
Content Growth by Kams Yeung



Published in: Technology

  1. Peering, Security and Traffic Trend
     Kams Yeung, Akamai Technologies
     MyNOG-3, 28th Nov, 2013
  2. Agenda
     Akamai Introduction
       • Who’s Akamai?
       • Intelligent Platform
     Basic CDN Technology
       • Akamai mapping
     Peering with Akamai
       • Why Akamai peers with ISPs and Akamai connection to IX
     Secure the Internet - DNS Security
       • Open resolvers and reflection attacks
     Internet Traffic Trend
       • Connection Speed, Mobile connection, IPv6
     ©2012 AKAMAI | FASTER FORWARD™
  3. Akamai Introduction
  4. Akamai Overview
     Who is Akamai? Akamai is a leading provider of a Cloud platform, which delivers, accelerates and secures content and applications over the Internet. Our key differentiator is our highly distributed (intelligent) platform, made up of more than 100,000 servers in 80 countries.
       • Publicly traded: (NASDAQ: AKAM)
       • Founded: August 1998
       • Headquarters: Cambridge, MA, USA
       • 30+ worldwide offices, including Europe and Asia
       • 3,400+ employees worldwide
  5. The Akamai Intelligent Platform
     The world’s largest on-demand, distributed computing platform delivers all forms of web content and applications.
     The Akamai Intelligent Platform: 137,000 Servers, 2,000+ Locations, 1,150 Networks, 700+ Cities, 87 Countries
     Typical daily traffic:
       • More than 2 trillion requests served
       • Delivering over 10 Terabits/second
       • 15-30% of all daily web traffic
  6. Basic CDN Technology: Akamai mapping
  7. How CDNs Work
     When content is requested from CDNs, the user is directed to the optimal server
       • This is usually done through the DNS, especially for non-network CDNs, e.g. Akamai
       • It can be done through anycasting for network-owned CDNs
     Users who query DNS-based CDNs will be returned different A (and AAAA) records for the same hostname
     This is called “mapping”
     The better the mapping, the better the user experience.
  8. How Akamai CDN Works
     Example of Akamai mapping
       • Notice the different A records for different locations:
         [Kuala Lumpur]% host CNAME 20 IN A 20 IN A
         [Kuching]% host CNAME 20 IN A 20 IN A
  9. How Akamai CDN Works
     Akamai uses multiple criteria to choose the optimal server
       • These include standard network metrics:
         • Latency
         • Throughput
         • Packet loss
       • These also include things like CPU load on the server, HD space, network utilization, etc.
  10. Peering with Akamai: How Akamai uses IXes?
  11. Why Akamai Peers with ISPs
      Improved performance
        • Akamai tries to serve content as “close” to the end users as possible
      Peering gives better throughput
        • Reduced latency and packet loss
      Redundancy
        • Having more possible vectors to deliver content
      Burstability
        • During large events, having multiple networks allows for higher burstability
  12. Why Akamai Peers with ISPs
      Peering reduces costs
        • Reduces transit bill
      Network Intelligence
        • Receiving BGP directly from multiple ASes helps CDNs map the Internet
      Backup for on-net servers
        • If there are servers on-net, the peering can act as a backup during downtime and overflow
        • Allows serving different content types
  13. How Akamai uses IXes
        • Akamai (and other non-network CDNs) does not have a backbone, so each IX instance is independent
        • Akamai uses transit to pull content into the servers
        • Content is then served to peers over the IX
      [Diagram: Origin Server, Transit, CDN Servers (Content), IX, Peer Network]
  14. How Akamai uses IXes
      Akamai usually does not announce large blocks of address space because no one location has a large number of servers
        • It is not uncommon to see a single /24 from Akamai at an IX
      This does not mean you will not see a lot of traffic
        • How many web servers does it take to fill a gigabit these days?
  15. Akamai connection to MyIX
      Akamai is going to connect to MyIX in mid-Dec 2013
      Node: TM01 (Cyberjaya)
      Port: 10G
      IPv4 =
      IPv6 = 2001:DE8:10::71/112
      This does not mean you will see a lot of traffic
        • The Akamai node connecting to MyIX is aimed at serving mainly HTTPS traffic at the beginning.
  16. Secure the Internet: Open resolvers and DNS reflection attack
  17. Open Resolvers
      Why do resolvers exist?
        • Exist to aggregate and cache queries
        • Not every computer runs its own recursive resolver.
        • ISPs and large enterprises run these
        • Query through the root servers and DNS tree to resolve domains
        • Cache results, and deliver cached results to clients.
      Open resolvers
        • Recursive lookup
        • Answer recursive queries from any client
      Some Public Services:
        • Google DNS, OpenDNS, Level 3, etc.
        • These are “special” set-ups and secured.
  18. Open Resolvers – The Problem!
      Example of DNS-based reflection attack exceeding 70Gbit.
        • There are millions of DNS resolvers.
        • Many of these are not secured.
        • Unsecured DNS resolvers can and will be abused
        • CloudFlare has seen DNS reflection attacks hit 300Gbit/s traffic globally.
  19. Reflection Attack
        • UDP Query
        • Spoofed source
          • Using the address of the person you want to attack
        • DNS Server used to attack the victim (sourced address)
        • Amplification used
          • Querying domains like or
          • ~64 byte query (from attacker)
          • ~3233 byte reply (from unsecured DNS Server)
          • 50x amplification!
        • Running an unsecured DNS server helps attackers!
  20. Reflection Attack
        • What is a Reflection Attack?
      In a reflection attack, an attacker makes a request to the open resolver using a UDP packet whose source IP is the IP address of the target. The request is usually one that will result in a large response, such as a DNS ANY request or a DNSSEC request, which allows the attacker to multiply by up to 100x the amount of bandwidth sent to the target web server. The "multiplication" factor is what makes this particular attack dangerous, as traffic can reach up to 200-300Gbps. The Spamhaus attack is one example of a recent reflection attack.
  21. Reflection Attack
      [Diagram: the attacker sends "ANY isc.org" queries to unsecured DNS recursors, which send large replies to the attack target]
  22. Reflection Attack
        • With 50x amplification:
          • 1Gbit uplink from attacker (e.g. dedicated servers)
          • 50Gbit attack
          • Enough to bring most services offline!
        • Prevention is the best remedy.
        • In recent attacks, we’ve seen around 80,000 open/unsecured DNS resolvers being used.
          • At just 1Mbit each, that’s 80Gbit!
          • 1Mbit of traffic may not be noticed by most operators.
          • 80Gbit at target is easily noticed!
  23. Where are the open resolvers?
        • Nearly Everywhere!
        • As of: 24th Nov, 2013
        • Observed from Open Resolver Project:
          32,575,304 total responses to UDP/53 probe
          31,925,357 unique IPs
          28,160,599 responses had recursion-available bit set
      Data on: 24th Nov 2013, Source:
  24. Where are the open resolvers?
      [Chart: Name servers per country that permit recursion]
      Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
  25. Where are the open resolvers in Asia?
      Country               Open resolvers
      China                 2657680
      Taiwan                1292091
      South Korea           960114
      Japan                 273184
      Thailand              232914
      India                 195041
      Hong Kong             107286
      Singapore             69721
      Indonesia             64362
      Australia             62959
      Pakistan              47728
      Vietnam               45885
      Malaysia              45667
      Philippines           31740
      Bangladesh            17826
      New Zealand           12859
      Nepal                 3913
      New Caledonia         3020
      Fiji                  2522
      Cambodia              2121
      Laos                  2024
      Sri Lanka             1528
      Macau                 1225
      Maldives              790
      Mongolia              480
      Afghanistan           444
      Brunei Darussalam     246
      Papua New Guinea      146
      Bhutan                99
      Vanuatu               25
      Data on: 17th Nov 2013, Source: DNS Amplification Attacks Observer
  26. Fixing this? Preventative Measures!
        • BCP-38
          • Source filtering: you shouldn’t be able to spoof addresses.
          • Needs to be done in hosting and ISP environments.
          • If the victim’s IP can’t be spoofed, the attack will stop
          • Will also help stop other attack types (e.g. spoofed SYN flood).
        • BCP-140 / RFC-5358
          • Preventing Use of Recursive Name Servers in Reflector Attacks
          • Provide recursive name lookup service to only the intended clients.
  27. Fixing this? Preventative Measures!
        • DNS Server Maintenance
          • Secure the servers!
          • Lock down recursion to your own IP addresses
          • Disable recursion
            • If the server’s only purpose is authoritative DNS, disable recursion
        • Historical accidents / incorrect configuration
          • Some packages (e.g. Plesk, cPanel) have included a recursive DNS server on by default.
        • Update Internet router / modem firmware.
          • Some older firmware has security bugs
          • Allows administration from WAN (including DNS, SNMP)
  28. The Trend of Internet: State Of The Internet Report Q2 2013
  29. Average Peak Connection Speed
        • Malaysia is #8 in Asia (#44 in Global)
        • Represents an average of the maximum measured connection speeds across all of the unique IP addresses seen by Akamai
        • The average is used to mitigate the impact of unrepresentative maximum measured connection speeds.
      [Chart: Average Peak Connection Speed by Asia Pacific Country/Region]
  30. Average Connection Speed
        • Malaysia is #9 in Asia (#64 in Global)
        • Decrease of slow countries (1Mbps or less)
        • Q4 2012: 18 countries → Q1 2013: 14 countries → Q2 2013: 11 countries
      [Chart: Average Connection Speed by Asia Pacific Country/Region]
  31. Average Connection Speed - MY
        • Malaysia average connection speed increased from 1.2Mbps 3 years ago to 3.1Mbps in Jun, 2013
  32. What about mobile connection in Asia?
        • Mobile average peak connection speed in MY is 39.8Mbps (Global average is 18.9Mbps)
        • Mobile average connection speed in MY is 3.4Mbps (Global average is 3.3Mbps)
      Based on ASNs that are classified as pure mobile operators
  33. Total Monthly Mobile traffic
        • Observed by Ericsson
        • Data traffic from Q2 2012 to Q2 2013 almost doubled!
        • Voice keeps growing at the rate of 5% from Q2 2012 to Q2 2013
  34. Observations after World IPv6 Launch Anniversary
      IPv6 traffic continues to grow steadily after World IPv6 Launch
        • As of Q2, 2013
        • 20 billion content requests per day over IPv6
        • 1-2% of total request volume
        • Double the level seen in the second half of 2012
        • We are really running out of IPv4!
  35. Summary
        • Akamai Intelligent Platform
          • Highly distributed edge servers, DNS-based mapping
        • Peering with Akamai
          • Improve user experience, reduce transit/peering cost
        • Open Resolvers are harmful to the Internet community
          • Secure your DNS server, secure the Internet
        • Internet is growing
          • Internet penetration and speed are growing
          • Internet everywhere by mobile network
          • IPv6 traffic is still small today, but catching up
  36. Questions?
      Kams Yeung <>
      More information: Peering: SOTI Report: IPv6:
      Acknowledgement: Tomas Paseka <>
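
For the "lock down recursion" measure on slide 27 and the recursion-available counts on slide 23, this added example (not part of the original slides) classifies a name server's reply to a recursive query and reports the reply-to-query size ratio. The function names, the sample replies and the criterion for "open" are assumptions of this example.

```python
import socket
import struct

# Added example; helper names are hypothetical, sample replies are constructed.
RA, QR = 0x0080, 0x8000  # recursion-available and response bits in the DNS flags word

def build_query(name, qtype=1, txid=0x1234):
    """Minimal recursive (RD=1) query; qtype 1 = A record."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(query, reply):
    """Judge a reply to a recursive query for a name the server is NOT authoritative for."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        raise ValueError("not a reply to this query")
    rcode = flags & 0x000F
    return {
        "ra_bit": bool(flags & RA),
        "rcode": rcode,  # 0 = NOERROR, 5 = REFUSED
        # Assumed criterion: recursion is offered AND the lookup was really performed.
        "open": bool(flags & RA) and rcode == 0 and ancount > 0,
        "amplification": round(len(reply) / len(query), 2),
    }

def ask(server_ip, query, timeout=3.0):
    """Send one query over UDP to a name server you operate and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        return s.recvfrom(4096)[0]

# Constructed sample replies (not captured traffic) to the query below.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("locked down", REFUSED_REPLY)):
        print(label, classify(QUERY, reply))
```

Use `ask()` only against name servers you operate, from an address outside the ranges allowed to recurse; a REFUSED reply or a cleared RA bit is what a locked-down server should return.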