Akamai's Side of the DDoS Story: Measurement Service Got it Wrong

By Michael Hall | Jun 16, 2004
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3369391/Akamais-Side-of-the-DDoS-Story-Measurement-Service-Got-it-Wrong.htm


A press release from Akamai offers some more insight into the company's network problems yesterday and takes a swipe at an unnamed "third-party website measurement service" it says "inaccurately portrayed" the extent of the problems. Among other things, Akamai acknowledged that the problems were the result of a massive distributed denial-of-service (DDoS) attack. The company also said the attack was aimed at specific Akamai customers.

In the release's bullet points:

  • the domain name service impact was limited to approximately 4 percent of the Akamai customer base
  • 2 percent had noticeable impact
  • less than 1 percent of Akamai customers had a significant impact affecting more than 20 percent of their users

Akamai has, by its own count, over 1,100 customers. Four percent of its customer base, therefore, is somewhere around 500 customers. When the list of affected customers includes the world's largest operating system company (Microsoft) and one of our more prominent anti-virus vendors (Symantec), the seemingly insignificant numbers take on a new light.

It also offered up this insight into how a Web site measurement service might provide inaccurate information:

Third party website measurement services can significantly overstate the impact of attacks such as this one, because these services use private name servers to check website availability. These private name servers do not serve traffic to actual end users. If one of these private name servers is unable to reach a site or to get a DNS resolution immediately, it may record that the site is unavailable. In contrast, actual end users are served by public name servers that make repeated attempts to perform DNS resolutions and, once successful, the appropriate domain name is shared with thousands of end users, who are then able to reach the websites they want. During Tuesday's attack, public name servers used by most end users worldwide were able to get DNS resolutions from Akamai, so most end users were able to access the Web content they wanted.
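The mechanism Akamai describes above (a single-shot probe versus a public resolver that retries and then caches the answer) can be reduced to a small deterministic model. This is an added illustration, not code from the article or from Akamai or Keynote; the loss schedule, retry count and TTL are constructed values chosen to make the arithmetic checkable by hand.

```python
"""Model of two DNS vantage points measuring one overloaded authoritative server.

Constructed scenario: the authoritative server drops queries according to a fixed,
repeating schedule ('X' = dropped, '.' = answered). A measurement probe sends one
query per check with no retry and no cache; a public recursive resolver retries a
few times and, once it has an answer, serves it from cache for TTL ticks.
"""

LOSS_SCHEDULE = "XX.XXX.X.X"  # constructed: 7 of every 10 queries are dropped


class Authoritative:
    """Overloaded authoritative name server; answers follow LOSS_SCHEDULE cyclically."""

    def __init__(self, schedule: str = LOSS_SCHEDULE) -> None:
        self.schedule = schedule
        self.queries = 0  # total queries received, answered or not

    def query(self) -> bool:
        answered = self.schedule[self.queries % len(self.schedule)] == "."
        self.queries += 1
        return answered


def single_shot_probe(auth: Authoritative, checks: int) -> tuple[float, int]:
    """Measurement-service style: one query per check, a miss is recorded as 'down'."""
    ok = sum(auth.query() for _ in range(checks))
    return ok / checks, auth.queries


def recursive_resolver(auth: Authoritative, checks: int,
                       retries: int = 3, ttl: int = 20) -> tuple[float, int]:
    """End-user style: retry up to `retries` times, then cache the answer for `ttl` ticks."""
    cached_until = -1
    ok = 0
    for t in range(checks):
        if t < cached_until:          # answer still in cache: user never touches the authoritative
            ok += 1
            continue
        for _ in range(retries + 1):  # first attempt plus retries
            if auth.query():
                cached_until = t + ttl
                ok += 1
                break
    return ok / checks, auth.queries


if __name__ == "__main__":
    # Same server, same loss, two very different "availability" numbers.
    print("single-shot probe  (availability, queries sent):", single_shot_probe(Authoritative(), 100))
    print("recursive resolver (availability, queries sent):", recursive_resolver(Authoritative(), 100))
```

With retries=0 and ttl=1 the resolver degenerates into the single-shot probe, which is a useful sanity check on the model.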

But we're back to where we were yesterday: The subject of Akamai's ire, Keynote Systems, probably irritated Akamai less with any numbers it might have gotten wrong than by calling "horsepucky" on Akamai's claim that the entire DNS system was under attack. Evil wrongdoers targeting the entire Internet, specifically a ripe target like the DNS infrastructure, are one thing. Blackhats going after a single, very specific cluster of targets and earning the payoff of silencing 500 web sites for many major companies and Web presences sounds a little less like another day at the Internet grind. Still sounds like a distributed single point of failure to us.

Just as we were getting ready to post this afternoon, we noted that siliconvalley.internet.com interviewed none other than Paul Vixie who spelled the matter out in more detail:

Vixie contends that Akamai's approach to its DNS puts too many eggs in one basket. "The basic internet technology was built to military specifications and is meant to be 'survivable' in the sense that there is no single point of failure," Vixie said. "Akamai is a single point of failure, as evidenced by yesterday's problems and a similar problem that occurred a few weeks ago.

"In order to keep this from happening, Akamai is going to have to simulate diversity, which will drive their accountants crazy since it's harder to manage profit margins if you're building extra copies of your system of which none are ever fully utilized," Vixie said.

Elsewhere:

» Iomega has a new NAS device on the market. It runs Microsoft Windows Storage Server 2003. Some stats from the writeup:

  • Four USB 2.0 ports and one Ultra SCSI 320 port (480GB only) for adding high-speed backup devices.
  • Storage and file-sharing capability from remote locations even with limited IT staff
  • Supports Windows, Mac, Linux, UNIX and NetWare clients
  • Includes Iomega's Automatic Backup Software and Computer Associates' eTrust Anti-virus Software

Iomega's spokesman says, "Most small businesses run one of the Microsoft operating systems on their desktops, so it's familiar. Even if you have no IT experience, this server is easy enough to get up and running in 15 minutes. It's storage you already know how to use. If you can manage your Windows desktop, you can manage this box."

» The Register offers a more thoughtful follow-up on yesterday's news about the FTC rejecting the creation of a "Do Not Spam" list, running down the costs involved in bringing a spammer to court vs. the petite payoffs. It ends with this damning graf:

It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences.

» Phishing scams, according to Gartner, may have involved upwards of $1.2 billion of the $2.4 billion taken from nearly two million adults in identity theft scams last year. Hopping on board something like SPF is sounding better by the day.

The Week in Network News

» Monday: Comcast Blocks Port 25: Why Was it Ever Open?

ISP Comcast has taken to blocking port 25 when it detects spam-like traffic levels. It's a good move the company says has reduced spam coming out of its net by 20 percent. Why isn't the block default behavior? Also: MIMO pushes WLANs further, HP spruces up its network management tools, and just in time for VoWLAN, we get a crash course in question-asking.

» Tuesday: Akamai Staggered: Is It a Distributed Single Point of Failure?

Akamai, the content distribution outfit of choice, took one on the chin this morning slowing or knocking out some of the Web's biggest sites. Is it the single point of failure IP was designed to avoid? Also: Juniper rolls into Cisco country, the FTC agrees that giving spammers a mailing list is a bad idea, Microsoft releases XP SP2 RC1, and a Bluetooth worm wriggles onto smartphones.

The Week in CrossNodes

» NFS/NIS: Lessen Your Legacy Security Liabilities

You may be an old-school holdout, or you may have inherited a network with NFS/NIS driving some of the file-sharing load. Either way, here's how you can button down these venerable but potentially dangerous services.

» VoWLAN: The Wireless Voice Future is Here ... Almost

VoWLAN might be the chocolate and peanut butter of networking, but the convergence of VoIP and wireless freedom has its share of snags. Here's what you need to know.

» Squid Puts the Squeeze on Net Wrongdoers (Part 2)

Between online deathmatches, hearts tournaments, and sports bookies, your network might be looking more like a playground than a place to get work done. Here's how to use Squid to button down the traffic and make sure your more slippery users don't slide out of its grasp.

» Three LDAP Browsers for the Asking

Getting your information in a directory is just half the battle: The other half is finding it. Here are three LDAP browsers, free of charge and up to the task of digging through your data.

Network News Break is CrossNodes' daily summary of networking news and opinion, served up fresh daily. Please send your comments and suggestions to the editor.