in

Two obscure service providers briefly broke the internet. It could happen again

New York (CNN Business)For the second time in 10 days, a giant chunk of the internet briefly broke because of an outage at a company most people have probably never heard of.
The websites for Southwest Airlines (LUV), United Airlines (UAL), Commonwealth Bank of Australia (CBAUF), the Hong Kong Stock Exchange and others all went dark on Thursday after an issue at cloud service provider Akamai Technologies (AKAM).
The situation was nearly identical to another recent outage caused by a similar company called Fastly, which took out major sites including Reddit, CNN, Amazon (AMZN) and a UK government website.
Although the outages were both short-lived, they serve as jarring reminders of the internet’s fragility. And at a time when concerns are growing about cyber risks to critical physical US infrastructure, the outages may raise alarms about risks to our digital infrastructure, too.
Nearly all websites rely on a service provider like Fastly or Akamai — which run what’s called a “content delivery network” or CDN (we’ll get into what that means later on) — as a layer between internet users and the servers where their content is hosted. The problem: There are only a small handful of CDN operators. If one of them goes down — whether because of a benign software bug, as in Fastly and Akamai’s case, or a cyberattack — huge swaths of the internet could go with it.
“Absolutely the biggest centralized point on the internet is these CDNs,” making them a potential target for cybercriminals or government actors, Nick Merrill, research fellow at UC Berkeley’s Center for Long-Term Cybersecurity, said following the Fastly outage.
Utilities, social media platforms, news organizations, financial services, government agencies and more rely on CDNs to operate their websites. Although Fastly was able to restore its service quickly, one can imagine problematic future scenarios if the resolution is slower.
“The problem with the internet is it’s always there until it isn’t,” former Microsoft Chief Technology Officer David Vaskevitch, who now runs photo storage service Mylio, told CNN Business earlier this month. “For a system with so many interconnected parts, it’s not always reliable. Any one fragile part can bring it down.”
Even before the recent outages, internet infrastructure experts have been ringing the alarm about concentration in the CDN space, where the small number of major providers could make for big targets for an attack.
CDNs play a crucial security role by preventing so-called “distributed denial-of-service” attacks, where bad actors send tons of requests to access a website in an effort to overwhelm its systems and shut it down.
“They’re indispensable infrastructure,” Merrill said.
The catch is that so many websites — big and small — use CDNs as a layer between users and the servers where their content lives that when a CDN goes down, much of the internet can go with it.
In Fastly’s case, a software bug that appeared as part of a normal update briefly took out around 85% of the company’s network, the company said. Akamai said that around 500 of its customers were affected by an issue with its DDOS mitigation software that caused its outage.
And it’s not just CDNs. Amazon Web Services, a cloud computing service that supports numerous popular websites, has also experienced outages that end up taking down large chunks of the internet.
The risk
With any technology, occasional failures and outages are inevitable.
“There is no error-free internet, so the measure of success is how quickly a major internet firm like Fastly can recover from a rare outage like this,” said Doug Madory, director of internet analysis at network analytics firm Kentik.
Fastly detected its issue “within one minute,” and within less than an hour, 95% of its network was operating normally, senior vice president of engineering and infrastructure Nick Rockwell said in a blog post. Akamai, likewise, said it notified customers of the issue within seconds and the issue was resolved within four hours, though it took steps to ensure that most affected customers were only offline for a few minutes.
The bigger problem with the internet’s huge reliance on just a few CDN’s is the possibility that they become the target of an attack, Merrill said. He also worries about a potential government order dictating what such companies can and can’t provide support for, which could amount to government censorship of the internet.
Fastly is actually one of the smaller players in the CDN market. The largest is Cloudflare, which supports around 25 million internet properties including county websites, national ministries of health and corporate giants like IBM and Shopify. In 2019, Cloudflare was briefly in the spotlight after blocking support for 8Chan, making it difficult for the controversial online message board site to stay online.
Akamai is also among the larger CDN providers.
To be sure, CDNs have backup protections in place and websites can contract with more than one CDN operator in case of failures. Most of the time, an outage will be like Fastly’s — a temporary inconvenience. And websites could still appear online without a CDN, they’d just load slowly and be more at risk of cyberattacks.
But experts say there is still a risk that a bigger player like Cloudflare is targeted, or that multiple CDNs are hit at once.
“Worst case, it’s going to be an attack on Cloudflare,” Merrill said. “The Russian government or the Chinese government is going to take down Cloudflare and it’s going to break the internet.”
The solution, he said, could be antitrust regulation of the industry — similar to the regulatory pressure facing more consumer-facing tech companies — or promoting the growth of more CDN alternatives.
“People are really concerned rightly about antitrust issues in the tech space” Merrill said. “I don’t think that CDNs are as visible to people, but they’re probably the most important part of the core internet infrastructure that’s been privatized and centralized.”

Leave a Reply

GIPHY App Key not set. Please check settings

494 Comments