Does Your Time to First Byte Bite?

Presentation on theme: "Does Your Time to First Byte Bite?"— Presentation transcript:

1 Does Your Time to First Byte Bite?
Nate Brown, Solutions Engineer. Data Connectors Atlanta.

2 Oracle Confidential – Internal/Restricted/Highly Restricted

3 Authoritative and Recursive DNS
Oracle + Dyn is Authoritative DNS, not Recursive DNS.
Authoritative DNS serves those outside of your firewall:
- People looking to purchase products/services from your website
- Remote employees that connect via VPN
- Partners that need to access a portal to process orders with you
Recursive DNS serves (and can filter) the people inside of your firewall.
Diagram labels: partners.example.com, shop.example.com, vpn.example.com

4 First in the Chain
Stages of a page load, front-end to back-end: DNS Lookup, Initial Connection, Content, TTFB.
DNS Lookup
- Query: always available answers
- Trace: DNS query hierarchy
- Server: authoritative or caching name servers
- DNSSEC: keychain validation
Initial Connection
- Network: global perspective metrics
- BGP: routing changes and reachability
- Providers: market performance analysis
- Prefix: monitoring and alerting on BGP performance
Content
- CDN: latency optimization and vendor diversity
- Geo: planning for geographic reach
- Reach: provider reachability alerts
TTFB
- Geolocation: reduce latency & hops
- Failure routing: only route to live site
- Security: ensure route to server is secure
Speaker note: the end item on the right was changed to a grouping of devices. There were complaints that the original Akamai pull made it seem like DNS was not a big enough part to worry about, and that content was a larger slice.

5 First in the Chain Matters
The first 2 items in the waterfall are DNS lookups. LinkedIn uses Dyn for DNS and sees resolution times of 7 ms and 3 ms for the first two lookups. Compare that to netflix.com on AWS Route 53, where the first two lookups take 58 ms and 104 ms. Most websites have at least 2 DNS lookups, and some have as many as 10.
DNS query resolution is the first step in loading a web page, and each new page triggers multiple DNS lookups. Milliseconds count: web pages can have 20, 30 or even 50 DNS lookups (images, video, audio, ads, social media buttons). A 100 ms difference per object adds up to a delay of 2 seconds or more in loading the page when those lookups cannot overlap.
Waterfall entry shown: Host: tapestry.tapad.com, Status Code: 200, Client Port: 63187, DNS Lookup: 388 ms

6 DNS Configurations

7 Primary Cloud DNS
Diagram: Users ask "example.com?" of the Recursives (1.1.1.1), which ask "example.com?" of the Primary (cloud DNS); APM.

8 Primary DNS
PRO's
- Faster resolution times
- No on-prem expense
- Use of Dyn's NOC for DDoS mitigation
CON's
- Still a single point of failure
Diagram label: APM

9 Example.com Delegation
Nameserver Selection: DNS is Performance Based
Recursives send traffic to any nameserver in the delegation based on performance, not on which vendor is "Primary" or "Secondary" for zonefile management. Any nameserver in the delegation will see traffic and attacks.
Example.com delegation (resolver-measured time per nameserver):
13 ms  ns1.p43.dynect.net
26 ms  ns2.p43.dynect.net
12 ms  ns3.p43.dynect.net
20 ms  ns4.p43.dynect.net
       dns1.example.net.
       dns2.example.net.
16 ms  dns3.example.net.
18 ms  dns4.example.net.
Recursives: queries sent to the fastest performing NS.

10 Example.com Delegation
Nameserver Selection in DR: DNS Failover is Automatic
Should one provider have a failure, resolvers will naturally prefer the now faster nameservers. What is important is that both vendors are in the delegation; the resolver will handle failure automatically. Resolvers do keep re-probing the degraded servers, so a small fraction of queries still pays the timeout until that provider recovers.
Example.com delegation during the failure:
13 ms    ns1.p43.dynect.net
26 ms    ns2.p43.dynect.net
12 ms    ns3.p43.dynect.net
20 ms    ns4.p43.dynect.net
2000 ms  dns1.example.net.
         dns2.example.net.
         dns3.example.net.
         dns4.example.net.
Recursives: queries still sent to the fastest performing NS.
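The selection behaviour described on slides 9 and 10 can be modelled in a few lines. The following is an added example, not code from the deck or from Dyn: a resolver keeps a smoothed round-trip time (SRTT) per nameserver, always queries the lowest one, and slowly "ages" the others so they get re-probed. The constants (EWMA weight, 2% decay, 2000 ms timeout score) are a simplified stand-in for what BIND or Unbound actually do, and the 15 ms and 17 ms values for dns1/dns2.example.net are assumptions because the slide gives no time for them.

```python
"""Simplified model of how a recursive resolver picks a nameserver from a
delegation by smoothed round-trip time (SRTT). Added example; constants are
a stand-in for real resolver tuning, not BIND's or Unbound's actual values."""
from collections import Counter

ALPHA = 0.3        # weight given to the newest RTT sample
DECAY = 0.98       # unused servers' SRTT shrinks 2% per query so they are re-tried
TIMEOUT_MS = 2000  # score given to a server that does not answer

# Delegation for example.com: times from the slide; dns1/dns2.example.net had
# no time on the slide, so 15 ms and 17 ms are assumed here.
FIRST_PROBE_MS = {
    "ns1.p43.dynect.net": 13, "ns2.p43.dynect.net": 26,
    "ns3.p43.dynect.net": 12, "ns4.p43.dynect.net": 20,
    "dns1.example.net": 15, "dns2.example.net": 17,
    "dns3.example.net": 16, "dns4.example.net": 18,
}


class Resolver:
    def __init__(self, first_probe_ms):
        self.srtt = dict(first_probe_ms)   # nameserver -> smoothed RTT (ms)
        self.client_timeouts = 0           # queries that had to wait on a dead NS

    def pick(self):
        # Lowest SRTT wins; which vendor is "primary" for zone edits plays no part.
        return min(self.srtt, key=self.srtt.get)

    def record(self, ns, rtt_ms):
        if rtt_ms is None:                 # no answer: score it as a full timeout
            self.client_timeouts += 1
            self.srtt[ns] = max(self.srtt[ns], TIMEOUT_MS)
        else:
            self.srtt[ns] = (1 - ALPHA) * self.srtt[ns] + ALPHA * rtt_ms
        for other in self.srtt:            # everyone else ages toward being re-probed
            if other != ns:
                self.srtt[other] *= DECAY


def simulate(resolver, rtt_by_ns, n_queries):
    """Issue n_queries; rtt_by_ns gives each server's live RTT (None = down).
    Returns how many queries each nameserver received."""
    hits = Counter()
    for _ in range(n_queries):
        ns = resolver.pick()
        hits[ns] += 1
        resolver.record(ns, rtt_by_ns[ns])
    return hits


def share(hits, suffix):
    """Fraction of queries that went to nameservers ending in suffix."""
    total = sum(hits.values())
    return sum(n for ns, n in hits.items() if ns.endswith(suffix)) / total


def run_scenarios(n=500):
    """Slide 9 (all up) followed by slide 10 (example.net vendor down)."""
    r = Resolver(FIRST_PROBE_MS)
    healthy = simulate(r, FIRST_PROBE_MS, n)
    outage = {ns: (None if ns.endswith("example.net") else ms)
              for ns, ms in FIRST_PROBE_MS.items()}
    timeouts_before = r.client_timeouts
    failover = simulate(r, outage, n)
    return {
        "healthy": healthy,
        "failover": failover,
        "example_net_share_failover": share(failover, "example.net"),
        "timeouts_during_outage": r.client_timeouts - timeouts_before,
    }


if __name__ == "__main__":
    res = run_scenarios()
    for phase in ("healthy", "failover"):
        print(phase, dict(res[phase].most_common()))
    print("queries that hit a dead server during the outage:",
          res["timeouts_during_outage"])
```

Running it shows both points from the slides: while everything is up, every server in the delegation (including the 26 ms one) receives some traffic, with the fastest getting the most; once the example.net servers stop answering, their share collapses to a few probes per hundred queries, and those probes are exactly the queries a client has to wait out.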

11 Secondary DNS
Everyone is in the delegation.
Primary = manages the zone, gives updates.
Secondary = only receives updates from the primary.
Diagram: Users ask "example.com?" of the Recursives (1.1.1.1), which ask "example.com?" of either the Primary/Master or the Secondary*; the primary sends NOTIFY and the secondary pulls the changes via AXFR/IXFR; APM.
*This is where that confusing "secondary" term comes from.

12 Secondary DNS
PRO's
- Multiple vendors for resiliency
- Fastest responder wins
- Extremely easy to set up
- Use of Dyn's NOC for DDoS mitigation
CON's
- If the primary goes down, no changing records (secondaries keep serving their copy only until the zone's SOA expire timer runs out)
- Not all vendors support AXFR and/or IXFR
- Not all vendors support NOTIFY
- Advanced intelligent routing schemes cannot be replicated
Diagram label: APM

13 Hidden Master
How it works: the PRIMARY is on the customer's side, outside the delegation. The SECONDARY is Dyn, which receives updates just like in a normal primary/secondary setup.
Diagram: Hidden Master (customer, "Data!") feeds the Dyn Authoritative servers; Users ask "example.com?" of the Recursives, which ask "example.com?" of the Authoritative servers only; APM.

14 Hidden Master
PRO's
- Works great with in-house solutions
- Extremely easy to set up
- Dyn handles zero-day attacks, performance and scale, DDoS protection
CON's
- Dyn is not the master server
- Customer is responsible for zone management
Diagram label: APM
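What the secondary actually does in the primary/secondary and hidden-master pictures on slides 11 to 14 is small enough to write out. The following is an added example, not Dyn's code or a real API: `HiddenMaster` stands for the customer-side primary that bumps the SOA serial and sends NOTIFY, `Secondary` stands for the provider that compares serials with RFC 1982 arithmetic, pulls IXFR when the primary still holds the deltas and falls back to AXFR otherwise, and keeps answering from its copy only until the SOA expire timer runs out. Record strings, serials and timers are constructed.

```python
"""Secondary-side mechanics of NOTIFY, serial comparison, IXFR vs AXFR and
zone expiry. Added example with constructed data; HiddenMaster and
Secondary are illustrative classes, not a real API."""

SERIAL_MOD = 2 ** 32


def serial_gt(a, b):
    """RFC 1982: is serial a newer than b? Handles 32-bit wrap-around, which a
    plain '>' gets wrong once a serial crosses 2^32 - 1."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_MOD // 2) or (a > b and a - b < SERIAL_MOD // 2)


class HiddenMaster:
    """Customer-side primary, outside the delegation, so it never sees client
    queries or attack traffic. Keeps a bounded history of deltas for IXFR."""

    def __init__(self, serial, records, expire=604800, max_history=16):
        self.serial = serial
        self.records = set(records)
        self.expire = expire              # SOA EXPIRE (seconds) handed to secondaries
        self.history = {}                 # serial -> (added, removed) relative to serial - 1
        self.max_history = max_history

    def update(self, add=(), remove=()):
        add, remove = set(add), set(remove)
        self.records = (self.records - remove) | add
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.history[self.serial] = (add, remove)
        while len(self.history) > self.max_history:
            del self.history[next(iter(self.history))]   # drop the oldest delta
        return self.serial                                # what NOTIFY advertises

    def transfer(self, from_serial):
        """IXFR if every delta after from_serial is still held, else a full AXFR."""
        if from_serial is not None:
            deltas, s = [], from_serial
            while s != self.serial:
                s = (s + 1) % SERIAL_MOD
                if s not in self.history:
                    break                 # gap in history: cannot serve IXFR
                deltas.append(self.history[s])
            else:
                return "IXFR", deltas
        return "AXFR", set(self.records)


class Secondary:
    """The provider's role: in the delegation, answering queries, receiving
    zone data only from the primary."""

    def __init__(self, primary):
        self.primary = primary
        self.serial = None                # no zone loaded yet
        self.records = set()
        self.last_refresh = None
        self.expire = None

    def refresh(self, now, primary_reachable=True):
        """Triggered by NOTIFY or by the SOA refresh timer."""
        if not primary_reachable:
            return "retry"                # try again after SOA RETRY; keep serving
        if self.serial is not None and not serial_gt(self.primary.serial, self.serial):
            self.last_refresh = now
            return "in-sync"
        kind, payload = self.primary.transfer(self.serial)
        if kind == "IXFR":
            for added, removed in payload:
                self.records = (self.records - removed) | added
        else:
            self.records = payload
        self.serial = self.primary.serial
        self.expire = self.primary.expire
        self.last_refresh = now
        return kind

    def answers(self, now):
        """Still authoritative? Only until the zone expires: with no successful
        refresh for EXPIRE seconds the secondary stops answering altogether."""
        return self.last_refresh is not None and now - self.last_refresh < self.expire
```

Two things to watch in practice fall out of this model: keep the serial monotonic and within RFC 1982 rules (date-based serials like 2017100101 are fine until someone types 2071 by mistake and every secondary refuses to go "backwards"), and size the SOA expire timer to how long you can tolerate the hidden master being unreachable, because that is how long the public-facing copy keeps answering.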

15 Health Monitoring: Independent Health Checks
- Probes sent from Dyn's 3 closest POPs to each endpoint
- Performs an end-to-end HTTP GET with string match
- Majority consensus used for determining up/down
- Enables operators to base traffic decisions on how the general internet can access the endpoint
- Ability to create different monitor criteria per record set per pool for total control
- Protocols: HTTP, HTTPS, SMTP, TCP, PING

16 Operational Control Via DNS
DNS traffic control:
- Endpoint-agnostic traffic direction to a preferred endpoint
- Load balancing or geo-targeting in-region to adjust cost
- Health monitoring with cascading failover, optimizing performance
- Rule changes benefit from our fast propagation time to reduce impairment time
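The decision logic behind slides 15 and 16 (three-POP probes with a string match, majority vote, then answer from the first healthy pool and cascade if it is empty) is shown below as an added example. It is not Dyn's code; the pool layout, POP names and IP addresses are constructed, and the fail-open behaviour when every endpoint looks down is a design choice, not something the slides state.

```python
"""Health-check consensus and DNS traffic steering with cascading failover.
Added example with constructed probe results; not Dyn's code or API."""
from collections import namedtuple

# One POP's observation of one endpoint. body is None when the connection
# failed or timed out, so the probe can never match the expected string.
Probe = namedtuple("Probe", "pop status body")


def probe_ok(probe, expect):
    """Single-POP verdict: HTTP 200 and the expected string in the body.
    A 200 serving the wrong page (maintenance splash, captive portal) fails."""
    return probe.status == 200 and probe.body is not None and expect in probe.body


def endpoint_up(probes, expect):
    """Majority consensus across POPs. Failed probes vote 'down', so with three
    POPs a single healthy view is outvoted by two timeouts."""
    ok_votes = sum(probe_ok(p, expect) for p in probes)
    return ok_votes > len(probes) / 2


def steer(pools, region, probes, expect, fail_open=True):
    """Pick the records to hand out for a client in `region`.

    pools: ordered list of (region_or_None, [endpoints]); None = catch-all.
    The first pool that matches the region and has a healthy endpoint wins;
    otherwise cascade to the next one. If every candidate is down, either fail
    open (answer with the first matching pool so a monitoring glitch cannot
    black-hole the site) or return nothing."""
    candidates = [eps for pool_region, eps in pools if pool_region in (None, region)]
    for endpoints in candidates:
        healthy = [e for e in endpoints if endpoint_up(probes[e], expect)]
        if healthy:
            return healthy
    return list(candidates[0]) if (fail_open and candidates) else []


# Constructed scenario: two US endpoints (one serving a maintenance page), one
# EU endpoint that two POPs cannot reach, and a global fallback.
POOLS = [
    ("us-east", ["192.0.2.10", "192.0.2.11"]),
    ("eu-west", ["198.51.100.10"]),
    (None, ["203.0.113.10"]),
]
EXPECT = "Shop OK"
PROBES = {
    "192.0.2.10": [Probe("iad", 200, "<title>Shop OK</title>"),
                   Probe("ord", 200, "Shop OK"), Probe("dfw", 200, "Shop OK")],
    "192.0.2.11": [Probe("iad", 200, "Down for maintenance"),
                   Probe("ord", 200, "Down for maintenance"),
                   Probe("dfw", 200, "Down for maintenance")],
    "198.51.100.10": [Probe("lhr", 200, "Shop OK"), Probe("ams", 0, None),
                      Probe("fra", 0, None)],
    "203.0.113.10": [Probe("sjc", 200, "Shop OK"), Probe("lax", 200, "Shop OK"),
                     Probe("sea", 503, "Shop OK")],
}


def demo():
    """Answer sets for clients in three regions under the constructed probes."""
    return {region: steer(POOLS, region, PROBES, EXPECT)
            for region in ("us-east", "eu-west", "ap-south")}


if __name__ == "__main__":
    for region, answer in demo().items():
        print(region, "->", answer or "no healthy endpoint")
```

Note the two failure modes the string match catches that a plain TCP or ICMP check would not: an endpoint returning HTTP 200 with a maintenance page is taken out of rotation, and a single POP seeing a healthy endpoint is outvoted when the other two cannot reach it, which is the "how the general internet can access the endpoint" view the slide describes.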

17 Security

18 Growth of DDoS
DNS is UDP based, making it easy and cheap to spoof and reflect. DDoS is used to take the asset offline, for ransom, or as a smokescreen for other attacks.
DDoS attacks, Q2 2017 vs. Q1 2017 (Akamai State of the Internet Report, Q2 2017):
- 28% increase in total DDoS attacks
- 27% increase in infrastructure layer (L3 & L4) attacks
- 21% increase in reflection-based attacks
- 28% increase in average number of attacks per target
Even if the attack is not explicitly DNS queries (e.g. UDP fragments), the other vectors are often targeting DNS infrastructure.

19 DNS Reflection Attacks
DNS reflection attacks work by flooding a target with bogus DNS responses. A perpetrator implants a "bot" on hundreds or thousands of compromised computers. Each bot machine issues one or more DNS queries, but uses the IP address of the target system as its source IP address (address spoofing). The DNS service replies to the target IP address, not the IP address of the querying computer.
The effect of the reflection attack is twofold. First, the target system is overwhelmed by thousands or millions of DNS query responses (one or more for each bot). Second, the DNS name server is consumed by bogus requests and may lack the compute resources or bandwidth to serve legitimate clients.
This type of attack is the most common, at over 55% of all attacks seen.

20 DNS Amplification Attacks
Amplification attacks work by issuing requests that generate large responses, potentially flooding the network. DNS infrastructure is a common target for amplification attacks.
DNS query messages are very small, often under 50 bytes. But a traditional DNS response (such as an answer containing an IPv4 address) can be ten times larger than the request. And on the internet today, DNS messages can contain lots of other information (for example, anti-spam technologies include cryptographic material). These extended response messages can be quite large, 1 KB or greater (see Figure 2).
An individual 1 KB response may not seem particularly troublesome, but DNS is designed to send many responses very quickly. Say an attacker issues 100,000 short DNS queries of 50 bytes each (5 MB total). If each reply is 1 KB, that's an aggregate response of 100 MB, a 20x amplification. An attacker with 5.6 Gbps of bandwidth has generated a 112 Gbps attack.
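The arithmetic on slides 19 and 20 is easy to reproduce with real wire-format messages, which also shows why attackers add an EDNS0 OPT record: without it a UDP answer is capped at 512 bytes and truncated. The block below is an added example, not Dyn's code. It builds an RFC 1035 query and a TXT-heavy response with the standard library only, measures the ratio, and then scans a constructed query log for the pattern an authoritative server sees during a reflection attack, namely one "client" address (the spoofed victim) collecting many oversized answers. The log format and addresses are constructed for the example.

```python
"""DNS amplification arithmetic on real wire-format messages, plus a detector
for the reflection pattern as seen from the authoritative side.
Added example, stdlib only, constructed sample data; not Dyn's code."""
import struct
from collections import defaultdict

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname, qtype, edns_bufsize=None):
    """Minimal DNS query. With an EDNS0 OPT RR (RFC 6891) the client advertises
    a UDP buffer larger than the classic 512 bytes, so a big answer arrives in
    one datagram instead of being truncated and retried over TCP."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def build_response(query, txt_records):
    """Echo the question, then one TXT RR per value, using a compression pointer
    (0xC00C) back to the question name. OPT is omitted for brevity."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)  # QR, RD, RA
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    rrs = b""
    for txt in txt_records:
        chunks = (txt[i:i + 255] for i in range(0, len(txt), 255))   # TXT strings max 255
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["TXT"], 1, 300, len(rdata)) + rdata
    return header + question + rrs


def amplification(query, response):
    """Bytes the reflector sends to the victim per byte the attacker spends."""
    return len(response) / len(query)


def find_reflection_targets(log_lines, min_queries=100, min_ratio=10.0):
    """log_lines: constructed 'src_ip qname qtype qlen rlen' records. Returns the
    source addresses (on the server side these are the spoofed victims) that
    collected many answers at a high response/query byte ratio."""
    stats = defaultdict(lambda: [0, 0, 0])        # src -> [count, query bytes, response bytes]
    for line in log_lines:
        src, _qname, _qtype, qlen, rlen = line.split()
        s = stats[src]
        s[0] += 1
        s[1] += int(qlen)
        s[2] += int(rlen)
    return {src: round(r / q, 1) for src, (n, q, r) in stats.items()
            if n >= min_queries and r / q >= min_ratio}


# Constructed log: one spoofed victim hammered with ANY queries, a normal client
# doing A lookups, and a third address with too few ANY queries to matter.
SAMPLE_LOG = (["192.0.2.66 example.com ANY 40 1101"] * 150
              + ["198.51.100.9 example.com A 29 45"] * 5
              + ["203.0.113.5 example.com ANY 40 1101"] * 3)

if __name__ == "__main__":
    q = build_query("example.com", "ANY", edns_bufsize=4096)
    r = build_response(q, [b"v=DKIM1; k=rsa; p=" + b"A" * 237] * 4)
    print(f"query {len(q)} bytes, response {len(r)} bytes, x{amplification(q, r):.1f}")
    print("reflection targets:", find_reflection_targets(SAMPLE_LOG))
```

From the server's point of view the victim looks like an abusive client, which is why the standard countermeasure, response rate limiting (available in BIND, NSD and Knot), keys on the client prefix and the identical-answer pattern this detector looks for, and why ANY queries are the first thing to rate-limit or refuse.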

21 Result of DDoS Attack
This is the result of a very short-lived DDoS attack that our NOC team was able to handle with very little effort. Can you handle this kind of query volume with your existing bandwidth if you are currently supporting DNS on premise? How well can your ISP- or registrar-based DNS solution mitigate this type of attack? Do they have the bandwidth on a single provider to absorb these attacks?

22 DDoS Mitigation Monitoring
Sometimes the cure is similar to the poison. Union Bank uses Verisign for DDoS mitigation. Verisign failed to propagate Union Bank's routes globally, so some of Dyn's peers still have a route the attacker can use (noted in red on the graph and bolded in the trace). Dyn receives full routing tables from over 700 IPv4 and IPv6 networks.
Trace (the path that bypasses the mitigation provider):
- border5.ae2-bbnet2.phx010.pnap.net (Internap Network Services, Phoenix, United States)
- unionb-9.edge1.phx010.pnap.net (Internap Network Services, Phoenix, United States)
- Union Bank of California (Monterey Park, United States)
- chns2.unionbank.com (Union Bank of California, Monterey Park, United States)

23 About Dyn

24 Oracle + Dyn Unique Value
- Consistently high performance response times worldwide
- DNS propagation time < 1 minute
- Highly resilient: optimized transit connections at each POP
- Advanced DDoS attack processes
- Superior geolocation accuracy
- Extreme industry expertise
DDoS handling:
- Dyn NOC successfully mitigates 2 to 3 significant DDoS attacks per week
- Dyn's NOC sees up to 50 DDoS events per month, but they are absorbed by our network and architecture
- Dyn detects and mitigates all attacks to our services at the infrastructure layer, spanning multiple protocols: DNS, SSDP, NTP, UDP fragments, etc.
- Typical mitigation time is less than 10 minutes
- Network layer attacks (layers 3 & 4): UDP floods, SYN attacks and ICMP; more than 80% of all attacks reported are here
- Session layer attacks (layers 5 & 6): DNS floods and SSL floods
- Unique ability to discover and quickly mitigate low-volume attacks: architecture combined with size and expertise of the team

25 Anycast Network
"Dyn delivers the best DNS response time worldwide." – CloudHarmony
Fully redundant anycast network with no outages. The anycast network provides responses very fast, with low latency from every region, with POPs globally to quickly service your DNS requests. We have analyzed the global internet to strategically place the POPs so they are just a few network hops away. The user's query is resolved and directed to the closest available endpoint.
Speed: average response times North America < 15 ms, Europe < 30 ms, Asia < 45 ms.
Speaker notes: Servers are Dell R430 running dBIND; 200,000 queries on an individual nameserver (one dns4 box). Anycast A consists of NTT and Tata. Anycast B consists of Telia, Level3, Cogent, Bharti, Telstra, PCCW and Pacnet. Anycast C consists of NTT and Tata. Anycast D consists of Telia, Durand, Telstra, PCCW, Cogent and Level3. Gig links (except Mumbai and Sao Paulo, APAC).

26 Collecting Traceroute and BGP
"It's good to see this great data being exposed for operational purposes. The internet is so critical for almost every business today." – Gartner (Jonah Kowall, VP)
- Active monitoring of BGP: real-time global routing table from over 700 sessions
- 300+ collectors sending traceroutes to over 1.5 million targets daily, resulting in over 6B measurements per day
- Updates and alerts within 30 seconds of real time

27 Endpoint Agnostic Routing
Route to anything: datacenters, load balancers, CDNs, cloud hosting, filtration services, VoIP.
Pick and choose: geography, round robin, weighted, performance.
To cure Internet blindness:
- Dyn monitors the whole Internet across multiple datasets
- Dyn views Internet organizations from the outside in, just like their customers do
- Only correlation across these diverse datasets reveals the high-value problem root causes
- Only Dyn has non-archived datasets reaching back to 2002 for a unique historic context
- Only accept incomplete datasets if you want incomplete Internet performance or security!

28 Things to Consider: DNS of today is not your father's DNS
- DDoS attacks are larger and more complex than ever before. You need an expert NOC to partner with.
- Customer steering to improve experience does not need to be done by a box in your data center.
- Monitoring and failover can be done while you are sleeping.
