At ITogether we are often talking to customers about Akamai for the first time. We evangelise everything Akamai and we love them and their platform !
We often get into a conversation along the lines of ‘how big’ ‘how resilient’ ‘how much traffic’ ‘what happens if’ – these are answered in a very similar way. It’s important first to understand the sheer scale and size of the Akamai network and platform(s) for their services worldwide. It is important to understand that there is not anything bigger or better. 20 years in the making isn’t something that can be ‘bettered’. Even the industry biggest names like Google, Amazon and Microsoft could never build a network as big to catch up. Numbers like 250,000 world wide servers. This number alone makes the mid boggle. Imagine the logisitics of managing, maintaining and replacing these devices. Can you imagine what that many devices would look like piled together !
Akamai FastDNS
Let’s talk about DDoS resiliency firstly. How does Akamai protects its own critical Internet infrastructure from DDoS attacks ?
DDoS resilience has always been a key strength of Akamai’s platform architecture for the past 20 years. At the highest level, the Akamai capacity planning model takes the largest verifiable attack and multiplies it by several factors to ensure ample headroom as attacks grow in size. This method has allowed Akamai to be ready and successfully defend against the largest and most sophisticated attacks in history, including the QCF attacks on American banks and at the time a record-breaking 620 Gbps attack on a pro-bono Akamai customer.
Akamai protects customers against DDoS attacks through the Akamai Intelligent Platform™, the Prolexic Network, and distributed FastDNS infrastructure and makes appropriate investments to ensure the resilience of its platform infrastructure.
Akamai maintains sufficient global capacity to absorb the largest DDoS attacks and distributes that capacity around the world to stop attacks closer to the source. For reference, Akamai recently delivered a record 41 Tbps of traffic on their CDN platform. With average daily traffic less than 25 Tbps, this leaves ample available capacity to absorb the largest DDoS attacks while maintaining the availability of their CDN services. Beyond capacity, Akamai architected a CDN for availability and resiliency through any adverse conditions – not just DDoS attacks. The Akamai CDN always connects end users to the optimal Akamai edge server, regardless of the status of individual servers, and automatically routes user traffic around local network outages. With over 250,000 servers currently deployed around the world today, Akamai can maintain connectivity through the most adverse conditions, from network congestion to ISP outages to DDoS attacks. Finally, Akamai deploys a wide range of controls to defend against DDoS attacks within each server, such as the rate controls, blacklists and geo-blocking capabilities utilised with the Kona Site Defender solution.
Akamai operates an authoritative DNS service similar to Dyn Managed DNS. Akamai architected Fast DNS for availability and resilience against DDoS attacks, in addition to performance. DNS is core to the Akamai platform. Akamai runs more DNS servers worldwide than any other network or provider. Akamai has segregated the Fast DNS infrastructure into twenty separate DNS clouds, including nineteen specifically architected for availability. They then distribute the name servers assigned to customers across the DNS clouds in order to minimise the impact that attacks against any one customer can have on others. Within each DNS cloud, Akamai deploys clusters of name servers in such a way as to minimise the impact that localised attacks can have against the entire network, such as deploying name servers directly into ISPs to maintain service for ISP users. Finally, Akamai maintains sufficient capacity across the entire Fast DNS infrastructure to absorb the largest DDoS attacks, with additional controls to defend against attacks, such as rate limiting and whitelisting DNS requests.
Akamai Prolexic Network
Akamai is continuously investing in the Prolexic Network by ensuring each scrubbing center has three Tier 1 carrier connections to distribute traffic and avoid overwhelming local ISPs. They are also looking at adding more than half a terabyte/sec of extra capacity to what is already the largest DDoS mitigation scrubbing service in the world. Akamai has a public peering policy with over 500 peers, and high performance traffic analysis and active mitigation at multiple layers of the OSI stack. New scrubbing centres have already been brought on-line in 2018. Customers now have the option to BGP peer with upto four scrubbing centres.
Akamai have several tools in their armoury to defend customers against attack.
-
Flexibility in managing impact of attacks
-
Ability to shift non-targeted customers away from infrastructure under attack
-
Ability to borrow additional capacity from CDN
-
Ability to assign NS delegations through Prolexic Routed to borrow capacity
-
Additional controls such as rate limiting and whitelisting
Akamai has been defending against DDoS attacks for two decades and has demonstrated the ability to protect their customers and maintain infrastructure availability even through the largest DDoS attacks of the time. As the threat landscape evolves, Akamai is continuing to issue new threat research such as the SIRT issued in August 2016 for what is now known as the famous Mirai botnet while evolving the Akamai procedures and platform infrastructure to stay ahead of those with malicious intent. As attacks get larger, Akamai is making sure they have the capacity to protect any customer. As attacks get more complex, Akamai continues to apply what they learn defending all of their customers to make protections as resilient as possible, and Akamai are deeply committed to providing the most robust cloud security platform in the world.
0 Comments