Content Growth by Kams Yueng

Peering, Security and Traffic Trend
Kams Yeung
Akamai Technologies
MyNOG-3
28th Nov, 2013

Agenda
Akamai Introduction
• Who’s Akamai?
• Intelligent Platform

Basic CDN Technology
• Akamai mapping

Peering with Akamai
• Why Akamai peer with ISPs and Akamai connection to IX

Secure the Internet - DNS Security
• Open resolvers and reflection attacks

Internet Traffic Trend
• Connection Speed, Mobile connection, IPv6

©2012 AKAMAI | FASTER FORWARDTM

Akamai Overview
Who is Akamai?
Akamai is a leading provider of a Cloud platform, which delivers,
accelerates and secure content and APPLICATIONS over the
Internet. Our key differentiator is our highly distributed
(intelligent) platform, made up of more than 100,000 servers in
80 countries.

• Publicly traded: (NASDAQ: AKAM)
• Found: August1998
• Headquarters: Cambridge, MA, USA
• 30+ worldwide offices, including Europe and Asia
• 3,400+ employees worldwide


The Akamai Intelligent Platform
The world’s largest on-demand, distributed computing
platform delivers all forms of web content and applications
The Akamai Intelligent Platform:
137,000
Servers

2,000+

Locations

1,150

Networks

700+
Cities

87

Countries

Typical daily traffic:
•  More than 2 trillion requests served
•  Delivering over 10 Terabits/second
•  15-30% of all daily web traffic


Basic CDN Technology
Akamai mapping

How CDNs Work
When content is requested from CDNs, the user is
directed to the optimal server
• This is usually done through the DNS, especially for non-network
CDNs, e.g. Akamai
• It can be done through anycasting for network owned CDNs

Users who query DNS-based CDNs be returned
different A (and AAAA) records for the same hostname
This is called “mapping”
The better the mapping, the better the user experience.


How Akamai CDN Work
Example of Akamai mapping
• Notice the different A records for different locations:

[Kuala Lumpur]% host www.akamai.com
www.akamai.com.
CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net.
20 IN A 203.82.77.42
20 IN A 203.82.77.57
[Kuching]% host www.akami.com
www.akamai.com. CNAME a152.dscb.akamai.net.
20 IN A 203.82.76.27
20 IN A 203.82.76.26


How Akamai CDN Work
Akamai uses multiple criteria to choose the optimal
server
• These include standard network metrics:
• Latency
• Throughput
• Packet loss
• These also include things like CPU load on the server, HD space,
network utilization, etc.


Peering with Akamai
How Akamai uses IXes?

Why Akamai Peers with ISPs
Improved performance
• Akamai tries to serve content as “close” to the end users

Peering gives better throughput
• Reduced latency and packet loss

Redundancy
• Having more possible vectors to deliver content

Burstability
• During large events, having multiple networks allows for higher
burstability


Why Akamai Peers with ISPs
Peering reduces costs
• Reduces transit bill

Network Intelligence
• Receiving BGP directly from multiple ASes helps CDNs map the
Internet

Backup for on-net servers
• If there are servers on-net, the peering can act as a backup during
downtime and overflow
• Allows serving different content types


How Akamai use IXes

Peer Network

IX

•  Akamai (Non-network CDNs)
do not have a backbone, so
each IX instance is
independent
•  Akamai uses transit to pull
content into the servers
•  Content is then served to
peers over the IX

Content

CDN Servers

Transit
Origin Server

How Akamai use IXes
Akamai usually do not announce large blocks of
address space because no one location has a large
number of servers
• It is not uncommon to see a single /24 from Akamai at an IX

This does not mean you will not see a lot of traffic
• How many web servers does it take to fill a gigabit these days?


Akamai connection to MyIX
Akamai is going to connect to MyIX in mid-Dec 2013
Node: TM01 (Cyberjaya)
Port: 10G
IPv4 = 218.100.44.170/24
IPv6 = 2001:DE8:10::71/112

This does not mean you will see a lot of traffic
• The Akamai node connecting to MyIX is aim to serve mainly
HTTPS traffic at the beginning.


Secure the Internet
Open resolvers and DNS reflection attack

Open Resolvers
Why resolver exists?
• Exist to aggregate and cache queries
• Not every computer run its own recursive resolver.
• ISPs, Large Enterprises run these
• Query through the root servers and DNS tree to resolve domains
• Cache results, and deliver cached results to clients.

Open resolvers
• Recursive lookup
• Answer recursive queries from any client

Some Public Services:
• Google DNS, OpenDNS, Level 3, etc.
• These are “special” set-ups and secured.

www.cloudflare.com

17

Open Resolvers – The Problem!

Example of DNS-based reflection attack exceeding 70Gbit.

• There are millions of DNS resolvers.
• Many of these are not secured.
• Non secured DNS resolvers can and will be abused
• CloudFlare has seen DNS reflection attacks hit 300Gbit/s
traffic globally.
www.cloudflare.com

18

Reflection Attack
• UDP Query
• Spoofed source
• Using the address of the person you want to attack
• DNS Server used to attack the victim (sourced address)
• Amplification used
• Querying domains like ripe.net or isc.org
• ~64 byte query (from attacker)
• ~3233 byte reply (from unsecured DNS Server)
• 50x amplification!
• Running an unsecured DNS server helps attackers!
www.cloudflare.com

19

Reflection Attack
• What is a Reflection Attack?
In a reflection attack, an attacker makes a request to the
open resolver using a UDP packet whose source IP is
the IP address of the target. The request is usually one
that will result in a large response, such as a DNS ANY
request or a DNSSec request, which allows the attacker
to multiply up to 100x the amount of bandwidth sent to
the target web server. The "multiplication" factor is what
makes this particular attack dangerous, as traffic can
reach up to 200- 300Gbps. The Spamhaus attack is
one example of a recent reflection attack.

www.cloudflare.com

20

Reflection Attack

Attacker

ANY
ANY
ANY
isc.or
isc.or
isc.or
g
gg

Attack Target

Large
Large
Large
Reply
Reply
Reply

Large
Large
Large
Reply
Reply
Reply
Unsecured
DNS
Recursors

www.cloudflare.com

Large
Large
Large
Reply
Reply
Reply

Unsecured DNS
Recursors

Unsecured
©2012 AKAMAI | FASTER FORWARD
DNS
Recursors

TM

21

Reflection Attack
• With 50x amplification:
• 1Gbit uplink from attacker (eg: Dedicated Servers)
• 50Gbit attack
• Enough to bring most services offline!
• Prevention is the best remedy.
• In recent attacks, we’ve seen around 80,000 open/
unsecured DNS Resolvers being used.
• At just 1Mbit each, that’s 80Gbit!
• 1Mbit of traffic may not be noticed by most operators.
• 80Gbit at target is easily noticed!
www.cloudflare.com

22

Where are the open resolvers?

• Nearly Everywhere!
• As of: 24th Nov, 2013
• Observed from Open Resolver Project:
32,575,304 total responses to UDP/53 probe
31,925,357 unique IPs
28,160,599 responses had recursion-available bit set

Data on: 24th Nov 2013, Source: openresolverproject.org

23

Where are the open resolvers?
Name servers per country that permit recursion

Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer

24

Where are the open resolvers in Asia?
Country

Open resolvers

Country

Open resolvers

China

Taiwan

South
Korea

Japan

Thailand

India

Hong
Kong

Singapore

Indonesia

Australia

Pakistan

2657680

1292091

960114

273184

232914

195041

107286

69721

64362

62959

47728

New
Zealand

Nepal

New
Caledonia

Fiji

Cambodia

Laos

Sri
Lanka

Macau

Maldives

Mongolia

Afghanistan

12859

3913

3020

2522

2121

2024

1528

1225

790

480

444

Vietnam

Malaysia

Philippines

Bangladesh

45885

45667

31740

17826

Brunei
Darussalam

Papua
New
Guinea

Bhutan

Vanuatu

246

146

99

25

Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer

25

Fixing this? Preventative Measures!
• BCP-38
•  Source Filtering, you shouldn’t be able to spoof addresses.
•  Needs to be done in hosting and ISP environments.
•  If the victim’s IP can’t be spoofed the attack will stop
•  Will also help stop other attack types

• (eg: Spoofed Syn Flood).
• BCP-140 / RFC-5358

• Preventing Use of Recursive Name Servers in Reﬂector
Attacks

• Provide recursive name lookup service to only the
intended clients.

www.cloudflare.com

26

Fixing this? Preventative Measures!
• DNS Server Maintenance
• Secure the servers!

• Lock down recursion to your own IP addresses
• Disable recursion
• If the servers only purpose is authoritative DNS, disable
recursion
•  Historical accidents / incorrect configuration
• Some Packages (eg, Plesk, cPanel) have included a
recursive DNS server on by default.
• Update Internet routers / modems firmware.
•  Some older firmware has security bugs
• Allows administration from WAN (including DNS, SNMP)
www.cloudflare.com

27

The Trend of Internet
State Of The Internet Report Q2 2013

Average Peak Connection Speed
•  Malaysia is #8 in Asia
(#44 in Global)
•  Represents an average
of the maximum
measured connection
speeds across all of the
unique IP addresses
seen by Akamai
•  The average is used to
mitigate the impact of
unrepresentative
maximum measured
connection speeds.
Average Peak Connection Speed by Asia Pacific Country/Region


Average Connection Speed
•  Malaysia is #9 in Asia
(#64 in Global)
•  Decrease of slow
countries (1Mbps or
less)
•  Q4 2012 18 countries
àQ1 2013 14 countries
àQ2 2013 11 countries

Average Connection Speed by Asia Pacific Country/Region


Average Connection Speed - MY
•  Malaysia average connection speed increased from 1.2Mbps from 3 years
ago to 3.1Mbps in Jun, 2013


What about mobile connection in Asia?
•  Mobile average peak connection speed in MY is 39.8Mbps (Global average
is 18.9Mbps)
•  Mobile average connection speed in MY is 3.4Mbps (Global average is
3.3Mbps)

ASN that classified as pure mobile operator

Total Monthly Mobile traffic
•  Observed by Ericsson
•  Data traﬃc from Q2 2012 to Q2 2013 almost double!
•  Voice keeps growing at the rate of 5% from Q2 2012 to Q2 2013


Observations after World IPv6 Launch Anniversary

IPv6 traffic continue to growth steadily after World IPv6 Launch
• 
As of Q2, 2013
• 
20 billion content requests per day over IPv6
• 
1-2% of total request volume
• 
double the level seen in the second half of 2012
• 
We really running out of IPv4!


Summary
• Akamai Intelligent Platform
• Highly distributed edge servers, DNS-based mapping
• Peering with Akamai
• Improve user experience, reduce transit/peering cost
• Open Resolvers are harmful to the Internet community
• Secure your DNS server, secure the Internet
• Internet is growing
• Internet penetration and speed are growing
• Internet everywhere by mobile network
• IPv6 traffic is still small today, but catching up


Questions?

Kams Yeung <kams@akamai.com>
More information:
Peering: http://as20940.peeringdb.com
SOTI Report: http://www.akamai.com/stateoftheinternet/
IPv6: http://www.akamai.com/ipv6
Acknowledgement:
Tomas Paseka <tom@cloudflare.com>

Content Growth by Kams Yueng

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (11)

Similaire à Content Growth by Kams Yueng

Similaire à Content Growth by Kams Yueng (20)

Plus de MyNOG

Plus de MyNOG (20)

Dernier

Dernier (20)

Content Growth by Kams Yueng