Akamai Security Capabilities Whitepaper


White Paper

Akamai Security Capabilities:


Protecting Your Online Channels and Web Applications
Table of Contents

EXECUTIVE SUMMARY  1
  The Threat Landscape  1
  Defense Beyond the Perimeter  2
  Akamai Security Capabilities  2
APPLICATION LAYER SECURITY  3
  Web Application Firewall (WAF)  3
  HTTP Authorization Controls  4
  User Prioritization  4
NETWORK LAYER SECURITY  4
  SiteShield  4
  Secure Delivery (SSL & Digital Certificates)  5
  PCI Compliance  5
  IP-Based Fraud Detection  5
  IP-Based Rights Management  6
  IP Blacklisting/Whitelisting  6
DNS SECURITY  6
  Enhanced DNS (EDNS)  6
  Global Traffic Management (GTM)  6
DENIAL-OF-SERVICE MITIGATION  6
  The First Line of Defense: Massive Scale  6
  Traffic and Origin Health Monitoring  7
  Additional DDoS Mitigation Capabilities  7
BUSINESS CONTINUITY  8
  Zero-Downtime Delivery Platform  8
  Improved Reliability for Dynamic Content  8
  NetStorage  8
  Site Failover  8
  EdgeComputing  9
PAYMENT SECURITY  9
  Edge Tokenization  9
AKAMAI: BUILDING A BETTER, MORE SECURE WEB  10


Akamai Security Capabilities 1

Executive Summary
As companies continue to push their business-critical data and operations to the Internet, they must also take appropriate measures to protect these assets from the growing threats of the online world. From worms and viruses, to phishing and pharming, to botnets and denial-of-service attacks, the Internet’s open infrastructure is an easy target for criminals looking to profit by stealing data, compromising systems, or otherwise disrupting the increasing amounts of business transacted online. To combat this proliferation of threats, enterprises need a multi-layered defense architecture that can protect their increasingly porous perimeter against potential attacks that are continually growing in sophistication and magnitude.

Situated at the entry point between end user requests and the enterprise’s core infrastructure,
the Akamai EdgePlatform can uniquely provide certain critical layers within a robust defense system.
Leveraging its vantage point as the world’s largest distributed computing platform, the EdgePlatform
offers a broad range of flexible and highly scalable security capabilities to help customers extend their
defenses out to the edges of the Internet and harden their infrastructure to the massive-scale attacks
that are possible today.

This whitepaper gives a broad overview of the ways in which Akamai can help organizations bolster
the security of their Web-based assets, with capabilities ranging across the application, network,
and DNS layers, as well as solutions focused on Distributed Denial of Service (DDoS) mitigation and
business continuity.

Introduction
The Threat Landscape
In recent years, there has been a dramatic rise in the scale and severity of attacks launched on Web sites and applications. Cyber crime has grown increasingly lucrative as companies migrate from mainframe to desktop to Web, relying more and more on the Internet for mission-critical data and operations. The Internet is now a virtual gold mine of sensitive data and valuable assets — but, unfortunately, its security stature has not yet caught up.

In fact, the opposite is occurring: vulnerabilities have multiplied as the Web becomes an increasingly complex and heterogeneous environment. Security plays second fiddle to the competitive pressures that drive unending cycles of rapid application development — so weaknesses and potential attack points are continually introduced. This means Web sites and applications are more susceptible to threats than ever. In fact, the Web Application Security Consortium recently found that more than 87% of Web applications carry a vulnerability classified as high risk or worse, with about half of the risks detectable through purely automated scanning.¹

To make matters worse, malware has grown increasingly dangerous, as worms and viruses leverage ever more sophisticated techniques and become more difficult to detect and counteract. With stealthy use of advanced rootkits, social engineering, encryption, polymorphism, and the like, malware is propagating faster than ever across millions of unsuspecting hosts. As a result, botnets — the armies of infected zombie machines that carry out many of today’s cybercrimes — have grown exponentially in recent years. Recent estimates state that more than 100 million computers are currently part of a botnet.² Their numbers pose an enormous threat, because the zombie armies are both cheap and highly effective at executing any number of different cyber crimes, including DDoS attacks, data theft, spamming, phishing, and propagation of spyware and other malware.

No one is safe: recent, well-publicized attacks have crippled all types of establishments, from popular social networking sites to financial firms, from government organizations to the biggest names on the Web. With these attacks proving financially lucrative, a highly sophisticated criminal underground has formed, complete with an active black market for specialized services and clear ties to organized crime. While they deliberately fly under the radar, their impact is very real. According to a study conducted by Ponemon Institute, cybercrime costs a business $3.8 million per year on average, and these costs can range from $1 million to $52 million per company.³
Defense Beyond the Perimeter

In order to mitigate operational risks and secure mission-critical infrastructure in such a challenging threat environment, enterprises need to employ a defense-in-depth strategy, using overlapping layers of protection to detect and deflect attacks across all tiers and access points of their infrastructure.

In addition to traditional perimeter-based solutions such as firewalls, intrusion detection systems, hardened routers, and other security appliances, a highly distributed, cloud-based defense system provides a necessary layer within the defense-in-depth approach, particularly as enterprise network perimeters become more porous to accommodate a growing variety of mobile devices, access methods, and client platforms.

An edge-based defense offers unique capabilities for combating the pervasive, distributed nature of the Internet’s threats. It counteracts attacks at their source, rather than allowing them to reach the centralized perimeter. In addition, an edge architecture is the only one that can scale sufficiently to absorb and deflect the massive-scale attacks that today’s botnets are capable of — including DDoS onslaughts that can barrage sites with traffic levels hundreds of times higher than usual.

Designed with security, resilience, and fault-tolerance at the forefront, Akamai’s EdgePlatform is a proven platform for providing flexible and intelligent edge-based defense capabilities at all layers of the OSI stack, as shown in Figure 2. These cloud-based capabilities help organizations lock down their security perimeter and bolster their defense-in-depth architecture with the highly flexible and scalable protections needed to combat current day threats. Moreover, Akamai’s innovative approach overcomes the traditional tradeoff of sacrificing performance and availability for increased security.

Akamai Security Capabilities

Akamai secures, monitors, and operates the Akamai EdgePlatform, the world’s largest, on-demand distributed computing network, with more than 90,000 servers across more than 1,000 networks, located in 71 countries around the world. With a proven track record over a decade long, Akamai now delivers approximately one-fifth of all Web traffic and counts many of the world’s leading enterprises as its customers, including:

• 8 of the top 10 U.S. online brokers
• 5 of the top 6 online music sites, 29 of the top 30 media/entertainment companies
• 10 of the world’s governments and all the branches of the U.S. military
• All of the top 5 anti-virus companies
• Six of the top ten US insurance companies
• Over 90% of top online retailers, delivering over $200 billion in annual e-commerce revenue

Figure 1: Attack Traffic, Top Originating Countries

     Country/Region    Q4 ’10 % Traffic    Q3 ’10 %
  1  Russia            10%                 8.9%
  2  Taiwan            7.6%                7.1%
  3  Brazil            7.5%                7.9%
  4  China             7.4%                8.2%
  5  United States     7.3%                12%
  6  Egypt             3.6%                3.3%
  7  Italy             3.6%                3.0%
  8  Turkey            2.8%                3.0%
  9  Germany           2.7%                2.6%
 10  Romania           2.6%                2.0%
  –  Other             45%                 42%

Data from Akamai’s network shows that attack traffic sources continue to fluctuate, as the Internet’s global, interconnected nature makes cybercrime an equal-opportunity employer. These and other Internet statistics are published quarterly in Akamai’s State of the Internet reports.

Figure 2: Akamai’s proven EdgePlatform offers a broad range of highly scalable security capabilities that combat cyber threats at the application layer, IP network layer, and DNS layer, and offer DDoS mitigation and Business Continuity solutions across all tiers of infrastructure.

HTTP Application Layer
• Web Application Firewall
• HTTP Authorization Controls
• User Prioritization

IP Network Layer
• SiteShield
• Secure Delivery (SSL & Certificate Services)
• PCI Compliance
• IP-based Fraud Detection
• IP-based Rights Management
• IP Blacklists & Whitelists

DNS Layer
• Enhanced DNS
• Global Traffic Management

DDoS Protection
• Platform Scalability
• Application, IP, and DNS layer capabilities
• Traffic & Origin Health Monitoring

Business Continuity
• Zero-Downtime Platform
• SureRoute Technology
• Site Failover
• NetStorage
• EdgeComputing

Payment Security
• Edge Tokenization

Application Layer Security


More and more cyber attacks are bypassing traditional firewall and email-specific security controls by using increasingly sophisticated HTTP-layer attacks to target Web sites and applications. Unfortunately, Web applications’ heterogeneous nature, combined with continual, rapid development cycles, often leaves many doors open to exploit. In fact, recent estimates state that a new Web page is infected every 0.65 seconds.⁴

This trend drives the need for firewalls and other security defenses that can understand and analyze Web traffic payloads such as HTTP, HTTPS, and XML — and provide protection against treacherous application-layer threats such as cross-site scripting (XSS), buffer overflow exploits, and SQL injection attacks. Akamai delivers this type of protection at the edge of the network, augmenting traditional defense solutions with an unprecedented level of built-in redundancy and scalability.

Web Application Firewall (WAF)

Akamai’s Web Application Firewall service is a highly scalable edge defense system with the ability to detect potential attacks in HTTP and SSL traffic as it passes through the EdgePlatform, before reaching the customer’s origin data centers. The WAF service gives customers the ability to set up traffic blocks or alerts based on rules that either check for the presence of specific data like cookies, client certificates, and referrer fields, or detect anomalous and potentially malicious patterns in HTTP request headers. Based on a translation of the open source ModSecurity core rule set (CRS), Akamai WAF protects against the most common and harmful types of attacks, including XSS and SQL injection.

WAF is unique in its highly distributed architecture, which enables both instantaneous scaling of defenses as needed as well as filtering of corrupt traffic as close to the attack source as possible. Moreover, unlike a centralized firewall, WAF does not create any performance chokepoints or single points of failure that often prove to be easy targets for attackers.
Akamai’s Web Application Firewall uses configurable, rule-based application layer controls to prevent the following types of attack vectors:

• Protocol Violations
• Request Limit Violations
• HTTP Policy Violations
• Malicious Robots
• Generic and Command Injection Attacks
• Trojans/Backdoors
• Outbound Content Leakage (Server Banners)

Not every type of Web application attack is best dealt with as it passes through Akamai’s infrastructure. Some classes of attacks may be better addressed using detailed knowledge of the specific applications, databases and network infrastructure in the customer data center. Thus, WAF provides a highly flexible and efficient outer defense layer that works both as a stand-alone service and as a complement to other Web application protection systems — enhancing the robustness and scalability of those systems by migrating some of their functions to the Akamai platform so that centralized defenses can focus on more application-specific protections.

HTTP Authorization Controls

Akamai offers various authorization mechanisms that allow customers to retain full control over proper distribution of their access-controlled content, while still enjoying the enhanced performance and scalability offered by the Akamai network. The customer designates which content requires authentication and what authorization mechanism to use. These mechanisms include:

• Centralized User Authentication. The protected content resides on Akamai’s edge servers but each end user request is authenticated by the customer origin server before delivery, enabling centralized control while taking advantage of the high performance of offloaded delivery.

• Edge User Authentication. Akamai’s edge servers authenticate user requests for content on behalf of the customer origin server. This unique feature works based on a combination of encrypted cookies and special content URLs, dynamically generated by the customer origin server. The customer retains complete flexibility to choose the criteria with which to grant or restrict access, but the authentication and delivery process are completely offloaded to Akamai.

• Akamai Authentication. This is a flexible and robust mechanism to authenticate Akamai’s edge servers to the customer’s origin server using a shared secret key. This means the origin server can securely authenticate requests from any server in the Akamai network without using a preset list of IPs or other more rigid mechanism.

User Prioritization

Akamai offers the capability to manage flash crowd situations where the customer’s application server is at risk of failure. By monitoring application server health, Akamai is able to throttle load to the server when necessary, redirecting excess users to alternate, cached content — a virtual waiting room which keeps them engaged on the site and keeps the origin server from becoming overloaded. This offers a double benefit, as case studies show that recovering traffic levels after a site failure (where the site is completely inaccessible) takes much longer than recovering from a site slowdown.

Network Layer Security

While cyber attacks are growing in sophistication and an increasing number of the most devastating attacks are focused on the application layer, the IP layer still accounts for nearly two-thirds of attacks today.⁵ Accordingly, defenses that harden this fundamental layer of Internet communications are essential to the security of any Web infrastructure. Akamai leverages its unique architecture and real-time Internet knowledge base to offer a number of capabilities that help secure the network layer.

SiteShield

Akamai’s SiteShield service helps protect the customer origin server by cloaking it from the public Internet — that is, removing it from the Internet-accessible IP address space. This mitigates risks associated with network-layer threats, including lower layer DDoS attacks that directly target the origin server.

SiteShield works by allowing the customer’s firewall to restrict incoming connections to Akamai SiteShield servers only, rather than leaving the standard HTTP/S ports 80 and 443 open and vulnerable to all incoming connections. SiteShield servers can be configured to communicate with the origin on non-standard ports as well to provide additional port masking protection. Akamai’s EdgePlatform intercepts and fulfills each end user request, on the customer’s behalf, communicating securely and “invisibly” with the origin server as necessary to retrieve content that is not in cache.
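The Edge User Authentication and Akamai Authentication (shared secret) mechanisms described under HTTP Authorization Controls above, worked as an added Python example that is not Akamai's code: the origin mints a signed, expiring content URL and a matching cookie, the edge validates both with no origin round trip, and the origin verifies an HMAC header on requests forwarded by the edge. The HMAC layout, parameter names and key values are assumptions; Akamai's actual token format is not described on this page.

```python
"""Edge authentication tokens of the kind described above (added example, not Akamai's code).

Two checks modelled on the HTTP Authorization Controls section:
  1. Edge User Authentication: the origin mints a short-lived signed content URL
     and sets a matching cookie; the edge validates both without an origin round trip.
  2. Akamai Authentication (edge-to-origin): the edge signs each forwarded request
     with a shared secret so the origin can verify its source without an IP list.
The HMAC layout, parameter names and key values are assumptions for this example.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secrets for the example; real deployments provision these out of band.
URL_SIGNING_KEY = b"example-url-signing-key"
EDGE_ORIGIN_SECRET = b"example-edge-to-origin-secret"


def _sign(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def issue_signed_url(path: str, user_id: str, ttl_seconds: int,
                     now: Optional[int] = None) -> str:
    """Origin side: mint a content URL that expires after ttl_seconds.

    The signature covers path, user and expiry, so changing any of them
    invalidates the token.
    """
    expires = (now if now is not None else int(time.time())) + ttl_seconds
    sig = _sign(URL_SIGNING_KEY, f"{path}|{user_id}|{expires}")
    return f"{path}?{urlencode({'u': user_id, 'exp': expires, 'sig': sig})}"


def edge_authorize(url: str, cookie_user: Optional[str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Edge side: validate the signed URL and the session cookie, with no origin call.

    The cookie must name the user the URL was minted for, so a valid link
    cannot simply be replayed from another session.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user_id, expires, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed token"
    current = now if now is not None else int(time.time())
    if current > expires:
        return False, "token expired"
    expected = _sign(URL_SIGNING_KEY, f"{parts.path}|{user_id}|{expires}")
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if cookie_user != user_id:
        return False, "cookie does not match token user"
    return True, "ok"


def edge_sign_request(method: str, path: str, timestamp: int) -> str:
    """Edge side: header value proving to the origin that the edge forwarded this request."""
    return _sign(EDGE_ORIGIN_SECRET, f"{method}\n{path}\n{timestamp}")


def origin_verify_edge(method: str, path: str, timestamp: int, header_sig: str,
                       now: int, max_skew: int = 300) -> bool:
    """Origin side: accept only requests carrying a fresh signature under the shared secret.

    The timestamp bound limits how long a captured signature stays replayable.
    """
    if abs(now - timestamp) > max_skew:
        return False
    return hmac.compare_digest(header_sig, edge_sign_request(method, path, timestamp))
```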
Customer Case Study: SiteShield

Akamai SiteShield protects U.S. Citizen and Immigration Services

When the U.S. Citizen and Immigration Services (USCIS) wanted to both streamline
its infrastructure and provide cost-effective protection against denial-of-service
attacks, it chose Akamai, leveraging both the Dynamic Site Accelerator and
SiteShield solutions. According to Stephen Schillinger, Chief of Web Services
Branch, USCIS, “SiteShield provides us with peace of mind. With it, we know
our Web infrastructure will be safe from attack, and will remain available despite
any issues that may happen within the USCIS environment.”

“Akamai guarantees that our site is always available and that our users will have
as good an experience as possible.”

— Stephen Schillinger, Chief of Web Services Branch, USCIS

Secure Delivery (SSL & Digital Certificates)


Akamai delivers SSL-secured content over a network that is engineered to meet stringent
financial services industry standards. The Secure Delivery service enables customers to enjoy
Akamai’s performance, reliability, and offload benefits while delivering content protected
by SSL encryption and authentication.

Digital Certificates. In order to facilitate secure and trusted transactions, Akamai provides
a number of SSL certificate options to meet different customer business requirements.
These include single hostname, wildcard, and Extended Validation certificates, as well
as a seal option that displays a trust logo on the secure Web site or application.

Cipher Strength. Akamai edge servers can be configured to require a minimum cipher
strength in any SSL connection request. Requests that do not meet the minimum can
be denied or sent to an alternate page with upgrade requirements.

PCI Compliance
The Akamai SSL network is certified to the Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider guidelines. The Akamai SSL network is scanned quarterly by an Approved Scanning Vendor (ASV), plus assessed and audited annually by an independent Qualified Security Assessor (QSA). PCI compliance is required of all systems worldwide that process, store, or transmit credit card data. Akamai’s PCI certification allows customer organizations to streamline their own certification process and ensure protection of their sensitive user transaction data.

IP-Based Fraud Detection


Akamai offers fraud detection capabilities based on its ability to provide real-time
geographic data (such as country, state/region, city, latitude and longitude, or zip code)
for each end user request, based on IP information. This data is made available via
a simple API that can be integrated into the content provider’s Web application server.
The data can be used, for example, to verify address information entered by the end user;
mismatched locations may signal the need for a second level of verification. IP-based fraud
detection also enables blocking of requests from open or anonymous proxies that are
a high security risk.

IP-Based Rights Management

Similar to its IP-based fraud detection capabilities, Akamai’s ability to validate end user geography in real time helps content providers ensure that digital goods and information are delivered only to users in authorized geographies. With this capability, customers are able to enforce contractual or legal obligations, protecting their assets while reducing the occurrence and expense of distributing products to unauthorized locations and users.

IP Blacklisting/Whitelisting

Akamai offers the capability to allow or deny a request based on IP address:

• Blacklist: deny access to a list of specific IPs (and/or CIDR blocks)

• Whitelist: allow access to a list of specific IPs (and/or CIDR blocks) without further inspection

• Strict Whitelist: allow access to a list of specific IPs without further inspection; all other IPs are denied

This capability can be leveraged both for access control as well as mitigation of DoS attacks.

DNS Security

A Web site or application’s DNS (Domain Name System) infrastructure is a critical but often under-deployed part of its overall infrastructure. DNS failure can devastate an organization’s Web operations, yet many enterprises rely on just two or three DNS servers, often residing in the same network or even the same data center — making them vulnerable to server failures, power losses, or network outages, as well as DNS-based attacks. Akamai offers a number of options for customers looking to fortify their DNS system against such vulnerabilities.

Enhanced DNS (EDNS)

Akamai’s Enhanced DNS service provides a secure, robust and scalable outsourced DNS solution to reliably direct end users to an organization’s Web sites and applications. Configured as an authoritative Secondary DNS service, EDNS enables the customer to leverage the unparalleled performance, scalability, and reliability of Akamai’s distributed global nameserver platform without changing their existing DNS administration processes.

Using EDNS, the customer’s primary DNS servers are not directly exposed to end users, therefore mitigating the risk of cache poisoning and denial-of-service attacks. Moreover, EDNS leverages a number of technologies, including IP Anycast, secured zone transfers, router-protected name servers, and non-BIND-based DNS to provide customers with a highly secure and fault-tolerant solution.

Global Traffic Management (GTM)

Akamai’s Global Traffic Management is a highly scalable, cloud-based offering that enables companies with origin servers in multiple geographies to optimize the availability and performance of their Web applications. GTM leverages Akamai’s globally distributed dynamic DNS system to direct user requests to the best origin location based on customer-configured rules that encompass business policy and real-time Internet and origin server performance conditions that are continually monitored by Akamai’s EdgePlatform. Dynamically configurable business policies include automatic failover, weighted load balancing, or IP-based routing.

GTM can also be employed to help mitigate DDoS attacks that are emanating from localized regions. By leveraging real-time geographic information about each request, GTM can be used to set up a black hole — directing traffic from attack regions to nonexistent or nonresponsive machines — while directing legitimate traffic to the true origin servers.

Denial-of-Service Mitigation

Distributed Denial of Service (DDoS) attacks have become one of the most visibly disruptive forces in cyberspace. While some DDoS attacks are politically or socially motivated, many are financially driven — either by companies hiring cyber criminals to attack competitor sites, or by the criminals themselves blackmailing companies with the threat (or reality) of severe business disruption.

Unfortunately, with the proliferation of botnets, the size and scale of DDoS attacks has skyrocketed. According to Arbor Networks, the largest reported attack size doubled year-over-year, to more than 100 Gbps in 2010. This is an astonishing 1000% increase in attack size compared to 2005.⁶ It is worth noting that Akamai has defended against attacks in excess of 124Gb/s. The July 4th attacks of 2009 were yet another order of magnitude larger, as Akamai Technologies absorbed attack traffic in excess of 200 Gbps on behalf of its under-siege customers.

The First Line of Defense: Massive Scale

Akamai’s highly distributed global network of 90,000 security-hardened servers routinely delivers worldwide Web traffic of 4Tbps, on average, which has peaked as high as 6 Tbps. With its massive scale and real-time dynamic resource allocation capabilities, Akamai’s EdgePlatform is uniquely able to help its customers successfully withstand DDoS storms that can drive traffic levels to hundreds of times higher than normal. Moreover, Akamai’s intelligent load balancing and routing system ensures that the attack traffic does not degrade performance for legitimate end user requests — for any of Akamai’s customers.
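The three modes listed under IP Blacklisting/Whitelisting above (deny on a blacklist, skip inspection on a whitelist, deny everything off a strict whitelist), worked as an added Python example that is not Akamai's code: it parses a list of IPs and CIDR blocks and returns whether a client address is denied, allowed without further inspection, or passed on to further inspection. The mode names, decision labels and sample ranges (RFC 5737 and RFC 3849 documentation addresses) are assumptions.

```python
"""IP blacklist / whitelist / strict whitelist evaluation (added example, not Akamai's code).

Models the three modes described under IP Blacklisting/Whitelisting:
  blacklist         listed addresses are denied; everything else continues to
                    further inspection
  whitelist         listed addresses skip further inspection; everything else
                    continues to further inspection
  strict_whitelist  listed addresses skip further inspection; everything else
                    is denied
Mode names, decision labels and the rule format are assumptions for this example.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

DENY, ALLOW, INSPECT = "deny", "allow", "inspect"


def parse_list(entries: Iterable[str]) -> List[Network]:
    """Accept bare IPs or CIDR blocks; a bare IP becomes a /32 (or /128) network.

    Blank lines and '#' comments are skipped so the list can be kept in a file.
    """
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        # strict=False tolerates host bits set in a block such as 198.51.100.7/24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def matches(client_ip: str, nets: List[Network]) -> bool:
    """True when the address falls inside any listed network of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in nets)


def decide(client_ip: str, mode: str, nets: List[Network]) -> str:
    """Return DENY, ALLOW (skip further inspection) or INSPECT (continue to WAF/other rules).

    The whitelist vs strict_whitelist difference is what happens to unlisted
    addresses: they go on to inspection in the former and are denied in the latter.
    """
    listed = matches(client_ip, nets)
    if mode == "blacklist":
        return DENY if listed else INSPECT
    if mode == "whitelist":
        return ALLOW if listed else INSPECT
    if mode == "strict_whitelist":
        return ALLOW if listed else DENY
    raise ValueError(f"unknown mode: {mode}")


def tally(client_ips: Iterable[str], mode: str, nets: List[Network]) -> Dict[str, int]:
    """Count decisions over a batch of client addresses, e.g. to size a DoS filter's effect."""
    return dict(Counter(decide(ip, mode, nets) for ip in client_ips))


# Constructed sample list using documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LIST = parse_list([
    "# partner office",
    "198.51.100.0/24",
    "203.0.113.42",
    "2001:db8:1::/48",
])
```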

Traffic and Origin Health Monitoring


With servers in 3,000 locations across 1,000 networks worldwide, the EdgePlatform continually monitors and analyzes Internet health in real time. This includes data on traffic levels across different geographies, backbone health, DNS server health, and BGP churn. With aggregate and customer-specific alerting mechanisms triggered by unusual traffic patterns, Akamai’s unique, up-to-the-minute view of the global Web enables proactive identification of traffic attacks and their sources. Akamai can also provide origin health monitoring for customers, which detects slowdowns in origin response times due to overload.

Additional DDoS Mitigation Capabilities


Because there is no simple, one-size-fits-all solution to combat the many varieties of DDoS attacks, it is critical to have a defense system that can quickly be tailored to the characteristics of each specific attack. Akamai’s flexible, metadata-driven EdgePlatform does this, offering a broad suite of potential protective responses and the ability to dynamically employ any number of them in the midst of an attack.

DDoS mitigation spans all the tiers of an application’s infrastructure, including the application, network, and DNS layers. Thus, many of the services we have already covered — including Web Application Firewall, SiteShield, Enhanced DNS, and Global Traffic Management — provide specific DDoS mitigation capabilities as mentioned in their descriptions above. The EdgePlatform’s other DDoS capabilities include:

• Blocking or redirecting requests based on characteristics like IP address, originating geographic location, or query string patterns

• Black-holing attack traffic through DNS responses

• Using slow responses (tarpits) to shut down attacking machines while minimizing effects on legitimate users

• Directing traffic away from specific servers or regions under attack

• Limiting the rate at which requests are forwarded to the origin server in order to safeguard its health

• Quarantining suspicious traffic to a small set of servers

• Serving customized error pages during the attack (cached on the Akamai network)

• Cookie-checking to identify abnormally high levels of new users, which may indicate an attack

• Directing illegitimate traffic back to the requesting machine via a DNS response.
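The cookie-checking indicator in the list above, as an added detection example in Python that is not Akamai's code: it bins constructed access-log lines into one-minute windows and flags any window in which the share of requests carrying no session cookie (first-time users) far exceeds a baseline share. The log format, window size, threshold and sample lines are assumptions.

```python
"""Cookie-check detection of abnormal new-user levels (added example, not Akamai's code).

Models the "cookie-checking" DDoS indicator: a request without a session cookie
is a first-time (new) user, and a window where new users far exceed their normal
share suggests a bot swarm rather than returning visitors.
The log format, window size, baseline and threshold are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed access-log lines: "<epoch> <client_ip> <path> cookie=<session-id or ->".
# Timestamps are chosen so the second minute (from 1700000100) is mostly cookie-less.
SAMPLE_LOG = """\
1700000040 203.0.113.10 /index.html cookie=s1a
1700000041 203.0.113.11 /index.html cookie=-
1700000042 203.0.113.12 /cart cookie=s2b
1700000043 203.0.113.13 /index.html cookie=s3c
1700000099 203.0.113.14 /index.html cookie=-
1700000100 198.51.100.1 /index.html cookie=-
1700000101 198.51.100.2 /index.html cookie=-
1700000102 198.51.100.3 /index.html cookie=-
1700000103 198.51.100.4 /index.html cookie=-
1700000104 198.51.100.5 /index.html cookie=-
1700000105 203.0.113.12 /checkout cookie=s2b
1700000159 198.51.100.6 /index.html cookie=-
"""

WINDOW_SECONDS = 60  # assumed aggregation window


def parse_line(line: str) -> Tuple[int, bool]:
    """Return (timestamp, is_new_user); a request is 'new' when it carries no session cookie."""
    ts, _ip, _path, cookie = line.split()
    return int(ts), cookie == "cookie=-"


def new_user_counts_by_window(log_text: str) -> Dict[int, Tuple[int, int]]:
    """Map each window start to (new_user_requests, total_requests)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, is_new = parse_line(line)
        window = ts - ts % WINDOW_SECONDS
        counts[window][1] += 1
        if is_new:
            counts[window][0] += 1
    return {w: (n, t) for w, (n, t) in counts.items()}


def flag_windows(log_text: str, baseline_ratio: float, factor: float = 2.0,
                 min_requests: int = 5) -> List[int]:
    """Windows whose new-user share exceeds factor x baseline.

    Sparse windows (fewer than min_requests) are ignored so a handful of
    first-time visitors at a quiet hour does not trip the check.
    """
    flagged = []
    for window, (new, total) in sorted(new_user_counts_by_window(log_text).items()):
        if total >= min_requests and new / total > factor * baseline_ratio:
            flagged.append(window)
    return flagged
```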

Customer Case Study: DDoS Mitigation


Akamai protects U.S. government from unprecedented DDoS attacks: Targeted site sees eight years’ worth of traffic in a single day

On July 4th, 2009, the U.S. government faced the largest DDoS attack in its history, with the top-targeted site receiving nearly 8 billion page views in a day, resulting in traffic levels that peaked to nearly 600 times normal. The attack came in several waves and lasted more than a week, with 48 sites targeted in all. Despite the unprecedented scale of the attack, all of the U.S. government sites delivered via Akamai — including sites for the White House and 13 of the 15 Federal Cabinet level agencies — remained online, thwarting the attacker’s goals.

At the peak of the attack, Akamai absorbed more than 200 Gbps of attack traffic targeted
at the government sites. At the same time, Akamai continued serving traffic to legitimate users
and maintained 100% availability for all of its customers, delivering traffic at over a Terabit per
second for the rest of its customer base.
Akamai Security Capabilities 8

Business Continuity

Web site downtime can cost companies millions of dollars in lost revenue and productivity, making business continuity and disaster recovery planning more important than ever. Enterprises that rely on traditional, centralized Web infrastructure are particularly vulnerable to disasters both natural and man-made — from earthquakes and denial-of-service attacks to cable cuts, power outages, and misconfigured routers. In contrast, Akamai’s highly distributed architecture provides multiple layers of protection that help to ensure the uptime of business-critical Web infrastructure.

Like DDoS mitigation, business continuity spans all the different tiers of an application’s infrastructure. Previously described services such as Global Traffic Management and User Prioritization are part of the arsenal of disaster recovery tools offered by Akamai. These capabilities, as well as the following ones, help enable our customers to continue their business operations — delivering site and application functionality — in the face of serious network, routing, or origin server failures.

Zero-Downtime Delivery Platform

Akamai’s massively distributed network was built from the ground up with redundancy and fault tolerance at every level. Designed to self-heal from all types of failures — whether at the machine, data center, network, or Internet-wide level — Akamai’s network provides a true high-availability platform for Web content and application delivery, reducing the customer’s need to maintain their own failover infrastructure. The EdgePlatform dynamically routes around failures and trouble spots to continually deliver content, quickly and reliably, from optimal edge servers near end users.

Improved Reliability for Dynamic Content

With its Dynamic Site Solutions and Application Performance Solutions, Akamai offers the ability to enhance reliability and performance even for dynamic, uncacheable content and applications. Leveraging its SureRoute technology, the EdgePlatform can route dynamic content around major Internet problems that can otherwise cut off connectivity.

During the Taiwan earthquake of 2006, for example, Akamai measured an 8-hour Internet outage as undersea network cables were severed. However, Akamai was able to route around the problem and continue delivering dynamic content without performance degradation, while online businesses not leveraging Akamai experienced total failures or severe degradation for weeks.

NetStorage

NetStorage is Akamai’s secure, distributed, high-availability storage service. Customers can host any type of content, including media libraries, software downloads, or entire Web sites, through this scalable, on-demand service. NetStorage will automatically replicate the content to multiple locations. This ensures robust fault tolerance as well as improved performance, as content requests are directed to the optimal location. NetStorage is an ideal solution for companies looking to manage the most minimal, streamlined in-house infrastructure possible.

Site Failover

By taking the first hit and absorbing traffic spikes for the origin infrastructure, Akamai provides a strong layer of protection from flash crowds and denial-of-service attacks. However, with its Site Failover solution, Akamai also provides multiple options for Web site continuity in case of origin server failure.

[Figure: Web Transaction Times Following the December 26 Earthquake in Taiwan. Chart of transaction time (y-axis, 0.00 to 120.00) over dates from 12/22 through 1/5, with two series: Origin Transaction Performance and Akamai Transaction Performance; annotation: "Total Internet Failure over 8 Hour Period". Caption: While other Internet transactions across Asia suffered for weeks after an earthquake severed undersea network cables, Akamai continued delivering dynamic content without interruption or performance degradation.]

Site Failover offers three main options in case of origin failure:

• Failover to edge servers. Customers can opt to either have Akamai’s edge servers
serve a default failover page or serve the most recent (expired) content in cache.

• Failover to alternate site. Akamai will direct users to a backup site, which may
have reduced functionality or otherwise be different from the original site.

• Failover to Akamai NetStorage. Customers can host a full backup version of their site
on Akamai’s high-availability NetStorage service. In case of origin server failure, Akamai will
direct end users to the customer site on NetStorage, so that companies are guaranteed
a robust Web presence regardless of origin server availability or Internet conditions.
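The three failover options above are decisions an edge server makes when a fetch from origin fails. The following is an added illustration, written for this page and not Akamai’s own code or configuration, of how such a policy behaves: a small edge-server model with a per-path cache that, on origin failure, walks an ordered list of options (serve the expired cached copy, serve a default page, redirect to an alternate site, redirect to a NetStorage copy). The policy names, the `FailoverEdge` class, the `OriginDown` exception and the backup URL are assumptions of this example; it generalizes the text slightly by allowing the options to be chained rather than chosen singly.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Served when the "default-page" option is selected (constructed placeholder content).
DEFAULT_PAGE = "<html><body>We are experiencing difficulties. Please try again shortly.</body></html>"

Response = Tuple[str, int, str]  # (source, HTTP status, body or redirect location)


class OriginDown(Exception):
    """Raised by the origin fetcher when the origin cannot be reached (assumed interface)."""


class FailoverEdge:
    """One edge server with a per-path cache and an ordered failover policy.

    Policy entries, checked in order when the origin fails:
      "stale"        serve the most recent, already-expired cached copy
      "default-page" serve a static failover page
      "alternate"    redirect the user to a backup site
      "netstorage"   redirect the user to a full site copy on NetStorage
    """

    def __init__(self, fetch_origin: Callable[[str], str], policy: List[str],
                 ttl: float = 60.0, alternate_url: Optional[str] = None,
                 netstorage_url: Optional[str] = None) -> None:
        self.fetch_origin = fetch_origin
        self.policy = policy
        self.ttl = ttl
        self.alternate_url = alternate_url
        self.netstorage_url = netstorage_url
        self.cache: Dict[str, Tuple[str, float]] = {}  # path -> (body, expires_at)

    def get(self, path: str, now: float) -> Response:
        cached = self.cache.get(path)
        if cached is not None and now < cached[1]:
            return ("cache", 200, cached[0])  # fresh hit: origin is not contacted at all
        try:
            body = self.fetch_origin(path)
        except OriginDown:
            stale = cached[0] if cached is not None else None
            return self._failover(path, stale)
        self.cache[path] = (body, now + self.ttl)
        return ("origin", 200, body)

    def _failover(self, path: str, stale: Optional[str]) -> Response:
        for option in self.policy:
            if option == "stale" and stale is not None:
                return ("stale-cache", 200, stale)
            if option == "default-page":
                return ("default-page", 503, DEFAULT_PAGE)
            if option == "alternate" and self.alternate_url:
                return ("alternate-site", 302, self.alternate_url + path)
            if option == "netstorage" and self.netstorage_url:
                return ("netstorage", 302, self.netstorage_url + path)
        return ("unavailable", 502, "origin unavailable")


def demo() -> List[Response]:
    """Constructed scenario: the origin answers once, then goes down."""
    state = {"calls": 0}

    def origin(path: str) -> str:
        state["calls"] += 1
        if state["calls"] > 1:
            raise OriginDown(path)
        return "<html>catalog v1</html>"

    edge = FailoverEdge(origin, policy=["stale", "netstorage", "default-page"],
                        ttl=60, netstorage_url="https://backup.example.net")
    return [
        edge.get("/catalog", now=0),    # origin fetch, stored in cache
        edge.get("/catalog", now=30),   # fresh cache hit
        edge.get("/catalog", now=100),  # expired; origin down, so the stale copy is served
        edge.get("/about", now=100),    # never cached; falls through to the NetStorage redirect
    ]


if __name__ == "__main__":
    for response in demo():
        print(response)
```

The ordering of the policy list is the design decision: serving stale content keeps the original page and its functionality, a redirect to a backup copy keeps the site reachable but may change what the user sees, and the default page is the last resort, so a practitioner normally lists them in that order.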

EdgeComputing
Akamai’s EdgeComputing service allows companies to deploy J2EE applications onto the
zero-downtime EdgePlatform network, bringing unmatched performance, scalability, and
reliability to Web applications. Both the presentation layer and application business logic
are executed on the Akamai network, so applications that are backend-light or are based
on infrequently changing data — such as product catalogs, store locators, contests and
giveaways, user registration, and site search — can be run with only minimal, occasional
roundtrips to an origin database, or without any origin infrastructure at all.

Payment Security
Edge Tokenization

Processing customer credit card information electronically comes with extremely high risks and
requirements. Meeting the stringent Payment Card Industry (PCI) compliance standards takes
repeated effort, significant investment, and regular maintenance. That translates to high costs
for any corporation handling credit card data, and PCI audit requirements create a routine impact
on IT resources. Akamai is pioneering value-added offload of payment security, assisting with
removing its customers from PCI scope and related liability with its Edge Tokenization offering
for online transactions. By leveraging Edge Tokenization, corporations never process or store
their consumers’ credit credentials, replacing them instead with a non-reversible, random
token identifier. Seamlessly and without disrupting existing infrastructure, Akamai’s EdgePlatform
network identifies these critical transactions in eCommerce and web-enabled call centers and
instantly removes personal credit data. Through direct partnerships with leading payment gateway
providers, Akamai redirects this high-risk data without ever storing it locally. Once it has been replaced with
an anonymous token, the traffic continues to the origin infrastructure without impacting flow or
system functionality. The result is that merchant customers process and store only unique tokens,
rather than consumer credit data, thereby reducing PCI scope or potentially removing the merchant
customer from PCI compliance scope for online transactions. Additional benefits of Edge
Tokenization include:

• Leverages Akamai’s Level-1 PCI Compliant Network

• Enables web retailers to transact securely and at scale, without sacrificing performance

• Tight integration with leading payment gateway providers

• Preserves payment gateway functionality

• Integrates into existing workflow, without needing externally hosted sites or form
fields – guaranteeing look, feel, and flow remain consistent

• Accelerates critical commerce transactions on Akamai’s high-performing and highly
resilient EdgePlatform
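The mechanism described in the Edge Tokenization section, as an added worked example written for this page (not Akamai’s implementation, whose internals the text does not describe): an in-line rewrite of a checkout form submission that detects card numbers, hands each one to a vault standing in for the payment gateway, and forwards the request to origin with a random token in place of the number, so the origin never sees a PAN. The field names in `PAN_FIELDS`, the `TokenVault` class, the `tok_` token prefix and the sample form body are assumptions of this example. The Luhn check is there so that other long numeric fields (order ids, tracking numbers) are left alone.

```python
import re
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Form field names treated as card-number fields regardless of content
# (constructed for this example; a deployment would configure its own).
PAN_FIELDS = {"card_number", "cc_number", "pan"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that 16-digit order ids or tracking numbers in
    unnamed fields are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(value: str) -> str:
    """Strip the spaces and dashes people type into card-number fields."""
    return value.replace(" ", "").replace("-", "")


def looks_like_pan(value: str) -> bool:
    compact = normalize(value)
    return bool(PAN_RE.match(compact)) and luhn_valid(compact)


class TokenVault:
    """Stands in for the payment gateway that owns the token -> PAN mapping.
    Tokens are random, so a token alone reveals nothing about the PAN; only
    the vault, never the merchant origin, can map it back."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


def tokenize_form(body: str, vault: TokenVault) -> Tuple[str, int]:
    """Rewrite an application/x-www-form-urlencoded body so that every card
    number is replaced by a vault token before the request continues to origin.
    Returns (rewritten body, number of fields replaced)."""
    out: List[Tuple[str, str]] = []
    replaced = 0
    for name, value in parse_qsl(body, keep_blank_values=True):
        if (name in PAN_FIELDS and value) or looks_like_pan(value):
            value = vault.tokenize(normalize(value))
            replaced += 1
        out.append((name, value))
    return urlencode(out), replaced


def body_contains_pan(body: str) -> bool:
    """Post-rewrite check: the body forwarded to origin must carry no PAN."""
    return any(looks_like_pan(v) for _, v in parse_qsl(body, keep_blank_values=True))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample checkout POST; 4111111111111111 is a well-known test card number.
    sample = "name=Alice&card_number=4111 1111 1111 1111&order_id=1234567890123456&amount=42.00"
    forwarded, n = tokenize_form(sample, vault)
    print(forwarded, n, body_contains_pan(forwarded))
```

Two properties matter for the PCI-scope argument the text makes: the rewritten body must contain no value that passes the PAN check (which `body_contains_pan` verifies after every rewrite), and the mapping from token back to card number must live only in the vault, so the origin’s logs, database and backups hold tokens alone.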
Akamai: Building a Better, More Secure Web
As the capabilities of cyber attackers continue to grow in scale and sophistication, enterprises need to be innovative and proactive
in protecting their Web infrastructure and digital assets. Traditional, centralized security systems are no longer enough, as they lack
the scalability and reach to defend a perimeter that now extends to the edges of the Internet.

For this reason, highly distributed, cloud-based protections have become a necessary layer within any defense architecture. These
types of solutions help overcome the challenges posed by the inherently distributed nature of the Internet. They offer unprecedented,
on-demand scalability, flexibility, and performance, as well as the power to mitigate attacks at their source, before those attacks have
a chance to reach the company’s core infrastructure.

Akamai has spent the last decade making the Internet a better, faster, and more secure place to transact business. With thousands
of companies depending on its EdgePlatform to securely and reliably deliver an aggregate of 1 trillion Web interactions each day,
security is never a secondary priority at Akamai. Instead, it is comprehensively integrated into every aspect of Akamai’s network and
operations, from hardened servers and a self-healing architecture to the rigorous physical and operational security policies in place. 7

Organizations looking to lock down their perimeter at the edge of the Internet can leverage Akamai’s proven expertise and unique
global platform through its broad array of security solutions and capabilities. These capabilities, along with Akamai’s integrated,
flexible, and comprehensive set of content and application services, will continue to help enterprises across all industries achieve
their business goals, by delivering their mission-critical Web applications — securely, responsively, and reliably.

1. http://projects.webappsec.org/Web-Application-Security-Statistics
2. http://www.mobileactivedefense.com/faq/
3. http://www.riskandinsurancechalkboard.com/uploads/file/Ponemon%20Study(1).pdf
4. http://www.dasient.com/dasient-solution/threatscape/
5. http://www.arbornetworks.com/report Arbor Networks Worldwide Infrastructure Security Report, Volume VI. Feb 2010
6. http://www.arbornetworks.com/report Arbor Networks Worldwide Infrastructure Security Report, Volume VI. Feb 2010
7. For more information, see the Akamai Information Security Management System Overview, which discusses Akamai’s comprehensive network and operational security policies in greater detail.

The Akamai Difference


Simply put, Akamai® makes the Internet work for business. Addressing the challenges of the public Internet, the Akamai Intelligent Internet Platform™ provides its customers
with a robust platform for cloud computing, ecommerce, software downloads and HD video. The Akamai Intelligent Internet Platform™ delivers performance, scalability,
security and useful data and is made up of more than ninety thousand, globally distributed servers spanning most of the networks within the Internet. To learn more, please
visit www.akamai.com or follow @Akamai on Twitter.

Akamai Technologies, Inc.

U.S. Headquarters: 8 Cambridge Center, Cambridge, MA 02142. Tel 617.444.3000, Fax 617.444.3001, U.S. toll-free 877.4AKAMAI (877.425.2624)

International Offices: Unterfoehring, Germany; Paris, France; Milan, Italy; London, England; Madrid, Spain; Stockholm, Sweden; Bangalore, India; Sydney, Australia; Beijing, China; Tokyo, Japan; Seoul, Korea; Singapore

©2011 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.

www.akamai.com
