
Akamai: How They Fought Recent DDoS Attacks

timothy posted more than 9 years ago | from the malice-is-unbounded dept.

Security 231

yootje writes "Infoworld is running an interesting article about Akamai and the DDoS attack that hit the network of Akamai Tuesday. According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC." Yootje points to another article on this subject as well, this one at Internetnews.com. Update: 07/07 19:38 GMT by T : Note that Vixie's quote here is actually presented out of context; he was commenting by way of contrast on the diversity of the root DNS servers, not Akamai's content-serving system.


231 comments

Wow (5, Funny)

Anonymous Coward | more than 9 years ago | (#9633990)

"We wired a million dollars into the attackers' Swiss account."

That's shocking!

Re:Wow (0)

Anonymous Coward | more than 9 years ago | (#9634038)

million dollars to code a new version of TFN2k ..lol

afternet (1)

joeldg (518249) | more than 9 years ago | (#9634087)

maybe that is what afternet should do..
they are totally hosed right now due to a huge ddos.
see http://www.afternet.org/ for all the details

sucks

Trade-Off (5, Insightful)

cynic10508 (785816) | more than 9 years ago | (#9633995)

The diversity of hardware and software may be an IT nightmare but I think this shows how effective it really is. Now all we need is a concise cost/benefit analysis.

Re:Trade-Off (4, Insightful)

Ignignot (782335) | more than 9 years ago | (#9634058)

Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.

Re:Trade-Off (1)

cynic10508 (785816) | more than 9 years ago | (#9634192)

Allow me to perform a concise analysis for you. Hmm... the benefits are that DDoS's have some trouble knocking you offline. What are the costs? Much higher IT costs. Also, the total number of holes in your security will be higher. Just keeping track of all windows security fixes is hard. Imagine doing that for windows, solaris, linux, osx, and bsd. On 100 different hardware setups. Some things are going to go unpatched. You're giving hackers / crackers more opportunities, not more problems.

Fair enough. But what I was thinking of was more of a metric. What are the costs associated with various hardware and software systems? Then, at what point does the added complexity and cost overwhelm the security benefit?

Side note: the security benefit would have to be a metric unto itself also. Perhaps the number and severity of vulnerabilities per release, etc.

Re:Trade-Off (2, Interesting)

Anonymous Coward | more than 9 years ago | (#9634198)

but, no single point of failure. A knock on one weakness in Akamai's network does not bring the whole thing down. That is probably a critical factor in Akamai's business plan.

Re:Trade-Off (5, Insightful)

bastardadmin (660086) | more than 9 years ago | (#9634212)

If you are Akamai, your uptime isn't everything, it is the only thing.

In their case maintaining a hybrid infrastructure makes perfect sense.
Remote exploit in IOS? No problem, the Juniper/Extreme/Linux/OpenBSD router in failover config takes over while patching goes on.

And if you are maintaining a massive hybrid infrastructure like that you will likely have the people and processes to handle security issues/patches.

Re:Trade-Off (5, Insightful)

Pharmboy (216950) | more than 9 years ago | (#9634094)

Even with our little network (2 T1s, several servers) we do the same thing. Different OS versions, Bind builds, even Apache implementations. NS1 is dedicated on a slow but extremely robust dual CPU box; all other boxes have a primary task and act as a backup for other tasks. At this small level, it's not THAT hard to do, although it takes some preplanning and maintenance. Even the outbound linux router has an offline spare with a different version of Linux and completely different firewall/NAT configuration in case the first gets taken down.

IMHO, when it comes to providing IT services, if you are not paranoid, you are crazy.

Re:Trade-Off (0)

Anonymous Coward | more than 9 years ago | (#9634246)

We've got a web-server "cluster" of two systems running MONO's ASP.Net and Microsoft's ASP.Net.

'course we're doing it just to prove we can; but it's kinda cool.

Re:Trade-Off (3, Insightful)

Tony-A (29931) | more than 9 years ago | (#9634097)

Now all we need is a concise cost/benefit analysis.

Life versus death?

What you want out of backups and backup systems isn't so much that they are as good as or better than the primary systems, but that they are as independent as possible. Backing up OpenBSD to Windows 95 is not as stupid as it looks.

Re:Trade-Off - TCO (2, Funny)

axis-techno-geek (70545) | more than 9 years ago | (#9634124)

MS products running on MS hardware with MS support contracts gives the best cost/benefit.... to MS :)

Just ask MS, they will tell you.

Re:Trade-Off (1)

Crinos (201310) | more than 9 years ago | (#9634132)

Okay, this may be off-topic, but it's always bugged me. What do big companies base "damage" estimates on? IIRC, some/one of the companies during the whole Kevin Mitnick deal claimed that he caused $80 million in damage... how is this number figured?

Re:Trade-Off (1)

Jad LaFields (607990) | more than 9 years ago | (#9634167)

Reading your post "damaged" me and my productivity -- during that time I could have gone and bought a instant scratch-off lottery ticket and won.

I'll be expecting your $20 million in the mail if you don't want to be sued.

Re:Trade-Off (3, Interesting)

lambent (234167) | more than 9 years ago | (#9634188)

Basically, it works like this ... they make it up. Kind of. In the Mitnick case, they took the product he stole (software), deemed it now unusable because it was leaked, and said 'we could have sold $80 million to users ... now we can't.'

Also, man hours get factored in, sometimes two or three times over, including the man hours that were used to create the product in the first place, as well as to re-create the product again.

It's all very stupid, and nobody believes a word of it except the courts.

Cause they're dumb.

(shrug)

Response to computer security by JabberKatz(tm) (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9634136)

Borsook's "Cyberselfish: A Critical Romp Through The Terribly Libertarian Culture of High Tech" is published by O'Reilly ($US24), one of the largest info-tainmnent conglomerates on the planet. It's the stepchild of post-war progress in farming, slaughtering, packing, refrigeration, and transportation.

For several years now, federal law enforcement agencies and a private threat-evaluation security firm have teamed up to develop a genetic map indicating which components of this genetic material determine certain human traits, from depression to disease to susceptibility to addiction to eye color or artistic ability.

The institutions of the outside world are thundering online like a great frenzied herd. And they're dinosaurs, fading relics of another time.

Rebel code helped end the Microsoft Age by focusing attention on the impact of the Net like Jonathan Postel. Millions of kids informing on millions of other kids, as is often true of sex and scandal, the press has been full of Armageddon-like reports about the end of World War II, and TV has become an unprecedently significant focal point for many competing interests -- corporations, fans, some artists -- all grappling with intellectual property and other kinds of virtual communities. However, they were given short shrift amidst all of the responses, some of whom are now parents. The hysteria over Littleton has only made things worse. It's time for the politically correct revolution to include Geek! Vertically challenged persons, color diverse persons, size-enhanced persons (like the GNAA) have all had their day. This must be the case with a series of infamous pre-dawn attacks on the "K"

Date: Thu, Sep 28, 2000, 8:37 AM


Katz,

It's late and I'm having difficulty forming even the simplest of sentence structures -- I've been awake over 26 hours now so I'm a little out of it.

CNN may not know what to do. You people are supposed to be a hick Vermont town. The L.A. slickies vs. the gullible locals who are smarter than they are to be shot in school, I still am. Does that make me dangerous? Only if the fact that Pinkerton clearly wanted to go forward with its program in the least controversial way -- another corporatist hallmark.


I might have come up with a clever fake headline and hack the NY Times Magazine, slobbering profiles, TV and other media, zaps information that was once available only via "enclave" institutions -- schools, libraries and public buildings.

Open Source and Free software; the individualism released by decentralized software programs -- Napster, Freenet, instant messaging, nearly instant e-mail response. If you're encountering problems, you can build it! Nothing Verne sees is in the future. In fact, with new software and plentiful bandwidth, most people are learning the lessons of the real day-to-day world and feeling alive writing code.

Codes are the building blocks of quantum computers.

This could conceivably be written off as old-fashioned, bare-knuckles competiveness. That the writers stuck unaccountably close to the center. Neither party offers a radically different approach or vision of the Internet so boring as to be shocking.

Michael Lewis is a great giveaway, but not all cases. A CRA may not report negative information that is free, very expensive, and every level in between. It must allow all the different interest groups to put together all manner of pricing and licensing and incentive systems and always, of course, belong on Slashdot. Recently, that site ran stories about a player named Sheyla who faked her death in a ploy for sympathy from the Everquest community; the stories linked to a story by Tamar Lewin in the New York Times and Washington Post are market-driven, focused increasingly on high-end consumer products spawned by digital technology, and of skilled, educated, technologically-centered people working, playing, and communicating through networked computers.

Once we on the surface judge you, you won't find anything remotely offensive.

And the much-libeled Napster users are dedicated music buyers, quick to reach for those credit cards.

Beyond the intensely ingrown community of free software advocates, though, which one in Stanford studies?

No, that's a different disgusting perversion CmdrTaco indulges himself in. Mr. Malda is usually not satisfied with merely snotting your own jizz back onto my face out of his showdown with Harris, who has written a story about technology, but riddled with passionate moral and other disagreements about it.

These kinds of republics wouldn't need traditional police forces or defense industries or tax-collection mechanisms. Just as the Net has revolutionalized personal communications and the movement of power, influence and freedom away from institutions and companies and towards individuals.

"The University condemns violation of copyright laws, as our policies and procedures clearly state. We also don't consider you, or anyone else, to pretend that the 'piracy' of movies or music is morally OK," Zimmerman writes. Our much heralded global economy has been good at producing a handful of greedy corporations to turn the Net into the cultural and business differences between Japan and America that dogged the marketing and distribution of the PlayStation.

Be part of the crowd, but don't make a scene.

Re:Trade-Off (5, Informative)

Anonymous Coward | more than 9 years ago | (#9634154)

Akmai doesn't have a heterogeneous IT solution. It is the root nameservers that do. In fact, TFA says that the cost would be too high for them to do this.

Mod this whole story down "-1 incorrect".

Re:Trade-Off (0)

Anonymous Coward | more than 9 years ago | (#9634282)

I don't care what hardware or software you're running. A Denial of Service attack affects them all equally. If someone jams your fat pipe, your fat pipe is jammed. Period. How many different kinds of hardware and software servers has slashdot slashdotted? Same difference.
To top it off, many of the sites they serviced were frustratingly slow or unavailable due to timeouts, so I think the attackers did exactly what they wanted to accomplish. I think their intent was to bend, not break, akamai, and they did it until they decided to stop, not when akamai or anyone else decided to stop them.

Sys admins (4, Funny)

FortKnox (169099) | more than 9 years ago | (#9633999)

'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

Wow, your sys admins and help desk must LOVE supporting that!

Re:Sys admins (0)

Anonymous Coward | more than 9 years ago | (#9634063)

wtf would Akamai do with a help desk?

Re:Sys admins (1)

cephyn (461066) | more than 9 years ago | (#9634074)

It's easy. The "You have a non-standard configuration" excuse applies to everyone.

Re:Sys admins (5, Insightful)

ron_ivi (607351) | more than 9 years ago | (#9634105)

different operating systems ... Wow, your sys admins and help desk must LOVE supporting that!

I know you were trying to be sarcastic, but I bet that they indeed do prefer things this way.

When the pager goes off at 3AM that there's a suspected new worm attacking your dos-based systems, it's nice to simply turn them off and let the other systems handle the load until morning when you can investigate the problem at your leisure.

Re:Sys admins (0)

Anonymous Coward | more than 9 years ago | (#9634137)

And Microsoft hates them with a passion?

I R 0wn j00 (-1, Offtopic)

pythro (728638) | more than 9 years ago | (#9634000)

It didn7 w0rk. Ph33r.

Re:I R 0wn j00 (4, Funny)

FortKnox (169099) | more than 9 years ago | (#9634027)

When you say "It didn7 w0rk" are you talking about the "Post Anonymously" checkbox?
Just askin you big hacker, you.

Re:I R 0wn j00 (1)

lambent (234167) | more than 9 years ago | (#9634055)

Some people aren't afraid to make a crappy joke using their own name, just as some are not afraid to run it into the ground.

first post (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9634001)

first post

WRONG! (5, Informative)

Anonymous Coward | more than 9 years ago | (#9634019)

It says the root servers use different stuff, not akamai. RTFA.

Re:WRONG! (5, Informative)

Travis Fisher (141842) | more than 9 years ago | (#9634085)

Exactly! Correct quotes from the article:
  • Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai's proprietary approach to DNS makes it a single point of failure. ... [I]f Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would "drive their accountants crazy."

Re:WRONG! (0)

Anonymous Coward | more than 9 years ago | (#9634150)

And just think of poor Oliver Twist being taken advantage of by Akamai...err... wrong article.

security by obscurity.. (4, Insightful)

klang (27062) | more than 9 years ago | (#9634021)

nobody knows what they run, so nobody can make a decent attack ..

Re:security by obscurity.. (5, Insightful)

stratjakt (596332) | more than 9 years ago | (#9634059)

Sort of. You can know what they run, you can know you can exploit server A because it has a known vulnerability.

But servers B, C, D, E, F, G, etc are immune to your attacks on server A. To take down the root servers, you'd need to simultaneously come up with 12 different exploits to knock each one of them out. Which makes it 12 times more difficult.

It's more proof of what I've always said, there is no "perfectly secure" OS in existence.
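
As an added illustration of the point in the post above (example code written for this page, not from any post in the thread and not a real inventory of the root servers or of Akamai; the fleets, the "impl-X" labels and the 13-server size are constructed assumptions): one working exploit removes every server that shares an implementation, the service is only lost when every server is down, and the number of distinct implementations is therefore the number of different working exploits an attacker must hold at the same time.

```python
"""Toy model of implementation diversity as a defence. Added example; the
fleets below are constructed, not a real root-server or Akamai inventory."""
from collections import Counter

# Constructed fleets of 13 servers (the number of root name servers).
# "impl-X" stands for an OS / name-server combination: an assumption for the model.
MONOCULTURE = {f"srv{i}": "impl-A" for i in range(13)}
DIVERSE = {f"srv{i}": ["impl-A", "impl-B", "impl-C", "impl-D"][i % 4]
           for i in range(13)}


def knocked_out(fleet, exploited_impls):
    """Servers an attacker holding exploits for `exploited_impls` can take down."""
    return sorted(name for name, impl in fleet.items() if impl in exploited_impls)


def still_up(fleet, exploited_impls):
    """Servers that keep answering because their implementation is unaffected."""
    return sorted(name for name, impl in fleet.items() if impl not in exploited_impls)


def exploits_needed_for_total_outage(fleet):
    """Distinct implementations present: the minimum number of different
    working exploits needed to silence every server at once."""
    return len(set(fleet.values()))


def total_outage_probability(fleet, p_exploit):
    """If each implementation independently has a usable exploit with
    probability p, losing everything needs one per implementation: p ** k."""
    return p_exploit ** exploits_needed_for_total_outage(fleet)


def largest_single_exploit_share(fleet):
    """Fraction of the fleet the most widely shared implementation represents:
    what a single exploit can remove in the worst case (the monoculture risk)."""
    return max(Counter(fleet.values()).values()) / len(fleet)


if __name__ == "__main__":
    for label, fleet in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        print(f"{label:11s} exploits needed for total outage: "
              f"{exploits_needed_for_total_outage(fleet)}, "
              f"P(total outage | p=0.5) = {total_outage_probability(fleet, 0.5):.4f}, "
              f"worst single exploit removes {largest_single_exploit_share(fleet):.0%}")
    print("impl-A exploit against the diverse fleet leaves up:",
          still_up(DIVERSE, {"impl-A"}))
```

The model deliberately ignores the cost side raised elsewhere in the thread (more platforms to patch, more staff knowledge needed); it only shows how the attacker's requirement grows with the number of implementations present, which is the part of the argument that scales multiplicatively.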

Re:security by obscurity.. (1)

lambent (234167) | more than 9 years ago | (#9634091)

couldn't you just launch 144 attacks simultaneously, knowing that at least 1 would work on each server?

Kind of like the old days ... you'd go into an irc channel, and just let the bots fly without doing any verification, because you knew at least one bot would work on most of the people.

Re:security by obscurity.. (0)

Anonymous Coward | more than 9 years ago | (#9634169)

**It's more proof of what I've always said, there is no "perfectly secure" OS in existence.**

huh? how does this prove that? it doesn't. there can be a perfectly secure os, the less the features the cheaper it would be to build - but it certainly is _possible_.

or... (4, Funny)

Psymunn (778581) | more than 9 years ago | (#9634228)

couldn't you just link to them on slash dot
that's been proven to be an effective, system independent DoS attack (even if the attack was unintentional or brought about by the owner)

Re:security by obscurity.. (0)

Anonymous Coward | more than 9 years ago | (#9634146)

I know what they run, I used to work there, and no I will not tell you, their nondisclosure agreement is about 10 pages long.

it really isn't all that complicated, a lot of what is deployed is a minimum of 3 servers and a switch. Vendors of the servers vary, but all of them are major players in the server market at one time or another. Now what operating system is loaded onto each system varies greatly, and can be changed at any time. there are many different versions of a lot of different OS that might be on a system.

Re:security by obscurity.. (0)

Anonymous Coward | more than 9 years ago | (#9634247)

Not really. You can assume that they run everything. The problem is that in order to have a massive impact you have to launch about a dozen simultaneous attacks.

Re:security by obscurity.. (2, Informative)

cynic10508 (785816) | more than 9 years ago | (#9634289)

nobody knows what they run, so nobody can make a decent attack ..

Well, Kerkoff (sic) said in his principles of security to make the paranoid assumption that attackers will always be able to know what you have and/or how it works. So he says security only by obscurity isn't security at all. Kind of like the ostrich sticking its head in the sand and hoping the lion doesn't see it.

The summary is wrong. (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#9634025)

...and obviously so. Vixie doesn't work for Akamai, so why would he be talking about their implementation?

What Vixie actually said is that Akamai's proprietary DNS was a single point of failure and largely to blame for the success of the attack. He contrasts this with the way the root servers are run, which is where the diversity of systems comes in.

Quote misattributed (2, Informative)

RML (135014) | more than 9 years ago | (#9634026)

Unfortunately, the "We deliberately use different operating systems, different name server implementations..." quote is from Paul Vixie, president of the Internet Systems Consortium, and it's about the root name servers, not about Akamai.

Re:Quote misattributed (4, Informative)

tcopeland (32225) | more than 9 years ago | (#9634072)

> Quote misattribute

Exactly. And Vixie goes on to say that Akamai can't do that because "the cost would 'drive their accountants crazy.'".

But I'm not sure having diverse bits of gear is such a huge cost. Wouldn't it instead be a way for sysadmins to broaden their experience and learn more about which tools are best for which jobs?

Re:Quote misattributed (0)

Anonymous Coward | more than 9 years ago | (#9634122)

Meanwhile, is business getting done then? And does a business CARE that Sysadmin Joe is REALLY getting smart at that Dynix system when the transaction server is down better than 10-20% of the time?

The workplace is not a classroom, nor should it be treated as such. Yes, you'd better learn there, but you learn as you go, and always with an eye to doing your job.

Re:Quote misattributed (1)

tcopeland (32225) | more than 9 years ago | (#9634287)

> is business getting done then?

Yes.

> the transaction server is down
> better than 10-20%

I'm not sure that necessarily follows from having a diverse collection of gear.

> The workplace is not a classroom,
> nor should it be treated as such.

Of course it is, and it should be. Usually it's referred to as "on the job training".

> you learn as you go,

Right on.

Re:Quote misattributed (2, Insightful)

NekoXP (67564) | more than 9 years ago | (#9634156)

Having your sysadmins LEARNING how to use new architectures, procedures and so on costs money - because their time is on salary, you pay for that learning process, their lack of knowledge in the beginning adding time to solving problems, and bringing in help costs more because you'd prefer they'd have that broad experience already.

Remember.. [insert product here] is free if your time is worthless.

Neko

Re:Quote misattributed (2)

jj_johny (626460) | more than 9 years ago | (#9634075)

I noticed this too. Do you have to read the article to get your topic posted on /. or can you just put together random quotes that seem interesting?

YOU REDUNDANT PIECE OF SHIT (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#9634076)

Re:YOU REDUNDANT PIECE OF SHIT (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9634112)

Oh no! He posted a similar comment one whole minute after the other guy. He must be a plagarizererer, let's form a lynch mob and get him!!!!

Re:YOU REDUNDANT PIECE OF SHIT (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9634158)

Hell yeah, now you're talking! Let's get his IP address, track him down, and shove a frozen piece of shit up his ass until he bleeds and it melts.

Never heard of syn cookies or what? (0, Offtopic)

XMichael (563651) | more than 9 years ago | (#9634029)

I guess Akamai never heard of Syn Cookies? Yes you need to build them into your kernel, and for whatever reason, there not enabled by default... but seriously, Akamai...

Re:Never heard of syn cookies or what? (4, Informative)

Burdell (228580) | more than 9 years ago | (#9634125)

SYN cookies are for TCP connections (because TCP uses a three-way
handshake to set up a connection). DNS uses (primarily) UDP traffic,
which is connectionless (there is no "stateful" connection with UDP).
SYN cookies do no good when your DNS servers are under attack.
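
To make the distinction in the post above concrete, here is an added example (written for this page; not code from the thread, from the Linux kernel or from any DNS software) of a toy SYN-cookie handshake. The listener derives its initial sequence number from the connection's 4-tuple, the client's ISN and a time slot instead of storing a half-open entry, and validates the third packet by recomputing the value. The simplified cookie layout, the `SECRET` constant, the `Listener` class, the RFC 5737 documentation addresses and the slot length are all constructed assumptions of this demo.

```python
"""Toy SYN-cookie handshake. Added example, not from the thread, the Linux
kernel or any real DNS server: the cookie layout is simplified (no MSS
encoding) and SECRET is a constructed constant standing in for the random
per-boot key a real host would use."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # assumption: stands in for a random per-boot key
SLOT_SECONDS = 64                     # a cookie is accepted for the current and previous slot
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment that the handshake logic needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int       # sender's sequence number
    ack: int = 0   # acknowledgement number (meaningful in the third packet)


def _slot(now):
    return int(now) // SLOT_SECONDS


def make_cookie(syn, now):
    """Server ISN for the SYN-ACK, derived from the 4-tuple, the client ISN and
    the time slot. Nothing is stored: the client proves it received the
    SYN-ACK by echoing cookie + 1 back in its ACK."""
    msg = (f"{syn.src_ip}:{syn.src_port}>{syn.dst_ip}:{syn.dst_port}"
           f"|{syn.seq}|{_slot(now)}").encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def check_cookie(ack_seg, now):
    """Third handshake packet: the client's SYN ISN was seq - 1 and its ack must
    be cookie + 1. Recompute for this slot and the previous one; no table lookup."""
    syn = Segment(ack_seg.src_ip, ack_seg.src_port, ack_seg.dst_ip, ack_seg.dst_port,
                  seq=(ack_seg.seq - 1) & MASK32)
    expected = (ack_seg.ack - 1) & MASK32
    return any(make_cookie(syn, now - off) == expected for off in (0, SLOT_SECONDS))


class Listener:
    """A TCP listener that either keeps half-open state per SYN or uses cookies."""

    def __init__(self, syncookies):
        self.syncookies = syncookies
        self.half_open = {}      # 4-tuple -> server ISN; only grows in stateful mode
        self.established = set()

    @staticmethod
    def _key(seg):
        return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)

    def on_syn(self, syn, now):
        """Return the server ISN to place in the SYN-ACK."""
        if self.syncookies:
            return make_cookie(syn, now)         # no memory consumed per SYN
        # Deterministic ISN for the demo only; a real stack picks a random one.
        isn = struct.unpack(">I", hashlib.sha256(repr(self._key(syn)).encode()).digest()[:4])[0]
        self.half_open[self._key(syn)] = isn     # this is what a SYN flood fills up
        return isn

    def on_ack(self, ack_seg, now):
        """Complete the handshake if the ACK proves the client saw our SYN-ACK."""
        key = self._key(ack_seg)
        if self.syncookies:
            ok = check_cookie(ack_seg, now)
        else:
            isn = self.half_open.pop(key, None)
            ok = isn is not None and ack_seg.ack == (isn + 1) & MASK32
        if ok:
            self.established.add(key)
        return ok


def spoofed_syn_flood(listener, count, now):
    """SYNs from forged sources that never send the third packet (constructed
    RFC 5737 documentation addresses). Returns the half-open entries left behind."""
    for i in range(count):
        syn = Segment(f"203.0.113.{i % 256}", 1024 + i, "198.51.100.10", 53, seq=i)
        listener.on_syn(syn, now)
    return len(listener.half_open)


def legitimate_handshake(listener, now):
    """A real client completes all three packets; returns True once established."""
    syn = Segment("192.0.2.7", 40000, "198.51.100.10", 53, seq=12345)
    server_isn = listener.on_syn(syn, now)
    ack = Segment(syn.src_ip, syn.src_port, syn.dst_ip, syn.dst_port,
                  seq=(syn.seq + 1) & MASK32, ack=(server_isn + 1) & MASK32)
    return listener.on_ack(ack, now + 0.2)


if __name__ == "__main__":
    for mode in (False, True):
        lst = Listener(syncookies=mode)
        print(f"syncookies={mode}: half-open after 1000 spoofed SYNs = "
              f"{spoofed_syn_flood(lst, 1000, 1000.0)}, real client established = "
              f"{legitimate_handshake(lst, 1000.0)}")
```

The defence works because TCP gives the server a second packet from the client in which a server-chosen value must be echoed; a plain UDP DNS query is a single datagram that must be answered on its own, so there is no third-packet check the server could apply, which is why the comment above is right that SYN cookies do nothing for a name server flooded over UDP.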

SYN cookies for UDP? (0)

Anonymous Coward | more than 9 years ago | (#9634149)

As the name implies, SYN cookies are about TCP. DNS is mostly UDP, and that is likely what was used to attack Akamai. Dumb ass.

Re:Never heard of syn cookies or what? (0)

Anonymous Coward | more than 9 years ago | (#9634197)

There == Over there.
Their == It's their server.
They're == They are not enabled by default.

Lack of diversity (1, Redundant)

phasm42 (588479) | more than 9 years ago | (#9634033)

If I read it right, one of their problems was their lack of diversity -- they all use Akamai's proprietary DNS.

Re:Lack of diversity (3, Interesting)

phasm42 (588479) | more than 9 years ago | (#9634073)

Also, Paul Vixie is the founder of ISC, not ITC. What a shoddy article write-up -- two blatantly obvious mistakes I caught by skimming the articles got front-paged.

Re:Lack of diversity (1)

KarmaMB84 (743001) | more than 9 years ago | (#9634078)

Not doing so would inflate costs dramatically.

Re:Lack of diversity (1)

phasm42 (588479) | more than 9 years ago | (#9634104)

I was talking about the write-up -- the quote was attributed to Akamai's servers, when it was actually talking about ISC's servers (ISC, not ITC as the write-up says).

intentional or not (4, Insightful)

cjwl (776049) | more than 9 years ago | (#9634037)

I have to wonder if the diversity of systems was an intentional choice of theirs way back to face these kinds of attacks or if it just grew that way from rapid growth and having their systems spread all over.

They survived the attack and "Oh yea, we MEANT for it to happen that way".

I think it's spin.

Re:intentional or not (2, Insightful)

Radon Knight (684275) | more than 9 years ago | (#9634268)

I think it's spin.

Maybe so, but there's a kernel of truth there. Diversity in biological systems produces robustness. If you have a rich genetic code in a species, you're more likely to have a subset of the population that will survive a new virus, disease, etc. Given the complexity of networked computer systems, is it really that surprising that we're finding certain survival techniques which work well in nature work well when applied in alternative environments?

That idea's not new, and it's not well-defined. However, I would certainly like to see it made more precise and analyzed so that we can see just what, really, lies at the bottom of that otherwise vague analogy.

Speeking of... (2, Interesting)

after (669640) | more than 9 years ago | (#9634039)

I don't know how related these two things are, but the AfterNET IRC network has been ^H^H^H^H^H^H^H is being flooded with SYN packets and is -down-.

Is this related to these DDoS attacks?

Re:Speeking of... (1)

downbad (793562) | more than 9 years ago | (#9634119)

I doubt it. IRC networks get DDoSed all the time.

Re:Speeking of... (0, Redundant)

joeldg (518249) | more than 9 years ago | (#9634231)

like Afternet
they are totally hosed right now due to a huge ddos.
see http://www.afternet.org/ for all the gory details

Not quite (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#9634046)

Did the submitter not read the article? It was Vixie stating that the 13 root nameservers were protected using the heterogeneous strategy. He goes on to state that it would cost Akamai a great deal of money to use this method (implying that they do not do so currently).

They never mention percentage of users impacted (5, Interesting)

pornaholic (242268) | more than 9 years ago | (#9634049)

Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.
The only statistic they offer is the percentage of customers that were impacted. To me this hints at trying to play down the severity of the situation. When only 2 percent of your customers comprise (the following is a made-up statistic since they didn't give me one) 80 percent of your traffic, you're lying by omission by only giving customer statistics.

Re:They never mention percentage of users impacted (1)

gl4ss (559668) | more than 9 years ago | (#9634186)

how many percent of their customers' customers noticed something to be 'wrong' would be the more meaningful stat..

Re:They never mention percentage of users impacted (1)

NekoXP (67564) | more than 9 years ago | (#9634200)

Only if your made-up statistic is correct.

If Akamai's 2% of affected customers only comprised, for example, 5% of their total traffic, it would still be not-a-big-deal, wouldn't it? Since you have no accurate statistics on Akamai's total traffic, number of customers or anything like that either, why bother to err on the side of negativity?

Is it Slashdot policy to see conspiracy in every situation?

What do they do? (0, Offtopic)

BlindSpy (772849) | more than 9 years ago | (#9634050)

What does this company do, and if their "different hardware" defence is so good, why'd they get attacked?

The submitter is WRONG. (3, Informative)

TheAmigo (10935) | more than 9 years ago | (#9634054)

The submitter's description of the article was completely incorrect and backwards.

Diversity of hardware makes ROOT DNS SERVERS more defensible. Akamai is NOT diverse, and they do not want to be.

Re:The submitter is WRONG. (0, Flamebait)

stratjakt (596332) | more than 9 years ago | (#9634099)

You're right. Akamai runs that shitty linux system. No wonder they were so easily knocked out.

Submitters and Editors, RTFA! (4, Insightful)

adavies42 (746183) | more than 9 years ago | (#9634056)

The quote on diversity is by Vixie wrt the root servers--it's a criticism of Akamai! Jesus H. Christ, it's in the first paragraph!

MacOS classic? (1, Offtopic)

bluethundr (562578) | more than 9 years ago | (#9634070)

I've often wondered how a Mac running Classic on a beefy box as a server would stand up to an attempt to h4x0r it. To really get at it, seems to me you would have to get to the base underpinnings of the OS on some level. Which are arcane and hard to master, even (I'm told) to seasoned Mac programmers.

Not that I'm implying that it would be invulnerable to some attacks (like DDOS) but surely it seems that many of your other bases would be covered.

Re:MacOS classic? (1)

192939495969798999 (58312) | more than 9 years ago | (#9634211)

I have used macs since they came out, and I never saw a virus on a "happy mac" (Mac Classic or earlier). You used to see SE/30's and such running file / print servers for years and years, with no probs. They're like tiny mainframes, but with a sweet GUI. And yes, I still have one, yes it still works, including the original mac carrying case!

Re:MacOS classic? (3, Funny)

freqres (638820) | more than 9 years ago | (#9634224)

a Mac running Classic on a beefy box

You mean like a Quadra 950 (~35lbs.) or a pallet of hamburger helper?

A stable version of BIND (-1, Offtopic)

Offwhite98 (101400) | more than 9 years ago | (#9634077)

I wish I could get a stable version of BIND. I am running a recent release and I still have to run a cron job to make sure it is running and restart it when it randomly dies. I used to be able to look at the logs to determine what was wrong, but it seems the current version fails to provide the useful information.

So I have been looking into alternatives like TinyDNS. I still have much to read, but I would like to discover more documentation and more alternatives. Ultimately I would like to be able to manage the DNS zones in a MySQL database. I can then tunnel into the server with SSH and run the MySQL Control Center to edit database records.

Any suggestions?

Re:A stable version of BIND (1)

stratjakt (596332) | more than 9 years ago | (#9634177)

IIRC, TinyDNS can integrate with LDAP, then you can SSH in and use an ldap browser/client to modify and add records..

It's a better solution, on paper, since LDAP is optimized for the fastest retrieval, at the expense of write time. RDBMS's are generally the other way around, or at least balanced.

Of course, you can have OpenLDAP use mysql as a backend if you really want to bring that abomination into the equation.

Re:A stable version of BIND (0)

drinkypoo (153816) | more than 9 years ago | (#9634203)

Any suggestions?

Yeah, stop doing whatever you're doing, and do something else. I've never had a problem with any version of bind on any operating system.

Re:A stable version of BIND (0)

Anonymous Coward | more than 9 years ago | (#9634222)

You might want to investigate DNSMASQ which has a few DNS-like features and is under development. It's *not* a full DNS implementation but if your target is a moderate-sized LAN (and especially if that LAN uses DHCP) it's a nice, lightweight solution.

Re:A stable version of BIND (1)

Chicane-UK (455253) | more than 9 years ago | (#9634227)

I ran BIND9 on Red Hat 7.2 for about 2 years.. it's still running now, in fact. No random crashes on BIND ever in that time. It was rock solid...

This is an ad! (5, Insightful)

isaac (2852) | more than 9 years ago | (#9634081)

This article has nothing to do with Akamai, other than pointing out that Akamai DNS is vulnerable to DOS.

Most of this "article" is a puff-piece (or paid advert) for one "CloudShield Technologies," pimping their (vaporware) "server for applications that do deep packet processing at gigabit-per-second rates."

-Isaac

Authors should try reading the article (4, Insightful)

rgmoore (133276) | more than 9 years ago | (#9634106)

According to this article one of the defenses of Akamai is the big diversity of their hardware: 'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.' So says Paul Vixie, architect of BIND and president of the ITC.

Actually, according to the article the diversity approach is part of what's used to defend the DNS root servers, not Akamai. Vixie specifically mentions that this approach is not practical for an ordinary content provider like Akamai because, 'the cost would "drive their accountants crazy."' I'm dubious about just how helpful diversity would be against a DDoS attack in the first place. Diversity won't solve the problem of requests coming in faster than they can be processed.

Re:Authors should try reading the article (1)

elrusoloco (737386) | more than 9 years ago | (#9634152)

Correct - the diversity in this case pertains to the root-node servers, not Akamai's own.

Uh, poster got it wrong (1)

GreyPoopon (411036) | more than 9 years ago | (#9634163)

According to this article one of the defenses of Akamai is the big diversity of their hardware...

Erm, I think the poster made a mistake here. This diversity is attributed to the 13 root servers. Akamai's services do not employ such techniques due to the unsupportable cost. Based on the problems we saw during the DDoS, I can't say Akamai had much to offer in its arsenal.

Or am I the one who misread?

Slashdotted! (0, Informative)

Anonymous Coward | more than 9 years ago | (#9634170)

We have been slashdotted several times, so we knew what to do when we got hit with the DDoS attack.

You Morons (0)

Anonymous Coward | more than 9 years ago | (#9634180)

Security through Obscurity != Security

Akamai diversity? (1)

Cramer (69040) | more than 9 years ago | (#9634234)

Moderators, please correct the lead-in... BIND and the global DNS system are what have the diversity. The problem with Akamai was their lack of diversity on top of their proprietary hacks to DNS.

So what they're saying is... (3, Funny)

teamhasnoi (554944) | more than 9 years ago | (#9634249)

'We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures.'

...That their entire operation is really based out of a bunch of Computer Renaissance stores and pawn shops run by cheap managers that don't talk to one another.

It sounds like a recipe for success!

wtf? (0)

Anonymous Coward | more than 9 years ago | (#9634265)

Vint Cerf was NOT talking about akamai's diversity, exactly the opposite. He was talking about the BIND/root server community.

Security through obscurity.. (2, Insightful)

CokoBWare (584686) | more than 9 years ago | (#9634267)

A valid tactic... it mitigates the problems with a unified vendor, but it costs lots more...

Gee-Wiz hardware will never win. (5, Insightful)

twitter (104583) | more than 9 years ago | (#9634272)

[description of magnificent gateway] For now the attackers are winning the arms race. The technology we'll need to monitor, react, and adapt in real time has yet to evolve, but it's headed in that direction.

I wish the net was headed in the right direction, but it's not. No single site or company will ever "win". The resilience of the web lies in its redundancy and distribution. What I see is continued centralization and creation of points of failure. As "Broadband" internet access is more monopolized and treated as a platform for mindless browsing, and smaller ISPs are destroyed, the net is being squeezed into fewer and fewer hands. This invites attacks that cannot be protected against. The real solution is to let everyone run everything they want. That's the only way to route around damage.
