©A10 Networks, Inc.
Handling massive number of subscribers and attacks
June, 2014
APJ Solution Engagement, Solution Architect: Takeki Kumamura
Introductions
A10 Corporate Introduction
Chart, COMPANY GROWTH (2010 to 2013): 54,700,000; 91,493,028; 120,344,000; 142,000,000
Chart, CUSTOMER GROWTH: Q4'11 1,080; Q4'12 2,008; Today 3,000
Headquarters in San Jose; 650 employees; offices in 23 countries; customers in 65 countries
3000+ Customers in 65 Countries
Web Giants, Enterprises, Service Providers
▪ 3 of the top 4 U.S. wireless carriers
▪ 7 of the top 10 U.S. cable providers
▪ The top 3 wireless carriers in Japan
A10 Product Portfolio Overview
IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS
Application Networking Platform (ACOS Platform): ▪ Performance ▪ Scalability ▪ Extensibility ▪ Flexibility
Product Lines on the ACOS Platform:
▪ ADC – Application Delivery Controller: Application Acceleration & Security
▪ CGN – Carrier Grade Networking: IPv4 Extension / IPv6 Migration
▪ TPS – Threat Protection System: Network Perimeter DDoS Security
Handling Massive Number of Subscribers
Exponential Rise in Devices, Users and Traffic
Charts (four panels):
▪ Digital Content: The Digital Universe, 50-fold growth from the beginning of 2010 to the end of 2020. Source: IDC's Digital Universe Study, sponsored by EMC, December 2012
▪ Internet Traffic: IP Traffic by Year. Source: Cisco VNI, 2013
▪ IPv6 Content: Akamai IPv6 Traffic Volume. Source: Akamai
▪ Connected Devices: Total of Connected Devices, Billions of Units (Installed Bases). Source: Gartner (November 2013)
Callout: Extend IPv4 & Migrate to IPv6
How about a real example?
Delegated IPv4 Addresses (top 10) and Populations
Rank  Country                     IPv4 addresses   Population      IPs/Pop.
1     China                       330,600,960      1,365,160,000   0.24
2     Japan                       201,530,368      127,090,000     1.58
3     Korea, Republic of          112,274,176      50,423,955      2.22
4     Australia                   48,270,848       23,533,100      2.05
5     India                       35,762,688       1,245,700,000   0.02
6     Taiwan, Province of China   35,430,656       23,386,883      1.51
7     Indonesia                   17,588,480       247,424,598     0.07
8     Viet Nam                    15,606,528       89,708,900      0.17
9     Hong Kong                   11,807,232       7,219,700       1.63
10    Thailand                    8,615,936        64,456,700      0.13
Sources: http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html and http://en.wikipedia.org/wiki/List_of_countries_by_population
What is the actual number of users?
▪ 17,580,480 IPs "versus" population: 17,580,480 / 247,424,598 = 0.07 IP/person
– But who will actually be using a device with an IP address?
– ISP home networks, and mobile devices.
Increasing Smartphones in Indonesia
                                  2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)           11.7   26.3   41.6   61.2   74.8   89.8   103.6
  – % of mobile phone users       9.0%   16.0%  24.0%  34.0%  40.0%  47.0%  53.0%
  – % of population               4.8%   10.6%  16.6%  24.1%  29.2%  34.8%  39.8%
vs IPv4 addresses (17,580,480)    1.50   0.66   0.42   0.28   0.23   0.19   0.16
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
The NAT "compression rate" of private to global IP addresses increases.
I am already doing NAT
Limitations with Classic NAT
▪ Classic NAT does not allow outside-originated traffic
▪ Legacy implementations lack end-to-end transparency
▪ This causes peer-to-peer, voice, video and streaming applications to break
▪ Scale and performance for carrier-class applications
▪ Carrier Grade NAT, or CGN, supports transparent end-to-end connectivity
▪ Enables oversubscription of global IPv4 resources, which helps scaling
▪ NAT44 or NAT444 options
Diagram: Classic NAT passes inside-originated traffic only; CGN passes both inside-originated and outside-originated traffic.
CGN Use Case: Hairpinning
▪ Two clients, Host A and Host B, behind a common NAT device
▪ Host A to Host B communication using the external binding – Ex: hosts using SIP for communication, registered to an external server (Ex: a SIP service)
Diagram (inside: Host A, Host B; outside: Host S; CGN external address X):
– Host A → Host S: Source A:1024, Dest S:8080; reply Source S:8080, Dest X:9001 (Host A's outside IP/port)
– Host B → Host S: Source B:1024, Dest S:8080; reply Source S:8080, Dest X:9002 (Host B's outside IP/port)
– Host A → Host B via the external binding: Source A:1024, Dest X:9002, turned around by the CGN
– CGN mapping table as drawn (Internal / External / Filter): A:1024/B:8080, X:9001/B:8080, *:*/X:9001
Hairpinning traffic allows inside clients to connect to their outside IP/port.
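The hairpin flow above, as an added illustrative model (not A10's or ACOS code): a toy CGN with endpoint-independent mapping that replays the slide's packets, using the slide's letters A, B, S and X as stand-in addresses and 9001 as the first external port.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port); the slide uses letters A, B, S, X as addresses

@dataclass
class CGN:
    """Toy CGN with endpoint-independent mapping/filtering and hairpinning (a model, not ACOS)."""
    external_ip: str
    next_port: int = 9001                                   # first external port, as on the slide
    inside_to_outside: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    outside_to_inside: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def bind(self, inside: Endpoint) -> Endpoint:
        """Return the outside IP/port for an inside host, allocating one on first use."""
        if inside not in self.inside_to_outside:
            outside = (self.external_ip, self.next_port)
            self.next_port += 1
            self.inside_to_outside[inside] = outside
            self.outside_to_inside[outside] = inside
        return self.inside_to_outside[inside]

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[str, Endpoint, Endpoint]:
        """Inside-originated packet: translate the source; hairpin if dst is one of our own bindings."""
        new_src = self.bind(src)
        peer = self.outside_to_inside.get(dst)
        if peer is not None:
            return ("hairpin", new_src, peer)     # turned around inside the CGN, never leaves it
        return ("forward", new_src, dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Tuple[str, Endpoint, Optional[Endpoint]]:
        """Outside-originated packet: delivered only to an existing binding, otherwise dropped."""
        inside = self.outside_to_inside.get(dst)
        if inside is None:
            return ("drop", src, None)            # unsolicited traffic with no binding is discarded
        return ("deliver", src, inside)

def slide_scenario():
    """Replay the flows from the hairpinning slide (constructed input)."""
    cgn = CGN(external_ip="X")
    a, b, s = ("A", 1024), ("B", 1024), ("S", 8080)
    return [
        cgn.outbound(a, s),              # A registers with S and gets binding X:9001
        cgn.outbound(b, s),              # B registers with S and gets binding X:9002
        cgn.inbound(s, ("X", 9001)),     # S replies to A through A's outside IP/port
        cgn.outbound(a, ("X", 9002)),    # A talks to B via B's external binding: hairpin
        cgn.inbound(s, ("X", 9003)),     # no binding for X:9003, so the packet is dropped
    ]
```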
Back to the story…
Typical NAT Use Cases
Diagram: IPv4 clients in a Service Provider or Enterprise IPv4 network → Consumer NAT (private IPv4 address) → Private/CGN-scoped IPv4 address → CGN/CGNAT/LSN → Public IPv4 address → IPv4 Internet
▪ Enterprise: NAT44
▪ Service Provider: NAT444
▪ Mobile Provider: NAT44
Callout: an increase of the NAT "compression rate" at the CGN leads to: • a smaller number of TCP/UDP sessions • logging issues • no scale in business • etc.
Decreasing Userquota (= TCP/UDP sessions per user)
                                            2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)                     11.7   26.3   41.6   61.2   74.8   89.8   103.6
vs IPv4 addresses (17,580,480)              1.50   0.66   0.42   0.28   0.23   0.19   0.16
Users per IP (allocating 1 IP per user)     1      2      3      4      5      6      7
Userquota (= TCP/UDP sessions per user)     64000  32000  21300  16000  12800  10600  9100
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
This may be a good case (using the whole IP address pool of the country at once).
IPv4 preservation cannot last forever.
A10's IPv6 Migration Options
Options, grouped as Access, Destination and Migration:
▪ 6rd
▪ DS-Lite
▪ Lw-4o6 (unique Service Provider feature)
▪ Stateful NAT64/DNS64
▪ Stateless NAT46
A10 offers a one-box solution!
Diagram: CPE devices on IPv4 or IPv6 access networks reach the IPv4 Internet and the IPv6 Internet through the A10 device.
NAT64 & DNS64 – DNS Flow
▪ The NAT64/DNS64 device owns the IPv6 prefix 2001:DB8:122:344::/96
▪ IPv6 clients sit on an IPv6 network; www.example.com (192.2.0.33) is on the IPv4 Internet; IPv6.example.com is reachable natively on the IPv6 Internet
Flow:
1. IPv6 client sends AAAA query for www.example.com to the NAT64/DNS64 device
2. The device queries the IPv4 Internet DNS: AAAA www.example.com = Error; A www.example.com = 192.2.0.33
3. AAAA response synthesized from the prefix: 2001:DB8:122:344::192.2.0.33
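The synthesis step above, as an added example (not A10's code): DNS64 embeds the A record into the slide's /96 prefix, the NAT64 side recovers the IPv4 destination from that address, and native AAAA answers are passed through untouched. The upstream DNS answers, including the AAAA for IPv6.example.com, are constructed for the example.

```python
import ipaddress
from typing import List, Optional

# NAT64 prefix owned by the NAT64/DNS64 device on the slide; a /96 leaves the low 32 bits for IPv4
NAT64_PREFIX = ipaddress.IPv6Network("2001:DB8:122:344::/96")

def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64: embed an IPv4 address in the /96 NAT64 prefix (RFC 6052 /96 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 prefix layout is modelled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))

def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 data plane: recover the IPv4 destination, or None if the address is native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None                      # native IPv6 destination, routed without translation
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))

def dns64_answer(aaaa_records: List[str], a_records: List[str]) -> List[str]:
    """Synthesize only when the upstream AAAA lookup returned nothing; never shadow native IPv6."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a) for a in a_records]

def slide_flow():
    """Constructed upstream answers mirroring the slide: www.example.com has only an A record."""
    upstream = {
        "www.example.com": ([], ["192.2.0.33"]),        # AAAA = Error, A = 192.2.0.33 (slide)
        "IPv6.example.com": (["2001:db8:1::1"], []),    # constructed native AAAA answer
    }
    return {name: dns64_answer(*records) for name, records in upstream.items()}
```

Python prints the synthesized address in hex form (2001:db8:122:344::c002:21), which is the same address the slide writes with an embedded dotted quad.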
A10 IPv6 Migration: Use Cases (CGN | NAT64/DNS64)
▪ CGN: IPv4 clients to IPv4
– Preserve IPv4 resources
– Maintain current devices and current services with IPv4
▪ NAT64/DNS64: IPv6 clients to IPv4
– Enables IPv6-only clients to connect to IPv4 resources
– New devices and new services start with IPv6 for future expansion
Diagram labels: IPv4 Clients, IPv4 Core, IPv6 Clients, IPv6 Core, IPv6 Internet, CGN / NAT64/DNS64
A10 CGN Benefits for Service Provider & Enterprise
App Reliability
▪ Application layer gateways
▪ Support for diverse applications
▪ HA ensures sessions are maintained
Extend IPv4
▪ Protect IPv4 investments
▪ Preserve existing address allocation
▪ Save time and cost
IPv4 to IPv6 Transition
▪ Ensures smooth conversion
▪ Supports multiple bridging methods
▪ Simultaneous support for IPv4 and IPv6
Handling Massive Number of Attacks
DDoS Problems
▪ Q3 2010, PayPal: discloses cost of attack, £3.5M (~$5.8 million)
▪ Q4 2012, Bank of the West: $900k stolen, DDoS used as a distraction
▪ Q1 2013, Credit Union Regulators: recommend DDoS protection to all members
▪ Q1 2013, al Qassam Cyber Fighters: 10-40 Gbps attacks target 9 major banks
▪ Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
▪ Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
▪ Q4 2013: PPS reaches 35 million
▪ Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
▪ Q1 2014, CloudFlare: 400 Gbps NTP amplification attack
"High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises"
Source: Gartner
Common DDoS Attack Types
▪ Attack intention: make resources unavailable
– Resource exhaustion ▪ Overwhelm equipment (application) capacity
– Volumetric ▪ Flood network capacity
▪ Two attack vectors
– Network attacks (L3-4) ▪ TCP, UDP, ICMP, more…
– Application attacks (L7) ▪ HTTP, DNS, NTP, more…
▪ Emergence of multi-vector attacks (NEW!)
– Multiple attack vectors per incident are on the rise
Thunder TPS for Top US Cloud Provider
▪ Benefits:
– Reduced CAPEX and OPEX
– Reduced data center footprint
– Easily integrated into their custom detection system
▪ Details:
– Replaced market leader appliances
– 78 A10 devices in 26 data centers
– $2.5M+ savings per site, 80%+ support savings
Sample comparison (rack units):
– Thunder TPS 6435: 155 Gbps, 200 MPPS, 1 U
– Market leader 40G solution: 160 Gbps, 160 MPPS, 24 U
Asymmetric Reactive Deployment
▪ Asymmetric reactive deployment
– Classic deployment model
– Scalable solution for DDoS mitigation
– Suitable for Service Providers with ▪ a DDoS scrubbing center service (MSSP) ▪ own services to protect (content provider) ▪ a large-scale core network
▪ Profile
– Traffic redirected to the TPS for scrubbing as needed ▪ Supports BGP for route injection
– Valid traffic forwarded into the network for services ▪ Supports GRE & IP-in-IP tunneling
Diagram: Core Network, End Customer or Data Center, Services; a DDoS Detection System receives telemetry and triggers traffic redirection to the TPS via aXAPI or manual action.
Asymmetric Proactive Deployment
▪ Asymmetric proactive deployment
– For high-performance DDoS detection and mitigation
– DDoS detection and mitigation in one box
– Suitable for large Enterprises and ISPs ▪ Protecting own services ▪ Protecting end customers ▪ Large- to mid-scale core network
▪ Profile
– Inbound traffic always routed toward the TPS
– Insight in peace-time and war-time
– DDoS detection and mitigation at sub-second scale
Diagram: Core Network, Services, End Customer or Data Center
Symmetric Deployment
▪ Symmetric deployment
– Inline DDoS detection and mitigation in one box
– Inspects both inbound and outbound traffic
– Suitable for Enterprises ▪ Protecting own services
▪ Profile
– Fully aware of and inspects L3 – L7 traffic, for both inbound and outbound traffic
– DDoS detection and mitigation at sub-second scale
Real-time detection (HTTP, DNS, TCP, UDP): flood thresholds, protocol anomalies, behavioral anomalies, resource starvation, L7 scripts, black lists
Diagram: Services behind the inline TPS; telemetry goes to a Collection Device / DDoS Detection System, which feeds real-time threshold tuning back to the TPS.
Thunder Threat Protection System (TPS): Next Generation DDoS Protection
Multi-vector Application & Network Protection
▪ Detect & mitigate application & network attacks
▪ Flexible scripting & DPI for rapid response
High Performance Mitigation
▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS), in 1 rack unit
Broad Deployment Options & 3rd Party Integration
▪ Symmetric, asymmetric, out-of-band
▪ Open SDK/RESTful API for 3rd party integration
Summary
ACOS Platform: ADC (Application Delivery Controller), CGN (Carrier Grade Networking), TPS (Threat Protection System)
▪ CGN: Handling Massive Number of Subscribers
▪ TPS: Handling Massive Number of Attacks
▪ For expanding markets, and expanding networks
Thank you! [email protected]