Security experts ponder Akamai attack, defense
The exact nature of the attack remains unclear
June 16, 2004 12:00 PM ET
Computerworld - What really happened yesterday at Akamai?
That's the question some security experts are asking in the wake of Domain Name System problems at Akamai Technologies Inc. yesterday that resulted in performance degradations for some customers.
The company initially said the problem appeared to stem from a broad global Internet attack (see story). But today Akamai said the problems resulted from a denial-of-service attack aimed at four specific customers (see story).
Later, in an interview with Computerworld, the company's chief scientist said that while it's possible that the four companies were the target of the attack, it's more likely that Akamai itself was the primary target.
The question of what happened at Akamai is important because of the nature of the attack, experts said. For one thing, the attacks were aimed at DNS servers, which are a critical component of the Internet. The fact that the attackers successfully managed to compromise a company that specializes in protecting them is another issue. Also important is the fact that the attack managed to disrupt service -- however briefly -- at four Web sites that are among the largest in the world: those of Microsoft Corp., Google Inc., Yahoo Inc. and Apple Computer Inc.
"My guess is that it's some kind of an internal failure within Akamai, or maybe a targeted attack against them by someone with insider knowledge and access," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc.
A DoS attack is unlikely to have been the cause because of the bandwidth an attacker would need to overwhelm an operation such as Akamai's, Schneier said. "Akamai is not a two-bit operation," he said. "These guys are designed to stay up. They are huge and well distributed, so it doesn't add up."
The fact that the perpetrators seemed to know exactly what to attack in order to impact Web performance at the four companies suggests some level of insider knowledge, especially given the scope of Akamai's network, Schneier said.
"This does not have the flavor of the brute-force attacks that we have seen in the past," said Craig Labovitz, director of network architecture at Arbor Networks Inc., a Cambridge, Mass.-based provider of DDoS mitigation technologies.
Arbor's network monitoring technologies, which are installed in several Tier 1 networks, did not detect any of the traffic or DNS patterns typically associated with a DoS attack, Labovitz said.
"This appears to have been much more focused on the [Akamai] infrastructure," he said.
