Published by Adelia Kathryn Strickland. Modified over 9 years ago.
1
Akamai vs. Flash Crowds and Distributed Denial of Service
Akamai Technologies & Carnegie Mellon
Bruce Maggs
2
Outline
- Akamai
- Content Delivery on 9/11
- Impact of the “Slammer” Worm
- FirstPoint
- SiteShield
3
Akamai Services and Products
- http://www.google.com
- http://www.yahoo.com
- http://windowsupdate.microsoft.com/
- http://www.apple.com/quicktime/qtv/mwsf04/
- http://www.CRITICAL.gov
4
Akamai’s Platform for Delivering Content and Applications
[Diagram labels: Akamai Servers at Network Edge, Content Providers, End Users, NAP]
5
Current Installations
Network Deployment
- 15000+ Servers
- 1000+ Networks
- 65+ Countries
6
Content Delivery Using Akamai
<html>
<head>
Welcome to xyz.com!
</head>
<body>
<img src="http://www.xyz.com/logos/logo.gif">
<img src="http://www.xyz.com/jpgs/navbar1.jpg">
Welcome to our Web site!
Click here to enter
</body>
</html>
Embedded URLs are Converted to ARLs
ak
7
Akamai DNS Resolution
[Diagram: numbered DNS lookup steps 1–16. Labels: End User, Browser’s Cache, OS, Local Name Server, Root (InterNIC), .com, .net, xyz.com’s nameserver, Akamai High-Level DNS Servers, Akamai Low-Level DNS Servers, select cluster, select servers within cluster. Names shown: xyz.com, ak.xyz.com, akamai.net, g.akamai.net, a212.g.akamai.net. Addresses shown: 10.10.123.55, 15.15.125.6, 20.20.123.55, 30.30.123.5.]
8
Content Delivery on 9/11
- Akamai’s network had capacity for all content providers requesting service
- Total bits served on September 11 was approximately 3.5 times normal
- Traffic was higher on September 12
- (But not as high as January 7, 2002)
9
News Site A – FreeFlow Traffic
10
News Site A – FreeFlow Streaming
11
News Site B – EdgeSuite Traffic
12
News Site B – FreeFlow Traffic
13
News Site B – FreeFlow Streaming
14
Portal A – FreeFlow traffic
15
Sports Site A – FreeFlow traffic
16
Steve Jobs Keynote
17
Impact of Sapphire/Slammer Worm
- Web site performance severely impacted
- Congestion in core of Internet
- Significant route flapping
18
Military Web Site - Performance
19
71 content providers; 17 agents
20
Military Web Site - Reliability
21
Video
22
Aggregate Routing Activity 11:30 PM EST Friday
23
Routing Activity by Network 11:30 PM EST Friday
24
DOS attacks
- Coordinated attacks
- From multiple compromised machines
- On website or upstream
- Goal – to overwhelm
- Hacker-based, e.g. – Microsoft, Yahoo!
- Voluntary sit-ins, e.g. – World Economic Forum
25
Microsoft
26
What is FirstPoint
- Traffic management system for mirrored websites
- Directs browser to the optimal mirror
- DNS based
- Application level anycast
27
Why FirstPoint
- Content providers have mirrored websites
- Content providers only want to offload embedded content
  - Control
  - Security
  - Performance
28
Mapping Problem
How to improve user experience?
29
What is the Mapping Problem
- Problem of directing requests to servers so as to optimize end-user experience
  - reduce latency
  - reduce loss
  - reduce jitter
- Assumption - servers are fine
- Applicable to 2 mirrors or 1500 Akamai locations
30
Attempt
- Measure which is closer
  - Closeness changes over time
- Measure frequently
  - Bothers people
  - Too many to do
- ~500,000 unique nameservers on any given day
- 10 sec per measurement cycle
31
Idea
- Topology
  - relatively static
  - changes in BGP time
  - order of hours if not days
- Congestion
  - dynamic
  - changes in round-trip time
  - order of milliseconds
32
Topology Discovery - Proxy points Data exchange
33
Topology Discovery
500,000 nameservers reduced to 90,000 proxy points (clusters)
34
Congestion Measurement
- Problem - Still too many measurements to do. 90,000 measurements every 10s with 32B packets requires a few Mbps per mirror.
- Solution - Importance based sampling
35
CDF of End-user Load
36
Load Estimation
- 500,000 nameservers reduced to 90,000 clusters
- 90,000 clusters: 7,000 account for 95% end-user load!
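The importance-based sampling idea from the Congestion Measurement and Load Estimation slides, as an added example that is not part of the original presentation: pick the smallest set of clusters that covers a target share of end-user load and compare probe bandwidth before and after. The function names and the six-cluster load table are assumptions made up for illustration, and the bandwidth figure counts only the 32-byte packets in one direction.

```python
# Added example (not from the slides): importance-based sampling of
# measurement targets. Cluster names and loads below are constructed.

def probe_bandwidth_bps(targets, packet_bytes=32, cycle_s=10):
    """Bits per second needed to send one probe per target per cycle."""
    return targets * packet_bytes * 8 / cycle_s


def select_probe_targets(load_by_cluster, coverage_pct=95):
    """Return (clusters, covered_load, total_load).

    Clusters are taken in order of decreasing load until they account
    for at least coverage_pct percent of the total. Integer arithmetic
    avoids floating-point edge cases at the threshold.
    """
    total = sum(load_by_cluster.values())
    chosen, covered = [], 0
    ranked = sorted(load_by_cluster.items(), key=lambda kv: (-kv[1], kv[0]))
    for cluster, load in ranked:
        if covered * 100 >= coverage_pct * total:
            break
        chosen.append(cluster)
        covered += load
    return chosen, covered, total


# Constructed, heavily skewed load table (requests per cycle).
SAMPLE_LOAD = {"c1": 500, "c2": 300, "c3": 150, "c4": 30, "c5": 10, "c6": 10}

if __name__ == "__main__":
    chosen, covered, total = select_probe_targets(SAMPLE_LOAD)
    print("probe only:", chosen, f"({covered}/{total} of load)")
    # The slide's numbers: all 90,000 clusters versus the 7,000 heavy ones.
    for n in (90_000, 7_000):
        print(f"{n} targets -> {probe_bandwidth_bps(n) / 1e6:.3f} Mbps per mirror")
```

With the slide's figures, probing all 90,000 clusters costs about 2.3 Mbps per mirror, while probing only the 7,000 clusters that carry 95% of load costs under 0.2 Mbps.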
37
Mapping Problem – Solved?
Maps built every 10s
38
FirstPoint
- Customers - how to tell?
  - look for CNAME to akadns.net
- Customers - who?
  - High traffic content providers
  - Yahoo!, Microsoft, TicketMaster etc
- Price - don’t ask :)
- Competitors - who
  - one-of-a-kind service
  - boxes: Cisco, F5, Foundry
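The "look for CNAME to akadns.net" check above, as an added example that is not part of the original presentation: it follows CNAME chains in dig-style answer text and reports whether a hostname ends up in akadns.net or, as in the ak.xyz.com to a212.g.akamai.net mapping on the DNS resolution slide, in akamai.net. The answer lines, TTLs, addresses, the example.org names and the zone labels are constructed for illustration.

```python
# Added example (not from the slides). Labels are descriptive assumptions.
AKAMAI_ZONES = {
    "akadns.net": "FirstPoint (DNS traffic management)",
    "akamai.net": "content delivery (akamai.net)",
}

# Constructed dig-style answers; only the xyz.com names come from the slides.
SAMPLE_ANSWERS = """\
ak.xyz.com.                 300 IN CNAME a212.g.akamai.net.
a212.g.akamai.net.          20  IN A     192.0.2.10
www.example.org.            300 IN CNAME www.example.org.akadns.net.
www.example.org.akadns.net. 30  IN A     198.51.100.7
www.notakadns.net.          300 IN A     203.0.113.5
"""


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_cnames(text):
    """Map owner name -> CNAME target from 'name ttl IN CNAME target' lines."""
    cnames = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "CNAME":
            cnames[norm(fields[0])] = norm(fields[4])
    return cnames


def in_zone(name, zone):
    """Label-boundary match, so notakadns.net is not taken for akadns.net."""
    return name == zone or name.endswith("." + zone)


def classify(host, cnames, max_hops=8):
    """Follow the CNAME chain; return the matching label or None."""
    name, seen = norm(host), set()
    for _ in range(max_hops):
        for zone, label in AKAMAI_ZONES.items():
            if in_zone(name, zone):
                return label
        if name in seen or name not in cnames:
            return None  # CNAME loop, or chain ended outside both zones
        seen.add(name)
        name = cnames[name]
    return None


if __name__ == "__main__":
    table = parse_cnames(SAMPLE_ANSWERS)
    for host in ("www.example.org", "ak.xyz.com", "www.notakadns.net"):
        print(host, "->", classify(host, table))
```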
39
FirstPoint - other aspects
- Load-balancing
  - estimate-based
  - feedback-based: https, snmp
  - cost-based: 95/5
- Fast cutout in case of failover
- Highly fault-tolerant
  - hardware duplication, leader election
  - overlay routing, BGP-based anycast
- Integration with other services
  - DOS/Load failover
41
SiteShield
[Diagram labels: Content provider’s website, Hacker!, AKAMAI]
42
SiteShield
- IP address of origin shielded
- Akamai can be attacked
- But Akamai will respond by
  - Diffusion – load balancing, &
  - Resurrection – reviving unpinned servers