On 6/15/04 9:28 PM, "Stewart, William C (Bill), RTSLS" <billstewart@att.com> wrote:
Daniel Golding suggested that the problem was that many folks are sharing Akamai's magic DNS algorithms. This doesn't appear to be a problem with magic algorithms - it appears that they're sharing the _servers_, and that the reported attack on the servers means that it doesn't matter how magic the algorithms are. Good luck to them on developing a longer-term workaround for the next attack.
Bill Stewart, bill.stewart@pobox.com
Disclaimer: This note is, as usual, my personal opinion, not my employer's.
Bill,

The point still holds - when too much high value content shares anything - algorithm, infrastructure, etc. - you get vulnerability. The problem I was highlighting was excessive sharing, not AkaDNS magic. (Of course, everything shares the general DNS infrastructure, but the numerous roots (some of which are anycast-ed) plus the distributed nature make that tougher to completely take out.)

It looks like this was an attack on the Akamai DNS redirection infrastructure rather than the Akamai hosting infrastructure. Their DNS servers present far fewer points to attack. It would be interesting to hear a detailed analysis of the attack at some point. Maybe a good topic for the next NANOG? (Patrick? :)

Part of the difficulty of discussing this is that, by bringing up points of potential vulnerability in a public forum, it provides hints for those who would wreak havoc. I'm sure many of us can come up with other bits of vulnerable shared infrastructure, but it seems inappropriate to discuss this on such an open forum. I can only wonder if the more private forums being hosted by government organizations are effective, or simply boondoggles designed to provide political cover.

- Dan