Akamai DNS Issue?
Joe Abley
jabley at isc.org
Wed Jun 16 13:59:17 UTC 2004
On 15 Jun 2004, at 21:28, Stewart, William C (Bill), RTSLS wrote:
> Daniel Golding suggested that the problem was that many folks are
> sharing Akamai's magic DNS algorithms.
> This doesn't appear to be a problem with magic algorithms - it appears
> that they're sharing the _servers_,
> and that the reported attack on the servers means that it doesn't
> matter how magic the algorithms are.
> Good luck to them on developing a longer-term workaround for the next
> attack.
Workarounds and defences already exist, and have been in use for a long
time.
The chance of catastrophic, systematic operator error (e.g. rdist gone
wild, RIF-frenzied, root-wielding, caffeine-crazed sysadmins run amok)
problems can be avoided by including nameservers managed by different
organisations in the NS set.
Distributed (and non-distributed) denial of service attacks can be
mitigated using dispersed anycast nameserver deployment.
Network partition/isolation events (e.g. under sea cable failures which
isolate an economy) can be mitigated by strategic location of (anycast
instances of) locally-relevant nameservers.
Operational routing and instrumentation challenges with managing a
dispersed anycast deployment can be mitigated by including non-anycast
nameservers in the NS set alongside the anycast nameservers.
Failures due to ancillary equipment failure can be avoided by
eliminating single points of failure (e.g. wide geographic disperson of
nameservers into topologically-distant infrastructure).
Failures due to political interference can be avoided by deploying
nameservers in complementary regions of governance.
Failures or vulnerabilities in individual DNS implementations can be
mitigated by ensuring that not all nameservers in the NS set run the
same DNS software (or similar software, developed from a common code
base).
Failures or vulnerabilities in ancillary software (routers, switches,
operating systems, etc) can be mitigated by ensuring that different
nameservers rely on different brands of routers, switches and operating
systems.
Failures in master servers can be mitigated by having several of them;
simultaneous failure of all master servers can be managed to some
degree using appropriate SOA timers, so that slave servers provide
coverage while master servers are brought back into service.
Different styles of attack can be mitigated by different DNS hosting
strategies. A robustly-hosted zone will have an NS set that exhibits
several or all of these approaches (and others too).
The hosting of the root zone provides guidance, here.
Joe
More information about the NANOG
mailing list