpose to prevent drastic losses. No one else could have even kept 10% of their machines up under that DDOS."

    Boss: "I knew I could count on you for the right PR spin job. Go back and think up some other good excuses."

    -Adam

  11. Diversity Doesn't Refer to Akamai at All by SeinJunkie · · Score: 5, Informative

    I RTFA, and it doesn't say that Akamai has a diversity of hardware at all; that was talking about BIND:

    Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations," etc...

    AFAIK, all of the text that the submitter's quote comes from is regarding not Akamai, but BIND, in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

    Correct me if I'm wrong.

    1. Re:Diversity Doesn't Refer to Akamai at All by Zeinfeld · · Score: 5, Insightful

      AFAIK, all of the text that the submitter's quote comes from is regarding not Akamai, but BIND, in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

      Paul should shut up about this topic. Companies should not go commenting about attacks made against their competitors - period.

      His statement about the root servers is way off base. Only four of the 13 servers stayed up and the software running on them did not affect the outcome in any way. Most of the servers that went down were running a version of BIND as were two of the servers that stayed up. The other two roots were running ATLAS which is the ultimate in closed source proprietary systems, nobody outside VeriSign has seen the executable, let alone the source code.

      I don't see how anyone could draw any conclusions either way on the basis of this sample. The distinguishing feature was the bandwidth available to the systems, not the software they run.

      Paul should think more and speak to journalists less.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  12. Ummm.. by Sheepdot · · Score: 5, Interesting

    RTFA.

    In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures," Vixie told Internetnews.com.

    He's not talking about how great Akamai is. He's talking about how great everyone else is.

    On another note: What the heck does this story have to do with Akamai operators fighting DDoS attacks? They more than likely sat with their thumbs up their rears contemplating how having such a structured and inflexible DNS system could possibly be in error.

  13. Re:Quote misattributed by 2names · · Score: 5, Insightful

    The workplace is not a classroom, nor should it be treated as such.

    If you have not realized that every place is a classroom, then, my friend, you have not learned a single thing.

    --
    "I'm just here to regulate funkiness."
  14. Fuck by yootje · · Score: 5, Funny

    I'm sorry, next time I will read the article ten times before I post...