Thinning Akamai

Thinning Akamai. Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University. USENIX/ACM SIGCOMM IMC ’08. Motivation. >50% of online users would leave and never come back to a streaming site when streaming quality is bad (Akamai’s user study ’07).


Presentation Transcript


  1. Thinning Akamai. Ao-Jan Su and Aleksandar Kuzmanovic, Department of EECS, Northwestern University. USENIX/ACM SIGCOMM IMC ’08

  2. Motivation
     • >50% of online users would leave and never come back to a streaming site when streaming quality is bad (Akamai’s user study ’07)

  3. Akamai’s Streaming Architecture
     • Diagram labels: Entry Points; Reflectors; Edge Servers
     • Can we degrade service to large-scale streaming networks?

  4. DNS-based Load Balancing
     • DNS-based load balancing is used at both the edge and reflector levels
     • Diagram labels: Global Monitoring Infrastructure; update feedback; DNS Server; Edge Server 1; New edge server IP; Edge Server 2

  5. Web vs. Streaming
     • Web
        • Insensitive to bandwidth and latency
        • Short-lived connections
        • Server load quickly goes away
     • Streaming
        • Sensitive to bandwidth, jitter, and packet loss
        • Long-lived connections
        • Clients connect to a streaming server for minutes/hours
     • Is DNS-based load balancing resilient to DoS attacks for streaming service?

  6. Slow Load Balancing Experiment

  7. Redirection Time Scales
     • Minimum redirection time is 20 seconds
     • Is minimum redirection time scale small enough for streaming?

  8. Slow Load Balancing Result
     • Plot annotations: Edge server becomes overloaded; Throughput recovers; Start probing machines; DNS updated, stop probing machines
     • DNS-based system is too slow to react to overloaded conditions

  9. No-isolation Experiment
     • Diagram labels: Live Video; Pay per View VoD Movie

  10. Service Overlapping
     • 25% of nodes observe overlap ratio > 0.5
     • Would different streaming services interfere with each other?

  11. No-isolation Experiment (Live vs. VoD)
     • Plot annotations: Edge server becomes overloaded; Edge server attempts to refill client’s buffer; Start probing machines; DNS updated, stop probing machines
     • No-isolation makes it possible to DoS Video-on-Demand service by live streaming

  12. Reflector-level Experiments
     • Diagram label: Customers
     • Issue: How to attack reflectors?
     • Challenge: Information about reflectors not publicly available
     • Approach: Use edge servers as proxies
        • Need mapping between edge servers and reflectors
     • Facts:
        • Akamai gathers streams from different customers into channels
        • Streams from the same region and the same channel map to the same reflector

  13. Amplification Experiment
     • Big edge server clusters are vulnerable to amplification attacks
     • Can we attack reflectors by using edge servers as proxies?

  14. Amplification Experiment
     • Plot annotations: Service degradation at similar pace; Bottleneck observed, stop probing machines; Start probing machines; Throughput recovery
     • It is possible to attack reflectors by using edge servers as “proxies”

  15. Existing Countermeasures
     • Stream replication
        • Waste bandwidth
     • Resource-based admission control
        • Can’t solve network or reflector bottlenecks
     • Solving Puzzles
        • Undermines Akamai’s service transparency

  16. Our approaches
     • Location-aware admission control

  17. Our approaches (Cont.)
     • Reducing system transparency
     • Shielding administrative information
        • Keep state at edge servers
     • Shielding vincible IP addresses
        • Virtual IP addresses
     • Key issue:
        • Tradeoff between transparency and DoS resiliency

  18. Conclusions
     • Large-scale, DNS-based load balancing systems are known to be resilient to attacks. However, it is not exactly true in the case of streaming
     • Identify vulnerabilities of DNS-based streaming service
        • Slow load balancing
        • No isolation
        • Amplification attacks
     • Provide countermeasures to raise the bar for attackers

  19. Thank you!

  20. Backup Slides

  21. Methodology
     • Protocol: Windows Media Server (mms)
        • Modify MiMMS software
     • Setup:
        • Observers & experimental machines
        • Collect 1400 unique live streams
        • Assign 200 streams each to 7 experimental machines
     • Bypass DNS redirections
        • Directly connect to edge server
     • Abort experiment immediately when we observe bottleneck conditions

  22. Migration
