Thinning Akamai
Ao-Jan Su and Aleksandar Kuzmanovic
Department of EECS, Northwestern University
USENIX/ACM SIGCOMM IMC ’08

Motivation
● >50% of online users would leave and never come back to a streaming site when streaming quality is bad (Akamai’s user study ’07)

Akamai’s Streaming Architecture
[Figure labels: Entry Points, Reflectors, Edge Servers]
Can we degrade service to large-scale streaming networks?

DNS-based Load Balancing
● DNS-based load balancing is used in both edge and reflector levels
[Figure labels: Global Monitoring Infrastructure, update, DNS Server, feedback, Edge Server 1, Edge Server 2, New edge server IP]

Web vs. Streaming
● Web
■ Insensitive to bandwidth and latency
■ Short-lived connections
− Server load quickly goes away
● Streaming
■ Sensitive to bandwidth, jitter, and packet loss
■ Long-lived connections
− Clients connect to a streaming server for minutes/hours
Is DNS-based load balancing resilient to DoS attacks for streaming service?

Slow Load Balancing Experiment

Redirection Time Scales
Minimum redirection time is 20 seconds
Is minimum redirection time scale small enough for streaming?

Slow Load Balancing Result
[Figure annotations: Start probing machines; Edge server becomes overloaded; DNS updated, stop probing machines; Throughput recovers]
DNS-based system is too slow to react to overloaded conditions

No-isolation Experiment
[Figure labels: Live Video, Pay per View, VoD Movie]

Service Overlapping
25% of nodes observe overlap ratio > 0.5
Would different streaming services interfere with each other?

No-isolation Experiment (Live vs. VoD)
[Figure annotations: Start probing machines; Edge server becomes overloaded; Edge server attempts to refill client’s buffer; DNS updated, stop probing machines]
No-isolation makes it possible to DoS Video-on-Demand service by live streaming

Reflector-level Experiments
§ Issue: How to attack reflectors?
§ Challenge: Information about reflectors not publicly available
§ Facts:
- Akamai gathers streams from different customers into channels
- Streams from same region and the same channel map to the same reflector
§ Approach: Use the edge servers as proxies
Need mapping between edge servers and reflectors

Amplification Experiment
Big edge server clusters are vulnerable to amplification attacks
Can we attack reflectors by using edge servers as proxies?

Amplification Experiment
[Figure annotations: Start probing machines; Service degradation at similar pace; Bottleneck observed, stop probing machines; Throughput recovery]
It is possible to attack reflectors by using edge servers as “proxies”

Existing Countermeasures
● Stream replication
■ Wastes bandwidth
● Resource-based admission control
■ Can’t solve network or reflector bottlenecks
● Solving Puzzles
■ Undermines Akamai’s service transparency

Our approaches
● Location-aware admission control

Our approaches (Cont.)
● Reducing system transparency
■ Shielding administrative information
− Keep state at edge servers
■ Shielding vincible IP addresses
− Virtual IP addresses
● Key issue:
■ Tradeoff between transparency and DoS resiliency

Conclusions
● Large-scale, DNS-based load balancing systems are known to be resilient to attacks. However, it is not exactly true in the case of streaming
● Identify vulnerabilities of DNS-based streaming service
■ Slow load balancing
■ No isolation
■ Amplification attacks
● Provide countermeasures to raise the bar for attackers

Thank you!

Backup Slides

Methodology
● Protocol: Windows Media Server (mms)
■ Modify MiMMS software
● Setup:
■ Observers & experimental machines
● Collect 1400 unique live streams
■ Assign 200 streams each to 7 experimental machines
● Bypass DNS redirections
■ Directly connect to edge server
● Abort experiment immediately when we observe bottleneck conditions

Migration