Within a span of just a few weeks, another major internet outage has occurred. The latest incident involved Akamai Technologies, a content delivery network (CDN) provider, whose service interruption on June 17 caused several critical websites to go dark for about an hour.
Some of the parties affected by the outage include (but are not limited to) financial institutions like the Hong Kong Stock Exchange, Reserve Bank of Australia, Westpac Banking Corp., and Navy Federal Credit Union; major United States air carriers like Southwest Airlines and Delta Airlines; and human capital management firm Automatic Data Processing. Investigations are still ongoing.
Akamai revealed that the outage was specifically in its Prolexic Routed 3.0 distributed denial-of-service (DDoS) system, which started at 4:20 am Coordinated Universal Time. The impact was limited to Akamai customers using that version.
Many of the approximately 500 customers using the service were automatically rerouted, restoring operations within several minutes. Majority of the remaining customers were said to be manually rerouted shortly thereafter.
According to Akamai, the issue was caused by a routing table value that “inadvertently exceeded”.
The Akamai disruption is the second CDN outage this month. Last June 8, CDN provider Fastly went down as well, causing several major websites like Reddit, Spotify, and PayPal to return 503 errors.
Security experts weigh in
Lotem Finkelstein, Head of Threat Intelligence at Check Point Software Technologies, commented on the Akamai Technologies outage, saying: “This is the second time this month that the world is experiencing a major internet outage, and yet again it’s a leading CDN provider behind it. Today, an issue in Akamai’s DDoS mitigation platform, Prolexic, caused many leading websites to be unavailable to anyone who wishes to browse them. While it looks like all these firms are experiencing a well-synced outage, it is actually a single point of failure that causes the issue.”
Amit Sharma, Security Engineer, at Synopsys Software Integrity Group, opined on the issue as well: “The world of software implementation bugs still very much matches with the analogy of an iceberg. As in, we don’t yet know how many more software vulnerabilities/bugs lurk beneath the surface until they’re identified in the wild.”
“In such a large and complex environment, adding new code or configurations may trigger a new bug which wasn’t present before. This means that each new piece of code logic or configuration should be tested before it moves into production. That way, you can see what kinds of behavioural changes it may cause when it’s added so that applicable teams are aware of the final outcome.”
“In addition to writing new code securely, it’s also crucial to understand how the complete code base behaves when a new piece of code is added. A small error may wreak havoc across the deployment landscape if it’s not discovered and resolved early.”