Peering, Security and Traffic Trend
Kams Yeung, Akamai Technologies
MyNOG-3, 28th Nov, 2013
Nov 10, 2014
©2012 AKAMAI | FASTER FORWARDTM
Agenda
Akamai Introduction • Who’s Akamai? • Intelligent Platform
Basic CDN Technology • Akamai mapping
Peering with Akamai • Why Akamai peers with ISPs and Akamai connection to IX
Secure the Internet - DNS Security • Open resolvers and reflection attacks
Internet Traffic Trend • Connection Speed, Mobile connection, IPv6
Akamai Introduction
Akamai Overview
Who is Akamai?
Akamai is a leading provider of a cloud platform which delivers, accelerates and secures content and applications over the Internet. Our key differentiator is our highly distributed (intelligent) platform, made up of more than 100,000 servers in 80 countries.
• Publicly traded: (NASDAQ: AKAM) • Founded: August 1998 • Headquarters: Cambridge, MA, USA • 30+ worldwide offices, including Europe and Asia • 3,400+ employees worldwide
The world’s largest on-demand, distributed computing platform delivers all forms of web content and applications
The Akamai Intelligent Platform
Typical daily traffic: • More than 2 trillion requests served • Delivering over 10 Terabits/second • 15-30% of all daily web traffic
The Akamai Intelligent Platform:
137,000 Servers
2,000+ Locations
87 Countries
1,150 Networks
700+ Cities
Basic CDN Technology
Akamai mapping
How CDNs Work
When content is requested from CDNs, the user is directed to the optimal server
• This is usually done through the DNS, especially for non-network CDNs, e.g. Akamai
• It can be done through anycasting for network-owned CDNs
Users who query DNS-based CDNs are returned different A (and AAAA) records for the same hostname
This is called “mapping”
The better the mapping, the better the user experience.
How the Akamai CDN Works
Example of Akamai mapping • Notice the different A records for different locations:
[Kuala Lumpur]% host www.akamai.com
www.akamai.com. CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 203.82.77.42
a152.dscb.akamai.net. 20 IN A 203.82.77.57
[Kuching]% host www.akamai.com
www.akamai.com. CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 203.82.76.27
a152.dscb.akamai.net. 20 IN A 203.82.76.26
How the Akamai CDN Works
Akamai uses multiple criteria to choose the optimal server • These include standard network metrics:
• Latency • Throughput • Packet loss
• These also include things like CPU load on the server, HD space, network utilization, etc.
Peering with Akamai
How Akamai uses IXes
Why Akamai Peers with ISPs
Improved performance • Akamai tries to serve content as “close” to the end users as possible
Peering gives better throughput • Reduced latency and packet loss
Redundancy • Having more possible vectors to deliver content
Burstability • During large events, having multiple networks allows for higher burstability
Why Akamai Peers with ISPs
Peering reduces costs • Reduces transit bill
Network Intelligence • Receiving BGP directly from multiple ASes helps CDNs map the Internet
Backup for on-net servers • If there are servers on-net, the peering can act as a backup during downtime and overflow
• Allows serving different content types
How Akamai uses IXes
• Akamai (non-network CDNs) do not have a backbone, so each IX instance is independent
• Akamai uses transit to pull content into the servers
• Content is then served to peers over the IX
[Diagram: Origin Server -> Transit -> CDN Servers (Content) -> IX -> Peer Network]
How Akamai uses IXes
Akamai usually does not announce large blocks of address space because no one location has a large number of servers
• It is not uncommon to see a single /24 from Akamai at an IX
This does not mean you will not see a lot of traffic
• How many web servers does it take to fill a gigabit these days?
Akamai connection to MyIX
Akamai is going to connect to MyIX in mid-Dec 2013
Node: TM01 (Cyberjaya)
Port: 10G
IPv4 = 218.100.44.170/24
IPv6 = 2001:DE8:10::71/112
This does not mean you will see a lot of traffic
• The Akamai node connecting to MyIX is aimed at serving mainly HTTPS traffic at the beginning.
Secure the Internet
Open resolvers and DNS reflection attack
Source: www.cloudflare.com
Open Resolvers
Why do resolvers exist? • Exist to aggregate and cache queries
• Not every computer runs its own recursive resolver. • ISPs, large enterprises run these • Query through the root servers and DNS tree to resolve domains • Cache results, and deliver cached results to clients.
Open resolvers • Recursive lookup • Answer recursive queries from any client
Some public services: • Google DNS, OpenDNS, Level 3, etc. • These are “special” set-ups and secured.
Open Resolvers – The Problem!
Example of DNS-based reflection attack exceeding 70Gbit. • There are millions of DNS resolvers. • Many of these are not secured. • Non-secured DNS resolvers can and will be abused • CloudFlare has seen DNS reflection attacks hit 300Gbit/s traffic globally.
Reflection Attack
• UDP query • Spoofed source
• Using the address of the person you want to attack • DNS server used to attack the victim (sourced address)
• Amplification used • Querying domains like ripe.net or isc.org • ~64 byte query (from attacker) • ~3233 byte reply (from unsecured DNS server) • 50x amplification!
• Running an unsecured DNS server helps attackers!
Reflection Attack
• What is a Reflection Attack? In a reflection attack, an attacker makes a request to the open resolver using a UDP packet whose source IP is the IP address of the target. The request is usually one that will result in a large response, such as a DNS ANY request or a DNSSEC request, which allows the attacker to multiply up to 100x the amount of bandwidth sent to the target web server. The "multiplication" factor is what makes this particular attack dangerous, as traffic can reach up to 200-300Gbps. The Spamhaus attack is one example of a recent reflection attack.
Reflection Attack
[Diagram: Attacker sends “ANY isc.org” queries, with the attack target's address as the spoofed source, to many unsecured DNS recursors; each recursor sends a large reply to the attack target]
Reflection Attack
• With 50x amplification: • 1Gbit uplink from attacker (eg: dedicated servers) • 50Gbit attack • Enough to bring most services offline!
• Prevention is the best remedy.
• In recent attacks, we’ve seen around 80,000 open/unsecured DNS resolvers being used.
• At just 1Mbit each, that’s 80Gbit! • 1Mbit of traffic may not be noticed by most operators. • 80Gbit at target is easily noticed!
Where are the open resolvers?
• Nearly everywhere!
• As of: 24th Nov, 2013 • Observed from Open Resolver Project:
32,575,304 total responses to UDP/53 probe
31,925,357 unique IPs
28,160,599 responses had recursion-available bit set
Data on: 24th Nov 2013, Source: openresolverproject.org
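The Open Resolver Project counts a host as an open resolver when its reply to a UDP/53 probe has the recursion-available (RA) bit set; the amplification figures above (a ~64 byte query, a ~3233 byte reply) are just the reply/query size ratio. The following is an added example, not code from the slides, that decodes the DNS header so an operator can check a reply from their own server offline; the two sample headers are constructed.

```python
import struct

# Constructed 12-byte DNS headers (RFC 1035 section 4.1.1), not captured from
# any real server. Field order: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# 0x8180 = QR set, RD set, RA set, RCODE 0: what an open recursor returns.
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 7, 0, 0)
# 0x8105 = QR set, RD set, RA clear, RCODE 5 (REFUSED): recursion locked down.
SAMPLE_CLOSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 1 = this is a response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,       # recursion desired (copied from the query)
        "ra": (flags >> 7) & 1,       # recursion available: the open-resolver signal
        "rcode": flags & 0xF,         # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def answers_recursion(packet: bytes) -> bool:
    """True when a reply advertises recursion and did not refuse the query."""
    h = parse_dns_header(packet)
    return h["qr"] == 1 and h["ra"] == 1 and h["rcode"] == 0


def amplification_factor(query_bytes: int, reply_bytes: int) -> float:
    """Reply size divided by query size, e.g. the slide's 3233/64 case."""
    return reply_bytes / query_bytes


if __name__ == "__main__":
    print("open reply answers recursion:", answers_recursion(SAMPLE_OPEN_REPLY))
    print("closed reply answers recursion:", answers_recursion(SAMPLE_CLOSED_REPLY))
    print("amplification for 64 -> 3233 bytes:", round(amplification_factor(64, 3233), 1))
```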
Where are the open resolvers?
Name servers per country that permit recursion
Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
Where are the open resolvers in Asia?
Country          Open resolvers    Country             Open resolvers
China                 2,657,680    New Zealand                 12,859
Taiwan                1,292,091    Nepal                        3,913
South Korea             960,114    New Caledonia                3,020
Japan                   273,184    Fiji                         2,522
Thailand                232,914    Cambodia                     2,121
India                   195,041    Laos                         2,024
Hong Kong               107,286    Sri Lanka                    1,528
Singapore                69,721    Macau                        1,225
Indonesia                64,362    Maldives                       790
Australia                62,959    Mongolia                       480
Pakistan                 47,728    Afghanistan                    444
Vietnam                  45,885    Brunei Darussalam              246
Malaysia                 45,667    Papua New Guinea               146
Philippines              31,740    Bhutan                          99
Bangladesh               17,826    Vanuatu                         25
Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
Fixing this? Preventative Measures!
• BCP-38
• Source filtering: you shouldn’t be able to spoof addresses.
• Needs to be done in hosting and ISP environments.
• If the victim’s IP can’t be spoofed the attack will stop
• Will also help stop other attack types (eg: spoofed SYN flood).
• BCP-140 / RFC-5358
• Preventing Use of Recursive Name Servers in Reflector Attacks
• Provide recursive name lookup service to only the intended clients.
Fixing this? Preventative Measures!
• DNS Server Maintenance • Secure the servers! • Lock down recursion to your own IP addresses
• Disable recursion • If the server’s only purpose is authoritative DNS, disable recursion
• Historical accidents / incorrect configuration • Some packages (eg, Plesk, cPanel) have included a recursive DNS server on by default.
• Update Internet routers / modems firmware. • Some older firmware has security bugs • Allows administration from WAN (including DNS, SNMP)
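One way to check whether the BCP-140 advice above (recursion only for intended clients, no ANY-based amplification) is actually holding is to audit the resolver's own query log. The following is an added example, not from the slides or from CloudFlare; it assumes BIND 9 style query-log lines (“client <ip>#<port>: query: <name> IN <type> <flags> (<server ip>)”, where a leading “+” in the flags means the client asked for recursion), the sample lines are constructed, and 192.0.2.0/24 stands in for the operator's own customer prefix.

```python
import ipaddress
import re

# Constructed BIND 9 style query-log lines (assumed format, not from any real
# server). "+" in the flags column = client set RD (recursion desired).
SAMPLE_LOG = """\
client 192.0.2.10#51234: query: www.example.net IN A +E (203.0.113.1)
client 198.51.100.77#33020: query: isc.org IN ANY + (203.0.113.1)
client 198.51.100.78#40112: query: ripe.net IN ANY +E (203.0.113.1)
client 192.0.2.11#51300: query: mail.example.net IN MX + (203.0.113.1)
client 198.51.100.9#1025: query: example.net IN A - (203.0.113.1)
"""

# Assumed: the only prefixes that should receive recursion (BCP-140 / RFC 5358).
ALLOWED_CLIENTS = ["192.0.2.0/24"]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def audit_query_log(text: str, allowed=ALLOWED_CLIENTS) -> list:
    """Return (client_ip, qname, qtype, reasons) for each line that shows
    recursion being requested from outside the allowed prefixes, or an ANY
    query (the type the slides name as the amplification vector).
    The log records what was asked, so a hit means the server is reachable
    for such requests; whether it answered depends on its recursion ACL."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log line; skip
        client = ipaddress.ip_address(m["ip"])
        recursive = m["flags"].startswith("+")
        inside = any(client in net for net in nets)
        reasons = []
        if recursive and not inside:
            reasons.append("recursion requested from outside allowed prefixes")
        if m["qtype"] == "ANY":
            reasons.append("ANY query (amplification-friendly response)")
        if reasons:
            findings.append((str(client), m["name"], m["qtype"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_query_log(SAMPLE_LOG):
        print(f)
```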
The Trend of the Internet
State Of The Internet Report Q2 2013
Average Peak Connection Speed
• Malaysia is #8 in Asia (#44 in Global)
• Represents an average of the maximum measured connection speeds across all of the unique IP addresses seen by Akamai
• The average is used to mitigate the impact of unrepresentative maximum measured connection speeds.
Average Peak Connection Speed by Asia Pacific Country/Region
Average Connection Speed
• Malaysia is #9 in Asia (#64 in Global)
• Decrease of slow countries (1Mbps or less)
• Q4 2012: 18 countries → Q1 2013: 14 countries → Q2 2013: 11 countries
Average Connection Speed by Asia Pacific Country/Region
Average Connection Speed - MY
• Malaysia’s average connection speed increased from 1.2Mbps 3 years ago to 3.1Mbps in Jun, 2013
What about mobile connection in Asia?
• Mobile average peak connection speed in MY is 39.8Mbps (Global average is 18.9Mbps)
• Mobile average connection speed in MY is 3.4Mbps (Global average is 3.3Mbps)
ASNs classified as pure mobile operators
Total Monthly Mobile Traffic • Observed by Ericsson • Data traffic from Q2 2012 to Q2 2013 almost doubled! • Voice keeps growing at the rate of 5% from Q2 2012 to Q2 2013
Observations after World IPv6 Launch Anniversary
IPv6 traffic continues to grow steadily after World IPv6 Launch • As of Q2, 2013 • 20 billion content requests per day over IPv6 • 1-2% of total request volume • double the level seen in the second half of 2012 • We really are running out of IPv4!
Summary
• Akamai Intelligent Platform • Highly distributed edge servers, DNS-based mapping
• Peering with Akamai • Improve user experience, reduce transit/peering cost
• Open Resolvers are harmful to the Internet community • Secure your DNS server, secure the Internet
• The Internet is growing • Internet penetration and speed are growing • Internet everywhere by mobile network • IPv6 traffic is still small today, but catching up
Questions?
Kams Yeung <[email protected]>
More information:
Peering: http://as20940.peeringdb.com
SOTI Report: http://www.akamai.com/stateoftheinternet/
IPv6: http://www.akamai.com/ipv6
Acknowledgement: Tomas Paseka <[email protected]>