Attackers flooded Akamai’s domain name servers with spurious traffic, causing response times to drop sufficiently low that the majority of requests for web pages could not be delivered upon before they timed out.

According to Akamai, the sophisticated, large-scale attack was actually directed at four specific web sites that are Akamai customers. Because other Akamai customers are on the same DNS servers, all of those customers were affected.

An Akamai spokesperson said that the number of customers affected was in the single digits as a percentage of its overall customer base, which is 1,100 companies. Only customers taking DNS resolution services were affected.

The attack lasted from about 5.30am US Pacific Time to about 7.45am yesterday, according to Akamai. The spokesperson said reports that some customers switched away from Akamai’s DNS during the attack were not accurate.

Along with Google, Microsoft and Yahoo, Microsoft’s Windows Update site was hit, as were the virus definition update sites from Trend Micro Inc and Symantec Corp, according to NetCraft Ltd, which was watching the attack.

Akamai said it was not an outage as such, because its name servers continued to function, albeit with degraded performance, throughout the attack. But from the perspective of the end user and web site owner, the difference is academic.

The firm asserted, however, that the problems were not as bad as reported in several publications, many of which quoted officials from Keynote Systems Inc, which uses agents spread around the world to measure the performance of popular web sites.

Keynote reported that its index of 40 leading web sites dropped from its usual 100% availability to about 81% during the attack, because of the large number of completely unavailable Akamai clients among the 40.

But Akamai pointed out later in the day that Keynote’s measurement agents use private DNS servers, whereas the vast majority of web users share a name server with hundreds or thousands of other people on the same network.

If Akamai successfully resolved DNS for one person, the IP address for the web site would be cached for a short period for use by all the other people who use that server for their DNS. It’s not clear how much of an impact this caching had.

Regardless, it’s particularly embarrassing for Akamai, as its DNS services are specifically designed to prevent clients being DDoS’d in this way. Microsoft, for example, used Akamai to mitigate the Blaster worm’s DDoS attack last August.

We are aware of reports that Microsoft web properties may have been impacted by a reported outage suffered by Akamai Technologies’ domain name server system, Microsoft said in a statement, deferring further inquiries to Akamai.

Compounding the embarrassment, the attacks come less than a month after an Akamai outage on May 24, when a buggy software update made to its caching servers made Akamai-hosted content inaccessible for about 90 minutes.

In a distributed denial-of-service attack, attackers leverage the bandwidth of hundreds or thousands of compromised computers to flood their victim’s servers with traffic, either crashing them or rendering the inaccessible to legitimate traffic.

Akamai said it consulted with several network providers to have the source of the attack shut down, and that it is now cooperating with US federal law enforcement on tracking down the culprits.

If it was a DDoS, all the IP addresses will be in the logs, so somebody lost a large part of their bot herd today, said Russ Cooper of TruSecure Corp, who manages the NT Bugtraq security mailing list, refering to bots, or compromised PCs.

Two of Akamai’s competitors, Mirror Image Internet Inc and Speedera Networks Inc, said that companies could reduce their exposure to such problems by retaining two CDN providers and swapping over in case of outages.

Quite apart from the potential advantage given to the competition, Akamai will have to compensate its customers for the outage, due to its aggressive service level agreements.

Akamai’s spokesperson said the firm will fully honor the SLAs, but said the amount of compensation will be immaterial to its business due to the relatively small number of customers who were hit.

Akamai offers its customers a 100% SLA as standard. If it fails to provide 100% uptime it has to give the customer credit for that entire day’s fees, according to copies of its standard contracts found online.