Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University Thinning Akamai USENIX/ACM SIGCOMM IMC ’08.

Presentation transcript:

Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University Thinning Akamai USENIX/ACM SIGCOMM IMC ’08

Slide 2: Motivation
● >50% of online users would leave and never come back to a streaming site when streaming quality is bad (Akamai’s user study ’07)

Slide 3: Akamai’s Streaming Architecture
[Diagram: Entry Points, Reflectors, Edge Servers]
Can we degrade service to large-scale streaming networks?

Slide 4: DNS-based Load Balancing
● DNS-based load balancing is used in both edge and reflector levels
[Diagram: Global Monitoring Infrastructure, Edge Server 1, Edge Server 2, feedback, update, DNS Server, New edge server IP]

Slide 5: Web vs. Streaming
● Web
  ■ Insensitive to bandwidth and latency
  ■ Short-lived connections
    − Server load quickly goes away
● Streaming
  ■ Sensitive to bandwidth, jitter, and packet loss
  ■ Long-lived connections
    − Clients connect to a streaming server for minutes/hours
Is DNS-based load balancing resilient to DoS attacks for streaming service?

Slide 6: Slow Load Balancing Experiment

Slide 7: Redirection Time Scales
Minimum redirection time is 20 seconds
Is minimum redirection time scale small enough for streaming?

Slide 8: Slow Load Balancing Result
[Plot annotations: Start probing machines; Edge server becomes overloaded; DNS updated, stop probing machines; Throughput recovers]
DNS-based system is too slow to react to overloaded conditions

Slide 9: No-isolation Experiment
[Diagram: Pay per View, VoD Movie, Live Video]

Slide 10: Service Overlapping
Would different streaming services interfere with each other?
25% of nodes observe overlap ratio > 0.5

Slide 11: No-isolation Experiment (Live vs. VoD)
[Plot annotations: Start probing machines; Edge server becomes overloaded; Edge server attempts to refill client’s buffer; DNS updated, stop probing machines]
No-isolation makes it possible to DoS Video-on-Demand service by live streaming

Slide 12: Reflector-level Experiments
● Facts:
  - Akamai gathers streams from different customers into channels
  - Streams from the same region and the same channel map to the same reflector
● Issue: How to attack reflectors?
● Challenge: Information about reflectors not publicly available
● Approach: Use edge servers as proxies
  Need mapping between edge servers and reflectors
[Diagram label: Customers]

Slide 13: Amplification Experiment
Can we attack reflectors by using edge servers as proxies?
Big edge server clusters are vulnerable to amplification attacks

Slide 14: Amplification Experiment
[Plot annotations: Start probing machines; Service degradation at similar pace; Bottleneck observed, stop probing machines; Throughput recovery]
It is possible to attack reflectors by using edge servers as “proxies”

Slide 15: Existing Countermeasures
● Stream replication
  ■ Wastes bandwidth
● Resource-based admission control
  ■ Can’t solve network or reflector bottlenecks
● Solving puzzles
  ■ Undermines Akamai’s service transparency

Slide 16: Our approaches
● Location-aware admission control

Slide 17: Our approaches (Cont.)
● Reducing system transparency
  ■ Shielding administrative information
    − Keep state at edge servers
  ■ Shielding vincible IP addresses
    − Virtual IP addresses
● Key issue:
  ■ Tradeoff between transparency and DoS resiliency

Slide 18: Conclusions
● Large-scale, DNS-based load balancing systems are known to be resilient to attacks. However, this is not exactly true in the case of streaming
● Identify vulnerabilities of DNS-based streaming service
  ■ Slow load balancing
  ■ No isolation
  ■ Amplification attacks
● Provide countermeasures to raise the bar for attackers

Slide 19: Thank you!

Slide 20: Backup Slides

Slide 21: Methodology
● Protocol: Windows Media Server (mms)
  ■ Modify MiMMS software
● Setup:
  ■ Observers & experimental machines
● Collect 1400 unique live streams
  ■ Assign 200 streams each to 7 experimental machines
● Bypass DNS redirections
  ■ Directly connect to edge server
● Abort experiment immediately when we observe bottleneck conditions

Migration