Akamai Diversity

October 2013 Archives

This month, I've been hosting a three-part webinar series on the challenges smaller companies face when it comes to Web security. This week and next, I'm presenting the recordings here.

WellStar Health System Security Director Martin Fisher joined me for part 1: "What Web Security Means for Small & Medium Businesses."

Video: What's a Zero-Day Vulnerability?

Akamai Chief Security Officer Andy Ellis gives a whiteboard lesson on zero-day vulnerabilities. 

Class is in session:


Podcast: Akamai CSIRT Director Michael Smith

In Episode 5 of the Akamai Security Podcast, I interview CSIRT Director Michael Smith. We discuss the role of CSIRT in researching threats and vulnerabilities, as well as keeping customers and the wider public informed of defensive measures they can take.

--Listen to the podcast HERE

Bio: Michael Smith is a senior security manager with more than 20 years of experience in the IT security and intelligence fields performing security design and engineering, information assurance, web development, and security testing.

Photo courtesy of Bank Info Security

Web Shells, Backdoor Trojans and RATs

Akamai's CSIRT team advises companies to check their systems for Web shells, executable code running on a server that gives attackers remote access to a variety of critical functions.

Online adversaries can install Web shells by compromising legitimate Web applications on a server, using such tried-and-true techniques as SQL injection, Remote File Inclusion, an unvalidated file upload feature or through a valid user's stolen credentials.

Here are the basics of the CSIRT advisory, as written by Akamai Security Response Engineer Patrick Laverty:

A Web shell can also be seen as a type of Remote Access Tool (RAT) or backdoor Trojan file. The shell may be a full-featured administrative GUI or as simple as a single line of code that simply takes commands through a browser's URL field and passes them on to the back-end server.

Web shells can be written in any language that a server supports and some of the most common are PHP and .NET languages. These shells can be extremely small, needing only a single line of code, or can be full-featured with thousands of lines. Some are self-sufficient and contain all needed functionality while others require external actions or a "Command and Control" (C&C) client for interaction. When the shell is installed, it will have the same permissions and abilities as the user who put it on the server.

One of the most common PHP Web shells seen is the c99madshell. It is approximately 1,500 lines long and some of its features include displaying security measures the server may have in place, a file viewer that includes the files' permissions, an area where the user can run custom PHP code on the server, and the contents of phpinfo(). Phpinfo() is a core PHP function that creates a Web page and outputs valuable information about the OS, Web server and PHP configurations. It also has the ability to search the server for configuration files, password files and other writeable files and directories. It also has tools built in to encode/decode strings from various formats as well as a brute-force password cracker. It has a GUI to directly connect to a database server and if the attacker is concerned about detection, it has a function to self-delete the shell.

The big question we always try to answer is how those affected can fix the problem. Guidance in the advisory includes the following:

The main goal is to prevent a shell from getting on a server in the first place. The methods of infection include SQL injection and remote file inclusion through a vulnerable Web application. With frequent testing and monitoring, these vectors can be minimized.

For all types of shells, a search engine can be extremely helpful. Often, the shells will be used to spread malware onto a server and the search engines are able to see it. But some check the User-Agent and will display differently for a search engine spider than for a regular user. To find a shell, you may need to change your User-Agent to one of the search engine bots. Some browsers have plugins that allow you to easily switch a User-Agent. 

Once the shell is detected, simply delete the file from the server.
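The User-Agent check described above can be automated. The following is an added example (not part of the CSIRT advisory or Akamai's tooling) that requests one URL under a browser User-Agent and under crawler User-Agents, normalizes the bodies and reports content that only the crawlers receive; the URL, the User-Agent strings and the sample server responses are constructed for the demonstration.

```python
"""Cloaking check for a page that may serve different content to search-engine
crawlers than to a browser. Example written for this post, not CSIRT's tooling."""
import hashlib
import re
import urllib.request

# User-Agent strings for the comparison. The crawler strings follow the published
# Googlebot/bingbot formats; versions vary, so treat these as constructed samples.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/30.0.1599.101 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}

_NOISE = re.compile(r"<!--.*?-->|\s+", re.DOTALL)


def normalize(body):
    """Drop HTML comments and collapse whitespace so per-request noise such as a
    timestamp in a comment does not count as a difference between responses."""
    return _NOISE.sub(" ", body).strip()


def signature(body):
    """Digest of the normalized body plus counts of the tags most often injected
    (scripts and iframes), so a finding can say what changed, not only that it did."""
    norm = normalize(body)
    return {
        "digest": hashlib.sha256(norm.encode("utf-8")).hexdigest(),
        "scripts": len(re.findall(r"<script\b", norm, re.I)),
        "iframes": len(re.findall(r"<iframe\b", norm, re.I)),
    }


def http_fetch(url, user_agent):
    """Live fetcher (standard library only); pass it in when checking a real host."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def detect_cloaking(url, fetch, user_agents=USER_AGENTS):
    """Compare each crawler response with the browser response for one URL.
    Returns {'cloaked': bool, 'findings': [...]} with one finding per differing UA."""
    sigs = {name: signature(fetch(url, ua)) for name, ua in user_agents.items()}
    base = sigs["browser"]
    findings = []
    for name, sig in sigs.items():
        if name == "browser" or sig["digest"] == base["digest"]:
            continue
        findings.append({
            "user_agent": name,
            "extra_scripts": sig["scripts"] - base["scripts"],
            "extra_iframes": sig["iframes"] - base["iframes"],
        })
    return {"cloaked": bool(findings), "findings": findings}


# Constructed offline sample: a server that adds a hidden frame and a script only
# when the User-Agent looks like a crawler, the behaviour the advisory describes.
_CLEAN_PAGE = ("<html><!-- rendered 2013-10-01 12:00 --><body>\n"
               "  <h1>Welcome</h1>\n  <p>Normal page</p>\n</body></html>")
_CRAWLER_PAGE = ("<html><!-- rendered 2013-10-01 12:00 --><body>\n"
                 "  <h1>Welcome</h1>\n  <p>Normal page</p>\n"
                 '  <iframe src="http://example.invalid/landing" width="1" height="1"></iframe>\n'
                 '  <script src="http://example.invalid/s.js"></script>\n'
                 "</body></html>")


def sample_fetch(url, user_agent):
    """Offline stand-in for http_fetch that behaves like the cloaking server."""
    ua = user_agent.lower()
    return _CRAWLER_PAGE if ("googlebot" in ua or "bingbot" in ua) else _CLEAN_PAGE


def honest_fetch(url, user_agent):
    """Control case: the same page for everyone, differing only inside a comment."""
    return "<html><!-- ua: %s --><body><p>Same for all</p></body></html>" % user_agent


if __name__ == "__main__":
    print(detect_cloaking("http://example.invalid/", fetch=sample_fetch))
    print(detect_cloaking("http://example.invalid/", fetch=honest_fetch))
```

A digest mismatch flags the page for a manual look at the crawler-only content; it does not by itself prove a shell is present, since legitimate sites also vary pages by User-Agent.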

A Twitter Chat on Cybercrime Defense

Yesterday, Akamai participated in a Twitter forum on cybercrime as part of National Cyber Security Awareness Month. Participants supplied a ton of great resources, which I think is worth sharing here. 

What follows are some of the tweets from the conversation. If you want to stay out of the attackers' crosshairs -- or if you're a victim looking for help -- you'll find what follows useful.

  • If you're a victim, DOJ has a great site at where you can report a or identity theft.
  • Check a site is using https:// *before* you login. Learn about the dangers of not doing so:
  • You can also report phishing scams to the Internet Crime Complaint Center
  • Cybercrime victims, file complaints: . victims, take 3 steps immediately:
  • Guide for what to do if victim of cybercrime, including forms & what if it's your kid:
  • FTC has detailed steps, checklists, & videos 2 help u prevent & resolve damage from :
  • The "Victims of " resources sheet is good to have on hand before you need it.
  • owners can also check out our whitepaper w/ plenty of tips:
  • RT : Stay educated! Here are top 10 email of 2013 & expert tips to protect yourself
  • Teach kids re: w/Fordham's great program:
  • Final thought - subscribe to OnGuardOnline blog posts 2 learn about latest online scams & how to avoid them:
  • Are u ready to protect yourself online? Test your skills on our game - The Case of the Cyber Criminal:
  • RT : Seriously good advice. People are afraid to be blacklisted for one mistake, but it happens to the best of us.
  • Check out our infographic on cybercrime & how small businesses can lose big
  • Our blog at is a great resource for the latest info in security trends, tips and info.
  • Oversharing info online & using unsecured public wi-fi makes it easier for criminals. Learn 2 use w/care:
  • A lot of the training gives new employees on how to behave securely applies to what we're discussing here...
  • If people suspect fraudulent activity, they should report it to their bank, local police, etc. Here's a list
  • A lot of PII is shared (intentional or b/c we have many user accts). Helps bad guys social engineer. Advice:
  • We provide pics of a few common Visa phishing scams on our security blog
  • Guessable passwords played role in 29% of 2011 breach investigations
  • Weak passwords! We see "123456" and "password" used way too often. More fun stats we found:
  • For newbies, social engineering is when the bad guys try to phish you with messages that look like legit business, news, etc.
  • As a journalist, one of the things I covered a lot -- and still do at Akamai, is social engineering...


Akamai CSO Andy Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry.

Video: Josh Corman on Different Adversary Classes

Akamai Director of Security Intelligence Josh Corman gives an overview of different adversary classes and their motivations.

The Science of Online Video Advertisements

Today Akamai announced the publication of a new study, "Understanding the Effectiveness of Video Ads: A Measurement Study," designed to gain a scientific understanding of when viewers complete watching online video ads and when they abandon them. With analysis of an aggregate 367 million videos and 257 million ads from over 3,000 publishers that were viewed by 65 million unique users worldwide across the Akamai Intelligent Platform, a great deal of useful information can be gleaned from reading the study. For example:
• The position of an ad has the single largest impact on completion rate, with a mid-roll ad 18.1 percent more likely to be completed than the same ad as a pre-roll, and pre-rolls 14.3 percent more likely to be completed than the same ad as a post-roll.
• Repeat visitors to a site have higher completion rates for ads on that site than one-time visitors to that site.
• Viewers are more tolerant of video ads than of slow-loading videos. Viewers who must wait 10 seconds for their video to load are three times more likely to abandon than users who spend the same amount of time watching a pre-roll ad.
• Users who abandon ads leave early. One-third of the abandoners leave at or before the quarter-way mark and two-thirds at or before the halfway mark in the ad.
• Ads that play within long-form content such as TV episodes and movies complete at a higher rate (87 percent) than those that play in short-form content such as news clips and sports highlights (67 percent).
• Time of day and day of week do not affect ad completion rates substantially.

The study goes to great lengths and detail to account for a multitude of variables that could affect ad completions and abandons. In addition to providing a deeper understanding of how factors of the ad, the video and the viewer influence an advertisement's effectiveness, the study is intended to help drive the evolution of the video monetization models that are so critical to the growth and success of online video.

Akamai's Sola Analytics cloud-based video measurement and reporting product was used to collect and analyze the massive amount of data leveraged for the study.

Co-authors S. Shunmuga Krishnan and Ramesh K. Sitaraman are presenting the study at the Internet Measurement Conference 2013 on Thursday, October 24, in Barcelona.

Chris Nicholson is a senior public relations manager at Akamai.

IBM, Akamai Team Up in DDoS Fight

As part of a new partnership, IBM will integrate Akamai's Kona Site Defender with IBM's Cloud Security Services portfolio.

IBM Security Services General Manager Kris Lovejoy said her company decided to join forces with Akamai because of its track record in protecting customers from DDoS attacks.

"Our clients tell us there is a need to strengthen cloud security," Lovejoy said in a statement. "The partnership with Akamai combines a world-class security team and an intelligent network platform to strengthen cloud security. Together with Akamai, IBM can provide both proactive and reactive DDoS protection from the increasing frequency, scale and sophistication of these attacks."

Based on daily security monitoring for more than 4,000 clients, IBM sees DDoS attacks as an escalating problem. The average large company must filter through 1,400 cyber attacks weekly, according to the IBM Cyber Security Intelligence Index.

In its most recent State of the Internet report, Akamai documented a second-quarter rise in DDoS attacks. Akamai customers reported 318 attacks -- a 54 percent increase over the 208 reported in the first quarter. At 134 reported attacks, the Enterprise sector continued to be the leading target of DDoS attacks, followed by Commerce (91), Media and Entertainment (53), High Tech (23) and Public Sector (17).

The companies will also share security intelligence to better detect threats, identify security risks and areas of noncompliance, and set priorities for remediation. IBM's X-Force research and development team will contribute global analytics capabilities and use its QRadar security solution, which gathers information from multiple sources and uses analytics to identify potential threats and breaches.

The result for clients is managed DDoS protection that covers a full spectrum of services, including:

• Preparation - development of readiness plans and response protocols
• Mitigation - proactively stop attacks before they affect clients' networks
• Monitoring - monitor network traffic, DDoS alerts, and the real-time health of IT resources
• Response - trained response experts on standby to assist with attacks; to contain, eradicate, recover and identify primary and secondary attacks
• Intelligence - deliver insights on internet threat conditions and provide real-time DDoS metrics


The following is a guest post from Director Global Service Delivery Patrice Boffa and Solutions Architect Harish Jakkal.


Locking down access to a Web application based on information from the Network Layer of the Open Systems Interconnection (OSI) model is the most basic request filtering mechanism available. Many network firewalls on the market inspect the source and destination IP addresses of a request to decide whether to forward or deny it.

Using Network Layer Controls within these firewalls, you can either allow or disallow end-user access to the Web application. At the Network Layer, the parameter available to make the decision is the advertised IP address of the end user. Many firewalls ship with a geo-location database that lets you correlate an IP address to a geographical region. This provides the flexibility to allow or deny end users based on their advertised geographical location rather than listing every IP range for each region.

Network Layer Controls are typically maintained as a rather long whitelist or blacklist of IP addresses, CIDR blocks and geographic regions. However, this approach has the following limitations:

1. Many firewalls are still on-premise devices that may not be able to scale up to volumetric attacks such as Distributed Denial of Service (DDoS).
2. Firewall configurations can be cumbersome to maintain and lack flexibility in the conditional logic you wish to apply.
3. Some firewalls bundle all policies into a single configuration file. As a result, each update to a policy requires redeploying the whole configuration, which can be challenging from a change-management perspective. Many firewalls still require manual intervention when updating the access control list, which makes them more prone to human error.

How do we solve these problems? The Akamai KONA Network List Management feature provides a cloud-based, scalable alternative for controlling access to your Web application that is both easy to use and flexible. Network List Management allows you to create and maintain logical lists of blacklists or whitelists.
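To show what the logical-list approach looks like in practice, here is an added example (written for this post; it is not Akamai's Network List Management implementation) that evaluates a client address against named deny and allow lists built from CIDR blocks and country codes, checking deny lists first. The geo table, the list contents and the client addresses are constructed samples drawn from reserved documentation ranges.

```python
"""Network-layer access control expressed as named logical lists of CIDR blocks
and country codes, with a deny-then-allow evaluation order. Written as an example
for this post; it is not Akamai's Network List Management feature.
The geo table, lists and addresses below are constructed samples."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for a firewall's geolocation database: prefix -> ISO code.
# All prefixes are reserved documentation ranges, not real allocations.
GEO_TABLE = {
    "203.0.113.0/24": "ID",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
    "2001:db8::/32": "US",
}


def geo_lookup(addr, table=GEO_TABLE) -> Optional[str]:
    """Longest-prefix match of an address against the geo table; None if unknown."""
    best, best_len = None, -1
    for prefix, country in table.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = country, net.prefixlen
    return best


def country_of(ip: str) -> Optional[str]:
    """Convenience wrapper: country code for a textual address."""
    return geo_lookup(ipaddress.ip_address(ip))


class NetworkList:
    """One logical list: any number of CIDR blocks and/or country codes."""

    def __init__(self, name: str, cidrs=(), countries=()):
        self.name = name
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.countries = {c.upper() for c in countries}

    def matches(self, addr, country: Optional[str]) -> bool:
        if any(addr.version == n.version and addr in n for n in self.networks):
            return True
        return country is not None and country in self.countries


class Policy:
    """Deny lists are checked first, so a specific block is never overridden by a
    broad geo allow. If any allow list exists, a client must hit one of them;
    with no allow lists the default is allow. Unparseable input is denied."""

    def __init__(self, deny: List[NetworkList], allow: List[NetworkList]):
        self.deny, self.allow = list(deny), list(allow)

    def evaluate(self, client_ip: str) -> Tuple[str, str]:
        try:
            addr = ipaddress.ip_address(client_ip.strip())
        except ValueError:
            return "deny", "unparseable address"
        country = geo_lookup(addr)
        for nl in self.deny:
            if nl.matches(addr, country):
                return "deny", "matched deny list '%s'" % nl.name
        if self.allow:
            for nl in self.allow:
                if nl.matches(addr, country):
                    return "allow", "matched allow list '%s'" % nl.name
            return "deny", "no allow list matched"
        return "allow", "default allow"


# Constructed sample policy. The partner VPN address sits in a denied country,
# so the deny list wins even though the address is explicitly allowed.
POLICY = Policy(
    deny=[
        NetworkList("known-bad-hosts", cidrs=["203.0.113.0/24"]),
        NetworkList("blocked-countries", countries=["DE"]),
    ],
    allow=[
        NetworkList("customer-regions", countries=["US", "ID"]),
        NetworkList("partner-vpn", cidrs=["192.0.2.10/32"]),
    ],
)

if __name__ == "__main__":
    for ip in ["203.0.113.5", "198.51.100.7", "192.0.2.10",
               "2001:db8::1", "10.0.0.1", "not-an-ip"]:
        print(ip, POLICY.evaluate(ip))
```

Because each list is named, a change to one list (adding a block, removing a country) does not require touching the others, which is the maintainability point the post makes against monolithic firewall configurations.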

Movin' On Up (The OSI Stack)

For months now, those of us working to protect Akamai's customers have been trumpeting the same theme: in the same way that companies, technology and applications are moving "Up the Stack" to the web layer, attackers have followed. For the first time since the inaugural "State of the Internet Report" was published in Q1 2008, we have solid statistical proof that the threat landscape has changed: as of Q2 2013, Port 443 (SSL [HTTPS], 17 percent) and Port 80 (WWW [HTTP], 24 percent) are the most targeted ports on the internet.


Akamai has been delivering and securing internet traffic for the better part of 15 years. The breadth and scale of the Akamai Intelligent Platform is second to no other content delivery network: Akamai delivers traffic for the Top 30 Media and Entertainment companies, all Top 20 global eCommerce sites, all of the top Internet portals, and 9 of the top 10 largest newspapers. At any given time, we see 15 to 30 percent of the world's web traffic.

This scale and breadth gives us unusual visibility into attack traffic. As we've grown with the internet, our ability to track attack trends has matured. Today we combine the human intelligence of our CSIRT team with security analytics provided by our "big security data" team. We have seen this day coming: more and more, hackers are attacking the web layers. We talked about it in our pieces on Account Checkers here, here, and here. And now we are seeing our predictions borne out in the latest State of the Internet report. The attackers are moving up the stack. The attackers' shift to the web layer was inevitable, as is Akamai's response. Look for more information in the coming days and weeks on how we are improving our Kona Site Defender product through Big Data that improves our security intelligence and informs our Web Application Firewall rules.

Dan Shugrue is a Senior Product Marketing Manager at Akamai.

The latest Akamai State of the Internet report analyzes recent DDoS trends and includes a section on something I've written about a lot in recent months -- attacks from the so-called Syrian Electronic Army.

DDoS attacks spiked in the second quarter of 2013, with Akamai customers reporting 318 attacks -- a 54 percent increase over the 208 reported in the first quarter. At 134 reported attacks, the Enterprise sector continued to be the leading target of DDoS attacks, followed by Commerce (91), Media and Entertainment (53), High Tech (23) and Public Sector (17).

Also during the second quarter, the Syrian Electronic Army (SEA) claimed responsibility for several attacks against news and media companies. The attacks all exploited tried-and-true spear-phishing tactics in which internal email accounts were compromised and used to collect credentials and gain access to Twitter feeds, RSS feeds and other sensitive information. The attacks were designed to spread propaganda about the regime of Syrian President Bashar al-Assad, and they have indeed attracted plenty of media attention in recent months.

The quarter covered in the latest report ended June 30, but the SEA's antics have continued. In late August, for example, users couldn't access many high-profile websites one day after SEA launched a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company. At the time, the IDG News Service reported that the attack allowed hackers to change the DNS records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com -- a domain owned by Twitter.

"This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control," the news service reported. "Hackers also made changes to the registration information for some of the targeted domains, including Twitter.com. However, Twitter.com itself was not impacted by the DNS hijacking attack."

There was some concern that the SEA would use the anniversary of 9-11 and news of potential military action in Syria as an excuse to unleash a fresh wave of DDoS attacks in September, but that spike never materialized.




Top 10 Tweets from #AkamaiEdge

It has been a week since #AkamaiEdge 2013, and we still can't stop thinking about it! It was the first time that we had a live social stream, and it allowed us to broadcast tweets and pictures on four 40" screens that were located at the Social Media Hub. People loved it!

We had over 4,100 people tweet using #AkamaiEdge during the conference, and everyone seemed to enjoy watching their tweets show up on the big screens.

Now, with over 4,100 tweets to choose from, it was a difficult task to choose the top 10. But here you have it - the top 10 tweets from #AkamaiEdge! Enjoy and we hope to see you next year.


Are You a Future Akamai Security Professional?

It's week three of Cyber Security Awareness Month at the U.S. Department of Homeland Security, and the focus is on the future security workforce. Here's what DHS says on its website:

As technology continues to evolve and improve, the need to protect against evolving cyber threats also requires improvement and expansion. To meet the growing technological needs of government and industry, the Department of Homeland Security (DHS) is building strong cybersecurity career paths within the Department and in partnership with other government agencies. In order to ensure that the next generation of cyber leaders is prepared to protect against cyber threats, it is crucial that we help to prepare them. To accomplish this critical task, we have created a number of very competitive scholarship, fellowship, and internship programs to attract top talent. As the agency responsible for securing federal civilian networks, DHS works closely with its partners in the private sector and federal, state and local governments to educate and engage the next generation of cyber professionals.

It's a cause we support at Akamai, given our role in protecting many of the biggest entities on the Internet. We work hard to instill strong security scruples in all employees, who get about an hour of security training as part of their first-day orientation. Meanwhile, our InfoSec department has grown dramatically this past year. Without a doubt, we'll always need fresh security talent.

One thing I'm learning is that we have to cast a wider net for security talent. We can't limit our search to the usual places, like the halls of academia. It's a point Mark Weatherford, former undersecretary of cybersecurity for DHS, made during an event last year put on by CSO Magazine.

He spelled it out this way: If you're a so-called computer geek who likes to break things and put them back together again, the Department of Homeland Security's cybersecurity division wants you. Nobody would expect you to stick around forever, and lack of a college degree wouldn't necessarily be a deal-breaker.

"We need to make it so people want to do this for a career," he said at the time. "The goal isn't necessarily to create DHS lifers, but to make the agency's cybersecurity division a step on the career ladder." For the most part, he said, "people don't work in government forever. But having DHS experience on your resume will mean a lot when you go back out to the private sector."

And despite all that's been said about the importance of a college education for those hoping to succeed in the workforce, Weatherford said those without a degree are welcome to come forward.

"There are people out there who didn't go to college, but they spent much of their time breaking things and putting them back together," and DHS needs their help, too, he said.

After a stint with DHS, who knows what could be next? As I said, Akamai always has its eyes open in the never-ending search for security talent.

This week Akamai released its State of the Internet report for the second quarter of 2013, and the security section includes some changes since the last go around.

Based on data gathered from the Akamai Intelligent Platform, the report provides insight into key global statistics such as network connectivity and connection speeds, attack traffic, and broadband adoption and availability. One of the things we track is the origin of attack traffic around the world, and that will be the focus of this post.

What's new this time is that Indonesia replaced China as the top producer of attack traffic. Indonesia nearly doubled its first-quarter traffic from 21 to 38 percent, while China moved to second at 33 percent -- down one percentage point from last time. The United States remained in third even after dropping to 6.9 percent in the second quarter from 8.3 percent in the first quarter.

The top 10 countries and regions generated 89 percent of observed attacks, up from 82 percent in the previous quarter. Like the first quarter, Indonesia and China again originated more than half of the total observed attack traffic.


The choice of ports used to launch attacks shifted this time around. For the first time since the inaugural State of the Internet Report (first quarter of 2008), Port 445 (Microsoft-DS) was not the most targeted port for attacks, dropping to third place at 15 percent, behind Port 443 (SSL [HTTPS], 17 percent) and Port 80 (WWW [HTTP], 24 percent).

The vast majority (90 percent) of attacks targeting Ports 80 and 443 originated from Indonesia, up from 80 percent last quarter.


My next State of the Internet post will focus on the DDoS trends captured in the latest report, as well as the attacks we've been tracking from the Syrian Electronic Army.

An Overview of the OSI Model with Akamai CSO Andy Ellis

In this video, Akamai CSO Andy Ellis gives an overview of the OSI model, abstraction layers, HTTP, TCP/IP and how together these things make the Internet work.

Podcast: The Flip Side of Bots and Crawlers

A few months ago, Akamai Senior Enterprise Architect David Senecal wrote a post about ways to identify and mitigate unwanted bot traffic.

Last week, I went into more detail on the subject with Matt Ringel (@ringel on Twitter), an enterprise architect in Akamai's Professional Services team. (Check out Matt's recent post, "You Must Try, and Then You Must Ask.") That resulted in the post "Bots, Crawlers Not Created Equally."

In addition to that post, we have a full audio recording of the conversation. Listen to it HERE.

Schneier and Corman: A Conversation in Tweets

What does one do when he has to get on a plane right before one of the more anticipated keynotes at Akamai Edge? In my case, follow the tweets and retweet what I found most interesting.

Below are tweets from those attending the keynote discussion between security luminary Bruce Schneier and Akamai InfoSec's Josh Corman. I followed from the taxi, through the TSA line and from the gate, and it was worth it.




1. I have to give both and Bruce Schneier props for rocking the stage here at Akamai Edge!

2. Economics of classifying information on its head. Incentives must shift to charging for classifying info.

3. at : one of the problems with secrets: "There is no cost to classification." At least to those classifying things

4. at The NSA is turning into a huge surveillance platform and we don't know how to fix it.

5. is demonstrating why he is one of the foremost authorities on .

6. Oh, is asking Bruce Schneier the chaos vs control question. Will this result in the Balkanization of the internet?

7. at : we are moving to a world of less secrecy. Stunned that NSA had no contingency plan for big leaks.

8. : at : on computer security: Offense is easier and won't change anytime soon.

9. "The onus is not on the breaker, it is on the maker" Bruce Schneier (only in a perfect world)

10. at : one click is too many for security in most cases.

11. Check out the orange shoes on Bruce says "I like them on YOU"

Akamai at Velocity New York and WebPerfDays

While some of you are attending and enjoying the Edge conference, some of us are preparing for other great Web performance conferences where you can listen to and meet some of the members of Akamai's Advance Solutions Group.

Velocity NYC

Colin Bendell will be speaking at Velocity NYC on the topic "Performance Impacts of i18n, l10n and m18n" on Wednesday, October 16, 2013. If you are planning to expand your target demographic by adding multiple language support, multiple currency support or other locale-specific functionality, you won't want to miss this presentation. Colin will be sharing his insights about scaling your site while maintaining high page performance and cache hit rates, and exploring how to govern the complex business rules that come with internationalization and localization. Check back later for Colin's post-conference post.

WebPerfDays

David Sztykman will be speaking at WebPerfDays on "How to scale large live events to millions of end users" on Thursday, October 17, 2013. This ignite session will cover key points to make your next streaming event successful. He will talk about the site surrounding the stream and how it affects the live event. As a follow-up, David will be presenting on the topic in more detail during the upcoming November Meetup event.

Advance Solutions Group

The Advance Solutions Group (ASG) helps Akamai customers meet their critical business goals and complex technological challenges by providing Akamai innovation, thought leadership and education. ASG services include:

• Architecture Design: Identify and translate advanced requirements into creative out-of-the-box cloud solutions.
• Assessment Services: Value-add consulting to provide customers with expertise and best practices in the areas of user experience, infrastructure reliability and security.
• Education Services: Hands-on, in-depth training for customers to make them more self-reliant and increase their Akamai ROI.

We hope to see you at our next Meetup event and enjoy Conferencetober!

Manuel Alvarez is an Enterprise Architect at Akamai.

Dissecting Operation Ababil at Akamai Edge

Operation Ababil has been a thorn in the side of financial institutions this past year, costing victims both business and sleep. At Akamai Edge, we've been talking a lot about the attacks -- particularly the lessons we've learned and the fresh security measures companies have put in place.

Thursday, Akamai CSO Andy Ellis led a panel discussion on the lessons learned, and earlier in the day John Summers -- VP of Akamai's security business -- shared some slides on the subject.

I was on the plane home by the time Andy got onstage, but I did attend Summers' talk and photographed his slides. Meanwhile, artist Natalia Talkowska -- who has been doing some fabulous live sketching at Edge -- captured Andy's panel discussion as it happened. What follows are the Summers slides and Natalia's sketch. Together, I think they present a pretty solid picture of the discussion.


[Photos of John Summers' slides and Natalia Talkowska's sketch appeared here.]

George Delivers Security Message at Akamai Edge

At Akamai Edge I've been hanging out a lot with Dan Abraham, my InfoSec department colleague. I have yet to see him without George, the stuffed penguin who serves as our mascot and symbol of security awesomeness.

We've shown George a good time, taking him on a stroll around Washington DC Sunday. (He visited the Spy Museum and was not amused to discover that Ford's Theater was closed because of the government shutdown.) But he's earned it. This week, he's working overtime to deliver our security message.

Whenever someone catches sight of George, they ask Dan what the deal is. Dan then tells them about our internal efforts to be secure, and how George visits those who "do something awesome for security."

Since Dan can't talk to every single person who sees George and wonders about him, I thought a post was in order. What follows is my own personal history with George, and the education he's given me so far.

I met George long before starting this job, and I admit that I've had a little fun at his expense. During the RSA conference in San Francisco last February, I acquired a stuffed mini version of George and stuck him in the side pocket of an unsuspecting colleague, who spent the night bouncing from one vendor party to the next with no clue that a penguin's head was bouncing up and down on the side of his leg.

As this department's storyteller, I can't do that sort of thing anymore. I have to play nice with George and keep him happy. Akamai CSO Andy Ellis absolutely adores George, and failing to get on the flightless waterfowl's good side could prove career limiting.

The first time I met George, he looked familiar. Duh, you're probably thinking. Everyone knows what a penguin looks like. But the fluffiness of this guy was something distinctive that stuck in my mind like a thorn. So I did some digging and remembered: I had run into his likeness dozens of times during family trips to the New England Aquarium. He was always in the gift shop, sold in stuffed animal form and in a smaller, rubber version. My youngest son Duncan had one of the latter. His name was Bucky, and he brought the child tremendous joy until he got old and worn out, at which point his rubber butt fell off.

It turns out one of the stuffed penguins was purchased by an Akamai employee during a team outing, and she was allowed to make the purchase as a business expense. That meant he had to be put to work.

And so Akamai's InfoSec emissary was born.

The little dude even has his own Twitter account (@SecurityPenguin), LinkedIn page and website.

Here's how he describes himself on LinkedIn:

"I am a highly motivated information security professional, looking to promote awareness of security practices. In my role as the Penguin of Awesome, I promote and recognize practices that promote and raise awareness of Information Security. I am assigned in 1-week rotations to shadow staff who have helped make Akamai a more Security-aware place to work, so that I may learn from them and make sure that their peers know how awesome they are."

He even has some LinkedIn recommendations. Akamai InfoSec CSIRT Director Michael Smith wrote, "GTP is hands-down the most awesome dictator that I have ever had the opportunity to work for. Just the other day I asked him 'George, I'm having a problem getting the sales reps to say no to customer audits, would it help if I showed up at meetings with a crowbar and threatened them physically?' He nibbled on his herring lunch and nodded. Such genius, such drive, such vision!"

There are pictures on the wall of team members with George. The photo op is something that comes your way in recognition of a job done well. My mug isn't up there yet, but it's something I covet.

    Still, as popular as he is around here, there's something mysterious about George. There's a lot we don't know about him. There are rumors that he has a nemesis out there, someone dedicated to trampling on the InfoSec principles we hold most dear.

    I do have 20 years of reporting experience under my belt, and I intend to use those skills to peel back the layers of mystery.

    Stay tuned.


    For years at Akamai, I have spoken at conferences and with customers about the future of the WAN. While the title of my presentations may have varied - "Next-Generation WAN Services", "How to Redesign your WAN", "Preparing for the Convergence of Private WAN and Internet" - my view has not. Network architectures need to undergo a huge transformation. Why? The increasing amount of web traffic finding its way onto enterprise private networks. It's inevitable, given the growing adoption of public cloud services, video and other business or recreational traffic.

    Mixing web traffic with other business traffic inside the corporate network creates a lot of strain. The majority of enterprises today still backhaul traffic from the branch office to the data center to access the Internet. The primary reason is security: it is easier to lock down a small number of Internet access points than to go "direct-to-net" at every branch and have to protect all of those locations. The downside of this approach is the performance impact on users in the branch office, whose traffic is unnecessarily routed over large distances, along with scalability challenges because the bandwidth available at the branch is limited. Even for those branches that do connect entirely direct to net, you'll still have to bring the optimizations into the last mile to solve for scalability and performance. Ultimately, I believe enterprises will increasingly mix and match their Internet strategies for the branch, using techniques like direct to net, split tunnel and path selection depending on factors such as security, quality of service, application type and cost.

    Today, we announced that Akamai has been developing new technology, which we call Akamai Unified Performance, that brings application performance "behind the firewall" and into the branch office. With more than 1,000 Commerce, Retail, Hotel and Travel customers, many of them have asked us to help them move their Omnichannel initiatives forward as the digital experience increasingly extends beyond home and mobile into their brick-and-mortar stores. One of our customers, Marks & Spencer, recently shared that their shoppers spend 8x as much if they can engage them in all three channels. But enabling the in-store Omnichannel experience requires a new approach to the retail store network, as highlighted in this white paper. It involves a whole bunch of new optimizations that allow retailers to extend their investment and experience with Akamai on the web and get those same optimizations into the store - while also accelerating lots of other third-party content delivered by Akamai, given that the Intelligent Platform already delivers 15-30% of all web traffic.

    We also announced today that Akamai and Cisco are working together for future integration of Akamai Unified Performance into the Cisco ISR AX series of routers and we showed a working prototype on the main stage at Edge 13.  The intent is to co-develop enterprise network offerings with Cisco aimed at delivering the world's first combined Intelligent Wide Area Network (IWAN) Optimization solution that provides a high quality end user experience for both public and private cloud applications to all remote offices.  You'll be hearing more from us when products are brought to market, but there are so many possibilities when you think about the routing, performance optimization and security capabilities both companies bring to the table which can overcome existing challenges associated with branch office network architectures and the user experience.

    It's an exciting day for the enterprise WAN (and me). Read more at www.akamai.com/cisco

    Neil Cohen - VP Global Product Marketing, Akamai

    "The future of the Internet lies in the hands of developers and architects."

    While this statement sounds really great, I can't take the credit for it. The original quote comes from Tom Leighton himself, co-founder and CEO of Akamai, in a video introducing Akamai {OPEN}, part of the Akamai Open Platform Initiative.



    Akamai has become one of the most reliable and popular web platforms, handling up to 30 percent of total web traffic on any given day. That means virtually every user in the world surfing the web is at some point helped by Akamai to improve and secure their Internet experience. This kind of insight puts the Akamai Intelligent Platform in a unique position to help companies gain better understanding and control over their business.

    At the same time, as Tom says, the future of the Internet will be driven by those who create things; those who understand market needs; and those who create applications to address these needs and tackle problems.

    And because of this, we needed to answer two important questions:

    "How can we, from this privileged position, fuel the innovation the market is demanding?"

    "How can we make sure our customers get the most out of their investment in Akamai while embracing new market trends (if not needs), such as a solid cloud computing strategy?"

    As mentioned earlier, today we announced the Akamai Open Platform Initiative. And fundamentally, this new program provides our answer to the previous questions. Akamai has worked intensively to extend the capacities of the platform, so developers, partners and customers can take more control of their interaction with the Akamai Intelligent Platform, multiplying the reach and scope of their applications.

    This, again, sounds great. But you may be wondering what it effectively means. Or, more simply put, what would I say if I were talking to you over a cup of coffee (apart from eventually asking you to pick up the bill)? Let's slice and dice this strategy.

    The Open Platform Initiative is, ultimately, a new way not only for our customers but also for a wide community of developers to interact with Akamai. We work tirelessly to create better services every day, and this initiative is all about giving developers, customers and partners greater freedom in the way these services are consumed. We have opened up our core technology, granting more insight and more control through program elements including:

    • A developer website (developer.akamai.com) where we are exposing APIs so Akamai services can be consumed, edited and monitored programmatically. The great thing is that it enables developers to integrate Akamai services with other technologies.
    • A newly designed Luna Control Center customer portal providing greater self-serviceability. For example, Property Manager is a new tool that allows customers to fully edit, control and manage the behavior of Akamai Intelligent Platform™ in relation to their sites and applications. And even though I call myself a fan, it seems that I am not the only one. We are observing great customer adoption both in frequency and intensity of use. We've also added capabilities such as Predictive and Intelligent Alerts, support for Single Sign On and simplified User Management (the ability to drag and drop widgets to personalize your view of Akamai assets) as part of the Open Platform Initiative.


    • A significant group of Integration Services that range from providing real-time access to relevant big cloud data to executing customers' business workflow tasks -- all of which can be integrated with third-party technologies to create a wider scope of applications.

    I like to say that the Akamai Open Platform Initiative is part of the process of 'cloudifying' Akamai. While this word may sound a bit weird, we are used to hearing that a particular site kept performing smoothly even during an attack because it was 'akamaized', right?

    Never more true than today: you have the power of Akamai, and potentially the next big thing on the Internet, at your fingertips.

    Miguel Serrano Palacio is a Senior Product Marketing Manager at Akamai

    Manipulating PHP Superglobal Variables

    Here at the Akamai Edge conference in Washington D.C., we're talking to customers about the latest attack techniques and how we're staying ahead of the threats. One example of what we're watching: a method where attackers are able to use vulnerabilities in PHP applications to exploit superglobals -- pre-defined variables in PHP -- to launch malicious code.

    Attack details:

    PHP superglobal variables have been a part of the language since version 4.1.0, which was released in December 2001. Superglobals are predefined array variables that can be used in any PHP application on any platform running the language. These variables are $GLOBALS, $_SERVER, $_GET, $_POST, $_FILES, $_COOKIE, $_SESSION, $_REQUEST and $_ENV. The $GLOBALS array contains the values of the other eight superglobals, just as $_REQUEST also includes the values from $_GET and $_POST.

    PHP had a register_globals directive, which was switched to "off" by default as of version 4.2.0 (April 2002) and removed completely as of version 5.4.0 (March 2012). When register_globals was set to on, new variables with global scope were created dynamically from the parameters of the request.

    Because of that scope, the values of those parameters were immediately available anywhere in the application. If the developer was not careful, a malicious user could change the behavior of the application simply by adding parameters to the Web page request.

    Despite a series of fixes along the way, attackers continue to exploit old vulnerabilities using PHP's superglobals. One report showed a method where attackers chained together two known vulnerabilities to run remote code on a server.

    How to tell if you're at risk:

    Affected versions of phpMyAdmin are those before 3.3.10.2 (in the 3.3 branch) and before 3.4.3.1 (in the 3.4 branch). phpMyAdmin patched the issue in July 2011 in versions 3.3.10.2 and 3.4.3.1.

    Additionally, on August 20, 2010, MITRE's Common Vulnerabilities and Exposures (CVE) database added CVE-2010-3065, which describes a method by which attackers can alter serialized PHP session data on a server. Affected versions of PHP are 5.2.13 and earlier, as well as 5.3.2 and earlier.

    Fixing the problem:

    The most important way to keep your applications safe is to keep them fully patched and at the latest install versions. The latest version of phpMyAdmin can be found at http://www.phpmyadmin.net/home_page/downloads.php and the latest version of PHP can be found at http://php.net/releases/index.php.

    Don't leave third-party applications exposed to the public Internet. Place your company's single sign-on in front of them, or put them on an internal network and require a VPN to access them.

    If your application requires the user be able to interact with a superglobal variable, take extra steps to ensure that the input is properly sanitized and validated, to avoid any malicious input. If possible, don't use superglobals at all in the application.
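    The two halves of this advice side by side, as an added example that is not code from the advisory or from Akamai: a handler that reproduces the register_globals behaviour on a current PHP release by calling extract() on the request array (the same "request parameters become variables" effect), next to a hardened handler that initialises its own variables and reads and validates each parameter by name. The function and variable names ($authorized, $page, isAdmin), the user names and the sample request are constructed for the illustration.

```php
<?php
// Added example, not from the Akamai advisory: the register_globals failure
// mode reproduced on a modern PHP with extract(), next to a hardened handler.
// All names here ($authorized, $page, isAdmin, the users) are constructed.
declare(strict_types=1);

// Constructed stand-in for a real authorization lookup (session, directory...).
function isAdmin(string $user): bool
{
    return $user === 'alice';
}

// VULNERABLE: register_globals is gone since PHP 5.4, but extract() on a
// request array recreates it: every request parameter becomes a variable in
// the current scope, and the default EXTR_OVERWRITE lets it clobber existing
// ones such as $user. $authorized is only assigned on the admin path, so a
// request carrying authorized=1 pre-seeds it and the final check passes for
// anyone. (On PHP < 5.4 the equivalent was register_globals = On in php.ini.)
function legacyHandler(array $request, string $user): array
{
    extract($request);                        // never do this with $_GET/$_POST/$_REQUEST
    if (isAdmin($user)) {
        $authorized = true;
    }
    return [
        'authorized' => !empty($authorized),  // attacker-controlled for non-admins
        'page'       => $page ?? 1,           // unvalidated: whatever string was sent
    ];
}

// HARDENED: initialise every variable you rely on, derive authorization from
// trusted state only, read just the parameters you expect by name, and
// validate each one before use.
function hardenedHandler(array $request, string $user): array
{
    $authorized = isAdmin($user);             // never taken from the request

    // Accept only an integer page number in a sane range; fall back otherwise.
    $page = filter_var(
        $request['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]
    );
    if ($page === false) {
        $page = 1;
    }
    return ['authorized' => $authorized, 'page' => $page];
}

// A request a non-admin could craft: ?authorized=1&page=not-a-number
$attack = ['authorized' => '1', 'page' => 'not-a-number'];

var_dump(legacyHandler($attack, 'mallory'));
var_dump(hardenedHandler($attack, 'mallory'));
```

    Run it with the php CLI on any 7.x or 8.x release. For the non-admin user, the legacy handler reports authorized as true as soon as the request carries authorized=1 and hands back the unvalidated page string, while the hardened handler reports false and falls back to page 1. On releases before 5.4 the same defence starts with register_globals = Off in php.ini.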

    For Akamai customers, we've created a custom WAF rule to prevent superglobal variable manipulation.

    Bots, Crawlers Not Created Equally

    A few months ago, Akamai Senior Enterprise Architect David Senecal wrote a post about ways to identify and mitigate unwanted bot traffic. Here at the Akamai Edge conference in Washington D.C., discussions around that continue -- specifically, how to squeeze the maximum usefulness out of bots and other Web crawlers.

    Yesterday, I continued a discussion I've been having about that with Matt Ringel (@ringel on Twitter), an enterprise architect in Akamai's Professional Services team. (Check out Matt's recent post, "You Must Try, and Then You Must Ask.")

    The first order of business was to throw cold water on the notion that all bots are the work of bad guys. 

    "People think of bot armies descending on your site like locusts, killing your performance and wrecking your infrastructure," Matt said. "But in terms of commerce and the ability to do things like making price comparisons, some bots will give people faster access to your information, which is worthwhile in certain contexts."

    To start down that road, let's break bots down to two categories:

    • The nasties that do nothing but weigh down your infrastructure (low usefulness, high load on resources).
    • Those that can be useful to your business if properly directed. (These fall into the category of high usefulness, but with lower or higher loads.)

    Let's say you have a site that sells LED flashlights and you want potential customers to find you within seconds of a Google search. Price-comparison bots can help Google's own crawlers find you more quickly. Then Google can tell the user to "buy LED flashlights from these sites," including yours, and -- if you're lucky -- starting with yours.

    For businesses, the question is how to get to "high usefulness, low load" as often as possible. That's where using an application programming interface (API) comes in handy. 

    APIs are good for, among other things, setting up online partnerships with resource sharing. A business solution to mitigating the effect of high-load, high-usefulness crawlers is to offer an API to the entity if the opportunity arises. This is typically a much more efficient way to receive pricing data than crawling your website.

    If there's no way to make a partnership, periodically creating static versions of your sites and directing bots to those sites will lighten the load on your infrastructure. A bot will not interact with a dynamic website the way a user would, so there is no need to show them one.

    An alternate technical solution is to set up network rate limits for aggressive bots, especially if they're not very useful to you. 

    Another way to slow down bots is through browser testing -- planting a JavaScript "puzzle" the crawler needs to solve in order to proceed. If a bot isn't running a JavaScript engine, it won't be able to get through. Even if it has such an engine -- some do -- the puzzle effectively rate-limits the bot by making it spend more CPU resources per request.

    A more subtle way to foil web crawlers is to use a spider trap. Here's how it works: Since bots read pages and follow links for data, one way to get them hopelessly lost is by putting in a link that's invisible to the user -- white-on-white text, for example -- that the bot will most certainly see. That link, in turn, leads to dozens of pages with randomly generated data, all having dozens of their own links.
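    Two of the techniques above, rate limiting and the spider trap, turned into detection logic over sample traffic. This is an added example, not code from the post, from Matt Ringel or from Akamai: it parses a few constructed common-log-format lines, computes each client's peak request count inside a sliding window, and checks whether the client ever requested the trap URL that only a link-following crawler would find. The trap path, the window and threshold constants, and the IP addresses are all made up for the illustration.

```php
<?php
// Added example, not code from the post or from Akamai: offline detection
// logic over constructed access-log lines. A client is rate-limited when it
// exceeds MAX_IN_WINDOW requests in any WINDOW_SECS sliding window, and
// blocked when it fetches TRAP_PATH, a hypothetical page reachable only via
// a link that is invisible to human visitors.
declare(strict_types=1);

const TRAP_PATH     = '/catalog/archive-index';   // hypothetical spider-trap URL
const WINDOW_SECS   = 10;                          // assumed window length
const MAX_IN_WINDOW = 5;                           // assumed per-client limit

// Constructed sample log. 198.51.100.7 browses slowly like a person,
// 203.0.113.9 is an aggressive crawler, 192.0.2.44 followed the hidden link.
function sampleLog(): string
{
    return <<<'LOG'
198.51.100.7 - - [10/Oct/2013:11:44:52 +0000] "GET /products/led-flashlights HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2013:11:45:30 +0000] "GET /products/led-flashlights?page=2 HTTP/1.1" 200 4980
198.51.100.7 - - [10/Oct/2013:11:46:10 +0000] "GET /cart HTTP/1.1" 200 2210
203.0.113.9 - - [10/Oct/2013:11:44:50 +0000] "GET /products/1 HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2013:11:44:51 +0000] "GET /products/2 HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2013:11:44:52 +0000] "GET /products/3 HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2013:11:44:53 +0000] "GET /products/4 HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2013:11:44:54 +0000] "GET /products/5 HTTP/1.1" 200 4100
203.0.113.9 - - [10/Oct/2013:11:44:55 +0000] "GET /products/6 HTTP/1.1" 200 4100
192.0.2.44 - - [10/Oct/2013:11:50:01 +0000] "GET / HTTP/1.1" 200 7300
192.0.2.44 - - [10/Oct/2013:11:50:03 +0000] "GET /catalog/archive-index HTTP/1.1" 200 900
LOG;
}

// Parse one common-log-format line; null for lines that do not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $time = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'ts'     => $time->getTimestamp(),
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?? $m[4],  // strip the query string
        'status' => (int) $m[5],
    ];
}

// Largest number of requests falling inside any window of $window seconds.
function peakRequestsInWindow(array $timestamps, int $window): int
{
    sort($timestamps);
    $peak  = 0;
    $start = 0;
    foreach ($timestamps as $i => $t) {
        while ($t - $timestamps[$start] >= $window) {
            $start++;                         // slide the window's left edge
        }
        $peak = max($peak, $i - $start + 1);
    }
    return $peak;
}

// Group requests by client and decide an action for each one.
function classifyClients(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        $byIp[$r['ip']]['ts'][]    = $r['ts'];
        $byIp[$r['ip']]['paths'][] = $r['path'];
    }

    $report = [];
    foreach ($byIp as $ip => $data) {
        $peak    = peakRequestsInWindow($data['ts'], WINDOW_SECS);
        $hitTrap = in_array(TRAP_PATH, $data['paths'], true);
        $report[$ip] = [
            'requests'       => count($data['ts']),
            'peak_in_window' => $peak,
            'hit_trap'       => $hitTrap,
            'action'         => $hitTrap ? 'block'
                              : ($peak > MAX_IN_WINDOW ? 'rate-limit' : 'allow'),
        ];
    }
    return $report;
}

print_r(classifyClients(sampleLog()));
```

    Run it with the php CLI: the report marks the slow browser allow, the crawler that made six requests in six seconds rate-limit, and the client that followed the hidden link block. In production the same two signals would be read from the web server or edge logs and enforced by the rate limiter or WAF rather than printed, and the trap path should be excluded from robots.txt-respecting crawlers you actually want, since a well-behaved search bot that honours a Disallow rule will never reach it.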

    With variations of these techniques in place, the business is now in a much-improved position to sell products online, even in the presence of bots and other crawlers.

    Catch the rest of my discussion with Matt next week in the next episode of the Akamai Security Podcast.

    Akamai Edge 2013 and Patch Tuesday

    I'm in Washington D.C. for the Akamai Edge customer conference, and while it's easy to lose sight of the daily chores of security when you're spending the day listening to talks, there's still always work to be done. An example of that: Tuesday is Microsoft's regularly-scheduled security patch release.

    We'll be talking to Akamai customers at Edge about how our efforts play into their vulnerability management needs. We'll also talk about our own efforts to keep our patches up to date. So it's fitting that Patch Tuesday coincides with our event. 

    Microsoft has released an advance notification bulletin on what to expect tomorrow. Here's a breakdown:

    Bulletin 1: Critical 
    Remote Code Execution, affects Microsoft Windows, Internet Explorer

    Bulletin 2: Critical 
    Remote Code Execution, affects Microsoft Windows

    Bulletin 3: Critical 
    Remote Code Execution, affects Microsoft Windows, Microsoft .NET Framework

    Bulletin 4: Critical 
    Remote Code Execution, affects Microsoft Windows

    Bulletin 5: Important 
    Remote Code Execution, affects Microsoft Office, Microsoft Server Software

    Bulletin 6: Important 
    Remote Code Execution, affects Microsoft Office

    Bulletin 7: Important 
    Remote Code Execution, affects Microsoft Office

    Bulletin 8: Important 
    Information Disclosure, affects Microsoft Silverlight

    Why Early Termination Is Not A Bad Thing...

    On July 31st Facebook announced that it had enabled secure browsing by default. More and more companies, such as Google, Twitter and PayPal, have started to switch to always-on SSL/TLS to ensure more secure browsing, and the growth of HTTPS use is likely to continue.

    [Chart: Number of sites with valid certificates, from Netcraft's SSL Server Survey. Source: Netcraft]

    This sounds all well and good. However, as is often the case on the web this trend has performance implications.

     


    Instead of outlining the web and mobile performance implication of SSL/TLS here, I suggest you read Ilya Grigorik's excellent Browser Networking book which includes a great section on TLS.

    One thing I do want to highlight though is the fact that the connection setup for SSL/TLS requires up to two additional round trips to establish a connection:

    [Diagram: SSL/TLS connection setup. Source: Microsoft TechNet]

     

    As many readers will know, these extra round trips can have a significant performance impact - particularly on high-latency networks or if the server is far away from the client. You might end up with a US partner trying to log into a secure partner portal that is hosted in the EU. This is what it would look like if we tested that page using WebPagetest (Dulles, VA - IE 9 - Cable). Not exactly what you would call blazing fast.

    [WebPagetest waterfall chart: the page served directly from the EU-hosted origin]

    One of the ways to optimize SSL/TLS connection establishment is a technique called Early Termination (ET). ET simply means getting your servers as close to your end-users as possible to reduce round trip latency. This is one of Akamai's core capabilities and a large number of our clients leverage it.

    If we look at the same page above after they moved onto the Akamai Intelligent Platform we can see a significant performance improvement:

    [WebPagetest waterfall chart: the same page after moving onto the Akamai Intelligent Platform]

    And, if we take this a step further and look at a whole transaction and the associated SSL time in a synthetic testing tool such as Gomez, we can easily spot not only the likely origin region but also the significant value Akamai can bring to the table in terms of performance improvement for secure transactions.

    [Gomez chart: whole-transaction time and the associated SSL time]

    Further, as protocols like SPDY (which are primarily implemented over HTTPS) become more commonplace, early termination becomes even more important to deliver fast, quality experiences to your end-users.

    That is why early termination is not always a bad thing...

     

    Lorenz Jakober is a Senior Product Marketing Manager at Akamai

    You Must Try, and then You Must Ask

    I like working with grownups.

    Here's an example:

    When I was a wee little New Hire at my current employer, one of the things that came up a lot was the "15 minute rule." That is, if you're stuck on a problem, take a solid 15 minutes to bash your brain against it in whatever manner you see fit. However, if you still don't have an answer after 15 minutes, you must ask someone. I shorten this down to "You must try, and then you must ask." It's a simply-worded rule, which works something like this:

    1. If you've hit the point of giving up, you have to push yourself for another 15 minutes. The pressure is now off. You know that in 15 minutes, you'll be able to take what you found and talk to another person about it and get their help. For right now, all you have to do is step back and look at the whole problem from the top. Maybe you'll find the solution that was sitting there all along. Maybe you'll convince yourself it's completely unsolvable. Whatever you end up doing, those next 15 minutes are where you look at the problem one more time.

    2. During those 15 minutes, you must document everything you're doing so that you can tell someone else. So, what does "look at the problem one more time" mean? It means taking notes. Lots of them. I'm a big fan of using a paper notebook with an excruciatingly fine-point pen, because I don't need to move windows out of the way to keep writing in it, and I can fit a lot of words on a single page. Use what you like, but keep writing. Write down all the steps, all the assumptions, everything you tried, and anything you can do to reproduce the problem. More likely than not, you've now probably figured out at least one other way to solve the problem, just by getting it out of your head and onto paper.

    3. After that, you must ask someone for help. Okay, you've decided you need help, you've spent another 15 minutes looking at the problem again (and again (and again)), and you've documented your approach.

      Now, stop.
      Stop trying to solve the problem, if only for a moment.

      Call for help. Even if you think that you almost have it, stop. Even if you think that an incarnation of the wisdom of the masters is perched on your shoulder whispering the answer in your ear, stop. Write that email or walk over to the office/cube/etc. or cast the appropriate summoning spell, but make sure that someone else knows that you need help. Request assistance, state the problem, and show your work. You may not get help right away, but now you've employed at least one other brain in helping you, and now they have a great head-start, courtesy of you.

    So, that's the 15 Minute Rule in 3 easy steps.

    Here's why it's important:

    1. Your paid hours are costing someone money. You can be in a Professional Services Organization, an internal IT organization, or an independent contractor, but it all works out to the same thing: someone is paying for your skills. While it may feel good to figure out the answer on your own, there's no medal for wasting 3 hours' worth of money on a problem that doesn't merit that kind of time. In a sneaky way, this also helps you value your own time, if only by making you ask yourself "Is this problem worth this much of my time?"

    2. Your colleagues will help you because they're playing by the same rules. This means they're used to asking and listening to informed questions, and they'll be expecting the same from their peers. Needless to say, use your common sense... find someone that isn't heads-down in a problem of their own; no one likes to have their flow interrupted. That being said, your colleagues will know that if you come over to ask for help, you'll already have taken time to look it over and documented your findings so they can help you figure out the problem faster or point you in the right direction. It's possible you'll end up Rubber Duck Debugging the problem, and the act of talking through the problem will help you solve it.

    3. Last but certainly not least, you have to interact with your colleagues because they have the answers you need. Building and maintaining an enterprise software platform (to choose something of appropriately fiendish complexity) is not a solo sport. Your colleagues have different ways of understanding problems and different ways of using the knowledge they have. This goes for many definitions of colleague and many definitions of knowledge.

    This eventually turns into a virtuous cycle. People value each others' time and their own, so they do their own homework before asking a question. In turn, people are more likely to answer questions because they know the person asking will give them the interesting part of the problem to solve.

    Put another way: by explicitly taking enough time, everyone saves time.

    Matt Ringel is an Enterprise Architect in Akamai's Professional Services team

    There's been a lot of debate in the InfoSec community about the effectiveness (or lack thereof) of security awareness programs. More such discussion is likely this month as the Department of Homeland Security (DHS) promotes National Cyber Security Awareness Month.

    Rather than repeat my own position on the matter, I'll direct you to the post "Security Awareness Programs: Better Than Nothing." For now, I'm thinking about how DHS's initiative fits in with the Akamai Edge customer conference taking place, appropriately, in Washington DC next week. As I noted a couple of weeks ago, security will be a major part of the proceedings.

    There will be the Financial Services Roundtable Lunch on Security Information Sharing: Lessons Learned from Financial Services, and Former NSA Senior Counsel Joel Brenner will share his insider perspectives on the implications of our global reliance on the inter-connected and Internet-dependent way of life and how to address "the new faces of espionage and warfare on the digital battleground."

    There will also be a keynote discussion with Bruce Schneier, founder and CTO of BT Managed Security Solutions, and Akamai CSO Andy Ellis will lead a panel discussion on the lessons of Operation Ababil.

    As I cover these discussions, I'll tie them in with the themes of National Cyber Security Awareness Month. Beyond that, I'll write one post per week focusing on the individual themes, captured below. The exception will be week 2, as I'll be traveling. The following week's post will cover Oct. 7-18.

    Week One (October 1-4):
    Launch of 10th Annual National Cybersecurity Awareness Month. Cybersecurity is Our Shared Responsibility

    The next ten years in cybersecurity are critical to ensure a safe, secure, resilient cyberspace where the American way of life can thrive. Given the stakes, we must remain focused on meeting the challenges of the next ten years.

    Week Two (October 7-11):
    Being Mobile: Online Safety and Security

    Emphasizes the importance of cybersecurity no matter where you are or what device you are using.

    Week Three (October 15-18):
    Cyber Workforce and the Next Generation of Cyber Leaders

    Highlights the importance of fostering the next-generation cyber workforce through education and training.

    Week Four (October 21-25):
    Cyber Crime

    Focuses on national and local efforts to prevent traditional crimes like theft, fraud, and abuse that can also take place online.

    Week Five (October 28-31):
    Critical Infrastructure and Cybersecurity

    Highlights the growing intersection between cyber and physical security when protecting the Nation's critical infrastructure.

    Silk Road, Tor and the Threat of DDoS

    Whenever authorities bust somebody for alleged use of popular software for illegal purposes, there's always the chance digital miscreants will protest with DDoS and other attacks.

    That's certainly a possibility after the FBI's arrest of Ross William Ulbricht, known as "Dread Pirate Roberts," alleged operator of Silk Road, a marketplace for illegal drugs. 

    According to the Reuters news service, federal prosecutors charged Ulbricht with one count each of narcotics trafficking conspiracy, computer hacking conspiracy and money laundering conspiracy.

    In a Forbes article, writer Andy Greenberg added that authorities seized the Silk Road website along with between $3.5 million and $4 million in bitcoins, the cryptographic currency people use to buy drugs on Silk Road. In addition to using bitcoins, Ulbricht allegedly used Tor to conduct business.

    Tor is free software used for online, anonymous communications. It moves Internet traffic along through a free, global volunteer network using thousands of relays to hide a user's location from those who might try to spy on them via traffic analysis and other methods.

    Silk Road and Tor have many loyal users who will no doubt be unhappy with this latest turn of events. Don't be surprised if some of them express their feelings by launching fresh waves of DDoS attacks. The FBI's online resources are an obvious target, but when rage ensues everyone becomes fair game.

    Of course, there's always the possibility nothing will happen and I'll be happy if proven wrong. But it's best to be prepared. As always, Akamai will monitor activity for its customers and protect them from what may come.


    Was This Really One of the Internet's Biggest Attacks?

    There was an interesting story in eWeek yesterday about "one of the largest attacks in the history of the Internet" taking place last week. It describes a 9-hour barrage against an unnamed entity that swelled to 100 Gigabits of traffic at its peak.

    But does it really qualify as one of the biggest in Internet history? It's an impressive barrage, to be sure. 

    Reading the article reminded me of a post Akamai CSO Andy Ellis wrote back in March about a 300 Gbps attack against SpamHaus.

    (For additional perspective, check out Andy's blog post on "DNS reflection defense" and our page on Akamai's DNS security offerings)

    He wrote at the time:

    When we think about an attack at Akamai, we think about three things: the attacker's capacity, their leverage, and the target's capacity. And when we think about leverage, it's really comprised of two smaller pieces: how much cost efficiency the attacker expects to get, and how the target's resilience mitigates it. 300 Gbps isn't that bad when it's restricted to reflected DNS traffic -- if you have enough capacity to ingest the packets, they're pretty trivial to drop, and, until your network cards fill up, are less effective than a SYN flood.

    So why bother? Andy continued:

    The attacker likely doesn't have 300 Gbps in their botnet - they probably have somewhere in the range of 3 to 60 Gbps. Attacks through DNS resolvers are amplified - so the attacker can create a larger attack than they might have otherwise, at the cost of reducing their leverage. In comparison the BroBot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps. Because they're willing to sacrifice their hosts, they have a wider range of attacks available to them. Commonly, they send HTTPS request floods - requiring their targets to negotiate full SSL connections, parse an HTTP request, and determine whether they'll deliver a reply or not. BroBot could certainly throw around a bit more bandwidth with DNS reflection - but against most of their targets, it would have less effect than some of their current tactics.

    I write this with the admission that I'm not an expert in the metrics of data transfers and the size of Internet traffic in general. As a still-fairly-new Akamai employee, I'm learning quickly. But I'm not ready to shoot down the claims others make.

    But as a long-time journalist, I also know how easy it is to make too much or too little of attack traffic patterns. In the hurry to cover breaking news, I've been the sucker of more than one claim over the years. So whenever I see "biggest" or "largest" in a headline, I'm an instant skeptic.

    Having said that, I welcome your thoughts. Is this really that big, or is it hyperbole?
