04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura

Published in: Education, Technology

  1. ©A10 Networks, Inc. Handling massive number of subscribers and attacks. June, 2014. APJ Solution Engagement, Solution Architect, Takeki Kumamura
  2. Introductions
  3. A10 Corporate Introduction
     ▪ Headquarters in San Jose
     ▪ 650 Employees
     ▪ Offices in 23 countries
     ▪ Customers in 65 countries
     [Chart: COMPANY GROWTH; axis labels 2010, 2011, 2012, 2013; values 142000000, 120344000, 91493028, 54,700,000]
     [Chart: CUSTOMER GROWTH; axis labels Q4' 11, Q4' 12, Today; values 3000, 2008, 1080]
  4. 3000+ Customers in 65 Countries
     Web Giants, Enterprises, Service Providers
     ▪ 3 of Top 4 U.S. WIRELESS CARRIERS
     ▪ 7 of Top 10 U.S. CABLE PROVIDERS
     ▪ Top 3 WIRELESS CARRIERS IN JAPAN
  5. A10 Product Portfolio Overview
     IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS
     Application Networking Platform:
     ▪ Performance
     ▪ Scalability
     ▪ Extensibility
     ▪ Flexibility
     ACOS Platform: CGN, TPS, ADC
     Product Lines:
     ▪ ADC (Application Delivery Controller) – Application Acceleration & Security
     ▪ CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration
     ▪ TPS (Threat Protection System) – Network Perimeter DDoS Security
  6. Handling Massive Number of Subscribers
  7. Exponential Rise in Devices, Users and Traffic
     Extend IPv4 & Migrate to IPv6
     [Figure panel labels: DIGITAL CONTENT, INTERNET TRAFFIC, IPv6 CONTENT, INTERNET OF]
     ▪ The Digital Universe: 50-fold Growth from the beginning of 2010 to the End of 2020. Source: IDC’s Digital Universe Study, sponsored by EMC, December 2012
     ▪ IP Traffic by Year. Source: Cisco VNI, 2013
     ▪ Akamai IPv6 Traffic Volume. Source: Akamai
     ▪ Total of Connected Devices, Billions of Units (Installed Bases). Source: Gartner (November 2013)
  8. How about a real example?
  9. Delegated IPv4 Addresses (top 10) and Populations

     | #  | Country                   | IPs         | Pop.          | IPs/Pop. |
     |----|---------------------------|-------------|---------------|----------|
     | 1  | China                     | 330,600,960 | 1,365,160,000 | 0.24     |
     | 2  | Japan                     | 201,530,368 | 127,090,000   | 1.58     |
     | 3  | Korea, Republic of        | 112,274,176 | 50,423,955    | 2.22     |
     | 4  | Australia                 | 48,270,848  | 23,533,100    | 2.05     |
     | 5  | India                     | 35,762,688  | 1,245,700,000 | 0.02     |
     | 6  | Taiwan, Province of China | 35,430,656  | 23,386,883    | 1.51     |
     | 7  | Indonesia                 | 17,588,480  | 247,424,598   | 0.07     |
     | 8  | Viet Nam                  | 15,606,528  | 89,708,900    | 0.17     |
     | 9  | Hong Kong                 | 11,807,232  | 7,219,700     | 1.63     |
     | 10 | Thailand                  | 8,615,936   | 64,456,700    | 0.13     |

     Sources: http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html and http://en.wikipedia.org/wiki/List_of_countries_by_population
  10. What is the actual number of users?
      ▪ “Versus” Population = 247,424,598 = 0.07 IP/person
        – But who will actually be using the device with IP addresses?
        – ISP home network, and mobile devices.
      [Figure: two panels, each labelled “17,580,480 IPs vs”]
  11. Increasing Smartphones in Indonesia

      |                                | 2011 | 2012  | 2013  | 2014  | 2015  | 2016  | 2017  |
      |--------------------------------|------|-------|-------|-------|-------|-------|-------|
      | Smartphone users (Mil.)        | 11.7 | 26.3  | 41.6  | 61.2  | 74.8  | 89.8  | 103.6 |
      | – % of mobile phone users      | 9.0% | 16.0% | 24.0% | 34.0% | 40.0% | 47.0% | 53.0% |
      | – % of population              | 4.8% | 10.6% | 16.6% | 24.1% | 29.2% | 34.8% | 39.8% |
      | vs IPv4 addresses (17,580,480) | 1.50 | 0.66  | 0.42  | 0.28  | 0.23  | 0.19  | 0.16  |

      Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
      NAT “Compression rate” of private to global IP increases
  12. I am already doing NAT
  13. Limitations with Classic NAT
      ▪ Classic NAT does not allow outside originated traffic
      ▪ Legacy implementation lacks end-to-end transparency
      ▪ Causes peer-to-peer, voice, video, streaming applications to break
      ▪ Scale and Performance for Carrier Class applications
      ▪ Carrier Grade NAT or CGN supports transparent end-to-end connectivity
      ▪ Enables oversubscription of global IPv4 resources, helps scaling
      ▪ NAT44 or NAT444 options
      [Diagram labels: Inside originated NAT; Outside originated Classic NAT; Inside originated CGN; Outside originated CGN]
  14. CGN Use Case : Hairpinning
      ▪ Two clients Host A and Host B behind a common NAT device
      ▪ Host A to Host B communication using the external binding
        – Ex: Hosts using SIP for communication registered to an external server (Ex: SIP service)
      Hairpinning Traffic: Allows inside clients to connect to their outside IP/port
      [Diagram: Host A and Host B (Inside), CGN, Host S (Outside); labels Inside IP/port, Outside IP/port, Inside originated]
      Packet labels in the diagram:
      ▪ Source: A:1024 Dest: S:8080
      ▪ Source: A:1024 Dest: X:9002
      ▪ Source: B:1024 Dest: S:8080
      ▪ Source: B:1024 Dest: X:9001
      ▪ Source: S:8080 Dest: X:9001
      ▪ Source: S:8080 Dest: X:9002
      Mapping table in the diagram:

      | Internal      | External      | Filter     |
      |---------------|---------------|------------|
      | A:1024/B:8080 | X:9001/B:8080 | *:*/X:9001 |
  15. Back to the story…
  16. Typical NAT Use Cases
      ▪ Enterprise NAT44
      ▪ Service Provider NAT444
      ▪ Mobile Provider NAT44
      [Diagram labels: Consumer; NAT/Private IPv4 Address; Private/CGN Scoped IPv4 Address; CGN/CGNAT/LSN; Public IPv4 Address; IPv4 Internet; Service Provider or Enterprise IPv4 Network; IPv4 Clients]
      • Increase of NAT “compression rate” here leads to:
        • Smaller number of TCP/UDP sessions
        • Logging issues
        • No scale in business
        • etc, etc.
  17. Decreasing Userquota (= TCP/UDP sessions per user)

      |                                            | 2011  | 2012  | 2013  | 2014  | 2015  | 2016  | 2017  |
      |--------------------------------------------|-------|-------|-------|-------|-------|-------|-------|
      | Smartphone users (Mil.)                    | 11.7  | 26.3  | 41.6  | 61.2  | 74.8  | 89.8  | 103.6 |
      | vs IPv4 addresses (17,580,480)             | 1.50  | 0.66  | 0.42  | 0.28  | 0.23  | 0.19  | 0.16  |
      | User per IP (allocating 1 IP per user)     | 1     | 2     | 3     | 4     | 5     | 6     | 7     |
      | Userquota (= TCP/UDP sessions per user)    | 64000 | 32000 | 21300 | 16000 | 12800 | 10600 | 9100  |

      Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
      This may be a good case (using whole IP address pool of country at once)
  18. IPv4 preservation cannot last forever.
  19. A10's IPv6 Migration Options
      ▪ 6rd
      ▪ DS-Lite
      ▪ Lw-4o6
      ▪ Stateful NAT64/DNS64
      ▪ Stateless NAT46
      A10 offers One box solution! Unique Service Provider feature
      [Diagram labels: Access, Destination, Migration; IPv4, IPv6; IPv6 Internet, IPv4 Internet; CPE]
  20. NAT64 & DNS64 – DNS Flow
      ▪ AAAA Query www.example.com
      ▪ AAAA www.example.com = Error
      ▪ A www.example.com = 192.2.0.33
      ▪ AAAA Response: 2001:DB8:122:344::192.2.0.33
      ▪ NAT64/DNS64 device owns IPv6 Prefix 2001:DB8:122:344::/96
      [Diagram labels: IPv6 Clients; NAT64/DNS64; DNS; IPv6; IPv4; IPv6+IPv4; www.example.com 192.2.0.33; IPv4 Internet; IPv6.example.com; IPv6 Internet]
  21. A10 IPv6 Migration: Use Cases (CGN | NAT64/DNS64)
      ▪ CGN: IPv4 clients to IPv4
        – Preserve IPv4 resources
        – Maintain current devices, and current services with IPv4
      ▪ NAT64/DNS64: IPv6 clients to IPv4
        – Enables IPv6 only clients to connect to IPv4 resources
        – New devices, and new services start with IPv6 for future expansions
      [Diagram labels: IPv4 Clients; IPv4 Core; IPv6 Clients; IPv6 Core; IPv6 Internet; CGN; NAT64/DNS64]
  22. A10 CGN Benefits for Service Provider & Enterprise
      App Reliability
      ▪ Application Layer gateways
      ▪ Support for diverse applications
      ▪ HA ensures sessions maintained
      Extend IPv4
      ▪ Protect IPv4 investments
      ▪ Preserve existing address allocation
      ▪ Save time and cost
      IPv4 IPv6 Transition
      ▪ Ensures smooth conversion
      ▪ Supports multiple bridging methods
      ▪ Simultaneous support for IPv4 and IPv6
  23. Handling Massive Number of Attacks
  24. DDoS Problems
      ▪ Q3 2010: PayPal. Discloses cost of attack £3.5M (~$5.8 million)
      ▪ Q1 2013: Credit Union Regulators. Recommend DDoS protection to all members
      ▪ Q4 2012: Bank of the West. $900k stolen, DDoS as a distraction
      ▪ Q1 2013: al Qassam Cyber Fighters. 10-40 Gbps attacks target 9 major banks
      ▪ Q1 2014: CloudFlare. 400 Gbps NTP amplification attack
      ▪ Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
      ▪ Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
      ▪ Q4 2013: PPS reaches 35 million
      ▪ Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
      “High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises” Source: Gartner
  25. Common DDoS Attack Types
      ▪ Attack intentions: Make resources unavailable
        – Resource exhaustion
          ▪ Overwhelm equipment (application) capacity
        – Volumetric
          ▪ Flood network capacity
      ▪ Two attack vectors
        – Network attacks (L3-4)
          ▪ TCP, UDP, ICMP, more…
        – Application attacks (L7)
          ▪ HTTP, DNS, NTP, more…
      ▪ Emergence of multi-vector attacks
        – Multiple attack vectors per incident are on the rise
      [Callout: NEW!]
  26. Thunder TPS for Top US Cloud Provider
      ▪ Benefits:
        – Reduced CAPEX and OPEX
        – Reduced data center footprint
        – Easily integrated into their custom detection system
      ▪ Details:
        – Replaced market leader appliances
        – 78 A10 devices, in 26 data centers
        – $2.5 M+ savings per site, 80%+ support savings
      Sample comparison (Rack Units):

      | Solution                   | Throughput | Packet rate | Rack units |
      |----------------------------|------------|-------------|------------|
      | Thunder TPS 6435           | 155 Gbps   | 200 MPPS    | 1 U        |
      | Market leader 40G solution | 160 Gbps   | 160 MPPS    | 24 U       |
  27. Asymmetric Reactive Deployment
      ▪ Asymmetric reactive deployment
        – Classic deployment model
        – Scalable solution for DDoS mitigation
        – Suitable for Service Providers with
          ▪ DDoS scrubbing center service (MSSP)
          ▪ Protecting own services (content provider)
          ▪ Large scale core network
      ▪ Profile
        – Traffic redirected to TPS for scrubbing as needed
          ▪ Support BGP for route injection
        – Valid traffic forwarded into network for services
          ▪ Support GRE & IP-in-IP tunneling
      [Diagram labels: Core Network; End Customer or Data Center; Services; DDoS Detection System; aXAPI / Manual Action; Traffic Redirection; Telemetry]
  28. Asymmetric Proactive Deployment
      ▪ Asymmetric Proactive Deployment
        – For high performance DDoS detection and mitigation
        – DDoS detection and mitigation in one box
        – Suitable for Large Enterprises and ISPs
          ▪ Protecting own services
          ▪ Protecting end customers
          ▪ Large-mid scale core network
      ▪ Profile
        – Inbound traffic always routed toward TPS
          ▪ Insight in peace-time and war-time
        – DDoS detection and mitigation at sub-second scale
      [Diagram labels: Core Network; Services; End Customer or Data Center]
  29. Symmetric Deployment
      ▪ Symmetric Deployment
        – Inline DDoS detection and mitigation in one box
        – Inspect both inbound and outbound traffic
        – Suitable for Enterprises
          ▪ Protecting own services
      ▪ Profile
        – Fully aware of and inspect L3 – L7 traffic for both inbound and outbound traffic
        – DDoS detection and mitigation at sub-second scale
      Real-time Detection: Flood Thresholds, Protocol Anomalies, Behavioral Anomalies, Resource Starvation, L7 Scripts, Black Lists (HTTP, DNS, TCP, UDP)
      [Diagram labels: Telemetry; DDoS Detection System; Collection Device; Real-time Threshold Tuning; Services]
  30. Thunder Threat Protection System (TPS): Next Generation DDoS Protection
      Multi-vector protection (Multi-vector Application & Network Protection)
      ▪ Detect & mitigate application & network attacks
      ▪ Flexible scripting & DPI for rapid response
      High performance (High Performance Mitigation)
      ▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit
      Broad Deployment and 3rd Party (Broad Deployment Options & 3rd Party Integration)
      ▪ Symmetric, asymmetric, out-of-band
      ▪ Open SDK/RESTful API for 3rd party integration
  31. Summary
      ACOS Platform: CGN (Carrier Grade Networking), TPS (Threat Protection System), ADC (Application Delivery Controller)
      ▪ Handling Massive Number of Subscribers
      ▪ Handling Massive Number of Attacks
      ▪ For expanding market, and expanding networks
  32. Thank you. tkumamura@a10networks.com
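
The DNS64 step on slide 20 (A record 192.2.0.33 embedded under the device's 2001:DB8:122:344::/96 prefix) and its reverse, which is what lets an analyst map NAT64 destinations in flow logs back to the real IPv4 host, as an added example that is not part of the original slides or of any A10 product. It goes beyond the slide's /96 case to the other prefix lengths defined in RFC 6052; the function names and the sample log destinations are assumptions made for illustration.

```python
import ipaddress

# RFC 6052 allows only these NAT64 prefix lengths; octet 8 (bits 64-71, "u") stays zero.
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def _offsets(prefixlen):
    """Byte positions of the four IPv4 octets inside the 16-byte IPv6 address."""
    if prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{prefixlen} is not an RFC 6052 prefix length")
    positions, pos = [], prefixlen // 8
    while len(positions) < 4:
        if pos != 8:                      # skip the reserved u octet
            positions.append(pos)
        pos += 1
    return positions

def synthesize(prefix, ipv4):
    """Build the AAAA answer a DNS64 returns for an IPv4-only name."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_offsets(net.prefixlen), octets):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Recover the IPv4 destination from an address inside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _offsets(net.prefixlen)))

if __name__ == "__main__":
    PREFIX = "2001:DB8:122:344::/96"      # prefix owned by the NAT64/DNS64 device (slide 20)
    print(synthesize(PREFIX, "192.2.0.33"))
    # Constructed flow-log destinations: one translated, one native IPv6.
    for dst in ("2001:db8:122:344::c002:21", "2001:db8:ffff::1"):
        try:
            print(dst, "->", extract(PREFIX, dst))
        except ValueError as err:
            print(dst, "-> not a NAT64 flow:", err)
```
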