> Terrible PR, and that mud will stick in tech circles. Akamai folds under pressure.
Definitely. The lesson I'd take from this is that Akamai isn't serious about DDOS protection.
For me, buying DDOS protection is something like buying insurance. I don't expect to need it, but if the worst happens, I expect them to stick with me. The way I measure insurance providers is by asking friends how it was when they had a claim.
It strikes me as especially bad that they're doing it in the moment. It'd be bad enough if they said, "Sorry, Brian, this is too big a distraction; you've got 90 days to find a new home." But that they're dropping him in the middle of an attack? That means I can't trust Akamai.
I had some friends who worked at Akamai. I always got the impression that they were very serious about addressing anything which could disrupt service, including DDoS.
Yup. And it's those people I feel bad for. I'm sure I would have been one of the tech people saying, "We must not give in! Let's use this as incentive to keep upping our game. That's the only way we'll win in the long haul."
You're entirely ignoring the fact that there's no way Krebs could've possibly been paying Akamai enough to tank the attack.
> For me, buying DDOS protection is something like buying insurance. I don't expect to need it, but if the worst happens, I expect them to stick with me. The way I measure insurance providers is by asking friends how it was when they had a claim.
DDoS protection isn't insurance, Krebs gets attacked 24/7. Only an utter moron would be willing to sell Krebs DDoS insurance.
> That means I can't trust Akamai.
Which means nothing at all in a world without alternatives, hosts capable of tanking attacks like that number at two or less. But I get the impression you're not looking to spend hundreds of thousands of dollars a year on DDoS protection anyway.
> You're entirely ignoring the fact that there's no way Krebs could've possibly been paying Akamai enough to tank the attack.
They were hosting it pro bono. He never paid them enough to do anything. And yet...
> Only an utter moron would be willing to sell Krebs DDoS insurance.
But a smart person would cover him for free as a way of proving that they could handle the worst the DDoSsers gave out. To prove that they stick by their customers.
Most people who buy insurance never really use it. So what are they buying? A feeling of safety. Just think about the various insurance company slogans that come to mind.
> But he didn't buy anything. We can't extrapolate what happens to paying customers from the experience of a non-paying customer.
So, if he had paid one cent (thus being a paying customer), you could extrapolate?
I don't see how the price is in any way relevant here. They promised to protect him, and they failed to do so. Claiming afterwards that the premium was too low isn't the way this works.
Also, I doubt that it actually was "for free". He may not have paid in money, but likely in the form of (at the time positive) PR, for example.
You're right the actual amount of money is not relevant. What is relevant is that the contract he signed with them is not the contract paying customers sign when they do business with Akamai.
Since we have no idea what was in the contract this guy signed and it's all speculation, this discussion is totally vacuous and pointless.
> They promised to protect him, and they failed to do so.
How do you know what they promised? They could have promised protection, or they could just as well have told the guy "hey, here is some free caching for you, m'kay? No strings attached". Hell, it's possible he didn't even sign anything, and there wasn't a contract at all!
If he were a regular paying customer, I would make the assumption that the contract he signed is likely the same, or similar to the contract I would potentially sign, and this would put Akamai in a very bad light to me.
Since the contract this guy signed is not the contract I would sign, I cannot rationally infer any information from this incident, good or bad.
If Akamai emails me and offers me some free service, then yes, this information would be valuable and relevant. Until that day, I can't make any use of this information.
You are missing the point which is that Akamai can't handle this DDoS.
Do potential customers care if Krebs is a paying customer or not? He went with them as they offer this service which apparently doesn't work as well as advertised.
There is no indication that Akamai can, or can't handle the DDoS. The only information we have is that they are only not willing to do it anymore for this particular customer. There is no indication that they won't do it because they lack the technical capacity to do it. Just as well they might not do it because this thing is financially disadvantageous to them.
As a potential paying customer, what they can and can't do is covered by their SLA, and that's all that matters. If they break their SLA they owe the customer compensation. This incident is irrelevant.
Of course I don't actually know what kind of SLA and indemnification Akamai provides. Maybe it's bad. Then after analysing the contracts I would make an informed decision. These things are what I use to make decisions, not random stories with no technical or business details on random blogs.
From what I've seen (quoted elsewhere in this thread) there isn't any significant penalty for Akamai if they are unable to mitigate, or choose to not mitigate, a DDoS attack. They might negotiate other terms, but I doubt it. DDoS mitigation is, by its very nature, a best-effort service, and reputation for not giving in to attackers is more important than any contract terms you're reasonably going to be able to get.
The attack was ongoing when Akamai gave Brian Krebs 2 hours to find alternate hosting.
The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity.
I mentioned that above, but I think this misses my point, which is:
If Akamai can't provide their service for free, then they shouldn't provide their service for free.
A CDN's whole business is resilience, which in this case makes them the bodyguard, not a bystander.
Whatever your opinion of Cloudflare, it seems clear to me that Matthew Prince keenly understands this, hence him reaching out and offering to step in and get Krebs back online.
tldr; If Akamai can't do the one job they exist to do in the face of an (albeit well armed) assailant, then they're the problem, not Krebs.
"This was flagged to my attention and I've reviewed all the interactions between the author and our team [cloudflare]. The site in question was using the free version of CloudFlare's service. On February 2, 2013, the site came under a substantial Layer 7 DDoS attack. While we provide basic DDoS mitigation for all customers (even those on the Free CloudFlare plan), for the mitigation of large attacks a site needs at least the Business tier of CloudFlare's service. In an effort to keep the site online, our ops team enabled I'm Under Attack Mode, which is available for Free customers and enhances DDoS protection.
The attack continued and began to affect the performance of other CloudFlare customers, at which point we routed traffic to the site away from our network."
That was 3.5 years ago. CloudFlare's ability to deal with DDoS has changed substantially in that time and we deal with enormous attacks day in day out automatically.
So how would you feel about 600gbit+? I'm genuinely curious, would it be an interesting challenge or an immediate avoidance? As a business customer myself and a big fan of CF's general attitude to these sorts of things, I know I'd be very happy to see the blog post on it.
We've offered to help Brian Krebs out. We don't see any reason we could not handle an attack of that size. We've already seen gigantic attacks and have a very well developed automatic infrastructure for dealing with all manner of attacks at different layers and an experienced 24/7 network team.
How do you feel about Krebs's criticism of CloudFlare for, in his view, sheltering the web presences of various DDoS-for-hire services? Just wondering what your response to his articles such as "Spreading the Disease and Selling the Cure" is. He seems to have taken some pretty strong anti-CloudFlare public positions.
I just want to take this opportunity to say that as a paying customer, this attitude towards your duty of keeping a site online, no matter whose it is, is exactly why we swear by CloudFlare and why almost no one else seems appealing in this field. I've watched your competition snuff out customers for being too controversial, while you guys just get it done. Thanks for this, it's really changed the shape of the internet in some ways.
Honestly I didn't know about this instance, but as another poster has mentioned, I don't believe this reflects where Cloudflare is today, and that's who Akamai is competing with.
On a side note, they really don't appear to be making a concerted effort to get out in front of this which tells me that they either aren't aware of the reaction or don't think it's a big deal.
They gave him service for free and covered many, many smaller attacks, including the 20-100Gbps attacks he reported earlier this month. The fact that they decided not to cover one of the largest attacks ever documented pro bono isn't great but I don't think any of their clients would fail to understand the difference between a favor and a signed contract.