Peering, Security and Traffic Trend
Kams Yeung, Akamai Technologies
MyNOG-3, 28th Nov 2013


Page 1

Page 2

©2012 AKAMAI | FASTER FORWARD™

Agenda

Akamai Introduction
• Who's Akamai?
• Intelligent Platform

Basic CDN Technology
• Akamai mapping

Peering with Akamai
• Why Akamai peers with ISPs and Akamai's connection to IX

Secure the Internet - DNS Security
• Open resolvers and reflection attacks

Internet Traffic Trend
• Connection speed, mobile connection, IPv6

Page 3

Akamai Introduction

Page 4

Akamai Overview

Who is Akamai?

Akamai is a leading provider of a cloud platform which delivers, accelerates and secures content and applications over the Internet. Our key differentiator is our highly distributed (intelligent) platform, made up of more than 100,000 servers in 80 countries.

• Publicly traded: NASDAQ: AKAM
• Founded: August 1998
• Headquarters: Cambridge, MA, USA
• 30+ worldwide offices, including Europe and Asia
• 3,400+ employees worldwide

Page 5

The Akamai Intelligent Platform

The world's largest on-demand, distributed computing platform delivers all forms of web content and applications.

Typical daily traffic:
• More than 2 trillion requests served
• Delivering over 10 Terabits/second
• 15-30% of all daily web traffic

The Akamai Intelligent Platform:
• 137,000 servers
• 2,000+ locations
• 87 countries
• 1,150 networks
• 700+ cities

Page 6

Basic CDN Technology

Akamai mapping

Page 7

How CDNs Work

When content is requested from a CDN, the user is directed to the optimal server.
• This is usually done through the DNS, especially for non-network CDNs, e.g. Akamai
• It can be done through anycasting for network-owned CDNs

Users who query DNS-based CDNs are returned different A (and AAAA) records for the same hostname. This is called "mapping". The better the mapping, the better the user experience.

Page 8

How the Akamai CDN Works

Example of Akamai mapping
• Notice the different A records for different locations (and the short 20-second TTL, which lets the mapping change quickly):

[Kuala Lumpur]% host www.akamai.com
www.akamai.com. CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 203.82.77.42
a152.dscb.akamai.net. 20 IN A 203.82.77.57

[Kuching]% host www.akamai.com
www.akamai.com. CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 203.82.76.27
a152.dscb.akamai.net. 20 IN A 203.82.76.26

Page 9

How the Akamai CDN Works

Akamai uses multiple criteria to choose the optimal server.
• These include standard network metrics:
  • Latency
  • Throughput
  • Packet loss
• They also include things like CPU load on the server, disk (HD) space, network utilization, etc.

Page 10

Peering with Akamai

How does Akamai use IXes?

Page 11

Why Akamai Peers with ISPs

Improved performance
• Akamai tries to serve content as "close" to the end users as possible

Peering gives better throughput
• Reduced latency and packet loss

Redundancy
• Having more possible vectors to deliver content

Burstability
• During large events, having multiple networks allows for higher burstability

Page 12

Why Akamai Peers with ISPs

Peering reduces costs
• Reduces the transit bill

Network intelligence
• Receiving BGP directly from multiple ASes helps CDNs map the Internet

Backup for on-net servers
• If there are servers on-net, the peering can act as a backup during downtime and overflow
• Allows serving different content types

Page 13

How Akamai uses IXes

• Akamai (a non-network CDN) does not have a backbone, so each IX instance is independent
• Akamai uses transit to pull content into the servers
• Content is then served to peers over the IX

(Diagram: Origin Server → Transit → CDN Servers → IX → Peer Network; the content flows from the origin into the CDN servers and out to peers)

Page 14

How Akamai uses IXes

Akamai usually does not announce large blocks of address space, because no single location has a large number of servers.
• It is not uncommon to see a single /24 from Akamai at an IX

This does not mean you will not see a lot of traffic.
• How many web servers does it take to fill a gigabit these days?

Page 15

Akamai connection to MyIX

Akamai is going to connect to MyIX in mid-Dec 2013
• Node: TM01 (Cyberjaya)
• Port: 10G
• IPv4 = 218.100.44.170/24
• IPv6 = 2001:DE8:10::71/112

This does not mean you will see a lot of traffic.
• The Akamai node connecting to MyIX is aimed mainly at serving HTTPS traffic at the beginning.

Page 16

Secure the Internet

Open resolvers and DNS reflection attack

Page 17

Source: www.cloudflare.com

Open Resolvers

Why do resolvers exist?
• They exist to aggregate and cache queries
• Not every computer runs its own recursive resolver
• ISPs and large enterprises run these
• They query through the root servers and the DNS tree to resolve domains
• They cache results and deliver cached results to clients

Open resolvers
• Recursive lookup
• Answer recursive queries from any client

Some public services:
• Google DNS, OpenDNS, Level 3, etc.
• These are "special" set-ups and are secured

Page 18

Open Resolvers – The Problem!

Example of a DNS-based reflection attack exceeding 70Gbit.
• There are millions of DNS resolvers
• Many of these are not secured
• Non-secured DNS resolvers can and will be abused
• CloudFlare has seen DNS reflection attacks hit 300Gbit/s of traffic globally

Page 19

Reflection Attack

• UDP query
• Spoofed source
  • The source address is the address of the intended victim
  • The DNS server is thus used to attack the victim (the spoofed source address)
• Amplification used
  • Querying domains like ripe.net or isc.org
  • ~64 byte query (from the attacker)
  • ~3233 byte reply (from the unsecured DNS server)
  • 50x amplification!
• Running an unsecured DNS server helps attackers!

Page 20

Reflection Attack

• What is a reflection attack?

In a reflection attack, an attacker makes a request to the open resolver using a UDP packet whose source IP is the IP address of the target. The request is usually one that will result in a large response, such as a DNS ANY request or a DNSSEC request, which allows the attacker to multiply up to 100x the amount of bandwidth sent to the target web server. The "multiplication" factor is what makes this particular attack dangerous, as traffic can reach up to 200-300Gbps. The Spamhaus attack is one example of a recent reflection attack.

Page 21

Reflection Attack

(Diagram: the attacker sends "ANY isc.org" queries, with the attack target's address as the spoofed source, to many unsecured DNS recursors; each recursor sends its large reply to the attack target.)

Page 22

Reflection Attack

• With 50x amplification:
  • 1Gbit uplink from the attacker (e.g. dedicated servers)
  • 50Gbit attack
  • Enough to bring most services offline!
• Prevention is the best remedy.
• In recent attacks, we've seen around 80,000 open/unsecured DNS resolvers being used.
  • At just 1Mbit each, that's 80Gbit!
  • 1Mbit of traffic may not be noticed by most operators.
  • 80Gbit at the target is easily noticed!

Page 23

Where are the open resolvers?

• Nearly everywhere!
• As of 24th Nov, 2013, observed from the Open Resolver Project:
  • 32,575,304 total responses to the UDP/53 probe
  • 31,925,357 unique IPs
  • 28,160,599 responses had the recursion-available bit set

Data on: 24th Nov 2013, Source: openresolverproject.org
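An added example (not from the slides or from the Open Resolver Project) of the check the UDP/53 probe above relies on, written as a self-test for resolvers you operate: send a plain recursive query and classify the reply by its recursion-available (RA) bit, RCODE and answer count. The function names, the example.com probe name and the constructed replies are my own assumptions.

```python
import random
import socket
import struct

def build_probe(qname="example.com", qtype=1):
    """Build a plain A query with the RD (recursion desired) flag set."""
    txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100 = RD
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # qtype, class IN

def parse_header(txid, data):
    """Return the QR/RA flags, RCODE and answer count from a DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an, "size": len(data)}

def is_open_resolver(txid, data):
    """Open = the server recursed for us on a zone it is not authoritative for:
    RA set, RCODE 0 (NOERROR) and at least one answer. A locked-down resolver
    answers REFUSED (RCODE 5), often still with RA set, so RA alone is not enough."""
    h = parse_header(txid, data)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["answers"] > 0

def probe(server, qname="example.com", timeout=2.0):
    """Send the probe over UDP to one of your own servers and classify its reply."""
    txid, pkt = build_probe(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return is_open_resolver(txid, data)

def constructed_reply(txid, flags, answer):
    """Constructed sample reply (not captured traffic) for offline testing:
    question example.com/A/IN, optionally one A record pointing at 192.0.2.1."""
    q = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]) if answer else b""
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0) + q + rr
```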

Page 24

Where are the open resolvers?

(Chart: name servers per country that permit recursion)

Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer

Page 25

Where are the open resolvers in Asia?

Country               Open resolvers
China                        2657680
Taiwan                       1292091
South Korea                   960114
Japan                         273184
Thailand                      232914
India                         195041
Hong Kong                     107286
Singapore                      69721
Indonesia                      64362
Australia                      62959
Pakistan                       47728
Vietnam                        45885
Malaysia                       45667
Philippines                    31740
Bangladesh                     17826
New Zealand                    12859
Nepal                           3913
New Caledonia                   3020
Fiji                            2522
Cambodia                        2121
Laos                            2024
Sri Lanka                       1528
Macau                           1225
Maldives                         790
Mongolia                         480
Afghanistan                      444
Brunei Darussalam                246
Papua New Guinea                 146
Bhutan                            99
Vanuatu                           25

Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer

Page 26

Source: www.cloudflare.com

Fixing this? Preventative Measures!

• BCP 38
  • Source filtering: you shouldn't be able to spoof addresses
  • Needs to be done in hosting and ISP environments
  • If the victim's IP can't be spoofed, the attack will stop
  • Will also help stop other attack types (e.g. spoofed SYN flood)
• BCP 140 / RFC 5358
  • Preventing Use of Recursive Name Servers in Reflector Attacks
  • Provide recursive name lookup service only to the intended clients

Page 27

Fixing this? Preventative Measures!

• DNS server maintenance
  • Secure the servers!
  • Lock down recursion to your own IP addresses
  • Disable recursion
    • If the server's only purpose is authoritative DNS, disable recursion
• Historical accidents / incorrect configuration
  • Some packages (e.g. Plesk, cPanel) have included a recursive DNS server on by default
• Update Internet routers / modems firmware
  • Some older firmware has security bugs
  • Allows administration from the WAN (including DNS, SNMP)
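An added example (not from the slides, Akamai or CloudFlare) of what "lock down recursion" and "disable recursion" look like in BIND 9's named.conf. The ACL name and address ranges are placeholders for your own client ranges, and the three options blocks are alternatives to compare, not one file.

```conf
// 1. Open resolver (the configuration the slides warn about):
//    any host on the Internet can send this server recursive queries.
options {
    recursion yes;
    allow-recursion { any; };
};

// 2. Locked down per BCP 140 / RFC 5358: recurse only for your own clients.
//    Outside hosts get REFUSED instead of a large, reflectable answer.
acl "my-clients" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // placeholder: your IPv4 customer/office ranges
    2001:db8::/32;     // placeholder: your IPv6 ranges
};
options {
    recursion yes;
    allow-recursion { my-clients; };
    allow-query-cache { my-clients; };   // also keep cached answers to your clients
};

// 3. Authoritative-only server: no recursion at all.
options {
    recursion no;
};
```

After a reload, the UDP/53 probe described on the previous slides should get REFUSED from outside your ranges in cases 2 and 3.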

Page 28

The Trend of Internet

State Of The Internet Report Q2 2013

Page 29

Average Peak Connection Speed

• Malaysia is #8 in Asia (#44 globally)
• Represents an average of the maximum measured connection speeds across all of the unique IP addresses seen by Akamai
• The average is used to mitigate the impact of unrepresentative maximum measured connection speeds

(Chart: Average Peak Connection Speed by Asia Pacific Country/Region)

Page 30

Average Connection Speed

• Malaysia is #9 in Asia (#64 globally)
• Decrease in slow countries (1Mbps or less)
  • Q4 2012: 18 countries → Q1 2013: 14 countries → Q2 2013: 11 countries

(Chart: Average Connection Speed by Asia Pacific Country/Region)

Page 31

Average Connection Speed - MY

• Malaysia's average connection speed increased from 1.2Mbps three years ago to 3.1Mbps in June 2013

Page 32

What about mobile connections in Asia?

• Mobile average peak connection speed in MY is 39.8Mbps (global average is 18.9Mbps)
• Mobile average connection speed in MY is 3.4Mbps (global average is 3.3Mbps)

(Measured on ASNs classified as pure mobile operators)

Page 33

Total Monthly Mobile Traffic

• Observed by Ericsson
• Data traffic from Q2 2012 to Q2 2013 almost doubled!
• Voice kept growing at a rate of 5% from Q2 2012 to Q2 2013

Page 34

Observations after the World IPv6 Launch Anniversary

IPv6 traffic continues to grow steadily after World IPv6 Launch
• As of Q2 2013:
  • 20 billion content requests per day over IPv6
  • 1-2% of total request volume
  • Double the level seen in the second half of 2012
• We really are running out of IPv4!

Page 35

Summary

• Akamai Intelligent Platform
  • Highly distributed edge servers, DNS-based mapping
• Peering with Akamai
  • Improves user experience, reduces transit/peering cost
• Open resolvers are harmful to the Internet community
  • Secure your DNS server, secure the Internet
• The Internet is growing
  • Internet penetration and speed are growing
  • Internet everywhere via mobile networks
  • IPv6 traffic is still small today, but catching up

Page 36

Questions?

Kams Yeung <[email protected]>

More information:
Peering: http://as20940.peeringdb.com
SOTI Report: http://www.akamai.com/stateoftheinternet/
IPv6: http://www.akamai.com/ipv6

Acknowledgement: Tomas Paseka <[email protected]>