Content Growth by Kams Yeung
2. Agenda
Akamai Introduction
• Who’s Akamai?
• Intelligent Platform
Basic CDN Technology
• Akamai mapping
Peering with Akamai
• Why Akamai peers with ISPs, and Akamai’s connection to the IX
Secure the Internet - DNS Security
• Open resolvers and reflection attacks
Internet Traffic Trend
• Connection speed, mobile connections, IPv6
©2012 AKAMAI | FASTER FORWARD™
4. Akamai Overview
Who is Akamai?
Akamai is a leading provider of a cloud platform that delivers,
accelerates and secures content and applications over the
Internet. Our key differentiator is our highly distributed
(intelligent) platform, made up of more than 100,000 servers in
80 countries.
• Publicly traded: NASDAQ: AKAM
• Founded: August 1998
• Headquarters: Cambridge, MA, USA
• 30+ worldwide offices, including Europe and Asia
• 3,400+ employees worldwide
5. The Akamai Intelligent Platform
The world’s largest on-demand, distributed computing
platform delivers all forms of web content and applications
The Akamai Intelligent Platform:
• 137,000 servers
• 2,000+ locations
• 1,150 networks
• 700+ cities
• 87 countries
Typical daily traffic:
• More than 2 trillion requests served
• Delivering over 10 Terabits/second
• 15-30% of all daily web traffic
7. How CDNs Work
When content is requested from a CDN, the user is
directed to the optimal server
• This is usually done through the DNS, especially for non-network
CDNs, e.g. Akamai
• It can be done through anycasting for network-owned CDNs
Users who query DNS-based CDNs are returned
different A (and AAAA) records for the same hostname
This is called “mapping”
The better the mapping, the better the user experience.
8. How the Akamai CDN Works
Example of Akamai mapping
• Notice the different A records for different locations (and the
20-second TTL, which lets the mapping be changed quickly):
[Kuala Lumpur]% host www.akamai.com
www.akamai.com.        CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net.  20 IN A 203.82.77.42
a152.dscb.akamai.net.  20 IN A 203.82.77.57
[Kuching]% host www.akamai.com
www.akamai.com.        CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net.  20 IN A 203.82.76.27
a152.dscb.akamai.net.  20 IN A 203.82.76.26
9. How the Akamai CDN Works
Akamai uses multiple criteria to choose the optimal
server
• These include standard network metrics:
  • Latency
  • Throughput
  • Packet loss
• They also include server-side state such as CPU load, disk space,
network utilization, etc.
11. Why Akamai Peers with ISPs
Improved performance
• Akamai tries to serve content as “close” to the end user as possible
Peering gives better throughput
• Reduced latency and packet loss
Redundancy
• More possible paths over which to deliver content
Burstability
• During large events, having multiple networks allows for higher
burstability
12. Why Akamai Peers with ISPs
Peering reduces costs
• Reduces the transit bill
Network intelligence
• Receiving BGP directly from multiple ASes helps CDNs map the
Internet
Backup for on-net servers
• If there are servers on-net, the peering can act as a backup during
downtime and overflow
• Allows serving different content types
13. How Akamai uses IXes
• Akamai (a non-network CDN) does not have a backbone, so
each IX instance is independent
• Akamai uses transit to pull content from the origin server
into the CDN servers
• Content is then served to peers over the IX
[Diagram: Origin Server → Transit → CDN Servers → IX → Peer Network]
14. How Akamai uses IXes
Akamai usually does not announce large blocks of
address space, because no one location has a large
number of servers
• It is not uncommon to see a single /24 from Akamai at an IX
This does not mean you will not see a lot of traffic
• How many web servers does it take to fill a gigabit these days?
15. Akamai connection to MyIX
Akamai is going to connect to MyIX in mid-December 2013
Node: TM01 (Cyberjaya)
Port: 10G
IPv4 = 218.100.44.170/24
IPv6 = 2001:DE8:10::71/112
This does not mean you will see a lot of traffic straight away
• The Akamai node connecting to MyIX is aimed at serving mainly
HTTPS traffic at the beginning.
17. Open Resolvers
Why do resolvers exist?
• To aggregate and cache queries
• Not every computer runs its own recursive resolver
• ISPs and large enterprises run them
• They query from the root servers down the DNS tree to resolve domains
• They cache results and deliver cached results to clients
Open resolvers
• Perform recursive lookups
• Answer recursive queries from any client
Some public services:
• Google DNS, OpenDNS, Level 3, etc.
• These are “special” set-ups and are secured.
Source: www.cloudflare.com
18. Open Resolvers – The Problem!
Example of a DNS-based reflection attack exceeding 70 Gbit/s.
• There are millions of DNS resolvers.
• Many of these are not secured.
• Unsecured DNS resolvers can and will be abused.
• CloudFlare has seen DNS reflection attacks hit 300 Gbit/s
globally.
19. Reflection Attack
• UDP query
  • Spoofed source
  • Using the address of the victim you want to attack
• The DNS server is used to attack the victim (the spoofed source address)
• Amplification
  • Querying domains like ripe.net or isc.org
  • ~64 byte query (from the attacker)
  • ~3233 byte reply (from the unsecured DNS server)
  • 50x amplification!
• Running an unsecured DNS server helps attackers!
20. Reflection Attack
• What is a reflection attack?
In a reflection attack, an attacker sends a request to an
open resolver in a UDP packet whose source IP is the IP
address of the target. The request is usually one that
produces a large response, such as a DNS ANY query or a
query for DNSSEC-signed data, which lets the attacker
multiply the bandwidth sent to the target by up to 100x.
The "multiplication" factor is what makes this particular
attack dangerous, as traffic can reach 200-300 Gbps. The
Spamhaus attack is one recent example of a reflection attack.
22. Reflection Attack
• With 50x amplification:
  • 1 Gbit uplink from the attacker (e.g. a dedicated server)
  • 50 Gbit attack
  • Enough to bring most services offline!
• Prevention is the best remedy.
• In recent attacks, we’ve seen around 80,000 open/unsecured
DNS resolvers being used.
  • At just 1 Mbit each, that’s 80 Gbit!
  • 1 Mbit of traffic may not be noticed by most operators.
  • 80 Gbit at the target is easily noticed!
23. Where are the open resolvers?
• Nearly everywhere!
• As of 24th Nov 2013, observed by the Open Resolver Project:
  • 32,575,304 total responses to the UDP/53 probe
  • 31,925,357 unique IPs
  • 28,160,599 responses had the recursion-available bit set
Data on: 24th Nov 2013, Source: openresolverproject.org
24. Where are the open resolvers?
[Map: Name servers per country that permit recursion]
Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
25. Where are the open resolvers in Asia?
Country              Open resolvers    Country              Open resolvers
China                     2657680      New Zealand                 12859
Taiwan                    1292091      Nepal                        3913
South Korea                960114      New Caledonia                3020
Japan                      273184      Fiji                         2522
Thailand                   232914      Cambodia                     2121
India                      195041      Laos                         2024
Hong Kong                  107286      Sri Lanka                    1528
Singapore                   69721      Macau                        1225
Indonesia                   64362      Maldives                      790
Australia                   62959      Mongolia                      480
Pakistan                    47728      Afghanistan                   444
Vietnam                     45885      Brunei Darussalam             246
Malaysia                    45667      Papua New Guinea              146
Philippines                 31740      Bhutan                         99
Bangladesh                  17826      Vanuatu                        25
Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
26. Fixing this? Preventative Measures!
• BCP 38
  • Source address filtering: a host should not be able to spoof addresses.
  • Needs to be done in hosting and ISP environments.
  • If the victim’s IP can’t be spoofed, the attack stops.
  • Will also help stop other attack types
  (e.g. spoofed SYN floods).
• BCP 140 / RFC 5358
  • Preventing Use of Recursive Name Servers in Reflector
  Attacks
  • Provide recursive name lookup service only to the
  intended clients.
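BCP 38 on the list above is the one item that is applied in the network rather than on the name server. The ruleset below is an added example of what it looks like on a Linux box acting as a customer-facing access router; it is not from the slides or from CloudFlare. eth1 as the customer port and 203.0.113.0/24 (an RFC 5737 documentation prefix) as that customer's allocation are assumptions. It is written in nftables syntax; the equivalent on Cisco IOS is `ip verify unicast source reachable-via rx` on the customer interface, and the host-level equivalent on Linux is `net.ipv4.conf.all.rp_filter = 1`.

```conf
# BCP 38 ingress filter (nftables). Drops anything arriving from the customer
# side that does not carry a source address the customer actually holds, so a
# host behind eth1 cannot put a victim's address on a DNS query.

table inet bcp38 {
    chain ingress_customer {
        type filter hook prerouting priority -300; policy accept;

        # Customer port with a static allocation: only its own prefix may
        # appear as a source. Everything else is spoofed by definition.
        iifname "eth1" ip saddr != 203.0.113.0/24 counter log prefix "bcp38-spoof " drop

        # Any port: if the route back to the source does not leave through the
        # interface the packet came in on, treat it as spoofed
        # (strict unicast reverse path forwarding, RFC 3704).
        fib saddr . iif oif missing counter drop
    }
}
```

Strict reverse-path checking is right for single-homed customer ports, where there is exactly one correct way back to every legitimate source. At peering or transit edges, where routing is often asymmetric, use loose mode (`fib saddr oif missing drop`, which only asks whether any route to the source exists) or the explicit prefix rule, otherwise legitimate traffic is dropped. Run the rules with `counter` and without `drop` first and watch the counters before enforcing.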
27. Fixing this? Preventative Measures!
• DNS server maintenance
  • Secure the servers!
  • Lock down recursion to your own IP addresses
  • Disable recursion
  • If the server’s only purpose is authoritative DNS, disable
  recursion
• Historical accidents / incorrect configuration
  • Some packages (e.g. Plesk, cPanel) have shipped with a
  recursive DNS server on by default.
• Update Internet router / modem firmware.
  • Some older firmware has security bugs
  • Allows administration from the WAN (including DNS, SNMP)
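For the "lock down recursion" and "disable recursion" items above, the named.conf fragments below are an added example in BIND 9 syntax, not from the slides or from CloudFlare. 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation prefixes standing in for the operator's own client ranges, an assumption. Three `options` blocks are shown as alternatives; a real named.conf contains exactly one.

```conf
// Before: the kind of default some hosting packages shipped with. Recursion
// is on and no ACL limits it, so any host on the Internet can use this box
// as a reflector.
options {
    recursion yes;
};

// After, for a caching resolver serving your own customers (RFC 5358 section 3):
// recurse only for listed prefixes and keep outsiders out of the cache too.
acl "our-clients" { 127.0.0.0/8; 192.0.2.0/24; 203.0.113.0/24; };
options {
    recursion yes;
    allow-recursion { "our-clients"; };
    allow-query-cache { "our-clients"; };
    rate-limit { responses-per-second 10; };   // RRL (BIND 9.9.4+) damps what still reflects
};

// After, for an authoritative-only server: no recursion for anyone. Zone data
// is public, so queries stay open, but RRL matters here too, because an
// authoritative server reflects its own (possibly DNSSEC-signed) zones.
options {
    recursion no;
    allow-query-cache { none; };
    rate-limit { responses-per-second 10; };
};
```

Verify from an address outside the ACL: `dig @server www.example.com` should come back with status REFUSED and no `ra` flag, while the same query from inside the ACL answers as before. If the server is also authoritative for some zones, queries for those zones keep working from everywhere under both "after" configurations.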
28. The Trend of the Internet
State Of The Internet Report Q2 2013
29. Average Peak Connection Speed
• Malaysia is #8 in Asia (#44 globally)
• Represents an average of the maximum measured connection
speeds across all of the unique IP addresses seen by Akamai
• The average is used to mitigate the impact of unrepresentative
maximum measured connection speeds.
[Chart: Average Peak Connection Speed by Asia Pacific Country/Region]
30. Average Connection Speed
• Malaysia is #9 in Asia (#64 globally)
• The number of slow countries (1 Mbps or less) is decreasing:
Q4 2012: 18 countries → Q1 2013: 14 countries → Q2 2013: 11 countries
[Chart: Average Connection Speed by Asia Pacific Country/Region]
31. Average Connection Speed - MY
• Malaysia’s average connection speed increased from 1.2 Mbps three years
ago to 3.1 Mbps in June 2013
32. What about mobile connections in Asia?
• Mobile average peak connection speed in MY is 39.8 Mbps (global average
is 18.9 Mbps)
• Mobile average connection speed in MY is 3.4 Mbps (global average is
3.3 Mbps)
Measured over ASNs classified as pure mobile operators
33. Total Monthly Mobile Traffic
• Observed by Ericsson
• Data traffic from Q2 2012 to Q2 2013 almost doubled!
• Voice kept growing at a rate of 5% from Q2 2012 to Q2 2013
34. Observations after the World IPv6 Launch Anniversary
IPv6 traffic continues to grow steadily after World IPv6 Launch
• As of Q2 2013:
  • 20 billion content requests per day over IPv6
  • 1-2% of total request volume
  • double the level seen in the second half of 2012
• We really are running out of IPv4!
35. Summary
• Akamai Intelligent Platform
  • Highly distributed edge servers, DNS-based mapping
• Peering with Akamai
  • Improves user experience, reduces transit/peering cost
• Open resolvers are harmful to the Internet community
  • Secure your DNS server, secure the Internet
• The Internet is growing
  • Internet penetration and speed are growing
  • Internet everywhere via mobile networks
  • IPv6 traffic is still small today, but catching up
36. Questions?
Kams Yeung <kams@akamai.com>
More information:
Peering: http://as20940.peeringdb.com
SOTI Report: http://www.akamai.com/stateoftheinternet/
IPv6: http://www.akamai.com/ipv6
Acknowledgement:
Tomas Paseka <tom@cloudflare.com>