nanog mailing list archives

Re: Akamai DNS Issue?


From: Daniel Golding <dgolding () burtongroup com>
Date: Wed, 16 Jun 2004 11:00:05 -0400


On 6/15/04 9:28 PM, "Stewart, William C (Bill), RTSLS" <billstewart () att com>
wrote:


Daniel Golding suggested that the problem was that many folks are sharing
Akamai's magic DNS algorithms.
This doesn't appear to be a problem with magic algorithms - it appears that
they're sharing the _servers_,
and that the reported attack on the servers means that it doesn't matter how
magic the algorithms are.
Good luck to them on developing a longer-term workaround for the next attack.

Bill Stewart,  bill.stewart () pobox com

Disclaimer: This note is, as usual, my personal opinion, not my employer's.

Bill,

The point still holds - when too much high-value content shares anything -
algorithm, infrastructure, etc. - you get vulnerability. The problem I was
highlighting was excessive sharing, not AkaDNS magic.

(Of course, everything shares the general DNS infrastructure, but the
numerous roots (some of which are anycasted) plus the distributed nature
make that tougher to completely take out.)

It looks like this was an attack on the Akamai DNS redirection
infrastructure rather than the Akamai hosting infrastructure. Their DNS
servers present far fewer points to attack. It would be interesting to hear
a detailed analysis of the attack at some point. Maybe a good topic for the
next NANOG? (Patrick? :)

Part of the difficulty of discussing this is that, by bringing up points of
potential vulnerability in a public forum, it provides hints for those who
would wreak havoc. I'm sure many of us can come up with other bits of
vulnerable shared infrastructure, but it seems inappropriate to discuss this
on such an open forum. I can only wonder if the more private forums being
hosted by government organizations are effective, or simply boondoggles
designed to provide political cover.

- Dan
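To put numbers on the "excessive sharing" argument in the reply above, here is an added example (not code from the thread, from Akamai, or from any NANOG participant) that takes a constructed, hypothetical table of zone delegations and works out which zones depend entirely on a single nameserver operator. The domain names, operator names and the two-label operator heuristic are all assumptions; a real survey would be fed from NS lookups.

```python
# Added example (not from the thread): how much does a set of zones depend
# on shared DNS operators? All data below is constructed and hypothetical.
from collections import defaultdict

# Constructed data: zone -> authoritative nameserver hostnames.
DELEGATIONS = {
    "shop.example": ["ns1.prov-a.example", "ns2.prov-a.example"],
    "bank.example": ["ns1.prov-a.example", "ns2.prov-a.example"],
    "news.example": ["ns3.prov-a.example"],
    "mail.example": ["ns1.prov-b.example", "ns1.prov-c.example"],
    "gov.example":  ["ns1.prov-b.example"],
}

def operator_of(ns_host):
    """Collapse a nameserver hostname to its operator's zone.
    Assumption: the operator is the last two labels; real data needs a
    public-suffix-aware split."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])

def operators_per_zone(delegations):
    """Distinct operators serving each zone."""
    return {zone: {operator_of(ns) for ns in ns_list}
            for zone, ns_list in delegations.items()}

def blast_radius(delegations):
    """Operator -> zones that lose every authoritative server if that
    single operator is taken out (the 'excessive sharing' case).
    Zones spread over two or more operators survive any single outage
    and so appear in nobody's blast radius."""
    radius = defaultdict(list)
    for zone, ops in operators_per_zone(delegations).items():
        if len(ops) == 1:
            radius[next(iter(ops))].append(zone)
    return {op: sorted(zones) for op, zones in radius.items()}

def largest_single_point_of_failure(delegations):
    """(operator, zones lost) for the worst single-operator outage."""
    radius = blast_radius(delegations)
    if not radius:
        return None
    worst = max(radius, key=lambda op: len(radius[op]))
    return worst, len(radius[worst])

if __name__ == "__main__":
    for op, zones in sorted(blast_radius(DELEGATIONS).items()):
        print(f"{op}: {len(zones)} zone(s) depend solely on it -> {zones}")
    print("worst case:", largest_single_point_of_failure(DELEGATIONS))
```

Zones served by two or more operators (mail.example here) never show up in a blast radius, which is the mitigation the thread is pointing at: spread high-value zones across independent infrastructure rather than relying on one shared platform.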