This document provides an overview of Akamai's content delivery network (CDN) services and security solutions. It describes how Akamai delivers massive web traffic volumes daily using over 240,000 servers in more than 130 countries. It also explains several of Akamai's security functions, including rate control, network list management, web application firewall, and site shield to protect customers' origin servers from threats like DDoS attacks and unauthorized access.

2. Akamai is the global leader in Content Delivery Network (CDN) services, making the
Internet fast, reliable and secure for its customers. The company's advanced web
performance, mobile performance, cloud security and media delivery solutions are
revolutionizing how businesses optimize consumer, enterprise and entertainment
experiences for any device, anywhere.
• Akamai delivers daily web traffic reaching more than 30 Terabits per second
• Akamai delivers nearly 3 trillion internet interactions each day
• Akamai has the most pervasive content delivery network(CDN) – more than 240.000
servers in over 130 countries and more than 1.600 networks around the world.
About Akamai

3. How the Akamai Intelligent Platform Works

4. Akamai Configuration Segment

5. Origin Server and DNS
- www.sony.co.uk
IN CNAME [Akamai
edge]
- origin.sony.co.uk
IN A [Origin server
IP]

6. SSL Certificate
Two types of certificate in Akamai
• Client to Akamai (①)
• Akamai to Origin (②, ③)

7. Redirection / Modify Path
There are two types of URL redirection methodologies in Akamai. One is general 301/302 redirection and
the other one is to change origin forwarding.
1) 301/302 Redirection
1) Redirection from a certain path to a different path
2) Redirection from a certain path to a different host
3) Redirection from a certain path to a different host and a different path
4) Relative path redirection
2) Modify path
Akamai modify path can forward a previously defined URL to a different origin server which is not main
origin.
www.sony.co.uk/electronics/*  GWT origin server
www.sony.co.uk/mysony/*  Region origin server

8. TTL – Time to Live / Cache rule
Two methodologies in Akamai
1) setting cache control by certain path
/mysony/* no-cache, /campaign/* 30 min
2) setting cache control by certain extension
.css 4hours, .js 30min

9. Failover
When and how to show “Sorry page”
When edge servers receives 500/503 error code from origin servers, Akamai will switch to “Sorry page”.
Note: “Sorry page” will not be cached in Akamai server. Instead of caching “Sorry page”, Akamai edge
remembers the exact Client IP for 30 seconds and during this moment Akamai keep showing “Sorry page”
to the same client. Since “Sorry page” is never be cached, there is no need to do a cache clear during
whole activity.

10. NetStorage
NetStorage is a storage service that provided by Akamai platform.
Sample of a NetStorage content link： www.sony.co.uk/test/eu/sample.jpg

11. Security Solution

12. Security Solution Overview

13. Security Solution Function List
# Function name Description Target of threat
1 Rate control Restrict requests from specific IP addresses temporarily when it
detected to be exceeded threshold by number of accesses in a
short period of time by same IP
DDoS
2 NW list
management
Apply Whitelist and Blacklist to block access to Akamai edge unauthorized
access and
Attacker IPs
3 WAF Based on OWASP mod-security rule set, Akamai WAF inspect
HTTP request body to protect against attacks such as SQL Injection
& Cross-Site Scripting
Site penetration,
SQL injection,
XSS etc.
4 Edge Servers Block other than HTTP and HTTPS protocols. Mitigates DDoS
attacks by distributed processing on over 100,000 servers
DDoS
5 Site Shield Allow accesses to origin servers via Akamai network only by
registering typical Akamai server IP to the Firewall
DDoS,
unauthorized
access

14. Rate Control
To protect origin server from the much requests during short time period like DDoS, there is a security
option service called Rate Control.
Rate Control has several rules. Each rules has 2 types of threshold based on actual access analysis.
If an IP exceeds with the threshold, Akamai blocks the request coming from the specific IP. After 15
minutes, Akamai will allows the access again unless it exceeding thresholds again.
Operation team analyzes Akamai access log periodically and redefine the thresholds.

15. DDoS mitigation
A Reverse Proxy & Load Balancer
Only accepts application layer traffic via ports 80 (HTTP) & 443 (HTTPS)
Network attacks dropped at Edge
UDP Fragments, ICMP Floods, SYN Floods, ACK Floods, RESET Floods, UDP Floods
Massive scalability
Average traffic volume of 6Tbps spiking in
excess of 9Tbps,
Defend one network hop from request – keep
away from Origin
Natively in path
No rerouting, no added latency,
no single point of failure

16. Network List Management
To protect non-prod environments from accesses of public internet, there is a security option
service called Network list management.
• Allow or restrict requests from
specific IP addresses
• Implement IP Blacklists &
Whitelists
• Geography-based blocking
• 10,000 CIDR entries supported
Named lists – e.g. Tor exit nodes

17. WAF
Application-layer controls inspect HTTP request body to protect against attacks such as
SQL Injection & Cross-Site Scripting
Akamai WAF is provided based on OWASP Mod-Security. By distributing processing on the large
number of Akamai servers, it does not affect to the performance even it received a large number of
malicious requests.
OWASP ModSecurity Core Rule Set
• Protocol Violations
• Protocol Anomalies
• Request Limits
• HTTP Policy
• Generic Attacks
• Trojans
• Outbound (Leakage)

18. WAF
Akamai WAF checks the request whether to match the rules one by one of more than 200.
Because each rules are defined based on anomaly score, Akamai checks that whether total
of anomaly score by the request exceed threshold. Each threshold for each Risk group such
as XSS/SQL injection are defined based on Best Practices by Akamai.
Custom Rules
Create policy-based rules that are enforced before or after execution of the
application layer controls

19. WAF : Scoring samples

20. Site Shield
To protect origin server from public internet, there is a security option service called Site
Shield.
With this service a list of Akamai edge server IPs is provided to Sony. Origin Servers in Sony
network need to whitelist those IPs in Firewall and also need to limit access only to those IPs.
Restricted access is aiming for protecting origin servers from various Internet security threats
comes to origin directly.
Notes: This IP list is updated regularly due to Akamai regular server maintenance. Sony
needs to update whitelist in each firewall that shielding origin servers.

21. Q & A