Thinning Akamai - Northwestern Networks Group

Thinning Akamai
Ao-Jan Su and
Aleksandar Kuzmanovic
Department of EECS
Northwestern University
USENIX/ACM SIGCOMM IMC ’08
Motivation
● >50% of online users would leave and never
come back to a streaming site when streaming
quality is bad (Akamai’s user study ’07)
Akamai’s Streaming Architecture
Entry Points
Reflectors
Edge Servers
Can we degrade service to large-scale streaming networks?
DNS-based Load Balancing
● DNS-based load balancing is used in both
edge and reflector levels
[Figure: Global Monitoring Infrastructure, DNS Server, Edge Server 1, Edge Server 2; labels: update, feedback, New edge server IP]
Web vs. Streaming
● Web
■ Insensitive to bandwidth and latency
■ Short-lived connections
− Server load quickly goes away
● Streaming
■ Sensitive to bandwidth, jitter, and packet loss
■ Long-lived connections
− Clients connect to a streaming server for minutes/hours
Is DNS-based load balancing resilient to
DoS attacks for streaming service?
Slow Load Balancing Experiment
Redirection Time Scales
Minimum redirection time is 20 seconds
Is minimum redirection time scale small enough
for streaming?
Slow Load Balancing Result
[Figure annotations: Edge server becomes overloaded; Throughput recovers; Start probing machines; DNS updated, stop probing machines]
DNS-based system is too slow to react to overloaded conditions
No-isolation Experiment
[Figure labels: Live Video (x4), Pay per View Live Video, VoD Movie]
Service Overlapping
25% of nodes observe
overlap ratio > 0.5
Would different streaming services
interfere with each other?
No-isolation Experiment (Live vs. VoD)
[Figure annotations: Start probing machines; Edge server becomes overloaded; Edge server attempts to refill client's buffer; DNS updated, stop probing machines]
No-isolation makes it possible to DoS Video-on-Demand service by live streaming
Reflector-level Experiments
Customers
● Issue: How to attack reflectors?
● Facts:
- Akamai gathers streams from different customers into channels
- Streams from the same region and the same channel map to the same reflector
● Challenge: Information about reflectors not publicly available
● Approach: Use the edge servers as proxies
Need mapping between edge servers and reflectors
Amplification Experiment
Big edge server clusters
are vulnerable to
amplification attacks
Can we attack reflectors by using edge
servers as proxies?
Amplification Experiment
[Figure annotations: Start probing machines; Service degradation at similar pace; Bottleneck observed, stop probing machines; Throughput recovery]
It is possible to attack reflectors by using edge servers as “proxies”
Existing Countermeasures
● Stream replication
■ Waste bandwidth
● Resource-based admission control
■ Can’t solve network or reflector bottlenecks
● Solving Puzzles
■ Undermines Akamai’s service
transparency
Our approaches
● Location-aware admission control
Our approaches (Cont.)
● Reducing system transparency
■ Shielding administrative information
− Keep state at edge servers
■ Shielding vincible IP addresses
− Virtual IP addresses
● Key issue:
■ Tradeoff between transparency and DoS resiliency
Conclusions
● Large-scale, DNS-based load balancing
systems are known to be resilient to attacks.
However, this is not exactly true in the case of
streaming
● Identify vulnerabilities of DNS-based streaming
service
■ Slow load balancing
■ No isolation
■ Amplification attacks
● Provide countermeasures to raise the bar for
attackers
Thank you!
Backup Slides
Methodology
● Protocol: Windows Media Server (mms)
■ Modify MiMMS software
● Setup:
■ Observers & experimental machines
● Collect 1400 unique live streams
■ assign 200 streams each to 7 experimental
machines
● Bypass DNS redirections
■ Directly connect to edge server
● Abort experiment immediately when we
observe bottleneck conditions
Migration