Do We Now Know Akamai’s Threshold?
When Akamai decided that it was no longer worth it from a business standpoint to sponsor (through pro-bono service) the highly popular and highly targeted security website KrebsOnSecurity.com, it unceremoniously dumped Brian, with the result that Brian’s site has been taken off the Internet.
This sets two bad precedents. First, it’s a real shame to see that Brian’s site has been forced to capitulate to the criminals. That’s terrible. For his part, Brian says he holds no ill will towards Akamai. There are many professionals right now working to solve Brian’s problem and I would not be surprised if it were back online soon - one thing I know about Brian is that he does not give up easily.
The substantially larger precedent set has been that of Akamai – a company that has bragged that it handles about 30% of the Internet’s traffic every day; delivering more than 30 Terabits per second, and delivering the pipe through which users conduct nearly 3 trillion Internet interactions each day, enabling, it claims, more than $250 billion in annual e-commerce for its online retail customers.
By taking this decision, it would appear to even a non-casual observer that Akamai announced to the world that, if your site is getting attacked at a rate of 620 gigabits per second of traffic, you’re on your own.
I don’t care what justification they are offering, nor do I care what their media machine is kicking out. Akamai won’t comment on customers.
Defenders of Akamai have said that, since Brian was getting pro-bono service from Akamai, that Akamai would not be held to the standard that they would be with, say, a paying customer.
I say that’s interesting, but kinda balderdash.
If Akamai is doing it pro-bono, it’s doing it not from the goodness of its heart, but rather as a marketing and sales tool to demonstrate that, thanks to Akamai, Krebs can stay up, because Akamai is so awesome that it can, for example, deliver more than 30 Terabits per second, delivering the pipe through which users conduct nearly 3 trillion Internet interactions each day, enabling more than $250 billion in annual e-commerce for its online retail customers.
It’s an ad. It’s a billboard. And unfortunately, it still is an ad. A billboard. And right now, that billboard reads to me:
Akamai. Standing Behind Its Customers Until The Attack Hits 620gbps.
Don’t get me wrong: I am specifically saying that this is a business decision. When the attack was sustained for days, Akamai executives undoubtedly met in a vape-filled room and made the business call that this particular juice was no longer worth the squeeze.
That’s legit. But there are reputational consequences.
In my opinion, if I have Akamai running my traffic or denying my denials-of-service, it’s because Akamai is using my reputation to bolster its own. I note that Akamai has not yet called me to offer to protect this website, but I will check my voicemail later just to make sure. The point is, fighting DDOS attacks is very complex and difficult.
That means it’s expensive.
So for Akamai, it was a question: do we want to stand up perhaps the largest DDOS ever mounted in exchange for the inferred dollar value of the account? At some point the answer was no.
If I were an Akamai customer I would ask just how much Akamai would have my back, especially if I have “a good deal” with them. I would really wonder whether I pay them “enough” to justify them hanging in there with me.
We have an incident response customer this very week who told us, “Say, there seems to be something going on – our ISP told us that our pipe was saturated.”
Is this customer part of this amazing new botnet that is part of the attack on Krebs?
No way to know until we’re done.
But I do know that when small and medium sized businesses wonder who has their back, we are in the unfortunate position (as I pointed out recently) of regularly telling our customers when they have been hosed; that their expectations have not matched the realities of their contracts.
This is a crucial issue: How do customers know whether they’ve chosen wisely?
Or when they have chosen poorly.