Following last week’s Akamai outage, the Internet’s survivability once again became a hot topic. Diego Doval, CTO of Clevercactus, noted on his Weblog that although the packet-switching fabric itself is highly decentralized, the services that breathe life into the Internet are not. “So today, Akamai sneezes and the rest of the world gets a cold,” Doval wrote. “Tomorrow, it will be someone else.”
In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai’s proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. “We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures,” Vixie told Internetnews.com.
To protect an asset as unique and vital as the root name servers, such tactics are clearly warranted. But if Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would “drive their accountants crazy.” The same holds true for the average enterprise, of course. Maintaining a heterogeneous infrastructure would make life hard for attackers, but even harder for you. Instead, we need to make the network fabric itself more resilient and adaptive.
I got a glimpse of how that might happen when I spoke with CloudShield Technologies about its recently announced CS-2000, which the company describes as a server for applications that do deep packet processing at gigabit-per-second rates. The CS-2000, a second-generation product scheduled for general availability in the third quarter of 2004, is a two-headed beast. Its DPPM (Deep Packet Processing Module) runs a proprietary real-time OS and hosts packet-oriented applications, and its Pentium-based Server Module runs Linux to manage and control the “data plane.” The DPPM comprises an exotic mix of commercial NPUs (network processing units), FPGAs (field-programmable gate arrays), and TCAMs (ternary content-addressable memories), plus CloudShield’s own Silicon-DB, an onboard database that can efficiently handle hundreds of thousands of stateful flows.
For programmers, the company offers a high-level packet-oriented language embedded in an Eclipse-based programming environment. The system might be a DDoS mitigator, an intrusion detector, an e-mail scanner, or anything else that needs to scan all your traffic, correlate events, and perform complex, rules-based computation on the fly. Such applications have historically been delivered on single-purpose hardware. A general-purpose platform, says CTO and founder Peder Jungck, will make it cheaper and easier for service providers (and eventually enterprises) to deploy and maintain packet-aware applications and will radically accelerate their development.
For now, the attackers are winning the arms race. The technology we’ll need to monitor, react, and adapt in real time has yet to evolve, but it’s headed in that direction.