Following last week’s Akamai outage, the Internet’s survivability once again became a hot topic. Diego Doval, CTO of Clevercactus, noted on his Weblog that although the packet-switching fabric itself is highly decentralized, the services that breathe life into the Internet are not. “So today, Akamai sneezes and the rest of the world gets a cold,” Doval wrote. “Tomorrow, it will be someone else.”
In the case of the Akamai incident, the vulnerable service was DNS. Paul Vixie, architect of BIND (Berkeley Internet Name Domain) and president of the Internet Systems Consortium, charged that Akamai’s proprietary approach to DNS makes it a single point of failure. He added that the 13 DNS root servers, which weathered a vicious DDoS attack in 2002, are even more defensible today than they were back then. The root servers are resilient, Vixie said, because their operators embrace diversity. “We deliberately use different operating systems, different name server implementations, different kinds of routers, different kinds of switches, different kinds of CPUs, and especially, different operational procedures,” Vixie told Internetnews.com.
To protect an asset as unique and vital as the root-name servers, such tactics are clearly warranted. But if Akamai tried to diversify the implementation of its large-scale content-delivery network, Vixie said, the cost would “drive their accountants crazy.” The same holds true for the average enterprise, of course. Maintaining a heterogeneous infrastructure would make life hard for attackers, but even harder for you. Instead, we need to make the network fabric itself more resilient and adaptive.
I got a glimpse of how that might happen when I spoke with CloudShield Technologies about its recently announced CS-2000, which the company describes as a server for applications that do deep packet processing at gigabit-per-second rates. The CS-2000, a second-generation product scheduled for general availability in third quarter 2004, is a two-headed beast. Its DPPM (Deep Packet Processing Module) runs a proprietary real-time OS and hosts packet-oriented applications and its Pentium-based Server Module runs Linux to manage and control the “data plane.” The DPPM comprises an exotic mix of commercial NPUs (network processing units), FPGAs (field-programmable gate arrays), and TCAMs (ternary content-addressable memories), plus CloudShields’ own Silicon-DB, an onboard database that can efficiently handle hundreds of thousands of stateful flows.
For programmers, the company offers a high-level packet-oriented language embedded in an Eclipse-based programming environment. The system might be a DDoS mitigator, an intrusion detector, an e-mail scanner, or anything else that needs to scan all your traffic, correlate events, and perform complex, rules-based computation on the fly. Such applications have historically been delivered on single-purpose hardware. A general-purpose platform, says CTO and founder Peder Jungck, will make it cheaper and easier for service providers (and eventually enterprises) to deploy and maintain packet-aware applications and will radically accelerate their development.
For now the attackers are winning the arms race. The technology we’ll need to monitor, react, and adapt in real time has yet to evolve, but it’s headed in that direction.