False alarms spark barrage of Akamai complaints

A quirk in common security software is setting off false alarms that have brought at least one content delivery company a steady stream of complaints.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
2 min read
A quirk in common security software is setting off false alarms that have brought at least one content delivery company a steady stream of complaints.

Akamai, which speeds content delivery on the Internet by maintaining a network of computers closer to consumers, is receiving daily gripes from people who think--mistakenly--that the company is scanning their ports, or sending packets designed to get information about their computers.

Akamai said it does not scan end-user ports but that a glitch involving common personal firewall software and the latest version of the basic Internet transport protocol, HTTP 1.1, is causing false alarms that make it seem as if Akamai is sniffing around networked computers.

"This has nothing to do with Akamai's content delivery services or technology," a company representative said in an email interview.

The problem, according to Akamai, has to do with the new way that HTTP 1.1 terminates connections between client and server computers. Because HTTP 1.1 supports persistent connections, the Web server relies on the visitor's computer to signal that the visit is over and the connection should be closed.

But if the connection is closed improperly--for instance, if the browser crashes or if the network connection gets cut off--the server will continue sending packets to the visitor's computer.

Normally, a server can tell that its packets are running against an aborted connection.

But some personal firewall software, interpreting the queries as hostile snooping, refuses to permit those incoming packets to glean any information about the connection. So they continue ad infinitum, often setting off alarms with personal firewall software that thwarts what it considers to be suspicious port scanning.

Hackers typically scan ports to scout for possible points of entry.

Because of Akamai's reach, many of those persistent querying packets arrive with an Akamai return address, fueling indignation against the company.

"Akamai is like a nasty little pit bull attached to my browser's ankle, and it won't let go," one Web surfer wrote in an email interview.

Akamai insists that the problem lies with firewall software that won't acknowledge the server queries and said it is working on the problem with ZoneLabs, which makes the firewalls frequently implicated in the daily complaints Akamai receives.

Akamai said the problem also can arise in a situation in which Internet users are assigned random Internet Protocol (IP) addresses, as is common with many consumer dial-up Internet service providers and corporate settings.

In this scenario, if someone improperly terminates a Web connection, the subsequent user of that IP address could wind up getting the querying packets.