Risk

8/1/2012
01:16 PM
50%
50%

Netflix Wants You To Adopt Chaos Monkey

Netflix has made its own automated disaster testing service, Chaos Monkey, available as a free public download. Should you turn it loose on your own systems?

Netflix is a high-profile consumer service. When things go wrong, people tend to notice. So it might seem strange that the company tries to make things go wrong with its service on a regular basis.

That's indeed the goal of "Chaos Monkey," the automated software Netflix developed to test its infrastructure's mettle. In layman's terms, Chaos Money tries to break stuff. The theory behind this is to build a stronger platform and avoid the types of major, unexpected problems that tend to make IT's phones ring at 2 a.m. (Netflix configures the tool to run only during normal business hours; that way IT staff handle any related issues during the day instead of on nights and weekends.)

Now everyone can embrace the chaos: Netflix just made the source code publicly available as a free download. You'll first need to ask yourself if you've got the guts for it. Or, as Netflix put it in a blog post: "Do you think your applications can handle a troop of mischievous monkeys loose in your infrastructure?"

[ Security researcher Dan Kaminsky wants to address security by changing the fundamental way code is written. Read more at Tired Of Security Problems? Change Rules Of Writing Code. ]

If you're picturing the band of winged monkeys from "The Wizard of Oz" running amok, you're not far off--they've just been reengineered for the cloud. Chaos Monkey deliberately shut downs virtual machines (VMs) within Amazon's Auto-Scaling Groups (ASGs). (Though the software was written with Amazon Web Services in mind, Netflix said Chaos Monkey is flexible enough to work with other cloud platforms.)

By causing intentional failures on individual instances--Netflix generated more than 65,000 failures in the last year, according to the company--you can learn from those errors and their resolutions. Basic example: Is your application hardy enough to weather a failed VM, or could that single instance bring the curtains down on the whole show?

That type of no-holds-barred testing can help unearth and resolve unknown issues before they become major outages. Better yet, it can lead to stronger applications as they're being built, rather than trying to retrofit them after the fact. "By having that constant idea that something's going to break, [Netflix has] within their dev ops and engineering departments the mindset that they have to make sure that no single point can take down the entire site," said Jim MacLeod, product manager at the networking firm WildPackets, in an interview.

In Netflix's case, it makes sense to try to rise to Chaos Monkey's challenge--their bottom line depends upon their site running smoothly. "If you look at Netflix's business model, what really differentiates them isn't just streaming media--it's the fact there's something immediate and easy for users to get to, but that means they have to be fairly reliable," MacLeod said. "Reliability and uptime are things that are difficult to put in afterwards if you don't design it in, just like security."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Embedded SW Dev
50%
50%
Embedded SW Dev,
User Rank: Apprentice
8/2/2012 | 5:44:30 PM
re: Netflix Wants You To Adopt Chaos Monkey
Apparently someone let the Chaos Monkey loose. Today's Infoweek daily's link to this story lead to a story about the errant stock trading on Wednesday. Was that a hint that Knight Capital was testing the Chaos Monkey, or did the Chaos Monkey infect the mailing?
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.