04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki Kumamura
- 1. ©A10 Networks, Inc.
Handling massive number of subscribers and attacks
June, 2014
Takeki Kumamura, APJ Solution Engagement, Solution Architect
- 3. A10 Corporate Introduction
[Chart residue: COMPANY GROWTH bar chart (years 2010, 2011, 2012, 2013; values shown 54,700,000 / 91,493,028 / 120,344,000 / 142,000,000) and CUSTOMER GROWTH bar chart (Q4'11, Q4'12, Today; values shown 1080 / 2008 / 3000)]
Headquarters in San Jose
650 Employees
Offices in 23 countries
Customers in 65 countries
- 4. 3000+ Customers in 65 Countries
Web Giants, Enterprises, Service Providers
3 of Top 4 U.S. wireless carriers
7 of Top 10 U.S. cable providers
Top 3 wireless carriers in Japan
- 5. A10 Product Portfolio Overview
IT delivery models: Dedicated Network, Managed Hosting, Cloud IaaS
Application Networking Platform (ACOS Platform): Performance, Scalability, Extensibility, Flexibility
Product lines on the ACOS Platform:
▪ ADC – Application Delivery Controller: Application Acceleration & Security
▪ CGN – Carrier Grade Networking: IPv4 Extension / IPv6 Migration
▪ TPS – Threat Protection System: Network Perimeter DDoS Security
- 7. Exponential Rise in Devices, Users and Traffic
[Chart residue: vertical panel labels "Digital Content", "Internet Traffic", "Internet of ..." and "Extend IPv4 & Migrate to IPv6"]
The Digital Universe: 50-fold Growth from the beginning of 2010 to the End of 2020
Source: IDC's Digital Universe Study, sponsored by EMC, December 2012
IP Traffic by Year
Source: Cisco VNI, 2013
Akamai IPv6 Traffic Volume
Source: Akamai
Total of Connected Devices, Billions of Units (Installed Bases)
Source: Gartner (November 2013)
- 9. Delegated IPv4 Addresses (top 10) and Populations
Rank  Country                    IPv4 addresses   Population      IPs/Pop.
1     China                      330,600,960      1,365,160,000   0.24
2     Japan                      201,530,368      127,090,000     1.58
3     Korea, Republic of         112,274,176      50,423,955      2.22
4     Australia                  48,270,848       23,533,100      2.05
5     India                      35,762,688       1,245,700,000   0.02
6     Taiwan, Province of China  35,430,656       23,386,883      1.51
7     Indonesia                  17,588,480       247,424,598     0.07
8     Viet Nam                   15,606,528       89,708,900      0.17
9     Hong Kong                  11,807,232       7,219,700       1.63
10    Thailand                   8,615,936        64,456,700      0.13
Sources:
http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html
http://en.wikipedia.org/wiki/List_of_countries_by_population
- 10. What is the actual number of users?
▪ 17,580,480 IPs versus a population of 247,424,598 = 0.07 IP/person
– But who will actually be using the devices with IP addresses?
– ISP home networks, and mobile devices.
- 11. Increasing Smartphones in Indonesia
                                    2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)             11.7   26.3   41.6   61.2   74.8   89.8   103.6
-- % of mobile phone users          9.0%   16.0%  24.0%  34.0%  40.0%  47.0%  53.0%
-- % of population                  4.8%   10.6%  16.6%  24.1%  29.2%  34.8%  39.8%
vs IPv4 addresses (17,580,480)      1.50   0.66   0.42   0.28   0.23   0.19   0.16
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
NAT "compression rate" of private to global IP increases.
- 13. Limitations with Classic NAT
▪ Classic NAT does not allow outside-originated traffic
▪ Legacy implementations lack end-to-end transparency
▪ Causes peer-to-peer, voice, video and streaming applications to break
▪ Scale and performance for carrier-class applications
▪ Carrier Grade NAT (CGN) supports transparent end-to-end connectivity
▪ Enables oversubscription of global IPv4 resources, helps scaling
▪ NAT44 or NAT444 options
[Diagram residue: Classic NAT passes inside-originated traffic but blocks outside-originated traffic; CGN passes both inside-originated and outside-originated traffic]
- 14. CGN Use Case: Hairpinning
▪ Two clients, Host A and Host B, behind a common NAT device
▪ Host A to Host B communication using the external binding
– Ex: Hosts using SIP for communication, registered to an external server (Ex: SIP service)
Hairpinning traffic: allows inside clients to connect to their outside IP/port.
[Diagram: Host A and Host B on the inside of the CGN, Host S on the outside, CGN external address X]
Binding shown (Internal / External / Filter):
A:1024/B:8080  X:9001/B:8080  *:*/X:9001
Packets shown in the diagram:
Source: A:1024  Dest: S:8080  (inside originated, leaves as X:9001 -> S:8080)
Source: B:1024  Dest: S:8080  (inside originated, leaves as X:9002 -> S:8080)
Source: S:8080  Dest: X:9001  (reply to Host A)
Source: S:8080  Dest: X:9002  (reply to Host B)
Source: A:1024  Dest: X:9002  (hairpinned to Host B)
Source: B:1024  Dest: X:9001  (hairpinned to Host A)
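The behaviour described on slides 13 and 14 (classic NAT refusing outside-originated packets versus a CGN with an endpoint-independent "*:*" filter that also hairpins), as an added Python simulation that is not A10's code. Hosts A and B (10.0.0.1, 10.0.0.2), the CGN public address X (203.0.113.1) and the outside server S (198.51.100.10:8080) are constructed addresses; the port numbers follow the slide.

```python
"""Toy NAT with endpoint-independent mapping, contrasting a classic NAT
with a CGN that filters on "*:*" and hairpins, as on slides 13 and 14.

Added illustration, not A10 code. All addresses are constructed:
inside hosts A=10.0.0.1 and B=10.0.0.2, CGN public address X=203.0.113.1,
outside server S=198.51.100.10:8080."""
from dataclasses import dataclass

A, B = "10.0.0.1", "10.0.0.2"
X = "203.0.113.1"
S = "198.51.100.10"
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAT:
    def __init__(self, external_ip, carrier_grade, first_port=9001):
        self.external_ip = external_ip
        self.carrier_grade = carrier_grade  # False = classic NAT, True = CGN
        self.next_port = first_port
        self.mappings = {}  # (inside_ip, inside_port) -> external port
        self.reverse = {}   # external port -> (inside_ip, inside_port)
        self.peers = {}     # external port -> {(outside_ip, outside_port)} seen outbound

    def _bind(self, inside):
        # Endpoint-independent mapping: one external port per inside ip:port,
        # reused for every destination (slide 14: A:1024 -> X:9001).
        if inside not in self.mappings:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[inside] = port
            self.reverse[port] = inside
            self.peers[port] = set()
        return self.mappings[inside]

    def forward(self, pkt):
        """Return the packet as delivered to its final hop, or None if dropped."""
        if pkt.src_ip.startswith(INSIDE_PREFIX):
            ext_port = self._bind((pkt.src_ip, pkt.src_port))
            self.peers[ext_port].add((pkt.dst_ip, pkt.dst_port))
            translated = Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)
            if pkt.dst_ip == self.external_ip:
                # Inside host addressed the NAT's own public address: hairpin case.
                if not self.carrier_grade:
                    return None  # classic NAT does not loop traffic back inside
                return self._inbound(translated)
            return translated
        return self._inbound(pkt)

    def _inbound(self, pkt):
        inside = self.reverse.get(pkt.dst_port)
        if inside is None or pkt.dst_ip != self.external_ip:
            return None  # no binding for this external port
        if not self.carrier_grade and (pkt.src_ip, pkt.src_port) not in self.peers[pkt.dst_port]:
            return None  # classic NAT: only replies from peers the inside host contacted
        # CGN: endpoint-independent filter ("*:*/X:9001"); any source may reach the binding
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def run_scenario(carrier_grade):
    """Replay the slide-14 exchange plus one unsolicited outside packet."""
    nat = NAT(X, carrier_grade)
    return {
        "a_out": nat.forward(Packet(A, 1024, S, 8080)),        # X:9001 -> S:8080
        "b_out": nat.forward(Packet(B, 1024, S, 8080)),        # X:9002 -> S:8080
        "reply_a": nat.forward(Packet(S, 8080, X, 9001)),      # back to A:1024
        "unsolicited": nat.forward(Packet("192.0.2.7", 5060, X, 9001)),
        "hairpin": nat.forward(Packet(A, 1024, X, 9002)),      # A reaches B via B's binding
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("CGN" if mode else "classic", run_scenario(mode))
```

The same "*:*" filter that makes hairpinning and peer-to-peer work also delivers the unsolicited packet from 192.0.2.7 to Host A, which is why a CGN with endpoint-independent filtering needs per-binding session limits and logging of the mapping lifetime rather than relying on the old "outside cannot initiate" property of classic NAT.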
- 16. Typical NAT Use Cases
[Diagram residue: Consumer NAT / private IPv4 address -> private/CGN-scoped IPv4 address -> CGN/CGNAT/LSN -> public IPv4 address -> IPv4 Internet; IPv4 clients on a Service Provider or Enterprise IPv4 network]
▪ Enterprise: NAT44
▪ Service Provider: NAT444
▪ Mobile Provider: NAT44
• Increase of NAT "compression rate" here leads to:
  • Smaller number of TCP/UDP sessions
  • Logging issues
  • No scale in business
  • etc, etc.
- 17. Decreasing Userquota (= TCP/UDP sessions per user)
                                          2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)                   11.7   26.3   41.6   61.2   74.8   89.8   103.6
vs IPv4 addresses (17,580,480)            1.50   0.66   0.42   0.28   0.23   0.19   0.16
Users per IP (allocating 1 IP per user)   1      2      3      4      5      6      7
Userquota (= TCP/UDP sessions per user)   64000  32000  21300  16000  12800  10600  9100
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
This may be a good case (using the whole IP address pool of the country at once).
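The compression-rate and userquota arithmetic from slides 11, 16 and 17, as an added Python example (not A10's code). The inputs are the deck's own figures: 17,580,480 IPv4 addresses, the smartphone-user series, and 64000 usable ports per global IP. Two things are assumptions made to reproduce the table: quotas are rounded down to hundreds, and users-per-IP is the ceiling of users over pool size (so the 2017 row comes out at 6 rather than the table's 7). `required_pool` goes one step beyond the slide and answers the planning question in reverse: how many global IPs keep every subscriber above a chosen quota.

```python
"""Compression rate and per-user port quota for a shared IPv4 pool.

Added worked example, not A10 code. Inputs are the deck's own figures
(17,580,480 IPv4 addresses, smartphone users by year, 64000 ports per IP);
the rounding to hundreds and the ceiling on users-per-IP are assumptions
made to reproduce the table on slide 17."""
from math import ceil

IPV4_POOL = 17_580_480                 # Indonesia's delegated IPv4 addresses per the deck
PORTS_PER_IP = 64_000                  # usable TCP (or UDP) ports per global IP, as on slide 17
USERS_BY_YEAR = [(2011, 11.7), (2012, 26.3), (2013, 41.6), (2014, 61.2),
                 (2015, 74.8), (2016, 89.8), (2017, 103.6)]   # millions, from slide 11


def compression_rate(pool, users):
    """Global IPs per user; below 1.0 the pool must be shared (slide 11 'vs IPv4 addresses')."""
    return pool / users


def user_quota(users_per_ip, ports_per_ip=PORTS_PER_IP):
    """Ports each user keeps when an IP is shared users_per_ip ways, rounded down to hundreds."""
    return ports_per_ip // users_per_ip // 100 * 100


def required_pool(users, min_quota, ports_per_ip=PORTS_PER_IP):
    """Smallest global pool that still leaves every user min_quota ports."""
    users_per_ip = ports_per_ip // min_quota
    return ceil(users / users_per_ip)


def quota_table(users_by_year=USERS_BY_YEAR, pool=IPV4_POOL):
    """Rows of (year, IPs per user, users per IP, port quota per user)."""
    rows = []
    for year, users_m in users_by_year:
        users = round(users_m * 1_000_000)
        per_ip = max(1, ceil(users / pool))   # assumption: pack users as tightly as the ratio demands
        rows.append((year, round(compression_rate(pool, users), 2), per_ip, user_quota(per_ip)))
    return rows


if __name__ == "__main__":
    for row in quota_table():
        print(*row)
    print("IPs needed to keep 9100 ports/user in 2017:", required_pool(103_600_000, 9100))
```

The quota is also the ceiling on how much abuse one subscriber can generate through one public address before port exhaustion, which is why the "logging issues" bullet matters: with 7 users per IP, an abuse report that names only the public IP and a timestamp identifies 7 subscribers unless the source port is logged as well.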
- 19. A10's IPv6 Migration Options
[Diagram residue: columns Access (IPv4 or IPv6 client behind a CPE), Migration technology, Destination (IPv4 Internet or IPv6 Internet)]
Migration options:
▪ 6rd
▪ DS-Lite
▪ Stateful NAT64/DNS64
▪ Stateless NAT46
▪ Lw-4o6 (unique Service Provider feature)
A10 offers a one-box solution!
- 20. NAT64 & DNS64 – DNS Flow
[Diagram: IPv6 clients -> NAT64/DNS64 device (IPv6 + IPv4) -> DNS and IPv4 Internet; www.example.com = 192.2.0.33 on the IPv4 Internet; IPv6.example.com on the IPv6 Internet]
Client -> DNS64: AAAA Query www.example.com
DNS64 -> IPv4 DNS: AAAA www.example.com = Error; A www.example.com = 192.2.0.33
DNS64 -> Client: AAAA Response: 2001:DB8:122:344::192.2.0.33
NAT64/DNS64 device owns IPv6 prefix 2001:DB8:122:344::/96
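The synthesis step in the flow above, and the matching extraction the NAT64 on slide 21 must perform on every packet, as an added Python example (not A10's code). The prefix 2001:DB8:122:344::/96 and the answer 192.2.0.33 are the slide's; the upstream resolver is a constructed dictionary standing in for the IPv4-side DNS, and the `ipv6.example.com` and `internal.example.com` entries are assumed names added to show the two cases the slide does not draw.

```python
"""DNS64 AAAA synthesis and the matching NAT64 address extraction for the
slide-20 flow. Added illustration, not A10 code. The prefix is the slide's
2001:DB8:122:344::/96; the upstream DNS answers are a constructed stand-in."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:122:344::/96")

# Constructed stand-in for the IPv4-side resolver: name -> (AAAA answers, A answers)
UPSTREAM = {
    "www.example.com": ([], ["192.2.0.33"]),          # IPv4-only, as on the slide
    "ipv6.example.com": (["2001:db8:1::1"], []),       # assumed native-IPv6 host
    "internal.example.com": ([], ["10.0.0.5"]),        # assumed leaked private answer
}


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 /96 format)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is implemented here")
    return ipaddress.IPv6Address(int(prefix.network_address) + int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6, prefix=NAT64_PREFIX):
    """NAT64 side: recover the IPv4 destination, or None if the packet is not for
    this prefix or would be translated toward a non-global IPv4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    ipv4 = ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)
    if ipv4.is_private:
        return None  # defensive: never translate into RFC 1918 / special-use space
    return ipv4


def dns64_aaaa(name, upstream=UPSTREAM, prefix=NAT64_PREFIX):
    """Answer an AAAA query: pass real AAAA records through, synthesize from A records otherwise."""
    aaaa, a = upstream.get(name, ([], []))
    if aaaa:
        return [ipaddress.IPv6Address(x) for x in aaaa]   # native IPv6 reachable, no NAT64 needed
    return [synthesize(x, prefix) for x in a]              # empty list if no A record either


if __name__ == "__main__":
    for name in UPSTREAM:
        answers = dns64_aaaa(name)
        print(name, [str(x) for x in answers], [extract(x) for x in answers])
```

Python prints the synthesized address as 2001:db8:122:344::c002:21, which is the same address the slide writes with a dotted-quad tail. Two operational points follow from the code: a synthesized AAAA record is not signed by the zone owner, so a client that validates DNSSEC itself will reject it and must instead trust the DNS64 resolver; and the private-address guard in `extract` keeps a forged or misconfigured A answer from steering the NAT64 into the operator's own IPv4 infrastructure.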
- 21. A10 IPv6 Migration: Use Cases – CGN | NAT64/DNS64
[Diagram residue: IPv4 clients -> IPv4 core -> CGN -> IPv4 Internet; IPv6 clients -> IPv6 core -> NAT64/DNS64 -> IPv4 Internet]
▪ CGN – IPv4 clients to IPv4: preserve IPv4 resources; maintain current devices and current services with IPv4
▪ NAT64/DNS64 – IPv6 clients to IPv4: enables IPv6-only clients to connect to IPv4 resources; new devices and new services start with IPv6 for future expansion
- 22. A10 CGN Benefits for Service Provider & Enterprise
App Reliability
▪ Application Layer gateways
▪ Support for diverse applications
▪ HA ensures sessions are maintained
Extend IPv4
▪ Protect IPv4 investments
▪ Preserve existing address allocation
▪ Save time and cost
IPv4 to IPv6 Transition
▪ Ensures smooth conversion
▪ Supports multiple bridging methods
▪ Simultaneous support for IPv4 and IPv6
- 24. DDoS Problems
▪ Q3 2010: PayPal discloses cost of attack £3.5M (~$5.8 million)
▪ Q4 2012: Bank of the West, $900k stolen, DDoS as a distraction
▪ Q1 2013: Credit Union Regulators recommend DDoS protection to all members
▪ Q1 2013: al Qassam Cyber Fighters, 10-40 Gbps attacks target 9 major banks
▪ Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
▪ Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
▪ Q4 2013: PPS reaches 35 million
▪ Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
▪ Q1 2014: CloudFlare, 400 Gbps NTP amplification attack
"High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises"
Source: Gartner
- 25. Common DDoS Attack Types
▪ Attack intentions: make resources unavailable
– Resource exhaustion: overwhelm equipment (application) capacity
– Volumetric: flood network capacity
▪ Two attack vectors
– Network attacks (L3-4): TCP, UDP, ICMP, more…
– Application attacks (L7): HTTP, DNS, NTP, more…
▪ Emergence of multi-vector attacks (NEW!)
– Multiple attack vectors per incident are on the rise
- 26. Thunder TPS for Top US Cloud Provider
▪ Benefits:
– Reduced CAPEX and OPEX
– Reduced data center footprint
– Easily integrated into their custom detection system
▪ Details:
– Replaced market leader appliances
– 78 A10 devices, in 26 data centers
– $2.5M+ savings per site, 80%+ support savings
Sample comparison (rack units):
Thunder TPS 6435: 155 Gbps, 200 MPPS, 1 U
Market leader 40G solution: 160 Gbps, 160 MPPS, 24 U
- 27. Asymmetric Reactive Deployment
▪ Asymmetric reactive deployment
– Classic deployment model
– Scalable solution for DDoS mitigation
– Suitable for Service Providers with
  ▪ DDoS scrubbing center service (MSSP)
  ▪ Protecting own services (content provider)
  ▪ Large scale core network
▪ Profile
– Traffic redirected to TPS for scrubbing as needed
  ▪ Supports BGP for route injection
– Valid traffic forwarded into the network for services
  ▪ Supports GRE & IP-in-IP tunneling
[Diagram residue: Core Network, End Customer or Data Center, Services; the DDoS Detection System receives telemetry and, via aXAPI or manual action, triggers traffic redirection to the TPS]
- 28. Asymmetric Proactive Deployment
▪ Asymmetric proactive deployment
– For high-performance DDoS detection and mitigation
– DDoS detection and mitigation in one box
– Suitable for large enterprises and ISPs
  ▪ Protecting own services
  ▪ Protecting end customers
  ▪ Large- to mid-scale core network
▪ Profile
– Inbound traffic always routed toward TPS
  ▪ Insight in peace-time and war-time
– DDoS detection and mitigation at sub-second scale
[Diagram residue: Core Network, Services, End Customer or Data Center]
- 29. Symmetric Deployment
▪ Symmetric deployment
– Inline DDoS detection and mitigation in one box
– Inspect both inbound and outbound traffic
– Suitable for enterprises
  ▪ Protecting own services
▪ Profile
– Fully aware of and inspects L3 – L7 traffic, both inbound and outbound
– DDoS detection and mitigation at sub-second scale
Real-time detection (HTTP, DNS, TCP, UDP): Flood Thresholds, Protocol Anomalies, Behavioral Anomalies, Resource Starvation, L7 Scripts, Black Lists
[Diagram residue: Services; DDoS Detection System / Collection Device receives telemetry and feeds real-time threshold tuning]
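Two of the detection methods listed on slide 29 (flood thresholds and protocol anomalies) run over the kind of flow telemetry the detection system on slides 27 to 29 consumes, as an added Python example that is not A10's code. The flow records are constructed, the 1000 pps ceiling and 400 bytes-per-packet cut-off are assumptions rather than vendor defaults, and `diversion_routes` only shows what the reactive deployment on slide 27 would hand to BGP for redirection.

```python
"""Flood-threshold and protocol-anomaly detection over flow records, the
kind of telemetry the detection system on slides 27-29 acts on.
Added illustration, not A10 code. The flow records and thresholds are
constructed for the example; the PPS limit and bytes-per-packet cut-off are
assumptions, not vendor defaults."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int          # arrival second (constructed clock)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes: int


PPS_FLOOD = 1_000               # assumed peace-time packet-rate ceiling per destination
AMP_MIN_BYTES_PER_PKT = 400     # assumed: reflector replies are large, client queries are small
REFLECTOR_PORTS = {53, 123}     # DNS and NTP, the amplification vectors slide 25 names

VICTIM = "203.0.113.10"
SAMPLE = [  # constructed flow records
    Flow(1, "192.0.2.10", VICTIM, "tcp", 51000, 80, 300, 45000),      # normal web traffic
    Flow(1, "192.0.2.53", VICTIM, "udp", 53, 33000, 5, 400),          # ordinary DNS reply, 80 B/pkt
    Flow(2, "198.51.100.1", VICTIM, "udp", 123, 40000, 800, 360000),  # NTP reflector, 450 B/pkt
    Flow(2, "198.51.100.2", VICTIM, "udp", 123, 40000, 800, 360000),
    Flow(2, "198.51.100.3", VICTIM, "udp", 123, 40000, 800, 360000),
    Flow(2, "192.0.2.10", VICTIM, "tcp", 51000, 80, 300, 45000),
    Flow(3, "198.51.100.1", VICTIM, "udp", 123, 40000, 900, 405000),
    Flow(3, "198.51.100.2", VICTIM, "udp", 123, 40000, 900, 405000),
    Flow(3, "192.0.2.10", "203.0.113.20", "tcp", 51001, 443, 500, 60000),  # other host, quiet
]


def pps_by_destination(flows):
    """Packets per (second, destination)."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.t, f.dst)] += f.packets
    return counts


def flood_alerts(flows, threshold=PPS_FLOOD):
    """Flood thresholds: destination -> seconds in which its packet rate exceeded threshold."""
    alerts = defaultdict(list)
    for (t, dst), pkts in pps_by_destination(flows).items():
        if pkts > threshold:
            alerts[dst].append(t)
    return {dst: sorted(ts) for dst, ts in alerts.items()}


def amplification_sources(flows, min_bpp=AMP_MIN_BYTES_PER_PKT):
    """Protocol anomaly: UDP from a reflector service port with large average packets."""
    return sorted({f.src for f in flows
                   if f.proto == "udp" and f.sport in REFLECTOR_PORTS
                   and f.bytes / f.packets >= min_bpp})


def diversion_routes(alerts):
    """Host routes the reactive deployment would inject to pull the victim's traffic to the TPS."""
    return sorted(f"{dst}/32" for dst in alerts)


if __name__ == "__main__":
    hits = flood_alerts(SAMPLE)
    print("flooded:", hits)
    print("reflectors:", amplification_sources(SAMPLE))
    print("divert:", diversion_routes(hits))
```

The per-destination threshold is what a peace-time baseline ("insight in peace-time and war-time" on slide 28) has to calibrate: set too low it diverts the victim's legitimate traffic through the scrubbing path on every busy second, set too high the attack on t=2 and t=3 goes unnoticed until the link saturates. The reflector sources are reported for filtering at the scrubbing center, not as attribution, since the reflectors are themselves abused third parties.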
- 30. Thunder Threat Protection System (TPS): Next Generation DDoS Protection
Multi-vector application & network protection
▪ Detect & mitigate application & network attacks
▪ Flexible scripting & DPI for rapid response
High performance mitigation
▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit
Broad deployment options & 3rd party integration
▪ Symmetric, asymmetric, out-of-band
▪ Open SDK/RESTful API for 3rd party integration
- 31. Summary
ACOS Platform product lines: ADC (Application Delivery Controller), CGN (Carrier Grade Networking), TPS (Threat Protection System)
▪ CGN: handling massive number of subscribers
▪ TPS: handling massive number of attacks
▪ For expanding market, and expanding networks