Akamai: How They Fought Recent DDoS Attacks

yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.
  • WRONG! (Score:5, Informative)

    by Anonymous Coward on Wednesday July 07, 2004 @02:14PM (#9634019)
    It says the root servers use different stuff, not Akamai. RTFA.
  • Quote misattributed (Score:2, Informative)

    by RML ( 135014 ) on Wednesday July 07, 2004 @02:15PM (#9634026)
    Unfortunately, the "We deliberately use different operating systems, different name server implementations..." quote is from Paul Vixie, president of the Internet Systems Consortium, and it's about the root name servers, not about Akamai.
  • by TheAmigo ( 10935 ) on Wednesday July 07, 2004 @02:17PM (#9634054)
    The submitter's description of the article was completely incorrect and backwards.

    Diversity of hardware makes ROOT DNS SERVERS more defensible. Akamai is NOT diverse, and they do not want to be.

  • by tcopeland ( 32225 ) * <tom AT thomasleecopeland DOT com> on Wednesday July 07, 2004 @02:19PM (#9634072) Homepage
    > Quote misattribute

    Exactly. And Vixie goes on to say that Akamai can't do that because "the cost would 'drive their accountants crazy.'"

    But I'm not sure having diverse bits of gear is such a huge cost. Wouldn't it instead be a way for sysadmins to broaden their experience and learn more about which tools are best for which jobs?
  • Re:WRONG! (Score:5, Informative)

    by Travis Fisher ( 141842 ) on Wednesday July 07, 2004 @02:20PM (#9634085)
    Exactly! Correct quotes from the article:
    • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."
  • by Burdell ( 228580 ) on Wednesday July 07, 2004 @02:23PM (#9634125)
    SYN cookies are for TCP connections (because TCP uses a three-way handshake to set up a connection). DNS uses (primarily) UDP traffic, which is connectionless (there is no "stateful" connection with UDP). SYN cookies do no good when your DNS servers are under attack.
  • Re:Trade-Off (Score:5, Informative)

    by Anonymous Coward on Wednesday July 07, 2004 @02:27PM (#9634154)
    Akamai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

    Mod this whole story down "-1 incorrect".
  • Slashdotted! (Score:0, Informative)

    by Anonymous Coward on Wednesday July 07, 2004 @02:29PM (#9634170)
    We have been slashdotted several times, so we knew what to do when we got hit with the DDoS attack.
  • by cynic10508 ( 785816 ) on Wednesday July 07, 2004 @02:43PM (#9634289) Journal

    nobody knows what they run, so nobody can make a decent attack ..

    Well, Kerkoff (sic) said in his principles of security to make the paranoid assumption that attackers will always be able to know what you have and/or how it works. So he says security only by obscurity isn't security at all. Kind of like the ostrich sticking its head in the sand and hoping the lion doesn't see it.

  • by SeinJunkie ( 751833 ) <seinjunkie@gmail.com> on Wednesday July 07, 2004 @02:47PM (#9634318) Homepage
    I RTFA, and it doesn't say that Akamai has a diversity of hardware at all, that was talking about BIND:
    Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. "We deliberately use different operating systems, different name server implementations," etc...
    AFAIK, all of the text that the submitter's quote comes from is regarding not Akamai, but BIND, in criticism of Akamai. He's saying that they would have performed better had they used a more diversified network.

    Correct me if I'm wrong.

  • Re:What do they do? (Score:5, Informative)

    by Tmack ( 593755 ) on Wednesday July 07, 2004 @02:51PM (#9634356) Homepage Journal
    For not knowing about the recent Akamai attacks, you must have just joined /. or been hiding in a cave for the past few months. Basically, a bunch of the recent worms that have been going around have a client built into them for targeted DOS attacks, and most of them target various servers in Akamai's network. For not knowing who Akamai is, you are just lazy. Try www.akamai.com. Akamai is a large hosting company (they estimate 15% of ALL internet traffic goes through them), hosting sites such as Microsoft. As for why the attack? Why does any site get attacked? Akamai is also a very large target, this attack just happened to disrupt service to 2% of its customers for a short time. And since you probably didn't RTFA, it was due to their DNS implementation. The rest of the article read like an ad for a new beast of a security server, and the article as a whole was rather uninformative and boring. The "Akamai got attacked" part was only in the first few lines.

    tm

  • Re:MacOS classic? (Score:1, Informative)

    by Anonymous Coward on Wednesday July 07, 2004 @02:52PM (#9634363)
    Back in the System 6 days, viruses like WDEF and NVIR were really common. At least in the college labs I was in.

    You can bet a hostile AppleTalk programmer could DoS and hack those things to hell. They're great for trusted networks tho.
  • Re:MacOS classic? (Score:2, Informative)

    by Lohrno ( 670867 ) on Wednesday July 07, 2004 @03:20PM (#9634641)
    I remember Several, init/cdev A, init B, etc.
  • by zx-6e ( 604380 ) <zx-6e&dragonnetworks,com> on Wednesday July 07, 2004 @03:21PM (#9634654)
    The article summary is incorrect. Diversity was not a defense for Akamai, it is a defense for the 13 DNS root servers. In fact, in the article, Paul Vixie "charged that Akamai's proprietary approach to DNS makes it a single point of failure." The diversity approach is what is used to help prevent these kinds of failures in the global DNS system.
  • Oooops (Score:3, Informative)

    by bozojoe ( 102606 ) on Wednesday July 07, 2004 @03:21PM (#9634656) Journal
    > According to this article one of the defenses of Akamai

    Please reread the Infoworld article, as they are referring to the DNS root servers, not Akamai.
  • by NoNsense ( 6950 ) on Wednesday July 07, 2004 @03:38PM (#9634814)
    You're absolutely correct. The article even goes on to point out that such a change would "drive the accountants crazy" at Akamai.

    I wish the approvers of the stories would read the article before posting the summary.

    John
  • It's all relative (Score:3, Informative)

    by The Angry Mick ( 632931 ) on Wednesday July 07, 2004 @04:02PM (#9635050) Homepage

    Akamai is, at best, being disingenuous when they say only 2 percent of their customers were affected by the outage. Maybe 2 percent of their customers, but how many of their customers' customers were affected?

    2 percent may not sound like much on the surface, but if that percentage includes companies like Microsoft, MSNBC, Amazon, Yahoo, CNN, Lycos and other big-shot content providers then the relative number of "customers" affected by the outage is a lot more notable.

  • by Anonymous Coward on Wednesday July 07, 2004 @06:46PM (#9636896)
    First, the root servers have different dns server software and OSes, not because Vixie thought of it, but because it is policy codified in the BCP RFC for root servers best practices [faqs.org]. In fact, I think he was unhappy about other root servers using non-BIND software in the beginning.

    Second, he is being disingenuous about his comments about patents, his company owns at least one patent related to the Verisign "Site Finder" service methodology. Nominum Patent [uspto.gov] I didn't see any statements by him disparaging his company when they applied for that patent. So it isn't that he doesn't like patents, it is that he doesn't like that Akamai is making money doing third party DNS without paying him money or homage. Note: His commercial, for profit dns server software company has a white paper enumerating the scalability and other problems with BIND, and they use an architecture more similar to DJBDNS than to BIND 9 - separate auth and resolving dns server packages, most modern dns server software uses this architecture to reduce code complexity and improve security and performance.

    Third, if he wanted to be the pillar of dns server software that he supposedly is, he could have sent a few goons from Nominum over to Akamai and set up some boxes with his commercial, for profit, "scalable" dns server software and Akamai would have been able to see if his software was able to stand up to the ddos attack better than what they have. If it did, he probably could have gotten a sweet, lucrative contract out of it and been a hero for helping thwart the attack, rather than a hypocritical, self serving competitor hiding behind Open Source to appear credible.

    Fourth, Akamai is a single point of failure because that is what they do - offload dns and content load from the biggest companies on the net like MS, google and ebay. No, I don't work there, but I would venture a guess that they carry more traffic than (maybe) any other company. So I am sure it is easy to armchair quarterback and say they should do this and that, but when the attacks are probably at 10's or 100's of GiB/s I am not sure what I would do.

    Nominum is also involved in RFID stuff, so I will be interested to see what happens with him and his companies as that ramps up. And who knows what deals have already been made - "the future of DNS is right."

    Some DNS software links:
    nsd - high performance, uses BIND style files and authoritative only [nlnetlabs.nl]
    They have an interesting testing procedure where they run nsd and BIND, have them build responses to the same queries and then analyze any differences: diff analysis [nlnetlabs.nl]
    maradns [maradns.org]
    Powerdns, mysql and a pretty website [powerdns.com]
    djbdns [cr.yp.to] he's grouchy and the no license license thing freaks people out and pisses them off, but people become attached to the quirky but rock solid software.
    nstx, ip over dns, yeah... [sourceforge.net]
