On Friday, Microsoft changed its DNS so that requests for www.microsoft.com no longer resolve to machines on Microsoft's own network, but are instead handled by the Akamai caching system, which runs Linux.
Akamai provides an internet-wide caching system, which can act as a symmetric defence against distributed denial of service attacks. Just as a denial of service attack funnels traffic from many different points to a single destination, Akamai’s DNS servers multiplex requests for a specific hostname to the point in its global caching system nearest to each attacking machine. This diminishes the effect of the attack by dividing the inbound requests amongst its many servers, and limits the amount of DDoS traffic by localising the distance between attacker and target. Akamai presents a more challenging target for a DDoS than any single network, and would seem to be the best practical step where a distributed denial of service is directed at a hostname that the target organisation cannot reasonably take offline.
Posted by mhp at August 17, 2003 04:19 PM
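The dilution effect described above, as an added illustration (not code from the original post or from Akamai): a toy model in which a mapping DNS server answers each source with its nearest edge cache, compared with sending everything to one site. The node names, coordinates, request rates and the use of straight-line distance as "nearest" are all constructed assumptions.

```python
from collections import Counter
from math import hypot

# Constructed model: edge caches and a single origin on an abstract 2-D map.
EDGES = {"edge-a": (0, 0), "edge-b": (10, 0), "edge-c": (0, 10), "edge-d": (10, 10)}
ORIGIN = (5, 5)

# Constructed attack sources: ((x, y), requests per second).
SOURCES = [((1, 1), 100), ((2, 1), 100), ((8, 2), 300), ((9, 1), 100),
           ((1, 9), 200), ((2, 8), 100), ((9, 9), 50), ((8, 8), 50)]


def dist(a, b):
    """Straight-line distance between two map points."""
    return hypot(a[0] - b[0], a[1] - b[1])


def nearest_edge(src, edges=EDGES):
    """Edge the mapping DNS server hands to this source (assumed nearest-point rule)."""
    return min(edges, key=lambda name: dist(src, edges[name]))


def simulate(sources=SOURCES, edges=EDGES, origin=ORIGIN):
    """Compare one-site delivery with per-source mapping to the nearest edge."""
    per_edge = Counter()
    transit_origin = transit_edge = 0.0
    for pos, rps in sources:
        edge = nearest_edge(pos, edges)
        per_edge[edge] += rps
        # rate x distance: a rough proxy for how much network the flood crosses
        transit_origin += rps * dist(pos, origin)
        transit_edge += rps * dist(pos, edges[edge])
    return {
        "single_site_peak": sum(rps for _, rps in sources),  # all traffic, one target
        "per_edge": dict(per_edge),
        "edge_peak": max(per_edge.values()),                 # busiest edge only
        "transit_origin": transit_origin,
        "transit_edge": transit_edge,
    }


if __name__ == "__main__":
    r = simulate()
    print("single site peak rps:", r["single_site_peak"])
    print("per-edge rps:", r["per_edge"], "peak:", r["edge_peak"])
    print("transit (origin vs edge): %.0f vs %.0f" % (r["transit_origin"], r["transit_edge"]))
```

The model also shows the limit of the defence: sources clustered in one region still concentrate on the edge nearest to them.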