Forgot your password?
typodupeerror
Security The Internet

Akamai: How They Fought Recent DDoS Attacks 231

Posted by timothy
from the malice-is-unbounded dept.
yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.
This discussion has been archived. No new comments can be posted.

Akamai: How They Fought Recent DDoS Attacks

Comments Filter:
  • Wow (Score:5, Funny)

    by Anonymous Coward on Wednesday July 07, 2004 @02:12PM (#9633990)
    "We wired a million dollars into the attackers' Swiss account."

    That's shocking!
    • maybe that is what afternet should do..
      they are totally hosed right now due to a huge ddos.
      see http://www.afternet.org/ for all the details

      sucks
  • Trade-Off (Score:5, Insightful)

    by cynic10508 (785816) on Wednesday July 07, 2004 @02:12PM (#9633995) Journal
    The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.
    • Re:Trade-Off (Score:4, Insightful)

      by Ignignot (782335) on Wednesday July 07, 2004 @02:17PM (#9634058) Journal
      Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.
      • Re:Trade-Off (Score:2, Interesting)

        by Anonymous Coward
        but, no single point of failure. A knock on one weakness in Akamai's network does not bring the whole thing down. That is probably a critical factor in Akamai's business plan.
      • Re:Trade-Off (Score:5, Insightful)

        by bastardadmin (660086) on Wednesday July 07, 2004 @02:33PM (#9634212) Journal
        If you are Akamai, your uptime isn't everything, it is the only thing.

        In their case maintaining a hybrid infrastructure makes perfect sense.
        Remote exploit in IOS? No problem, the Juniper/Extreme/Linux/OpenBSD router in failover config takes over while patching goes on.

        And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

      • by SeinJunkie (751833) <seinjunkie@gmail.com> on Wednesday July 07, 2004 @02:47PM (#9634318) Homepage
        I RTFA, and it doesn't say that Akamai has a diversity of hardware at all, that was talking about BIND:
        Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations," etc...
        AFAIK, all of the text that the quote from the submitter is regarding not Akamai, but BIND in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

        Correct me if I'm wrong.

        • by Zeinfeld (263942) on Wednesday July 07, 2004 @10:55PM (#9638556) Homepage
          AFAIK, all of the text that the quote from the submitter is regarding not Akamai, but BIND in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network

          Paul should shut up about this topic. Companies should not go commenting about attacks made against their competitors - period.

          His statement about the root servers is way off base. Only four of the 13 servers stayed up and the software running on them did not affect the outcome in any way. Most of the servers that went down were running a version of BIND as were two of the servers that stayed up. The other two roots were running ATLAS which is the ultimate in closed source proprietary systems, nobody outside VeriSign has seen the executable, let alone the source code.

          I don't see how anyone could draw any conclusions either way on the basis of this sample. The distinguishing feature was the bandwidth available to the systems, not the software they run.

          Paul should think more and speak to journalists less.

      • Re:Trade-Off (Score:5, Insightful)

        by johnnyb (4816) <jonathan@bartlettpublishing.com> on Wednesday July 07, 2004 @03:00PM (#9634426) Homepage
        However, you are preventing your entire infrastructure to being nailed by a single exploit. With a monoculture, a single flaw exploited by a worm can destroy pretty much everything. With a mixed setup, although you have more possible entrances, each one allows a lot less damage.

        If I have 1,000 troops, if I keep them all in the same fort, they will be a formidable force, unless I find the right weapon (like a nuke). If I keep them in 10 different forts spready throughout the country, although each one of them is more vulnerable individually, I have eliminated the possibility of everything being wiped out in a single blow.
      • Re:Trade-Off (Score:2, Interesting)

        by OneArmedMan (606657)
        Over specialize and you breed in weakness..

        Its Slow death.
    • Re:Trade-Off (Score:5, Insightful)

      by Pharmboy (216950) on Wednesday July 07, 2004 @02:21PM (#9634094) Journal
      Even with our little network (2 T1s, several servers) we do the same thing. Different OS versions, Bind builds, even Apache implimentations. NS1 is dedicated on a slow but extremely robust dual cpu box, all other boxes have a primary task and act as a back up for other tasks. At this small level, its not THAT hard to do, although it takes some preplanning and maintenance. Even the outbound linux router has an offline spare with a different version of Linux and completely different firewall/NAT configuration in case the first gets taken down.

      IMHO, when it comes to providing IT services, if you are not paranoid, you are crazy.
    • Re:Trade-Off (Score:4, Insightful)

      by Tony-A (29931) on Wednesday July 07, 2004 @02:21PM (#9634097)
      Now all we need is a concise cost/benefit analysis.

      Life versus death?

      What you want out of backups and backup systems isn't so much that they are as good as or better than the primary systems, but that they are as independent as possible. Backing up OpenBSD to Windows 95 is not as stupid as it looks.
      • Backing up OpenBSD to Windows 95 is not as stupid as it looks.

        lol, you are correct! One of our backup solutions is having a win98 box with ActivePerl installed go grab a copy of the datafiles every night. In the event of data corruption, THAT is usually the copy I restore from, purely because it is fast to restore from and highly reliable. (Yes, reliable. It only crashes when you are doing something, so it gets rebooted often enough ;)

        Not sure why, but that reminded me of the Simpson's episode where
        • (Yes, reliable. It only crashes when you are doing something, so it gets rebooted often enough ;)

          That's it. My reading comprehension is gone. I'm going to bed now and hopefully not dream of anything remotely related to this Daliesque image.

    • MS products running on MS hardware with MS support contracts gives the best cost/benefit.... to MS :)

      Just ask MS, they will tell you.

    • Re:Trade-Off (Score:5, Informative)

      by Anonymous Coward on Wednesday July 07, 2004 @02:27PM (#9634154)
      Akmai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

      Mod this whole story down "-1 incorrect".
      • Re:Trade-Off (Score:4, Insightful)

        by Anonymous Coward on Wednesday July 07, 2004 @02:58PM (#9634406)
        So, in this case, not only did the submitter not read the article, but neither did the editors. I actually read the article and it was blatanly clear the the whole heterogeneous argument was *not* in reference to Akamai.

        I just have one question: what exactly do the slashdot editors do? I thought they were there to screen incoming submissions. But obviously they don't. Basically, if that's their only job, they suck at it.
  • Sys admins (Score:5, Funny)

    by FortKnox (169099) on Wednesday July 07, 2004 @02:13PM (#9633999) Homepage Journal
    'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

    Wow, your sys admins and help desk must LOVE supporting that!
    • Re:Sys admins (Score:5, Insightful)

      by ron_ivi (607351) <[moc.secivedxelpmocpaehc] [ta] [ontods]> on Wednesday July 07, 2004 @02:22PM (#9634105)
      different operating systesm ... Wow, your sys admins and help desk must LOVE supporting that!

      I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

      When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.

      • Re:Sys admins (Score:5, Insightful)

        by LookSharp (3864) on Wednesday July 07, 2004 @03:50PM (#9634952)
        Can I ask an obvious question here?

        Who the atech-ee-double-hockey-sticks runs "dos-based" systems anymore? I thought Microsoft abandoned the technology starting in 1995, and I personally submitted the "official end of life for DOS support" article to Slashdot several years ago.

        We run heterogenious systems and support them because they provide different benefits and features for our many needs. Sometimes Windows OS servers actually are cheaper, more stable, and easier to support than their Unix counterparts. Sometimes not.

        For instance, we have WebSphere running on Solaris and AIX as an app server platform, and it is great for high volume and failover. But we spend far more time (proportionally) troubleshooting that technology (and the hundred or so servers that run it) than the .NET application servers running on Windows 2000. As an app environment .NET is stable and actually quite fast, and run on much less expensive equipment. However there are only four of them and failover between boxes is sketchy, so on the rare occasion that there is a non-code related outage, it takes longer to get the environment back up to spec.

        Just my anecdotal experience.
        • by beakburke (550627)
          Windows 95 and 98 were still DOS based (even ME, though they ripped out the command shell so the end user couldn't use it). Only the NT/2000/XP family isn't DOS based, strictly speaking.
  • Wow... (Score:5, Funny)

    by kraksmokr (216277) on Wednesday July 07, 2004 @02:13PM (#9634011) Journal
    They've achieved deliberately what happens naturally in a lot of other companies.
  • WRONG! (Score:5, Informative)

    by Anonymous Coward on Wednesday July 07, 2004 @02:14PM (#9634019)
    It says the root servers use different stuff, not akamai. RTFA.
    • Re:WRONG! (Score:5, Informative)

      by Travis Fisher (141842) on Wednesday July 07, 2004 @02:20PM (#9634085)
      Exactly! Correct quotes from the article:
      • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."
  • by klang (27062) on Wednesday July 07, 2004 @02:14PM (#9634021)
    nobody knows what they run, so nobody can make a decent attack ..
    • by stratjakt (596332) on Wednesday July 07, 2004 @02:18PM (#9634059) Journal
      Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.

      But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneosly come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

      It's more proof of what I've always said, there is no "perfectly secure" OS in existence.
    • Oh, yeah. We got Death Star.
    • nobody knows what they run, so nobody can make a decent attack ..

      Well, Kerkoff (sic) said in his principles of security to make the paranoid assumption that attackers will always be able to know what you have and/or how it works. So he says security only by obscurity isn't security at all. Kind of like the ostrich sticking its head in the sand and hoping the lion doesn't see it.

    • Make everything so ass backwards and broken that even if someone did get in, they couldn't do anything useful anyway. :D
    • nmap -P0 -O n1g.akamai.net

      Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
      Interesting ports on a194-251-253-69.deploy.akamaitechnologies.com (194.251.253.69):
      (The 1548 ports scanned but not shown below are in state: closed)
      Port State Service
      22/tcp open ssh
      80/tcp open http
      376/tcp filtered nip
      443/tcp open https
      500/tcp open isakmp
      1434/tcp filtered ms-sql-m

      No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

  • Quote misattributed (Score:2, Informative)

    by RML (135014)
    Unfortunately, the ""We deliberately use different operating systems, different name server implementations..." quote is from Paul Vixie, president of the Internet Systems Consortium, and it's about the root name servers, not about Akamai.
    • by tcopeland (32225) * <{moc.dnalepoceelsamoht} {ta} {mot}> on Wednesday July 07, 2004 @02:19PM (#9634072) Homepage
      > Quote misattribute

      Exactly. And Vixie goes on to say that Akamai can't do that because "the cost would 'drive their accountants crazy.'".

      But I'm not sure having diverse bits of gear is such a huge cost. Wouldn't it instead be a way for sysadmins to broaden their experience and learn more about which tools are best for which jobs?
      • by NekoXP (67564)
        Having your sysadmins LEARNING how to use new architectures, procedures and so on costs money - because their time is on salary, you pay for that learning process, their lack of knowledge in the beginning adding time to solving problems, and bringing in help costs more because you'd prefer they'd have that broad experience already.

        Remember.. [insert product here] is free if your time is worthless.

        Neko
      • by johnnyb (4816)
        The problem is not really the costs, its the accounting. When you have a large enough company to have an accounting department, a lot of wierd things start happening. Not all of it is bad, it's just that managing large amounts of money and equipment is a lot different than handling small amounts of money and equipment.

        Accounting has to be able to cost-justify purchases, otherwise they would be open to easy abuse. Therefore, you have to show that they need sufficient load on the servers to justify the ex
    • I noticed this too. Do you have to read the article to get your topic posted on /. or can you just put together random quotes that seem interesting?
    • it's about the root name servers

      No, it's about "one" particular root nameserver [root-servers.org], F-root [isc.org], which is the root ISC [isc.org] operate. It's one IPv4 address, but actually a whole bunch of machines located across the world [isc.org].
  • Lack of diversity (Score:2, Redundant)

    by phasm42 (588479)
    If I read it right, one of their problems was their lack of diversity -- they all use Akamai's proprietary DNS.
  • intentional or not (Score:4, Insightful)

    by cjwl (776049) on Wednesday July 07, 2004 @02:15PM (#9634037)
    I have to wonder if the diversity of systems was an intentional choice of theirs way back to face these kinds of attacks or if it just grew that way from rapid growth and having their systems spread all over.

    They survived the attack and "Oh yea, we MEANT for it to happen that way".

    I think it's spin.
    • I think it's spin.

      Maybe so, but there's a kernal of truth there. Diversity in biological systems produces robustness. If you have a rich genetic code in a species, you're more likely to have a subset of the population that will survive a new virus, disease, etc. Given the complexity of networked computer systems, is it really that surprising that we're finding certain survival techniques which work well in nature work well when applied in alternative environments?

      That idea's not new, and it's not well-

      • I do find it interesting that software has grown to a diversity and distribution among an interrelated network that we can now start treating it as biological diversity. I wonder if there are any other coorilations and possibly assertions we can make with reguard to this relationship.
  • by pornaholic (242268) on Wednesday July 07, 2004 @02:17PM (#9634049)
    Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.
    Theo only statistic they ofer is the percentage of customers that were impacted. To me this hints of trying to play down the severity of the situation. When only 2 percent of your customers comprise (following is is a made up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.
    • how many percent of their customers customers noticed something to be 'wrong' would be the more meaningful stat..

    • you're lying by omission by only giving customer statistics.

      There are lies, damn lies, and statistics.

      Believe me, you can take any set of numbers and put whatever spin on them you want; one small fact can not paint a picture by itself. The real question is how accountable are you to the people you're quoting statistics to... in this case, the audience of the message is their current customerbase, in hopes of retaining them, and potential customers, in hopes of not scaring them away.

      In both cases you ha
    • When only 2 percent of your customers comprise (following is is a made up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

      I would bet that anyone who has services from akamai is fairly high traffic, otherwise what is the point. Akamai's not cheap, and people wouldn't be using Akamai if there wasn't a need!

      That said, I doubt 2% of their customers would be responsible for 80% of the traffic. . .
    • It's all relative (Score:3, Informative)

      Akamai is, at best, being disingenous when they say only 2 percent of their customers were affected by the outage. Maybe 2 percent of their customers, but how many of their customers customers were affected?

      2 percent may not sound like much on the surface, but if that percentage includes companies like Microsoft, MSNBC, Amazon, Yahoo, CNN, Lycos and other big-shot content providers then the relative number of "customers" affected by the outage is a lot more notable.

  • by TheAmigo (10935) on Wednesday July 07, 2004 @02:17PM (#9634054)
    The submitter's description of the article was completely incorrect and backwards.

    Diversity of hardware makes ROOT DNS SERVERS more defensible. Akamai is NOT diverse, and they do not want to be.

  • by adavies42 (746183) on Wednesday July 07, 2004 @02:17PM (#9634056)
    The quote on diversity is by Vixie wrt the roots servers--it's a criticism of Akamai! Jesus H. Christ, it's in the first paragraph!
  • This is an ad! (Score:5, Insightful)

    by isaac (2852) on Wednesday July 07, 2004 @02:19PM (#9634081)
    This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.

    Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."

    -Isaac
    • I wondered what was amiss. I think that fits.

      What the heck is "deep" packet processing anyway?
      • I think it's when you do logic using reads from data beyond the packet header.

        Packets are composed in layers. The lower ones have to do with transmission over the network. The higher ones have to do with the interpretation of the packet (like which application session etc it belongs to). And of course you have the payload, the data being sent, like the letter in the envelope.

        Mu!
  • by rgmoore (133276) * <glandauer@charter.net> on Wednesday July 07, 2004 @02:22PM (#9634106) Homepage
    According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC.

    Actually, according to the article the diversity approach is part of what's used to defend the DNS root servers, not Akamai. Vixie specifically mentions that this approach is not practical for an ordinary content provider like Akamai because, 'the cost would "drive their accountants crazy."' I'm dubious about just how helpful diversity would be against a DDoS attack in the first place. Diversity won't solve the problem of requests coming in faster than they can be processed.

  • According to this article one of the defenses of Akamai is the big diversity of their hardware...

    Erm, I think the poster made a mistake here. This diversity is attributed to the 13 root servers. Akamai's services do not employ such techniques due to the unsupportable cost. Based on the problems we saw during the DDoS, I can't say Akamai had much to offer in its arsenal.

    Or am I the one who misread?

  • by doombob (717921)
    Is that like using Windows 98 and Windows ME?
  • 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

    ...That their entire operation is really based out of a bunch of Computer Renaissance stores and pawn shops run by cheap managers that don't talk to one another.

    It sounds like a recipe for success!

  • by CokoBWare (584686) on Wednesday July 07, 2004 @02:40PM (#9634267)
    A valid tactic... it mitigates the problems with a unified vendor, but it costs lots more...
    • Diversity is not the same as obscurity. Diversity is the same as inhabiting a planet with strong coldblooded animals and weaker warmblooded animals and see which turn out to be the dinosaurs and which will end up inventing the wheel.

      Obscurity is hiding your dinosaur, hoping the meteorite won't see it.

  • by twitter (104583) on Wednesday July 07, 2004 @02:40PM (#9634272) Homepage Journal
    [description of magnificent gateway] For now the attackers are winning the arms race. The technology we'll need to monitor, react, and adapt in real time has yet to evolve, but it's headed in that direction.

    I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in it's redundancy and distribution. What I see is continued centralization and creation of points of failure. As "Broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that can not be protected against. The real solution is to let everyone run everthing they want. That's the only way to route around damage.

  • by Mr. Neutron (3115) on Wednesday July 07, 2004 @02:42PM (#9634280) Homepage Journal
    ...is like trying to wipe out swarm of gnats with a shotgun.
  • by stienman (51024) <adavis.ubasics@com> on Wednesday July 07, 2004 @02:44PM (#9634300) Homepage Journal
    Boss: "Why did nearly half our service go down Friday?"

    CTO: "Actually, sir, the real question is why did we lose less than half of our service. The answer is that I've, uh, been strategically using different systems and components throughout the enterprise on purpose to prevent drastic losses. No one else could have even kept 10% of their machines up under that DDOS."

    Boss: "I knew I could count on you for the right PR spin job. Go back and think up some other good excuses."

    -Adam
  • Ummm.. (Score:5, Interesting)

    by Sheepdot (211478) on Wednesday July 07, 2004 @02:51PM (#9634351) Journal
    RTFA.

    In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures," Vixie told Internetnews.com.

    He's not talking about how great Akamai is. He's talking about how great everyone else is.

    On another note: What the heck does this story have to do with Akamai operators fighting DDoS attacks? They more than likely sat with their thumbs up their rears contemplating how having such a structured and inflexible DNS system could possibly be in err.

  • but why didn't it work? Or is this a case of "it could have been worse?" And if it is, then why does it even matter?
  • by MisterMoney (615506) on Wednesday July 07, 2004 @03:11PM (#9634561)
    I thought we were disorganized here where I work, but it turns out we were just throwing up a good defense.

    'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'
  • by zx-6e (604380) <zx-6eNO@SPAMdragonnetworks.com> on Wednesday July 07, 2004 @03:21PM (#9634654)
    The article summary is incorrect. Diversity was not a defense for Akamai, it is a defense for the 13 DNS root servers. In fact, in the article, Paul Vixie "charged that Akamai's proprietary approach to DNS makes it a single point of failure." The diversity approach is what is used to help prevent these kinds of failures in the global DNS system.
  • Oooops (Score:3, Informative)

    by bozojoe (102606) on Wednesday July 07, 2004 @03:21PM (#9634656) Journal
    According to this article one of the defenses of Akamai
    please reread the infoworld article, as they are refering to the DNS root servers, not akamai
  • Yootje Points? (Score:2, Insightful)

    What the heck are those? Are they like bad karma points for articles that have overlapping information with other articles?

    By the way, which one of the articles is it that says Akamai did anything right to fight attacks?
  • 'We deliberately use different operating systems . . . .'

    They called me crazy for using Windows 95, 98, 2000, CE and ME . . . I'm invincible! Bwahahaha!
  • by np_bernstein (453840) on Wednesday July 07, 2004 @03:27PM (#9634720) Homepage
    'It's about CloudShield Technologies ... recently announced CS-2000', and nothing but a fluff peice meant to sell some hardware. Sure, Akami's DDOS is discussed ("DDOSs are ba-ad, mmkay."), but then it just goes on to talk about the CS-2000.
  • by Anonymous Coward on Wednesday July 07, 2004 @03:42PM (#9634865)
    not only did the submitter not rtfa

    the editors did not rtfa

    and after the first five posts pointing this out, it was obvious that nobody was reading the responses either.

    nobody was reading anything, and now we have a 1000 responses saying the same thing, it wasn't akamai, it was the root servers, blah blah blah.
  • Fuck (Score:5, Funny)

    by yootje (770109) on Wednesday July 07, 2004 @04:10PM (#9635123) Homepage
    I'm sorry, next time I will read the article ten times before I post...
    • Re:Fuck (Score:3, Insightful)

      by Anonymous Coward
      Also please make sure it's not a paid ad for some ByMeNow-5000 product rather than an actual article.
  • I have a feeling it was more like,

    (BOFH types RETURN, followed by)

    "Oh Shit!"
  • by Anonymous Coward on Wednesday July 07, 2004 @06:46PM (#9636896)
    First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices [faqs.org]. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.

    Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent [uspto.gov] I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.

    Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.

    Fourth, Akamai is a single point of failure because that is what they do - offload dns and content load from the biggest companies on the net life MS, google and ebay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at 10's or 100's of GiB/s I am not sure what I would do.

    Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."

    Some DNS software links:
    nsd - high performance, uses BIND style files and authoritative only [nlnetlabs.nl]
    They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis [nlnetlabs.nl]
    maradns [maradns.org]
    Powerdns, mysql and a pretty website [powerdns.com]
    djbdns [cr.yp.to] he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
    nstx, ip over dns, yeah... [sourceforge.net]

I'm a Lisp variable -- bind me!

Working...