Akamai Diversity
Home > April 2014

April 2014 Archives

Akamai recently released the Prolexic Q1 2014 Global DDoS Attack Report. What follows are some of the key points, including a 114-percent increase in the average peak bandwidth of attacks.


Two Embarrassing Security Lessons

Good news: I got another look at how well Akamai's security procedures work. 

Bad news: It's because I made two simple mistakes. And I knew better.
The following is a post from Director of Product Marketing, Kurt Michel, and Senior Solutions Architect, Nicolas Weil.

It has been a very busy first quarter for the media team here at Akamai, where the technical folks have been elevating the quality of online video to all-new heights. In January at CES, we demonstrated 4K/Ultra HD streaming video with help from Qualcomm and Elemental. Last week at the NAB Show in Las Vegas, we showed what we believe was the world's first CDN-delivered 4K/Ultra HD 60 frames per second linear stream using Elemental's HEVC compression and MPEG-DASH packaging, highlighting the performance capabilities of our network and our new native DASH ingest feature.

Storm Stress Tester Crimeware Kit Targets Windows

The Akamai Prolexic Security Engineering & Response Team (PLXsert) has discovered a new tool attackers could use to target Microsoft Windows. The PLXsert advisory describes it this way:

The Storm kit is capable of infecting Windows XP (and higher) machines for malicious uses, including execution of DDoS attacks. Once a PC is infected, the Storm Network Stress Tester crimeware kit establishes remote administration (RAT) capabilities on the infected machine, enabling file uploads and downloads and the launching of executables, including four DDoS attack vectors.

A single PC infected by the new Storm crimeware kit can generate up to 12 Mbps of DDoS attack traffic with a single attack. As a result, orchestrated botnet attacks pose a significant DDoS threat. In addition, the RAT capability enables a variety of malicious activity, including the infection of other devices.

The RAT capabilities provide criminals with an all-purpose crimeware platform that can be used for a variety of malicious activity, including the infection of other devices, the advisory says.

"Remote administration lets malicious actors take over a PC from a distance, even from another continent," said Stuart Scholly, senior vice president and general manager of Security at Akamai Technologies. "In the last year, we've seen a growing volume of cyber-attacks coming from Asia. The Storm kit seems to have been custom-designed to infect and control vulnerable Windows XP machines in China."

One PC infected by the kit can generate up to 12 Mbps of DDoS attack traffic with a single attack. The kit comes pre-programmed to launch four types of DDoS attacks at once, increasing the potential attack volume.

A free download of the full advisory is available here.

Akamai PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post‐attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers and the security community.

By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

windowslivewriter9dc595f9764e-d3e9windows-bullet-holes21.jpg

2013 DDoS Analysis For Europe

This year, we decided to do something a little different to accompany the year-end State of the Internet Report. In addition to the analysis we do on the numbers for the world as a whole, we're breaking out a particular region to look at in more detail. Although it is not the target of the largest number of attacks, we chose Europe because, like the rest of the world, it is seeing a growing number of attacks.

Cisco and Akamai Announce Solution to Enable Digital Experiences and Relieve Network Congestion

Today marks another important milestone in Akamai's relationship with Cisco. Together we are enabling IT to respond to the business challenges to support the huge traffic increases brought on by the digital era.  Specifically, the IT challenge of supporting business leaders who are innovating at the branch office. Consider a retailer engaging customers with mobile assisted selling apps, digital displays and customer wi-fi. Think about a banker building out virtual branches to promote new financial services. Contemplate educators delivering a rich media curriculum to thousands of students. Reflect on business leaders adopting myriad digital experiences to improve productivity and drive revenues. In all these situations, organizations across the board are adopting new applications and services that require significantly more bandwidth than has been required in these "branch" locations. As important, these applications are no longer being hosted solely within the corporate data center. They are delivered from private or public cloud infrastructures, or directly from the Internet as a SaaS application.


Historical Lookback: Observed Attack Traffic

The previous two blog posts in this series reviewed how key connectivity metrics have trended over the last six years and trends in IPv6 adoption/IPv4 exhaustion.  Unfortunately, as connectivity has improved over the years, attacks on Internet infrastructure have become more commonplace.  This includes targeted DDoS attacks, application layer attacks, brute force login attempts, and attempted exploitation of known vulnerabilities (both new and those patched long ago). In today's post, we'll review observed attack traffic trends seen across a number of countries over the last six years. (While the choice of countries in the graphs below may seem a bit arbitrary, they are drawn from a data set initially aggregated at the request of the OECD a few years back.)

Prefetching: Anticipating the Next Move

The fastest HTTP request is the one never made. And a great way to avoid making the request is to fetch it before the user ever requested it! This video explains the different prefetching technologies Akamai offers, how each helps, and how they differ from one another.

Yesterday's blog post reviewed how key connectivity metrics have trended over the last six years.  In general, average and peak connection speeds, as well as high broadband and broadband adoption, have all grown over time, although the growth rates in some regions have clearly been more aggressive than in other regions.  However, without IPv4, none of that connectivity would have been possible.  Going forward, IPv6 will be a key enabler of connectivity as available IPv4 address space is exhausted.  In today's post, we'll review IPv6 traffic trends seen on the Akamai Intelligent Platform during 2013, as well as global IPv4 exhaustion trends seen during 2012-2013.

FFIEC DDoS Notice: The next step in the evolution of DDoS

The joint statement issued in early April by the FFIEC should come as no surprise to the banking and finance community in the U.S. Beginning in 2012 and continuing throughout most of 2013, banks suffered massive DDoS attacks, with dozens of banks attacked during 2013, and up to 50 banks attacked in a single week. A response from regulators such as this is part of the ongoing evolution of DDoS and information security for the financial sector, and is a positive step forward for the industry.

Historical Lookback: Connectivity Trends

Over the last few years, we have included a "Historical Lookback" section at the end of the 4th Quarter issues of the State of the Internet Report. The section has generally included data aggregated at a continental level (where appropriate), with graphs showing how particular metrics have trended over time.  This year, we are publishing the the historical lookback content as a series of blog posts, including interactive graphs that can be zoomed, customized, and saved.  Today's post will cover connectivity trends, including connection speeds and broadband adoption from 2008-2013, while posts over the next two days will cover trends in IPv6 Traffic and IPv4 Exhaustion, as well as Observed Attack Traffic.  (And don't forget that you can download the full 4th Quarter report, or any of the prior issues, from http://www.akamai.com/stateoftheinternet, or read them in the State of the Internet iOS app.)

Akamai Is Hiring

One of the most interesting aspects of working at Akamai is the sheer volume of opportunities within the company. Since I started here in my own role last July I have had no end of interesting challenges that have managed to keep me thoroughly engaged. Akamai is a company that allows you to grow and never has a shortage of amazing projects to work on. 

This sort of excellent working environment invariably brings forward the question, "How do I get a job at Akamai?" Well, I'm happy that you asked. In fact we have extensive job listings on our careers page. In point of fact we currently have four open positions right now for our Information Security team. Take your career faster forward where your only limitation is your own imagination. Check out these job descriptions. 



A new variant of DNS amplification attack relies on home gateways with open DNS proxies to forward DNS queries to ISP resolvers. To launch this exploit attacker can deploy their exploit code anywhere on the Internet that allows address spoofing, a compromised server in a hosting facility for example. From there DNS queries can be targeted at any network with open home gateways. These queries enter ISP networks at border routers.

The Argyle Executive Forum - Post-show report

Great panel session at the Argyle Executive Forum last week around Next Generation of Customer Care. My peers continue to see technology and the Internet as tools to enable and strengthen the customer experience across all industries, yet they still see relationships at the heart of customer intimacy. Folks came from all disciplines are looking for ways to create the ultimate experience through their Customer Care centers. Web experience continues to be a strong component of the brand and paramount to building customer loyalty.

Heartbleed: A History

In the interest of providing an update to the community on Akamai's work to address issues around the Heartbleed vulnerability, we've put together this outline as a brief summary:
  • Akamai, like all users of OpenSSL, was vulnerable to Heartbleed.
  • Akamai disabled TLS heartbeat functionality before the Heartbleed vulnerability was publicly disclosed.
  • In addition, Akamai went on to evaluate whether Akamai's unique secure memory arena may have provided SSL key protection during the vulnerability window when we had been vulnerable; it would not have.
  • Akamai is reissuing customer SSL certificates, due to the original Heartbleed vulnerability. 
More detailed information is below.

Cloudification of Web DDoS Attacks

Recent studies and reports show a dramatic increase in the prevalence of denial of service attacks in general, and application layer attacks in particular. As a result of this increase, DoS protection and mitigation solutions have evolved both on the technological side as well as in their ability to scale and protect against larger and more distributed attacks (DDoS).

Heartbleed Update (v3)

Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys.  We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community.  The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.
In short: we had a bug.  An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.  In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p.  These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability.  Given any CRT value, it is possible to calculate all 6 critical values.
As a result, we have begun the process of rotating all customer SSL keys/certificates.  Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. 
In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection.

Heartbleed Update

Update 2014-04-13: Our beliefs in our protection were incorrect; update here.
Today, we provided more information to our customers around the research we've done into the Heartbleed vulnerability.  As our analysis may inform the research efforts of the industry at large, we are providing it here. 
 
Summary: Akamai patched the announced Heartbleed vulnerability prior to its public announcement.  We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through 4 April 2014.  Our custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys.  There is one very narrow window through which 4 Akamai server clusters had a vulnerable release for 9 days in March 2013.  For the small number of customers potentially affected, we are pro-actively rotating certificates.
 
All certs issued on or after 1 April 2013 are certainly safe.
 
Please read below for more details on this issue.

Missed #NABshow? We've Got You Covered!

If you follow us on Twitter, you may have noticed that we were live tweeting at the NAB Conference in Las Vegas this past week. There was plenty going on, and 98,000 people attending from 150 different countries. Weren't able to make it out to Las Vegas this year? We've compiled all of our tweets from this past week, to get you up to date on what was talked about at NAB this year. Read our Twitter stream to follow the events and talks over the past week. Enjoy!

SOURCE Boston: Fighting Security Burnout

If you're attending SOURCE Boston, there's a discussion Thursday at 11 a.m. you should attend. It deals with a subject we've been working hard to address at Akamai: burnout in the security industry, and how we can make things better by tapping into the better angels of our nature.



OPEN Thoughts

It was only six months ago that Akamai opened its core technology, revealing the Open Platform Initiative strategy. The main idea was to enable everyone; every developer, every customer and every partner, to access Akamai technology and benefit from its amazing power. You may arguably say that this was a small step on a long path. But let's look back and see how much we walked, using the evolution of technology as our context.

As technology has evolved, there were milestones that changed the way we use it in our lives, milestones that changed and improved things forever. More importantly, technology plays a key role in the way we all behave, communicate, learn, share and spend our leisure time. Technology is now part of our lives, as it was never before.

SOURCE Boston 2014: Need a Job? Stop By Our Table

Attention, SOURCE Boston attendees: If you or anyone you know needs a job, come by our booth. Recruiters are on hand, and they have several positions to fill, including:

  • A program manager for InfoSec;
  • A senior manager for Enterprise Security;
  • A security architect for Adversarial Resilience; and 
  • A principal application software engineer for the Security Products Group.
We're also giving away an iPad at 5 p.m., so come put your business card in the raffle jar. And by all means, come grab some shwag.

10006383_10203740995191803_846107286495733959_n.jpg

SOURCE Boston 2014: Proof Heartbleed is a Big Deal

Akamai CSO Andy Ellis wrote about how we're protecting customers from the much-publicized Heartbleed vulnerability OpenSSL fixed in an update Monday. At SOURCE Boston 2014, there's plenty of personal proof that this bug is a big deal. You could say it ruined the first day of the conference for some.

Update 2014-04-11: Updated information on our later analysis here.

We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers.

The Heartbleed bug affects a heartbeat functionality within the TLS/DTLS portion of the library. It allows the attacker to -- silently and without raising alarms -- dump portions of the servers memory to the client. This can allow the attacker to walk through the memory space of the server, possibly dumping private SSL keys and certainly exposing important secrets.

All versions of the OpenSSL library between 1.0.1 and 1.0.1f contain the Heartbleed bug and should be updated to 1.0.1g as soon as possible. (The vulnerability researchers have posted their analysis, and an excellent analysis is up on Sean Cassidy's blog.

Fix Released for Heartbleed OpenSSL Flaw

A fix is now available for a serious Open SSL flaw known as Heartbleed. The vulnerability, covered in CVE-2014-0160, affects OpenSSL 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8.

SOURCE Boston 2014: Talk Descriptions

SOURCE Conference 2014 runs tomorrow through Thursday at the Marriott on Tremont Street, Boston. Akamai is a platinum sponsor of the event and we hope to see you there. To help attendees acclimate, we're sharing the following talk descriptions, which are also available on the conference website.

In today's financial world, smart organizations face tremendous pressure to deliver mission critical Web applications quickly, reliably and securely. Malicious attacks against the Financial Services industry are increasing daily. Financial institutions must meet regulatory requirements and protect their clients. Don't leave your brand to chance.... learn how IBM Edge Delivery Services powered by Akamai transforms the Internet into an Enterprise class network with superior performance, visibility, security and control.

Learn more about becoming an Akamai Partner: http://www.akamai.com/html/partners/index.html

And Now, This Message on 'Booth Babes'

For years, I've despised the so-called booth-babe phenomenon, in which vendors hire women to stand at their booths in skimpy attire at conferences. I've focused on what I see at security events, but the problem is universal.

If you want to know how I feel about it, read this Salted Hash write-up from a couple years ago. 

For the rest of this post, I direct your attention to this message from two individuals who want to see change.


As of 31 March 2014, the UK officially has a governmental Computer Emergency Response Team (CERT) that is responsible for being the central point for communication between a variety of governmental and business within the confines of the UK, as well as beyond. While this is the 'birthday' of CERT-UK, the organization has already been working hard since November to create infrastructure and hiring personnel, this was simply an official date to say "We're open for business."

Akamai is a Platinum Sponsor of SOURCE Boston 2014

Akamai is a platinum sponsor of next week's SOURCE Boston conference, and we'll have an army of security staff on hand to answer questions, show people around and help with introductions.

Caching is, at the end of the day, at the core of Akamai's business. As such, the more a website can cache on the edge, the more value they get out of Akamai, and the happier its users are. Dynamic Page Caching is a powerful capability that lets you cache content that appears to be uncacheable, and is explained in this video by Ravi Maira, VP Web Experience Products at Akamai.

Podcast: Cyber Competition in Review

My guest this episode is Kathryn Kun, manager of our Adversarial Resilience team. She reviews the recent Northeast Collegiate Cyber Defense Competition (NECCDC), of which she was an organizer.

As part of the competition, each team -- along with a new "CIO" -- was hired to take over IT operations for the fictional company EnV research Inc. The competition packet described the following scenario: "At the request of major stake holders, including the Department of Energy, the previous IT team was let go after confidential and proprietary EnV research documents surfaced online. As the new IT department, you will be tasked with securing the EnV network, while maintaining business operations."

NECCDC is the regional qualifier for the national Collegiate Cyber-Defense Competition (CCDC). The northeast region represents institutions in the states of New York, Maine, New Hampshire, Vermont, Massachusetts, Rhode Island, and Connecticut. 
 
The NECCDC selected one winner and one alternate to represent the region in this year's CCDC in San Antonio, Texas, April 19-21.

More Akamai Security Podcast episodes are available here.

hacker2.jpg