The Akamai Blog

HTTP Request Smuggling (also known as an HTTP Desync Attack) has experienced a resurgence in security research recently, thanks in large part to the outstanding work by security researcher James Kettle. His 2019 Blackhat presentation on HTTP Desync attacks exposed vulnerabilities with different implementations of the HTTP Standards, particularly within proxy servers and Content Delivery Networks (CDNs).These implementation differences with regard to how proxy servers interpret the construction of web requests have led to new request smuggling vulnerabilities. (Direct link to information on new vulnerability).

Within hours from the moment our in-house built fuzzer, hAFL1, started running – it found a critical, CVSS 9.9 RCE vulnerability in Hyper-V’s virtual driver.

As I began my CSR Co-op position this year, I wanted to see up-close how a corporate foundation works. What I've found is that the work the Akamai Foundation does around the world is inspiring! Whether it's partnering with STEM educators, responding to the COVID-19 crisis, planning employee volunteerism efforts, or creating a hardship fund to support our community, what we do here has a positive impact across the globe. And, thanks to this co-op opportunity, I've been able to play a real part in driving this impact forward.

For more than 20 years, Akamai has worked very hard to earn the trust and confidence of our customers and partners by developing services that can be relied upon to be available and secure at all times.

The beginning of August is upon us, and if you haven’t already started thinking about the busiest time of the year, now is a good time to do so. Whether you’re an experienced veteran of managing peak traffic or new to the game, Q4 can bring surprises when it comes to performance and security. And while it’s nearly impossible to prepare for every situation, there are a number of options and solutions available at Akamai to help manage the surge of traffic (both good and bad) that will be hitting the retail industry during the holiday season, especially on Black Friday and Cyber Monday.

Maybe you’ve just found out that your company’s IT organization is implementing Zero Trust. Does that mean they don’t trust you? “Zero Trust” sure sounds that way. Maybe you’ve read about it online or heard somebody talk about it in terms that equate Zero Trust with the idea that users and devices are never trusted.

Guardicore Labs, in collaboration with SafeBreach Labs, found a critical vulnerability in Hyper-V’s virtual network switch driver (vmswitch.sys).

Akamai engineering has adopted new technology concepts to enhance and expand routing capabilities at the edge. Previously, Akamai’s traffic-steering capabilities were mainly focused on DNS-based routing. In this article, we would like to give you an in-depth look at how Akamai has embraced new routing technology concepts and merged them into the Akamai edge to enhance routing capabilities, provide faster and better traffic steering, and offer even better performance.

With the transition to remote work, we often hear the term remote access used in unison. Typically, remote work application access is facilitated via a remote access mechanism and, presumably, local work application access is facilitated via a local access mechanism. But I argue that this connection does not really hold true. Sure, remote work does require the use of a remote access mechanism, but the mechanism can and should also be used for local work. There's really no such thing as local access.

If I had a dollar for every time I heard the phrase “digital transformation,” I would have a lot of dollars. I’m sure you would too. We’d have even more if we counted the term “Zero Trust.” (Maybe we should start counting them, now that I think about it!)

Backhauling traffic destroys performance, and backhauling attack traffic can destroy even more. Nevertheless, in a traditional security deployment model, we are faced with the lose-lose options of either backhauling all traffic to the security stack or allowing some accesses to not go through the security stack. Of course, in the modern world where cyberattacks can cause enormous damage, the latter option is not really an option at all. All traffic must route through a robust security stack. So how do we accomplish this goal without backhauling? The answer is Zero Trust security deployed and delivered as an edge service.

Near the end of March 2020, G2A.COM saw its traffic virtually double overnight. The pandemic had just begun, and people were looking for ways to stay entertained and connected under lockdown. Not surprisingly, a lot of people turned to video games, and G2A.COM was one of the first places they went to for affordable game keys and activation codes.

Last week, we gathered a few of the most prominent leaders and experts from every corner of the federal space to talk about all things cybersecurity and digital transformation. Discussions ranged from the move toward Zero Trust Network Access (ZTNA), and effectively managing identities and access with a secure web gateway (SWG) to keep data safe, to what the executive order on cybersecurity means for agencies -- time to implement a multi-factor authentication (MFA) solution.

At 15:45 UTC on July 22, 2021, a software configuration update triggered a bug in our Secure Edge Content Delivery Network impacting that network's domain name service (DNS) system (the system that directs browsers to websites for that specific service). This caused a disruption impacting availability of some customer websites. The disruption lasted up to an hour. Upon rolling back the software configuration update, the services resumed normal operations.

Though Zero Trust is really quite simple and should be viewed as a very strong form of the age-old principle of least privilege, that does not mean that it is the same thing. In fact, one of the most significant differences from what came before is that when it comes to access, Zero Trust is based on application access, not network access. I was surprised, then, when Gartner's new SASE (secure access service edge) model included something called Zero Trust Network Access (ZTNA). This term is an oxymoron, and I make this point because it matters. The distinction between network access and application access is important.

On July 2, 2021, Kaseya disclosed an active attack against customers using its VSA product, and urged all on-premise customers to switch-off Kaseya VSA. Shortly before this alert, users on Reddit started describing ransomware incidents against managed security providers (MSPs), and the common thread among them was on-premise VSA deployments. In the hours to follow, several indicators of compromise (IOCs) were released, and Akamai was able to observe some of that traffic. A patch for the VSA product was released by Kaseya on July 11.

If the term Zero Trust has been popping up in your news feed with astonishing frequency lately, you may be tempted to think that Zero Trust must be a brand-new technology cooked up in a research lab at MIT and powered by the latest artificial intelligence, machine learning, quantum computing, and a 1.21 gigawatt flux capacitor. In this and subsequent blog posts, I want to make the case that, in fact, Zero Trust is all about simplicity, and that at its core, Zero Trust is a strong form of the age-old principle of least privilege.

I've spent my entire career in technology and can still recall the time when a desktop PC was the only way to work. (Truth be told, I'm also old enough to remember dumb terminals.) I also remember my first company laptop -- a beast of a thing with a monochrome display so thick it came with an integrated 2.5" floppy drive and a battery life that made it barely usable. My first mobile phone was a Motorola Timeport, the first tri-band mobile phone that could work in Europe and North America.

The video streaming traffic that Akamai delivered for more than 30 rights-holding customers during the July 11 Italy-England football (soccer) final as part of the delayed-to-2021European soccer tournament peaked at 34.9 Tbps on the Akamai edge platform. The traffic peak during the final match was the highest that Akamai reached for the tournament and was nearly 5x greater than the 7.3 Tbps peak of the 2016 Portugal-France championship match. Traffic during the June 29, 2021, round-of-16 match between Germany and England was the second-highest peak for the tournament, reaching 33.9 Tbps; third-highest was the July 6 Italy-Spain semi-final at 32.6 Tbps.

One year and a half following the start of the COVID-19 pandemic, we're seeing most companies either maintaining their remote work policies or slowly moving to a hybrid model. In fact, an estimated 36.2 million Americans will be working remotely by 2025, which is nearly double pre-pandemic levels.