In praise of having a Plan B

analysis
Jun 18, 2004

The Akamai DNS attack underscores the need to have more than one source for address resolution

The DoS attack against Akamai Technologies’ DNS servers a few days ago surprised many. The company has long been regarded as having one of the most robust infrastructures, and the fact that someone was able to tie up its servers for even a little while was unexpected.

According to Akamai’s Web site, the attack wasn’t all that bad. Only a small number of customers were affected, and only a small percentage of users of those sites had problems for long.

What happened, basically, is that attempts to contact companies that use Akamai’s services — including Federal Express, Microsoft, and the FBI — resulted in DNS errors. This didn’t affect everyone. Companies with DNS servers that didn’t depend on name resolution at Akamai had no problem reaching the affected Web sites. Third-party DNS servers that had fresh caches and didn’t flush them right away also had the required addresses available.

But the fact is that many customers were affected. For 45 minutes, many found it impossible to reach Microsoft Web sites or get their FedEx packages shipped. For companies that depend on such access, business effectively stopped for that period of time.

The fact that Akamai restored full service in such a short time is evidence that the company not only had a plan but that it worked, says Reed Harrison, CTO of eSecurity. Harrison also noted that much of what happened was outside Akamai’s control: “Somebody had to have tens of thousands of computers to do this.”

And yet, how do you stay in business during such attacks? Jon McCown, director of research at TruSecure, suggests that it might pay big dividends to have alternate means of name resolution for Web sites you absolutely must reach. For example, you can keep a host file on your internal DNS server for the FedEx Web site or perhaps a list of several unrelated DNS servers for querying. Because either of these methods could help you bypass DNS servers that are having problems, you would at least have alternate routes.

Although this strategy might help in cases of a DoS attack that affected name resolution servers, it won’t solve all problems. If worm activity or other attacks are simply filling up your bandwidth or that of your access provider, you’re still without bandwidth, and the addresses won’t help you. And of course, you’ll need to make sure you continue to have the right DNS entries on your own network if you decide to keep them there. They can change, after all.
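A sketch of the fallback McCown describes, with the freshness check the caveat above calls for. It is an added example, not code from the article or anyone quoted in it. The function names, the `pinned` table layout (hostname mapped to a set of IPv4 strings) and the minimal UDP client are assumptions, and the client goes beyond the text so that each resolver can be queried directly:

```python
import ipaddress, secrets, socket, struct  # added example; all names below are illustrative

def build_query(name, txid):
    """Encode an A-record question for `name` in RFC 1035 wire format."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", 1, 1)

def _skip_name(msg, off):  # step past a (possibly compressed) domain name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_a(msg, txid):
    """Return the set of IPv4 addresses in a reply; raise on a mismatched or failed reply."""
    rid, flags, qd, an = struct.unpack(">4H", msg[:8])
    if rid != txid or flags & 0x000F:        # wrong transaction ID, or RCODE != 0
        raise ValueError("unusable reply")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # name, then QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:        # A record
            addrs.add(str(ipaddress.IPv4Address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return addrs

def udp_query(server, name, timeout=2.0):
    """Ask one resolver over UDP; connect() makes the socket drop other senders' datagrams."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        s.send(build_query(name, txid))
        return parse_a(s.recv(512), txid)

def resolve(name, resolvers, pinned, query=udp_query):
    """Try each resolver, then the pinned table. Returns (addrs, source, pin_is_stale)."""
    for server in resolvers:
        try:
            addrs = query(server, name)
        except (OSError, ValueError, IndexError, struct.error):  # timeout, SERVFAIL, garbage
            continue
        if addrs:
            return addrs, server, name in pinned and not (pinned[name] & addrs)
    if name in pinned:
        return pinned[name], "pinned", False
    raise LookupError(f"no resolver answered and no pinned entry for {name}")
```

A `True` in the third position means a live resolver answered with addresses that do not overlap the pinned ones, which is the signal to refresh the host file before it is needed in an outage.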

Ultimately, you must make sure you have a way to get past a foreseeable problem, and an attack on the DNS is one of those problems. In other words, you have to do what Akamai did: Have a plan, and when the problem crops up, act on your plan quickly. That will at least help keep such problems from putting you out of business for good.