Akamai Outage Raises DNS Questions

UPDATED: As distributed platform host provider Akamai scrambled to manage the fallout from a brief outage that hit some Web hosting customers Tuesday, a DNS expert argued that global domain name servers are not at risk.

In a statement Wednesday, Akamai called the distributed denial of service attack that hit its network Tuesday “sophisticated” and large-scale, but said it was limited to 4 percent of its customer base.

According to a statement issued by Akamai, the attack occurred on Tuesday between 8:30 and 10:45 AM. The attack was widely reported (including Netcraft among others) as having impacted sites such as Google, Microsoft, Yahoo and antivirus update services from Symantec and TrendMicro.

Akamai claims over 1,100 customers and indicated that only 2 percent of them were noticeably impacted by the attack, such as not being available for about an hour.

Although the attack targeted its DNS servers, experts insist that the integrity of the global Internet DNS system is not at risk from these kinds of attacks.

Less than 1 percent of Akamai customers had a significant impact “affecting more than 20 percent of their users,” Akamai said. But the hit did impact its DNS services, which led to slow responses and some page time-outs among its customers.

Akamai’s DNS outage was the second incident in less than a month at Akamai. During the last one, the company said the issue was related to a “back-end content control management” software problem.

Akamai’s public response to the outage also took aim at claims from “third party website measurement services” about the impact of the attack. The company claimed that private name servers used by some measurement firms record that a site is unavailable if they cannot reach a site immediately.

But public name servers make repeated requests, which Akamai said helped most end users access sites.

VeriSign, one of the maintainers of the root DNS servers, reported a minor outage incident yesterday, but a spokesperson said it was not related to DNS. “VeriSign notified its managed security services customers yesterday morning about a network disruption we had witnessed via VeriSign Intelligence and Control℠ Services,” Brian O’Shaughnessy, VeriSign spokesperson, told internetnews.com.

“This disruption was not a result of an attack against Internet root servers hosted by VeriSign or a result of a VeriSign managed firewall outage.”

Paul Vixie, a leading authority on DNS, and the founder of Internet Systems Consortium (ISC), said he thinks there is a weakness in Akamai’s approach to the issue.

Vixie told internetnews.com he suspects that Akamai doesn’t use BIND, an open source DNS implementation that ISC maintains, because of a patent Akamai holds on its own DNS technology. “And BIND is moderately allergic to patented technology,” he added.

According to the ISC, BIND, short for Berkeley Internet Name Domain, is an implementation of the Domain Name System (DNS) protocols, which provides an openly redistributable reference implementation of the major components of the Domain Name System.

Vixie contends that Akamai’s approach to its DNS puts too many eggs in one basket. “The basic internet technology was built to military specifications and is meant to be ‘survivable’ in the sense that there is no single point of failure,” Vixie said. “Akamai is a single point of failure, as evidenced by yesterday’s problems and a similar problem that occurred a few weeks ago.

“In order to keep this from happening, Akamai is going to have to simulate diversity, which will drive their accountants crazy since it’s harder to manage profit margins if you’re building extra copies of your system of which none are ever fully utilized,” Vixie said.

Akamai was not immediately available to respond to a query from internetnews.com about Vixie’s comments.

The ISC operates 13 of the global public DNS root servers (its servers are known as F-root). After a widespread DDOS attack hit ISC’s root servers in 2002, the ISC took new measures to protect against that type of attack, Vixie said, adding that attackers would have to try a lot harder than they did in 2002.

“The root name server operators cherish their mutual and internal diversity. We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures,” Vixie explained. “As a result, almost nothing that can kill one root name server can kill the others.”

Updated from the prior version to clarify Vixie’s comments about the measures ISC has taken to protect its servers from DDOS attacks.
