The young content delivery services offered by Akamai Technologies, Speedera Networks and a lengthening list of others have until now been known for attracting companies from Yahoo on down for their ability to shave critical seconds off the time surfers wait for Web pages to load.
But it turns out these companies' services are also an unexpected defense against attacks of the nature that made many of Microsoft's sites virtually inaccessible last week. Microsoft said Monday it had given Akamai responsibility for handling its domain name system, which is the technology that translates Web addresses like "MSN.com" into the numerical system understood by most computers.
"It's not a preventative measure, but it does mitigate the effects of a denial-of-service attack," said Scott Blake, security program manager for Bindview's Razor consulting team. "There are so many points of entry...that it makes it a lot more expensive for someone to shut down the system."
Content delivery technologies like Akamai are based on moving as much content as possible--starting with static graphics and moving to streaming media and even some personalization features--as close as possible to individual Web surfers. The companies place thousands of servers inside hosting centers and individual ISP networks, so that as many people as possible have to go just one or two steps through the Net to reach most of a Web site, instead of transmitting data across the country.
Compare that with the mechanism behind so-called DDoS (distributed denial-of-service) attacks, which were the type that pushed Yahoo, eBay, CNN and others offline a year ago, and apparently contributed to Microsoft's woes last week.
In DDoS attacks, the instigator quietly takes control of multiple machines around the Internet, priming them to act together at a single command. Launching the attack sends a stream of data or even ordinary Web site requests at a single server, router or network, in hopes of overloading the systems so they fail or are inaccessible to others. This brute-force attack does not generally yield the attacker any internal data such as personal or credit card information, but can be temporarily devastating for the company attacked.
The content delivery network serves as a natural check on this kind of attack. Because so much of the content is distributed across thousands of places in the network, it's harder to reach.
Networks like Akamai's haven't been seen primarily as an anti-hacking tool. But analysts note that handling spikes of traffic at peak periods of demand--one of the key problems they are designed to solve--is almost precisely the same as a DDoS attack.
"In general, when you move things to the edge of the network, denial of service becomes more difficult," said Peter Christy, an analyst with Jupiter Research.
This has long been an undermarketed feature in the content delivery systems, but Microsoft's adoption of Akamai's network as a defense is likely to help the whole industry by shifting potential customers' perceptions of what they're getting, the analyst added.