On any given day, Akamai delivers 15-30% of the world's web traffic, including some very high-profile sites. We also receive large volumes of Distributed Denial of Service (DDoS) attacks
and provide DDoS protection services to act as a buffer between our customers and the attackers. In a typical week, Akamai and/or our customers are the target of two significantly-sized attacks of 10 or more Gigabits per Second (Gbps) and countless smaller attacks, and we're very successful in defending against them.
During the past few weeks, there have been several high profile attacks that have generated media attention and a lot of speculation. People want to know who the attackers are and what their motivation may be. The attackers and their motives have been linked to everything from cyber-jihadi hacktivism to Iran-sponsored cyberwar to Eastern European organized crime.
Speculation is interesting; useful, actionable information that can help protect your business is significantly more valuable. Information, especially during a security incident, is critical for a number of reasons. This is because the attackers will change tactics, techniques, and procedures until they find one that is effective against their current target and that enables them to achieve their objectives with the least amount of effort and risk. As a result, threat intelligence is very perishable: what the attackers are doing today is different from what they were doing last month and very different from what they'll be doing in the future.
As you might imagine, we have fielded both informal and formal requests for information on what we've seen and what recommendations we have for customers. And where possible and without disclosing any customer specifics, we share blocking tips and then implement them in our customers' configurations to protect them from likely attacks. And we released an advisory for our portal users in North American and Premium Support customers.
So what do we know about the recent attacks?
-We received up to 65Gbps of attack traffic that varied in target and technique.
-Some attack traffic was directed at our Domain Name System (DNS) servers that we use for our Enhanced DNS service.
-Some attack traffic consisted of "junk packets" that are dropped from our servers automatically.
-Some attack traffic was valid HTTP for which we responded with a HTML page.
As far as Akamai is concerned, we're not as much interested in attributing attacks to a specific group of threats as we are in determining the pattern of the attacks and implementing countermeasures to stop them. In this case, we advise customers to do the following:
-Protect their DNS: DNS security
is a critical service because when it fails, all other services fail. We offer the EDNS service that uses the redundancy and availability of the Akamai platform to keep our customers' zones resolving.
-Protecting from network-layer attacks: Network attacks attempt to flood the bandwidth into the target's datacenter. Akamai mitigates this by having a massive deployment footprint and load-balancing between servers, locations, and geographies.
-Protect the default page: A default page is the home page where the path ends in a "trailing slash" (for example, http://www.akamai.com/ ) that web users see when they first come to your site. This is the page most commonly attacked in a DDoS and can be easily protected with basic caching.
-Protect their redirect or splash pages: splash pages are a special page such as a custom 404, maintenance, or typo page that gives the web users information or redirects them to where the content is located. Oftentimes these receive attack traffic destined for the default page. These pages can also be protected by basic caching.
-Protect dynamic sites: In those situations where caching is not a viable option, Akamai offers both rate controls to limit the amount of requests that an attacker can send and "waiting room" capabilities that can park traffic and keep legitimate users engaged while at the same time alleviating pressure on backend applications.
Whether the attack is attributed or not, Akamai helps its customers today and in the future by understanding the attackers' patterns and by providing timely information and a platform designed to make the Internet safe for many transactions such as banking, commerce, government, and publishing.
Mike Smith is a senior security evangelist at Akamai Technologies