Akamai DNS Issue?

• Previous message (by thread): Akamai DNS Issue?
• Next message (by thread): Akamai DNS Issue?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15 Jun 2004, at 21:28, Stewart, William C (Bill), RTSLS wrote:

> Daniel Golding suggested that the problem was that many folks are 
> sharing Akamai's magic DNS algorithms.
> This doesn't appear to be a problem with magic algorithms - it appears 
> that they're sharing the _servers_,
> and that the reported attack on the servers means that it doesn't 
> matter how magic the algorithms are.
> Good luck to them on developing a longer-term workaround for the next 
> attack.

Workarounds and defences already exist, and have been in use for a long 
time.

The chance of catastrophic, systematic operator error (e.g. rdist gone 
wild, RIF-frenzied, root-wielding, caffeine-crazed sysadmins run amok) 
problems can be avoided by including nameservers managed by different 
organisations in the NS set.

Distributed (and non-distributed) denial of service attacks can be 
mitigated using dispersed anycast nameserver deployment.

Network partition/isolation events (e.g. under sea cable failures which 
isolate an economy) can be mitigated by strategic location of (anycast 
instances of) locally-relevant nameservers.

Operational routing and instrumentation challenges with managing a 
dispersed anycast deployment can be mitigated by including non-anycast 
nameservers in the NS set alongside the anycast nameservers.

Failures due to ancillary equipment failure can be avoided by 
eliminating single points of failure (e.g. wide geographic disperson of 
nameservers into topologically-distant infrastructure).

Failures due to political interference can be avoided by deploying 
nameservers in complementary regions of governance.

Failures or vulnerabilities in individual DNS implementations can be 
mitigated by ensuring that not all nameservers in the NS set run the 
same DNS software (or similar software, developed from a common code 
base).

Failures or vulnerabilities in ancillary software (routers, switches, 
operating systems, etc) can be mitigated by ensuring that different 
nameservers rely on different brands of routers, switches and operating 
systems.

Failures in master servers can be mitigated by having several of them; 
simultaneous failure of all master servers can be managed to some 
degree using appropriate SOA timers, so that slave servers provide 
coverage while master servers are brought back into service.

Different styles of attack can be mitigated by different DNS hosting 
strategies. A robustly-hosted zone will have an NS set that exhibits 
several or all of these approaches (and others too).

The hosting of the root zone provides guidance, here.


Joe

• Previous message (by thread): Akamai DNS Issue?
• Next message (by thread): Akamai DNS Issue?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]