©A10 Networks, Inc.
Handling massive number of subscribers and attacks
June, 2014
APJ Solution Engagement, Solution Architect
Takeki Kumamura

Introductions

A10 Corporate Introduction
[Chart: COMPANY GROWTH, 2010 2011 2012 2013; values shown: 142000000, 120344000, 91493028, 54,700,000]
[Chart: CUSTOMER GROWTH, Q4' 11, Q4' 12, Today; values shown: 3000, 2008, 1080]
Headquarters in San Jose
650 Employees
Offices in 23 countries
Customers in 65 countries

3000+ Customers in 65 Countries
Web Giants, Enterprises, Service Providers
3 of Top 4 U.S. WIRELESS CARRIERS
7 of Top 10 U.S. CABLE PROVIDERS
Top 3 WIRELESS CARRIERS IN JAPAN

A10 Product Portfolio Overview
IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS
Application Networking Platform
▪ Performance
▪ Scalability
▪ Extensibility
▪ Flexibility
ACOS Platform: CGN, TPS, ADC
Product Lines
▪ ADC (Application Delivery Controller) – Application Acceleration & Security
▪ CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration
▪ TPS (Threat Protection System) – Network Perimeter DDoS Security

Handling Massive Number of Subscribers

Exponential Rise in Devices, Users and Traffic
Extend IPv4 & Migrate to IPv6
[Figure panels: DIGITAL CONTENT, INTERNET TRAFFIC, IPv6 CONTENT, INTERNET OF]
▪ The Digital Universe: 50-fold Growth from the beginning of 2010 to the End of 2020 (Source: IDC’s Digital Universe Study, sponsored by EMC, December 2012)
▪ IP Traffic by Year (Source: Cisco VNI, 2013)
▪ Akamai IPv6 Traffic Volume (Source: Akamai)
▪ Total of Connected Devices, Billions of Units (Installed Bases) (Source: Gartner (November 2013))

How about a real example?

Delegated IPv4 Addresses (top 10) and Populations
Rank  Country                    IPs          Pop.           IPs/Pop.
1     China                      330,600,960  1,365,160,000  0.24
2     Japan                      201,530,368  127,090,000    1.58
3     Korea, Republic of         112,274,176  50,423,955     2.22
4     Australia                  48,270,848   23,533,100     2.05
5     India                      35,762,688   1,245,700,000  0.02
6     Taiwan, Province of China  35,430,656   23,386,883     1.51
7     Indonesia                  17,588,480   247,424,598    0.07
8     Viet Nam                   15,606,528   89,708,900     0.17
9     Hong Kong                  11,807,232   7,219,700      1.63
10    Thailand                   8,615,936    64,456,700     0.13
Sources:
http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html
http://en.wikipedia.org/wiki/List_of_countries_by_population

What is the actual number of users?
▪ “Versus” Population = 247,424,598 = 0.07 IP/person
– But who will actually be using the devices with IP addresses?
– ISP home networks, and mobile devices.
17,580,480 IPs vs
17,580,480 IPs vs

Increasing Smartphones in Indonesia
                                2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)         11.7   26.3   41.6   61.2   74.8   89.8   103.6
-- % of mobile phone users      9.0%   16.0%  24.0%  34.0%  40.0%  47.0%  53.0%
-- % of population              4.8%   10.6%  16.6%  24.1%  29.2%  34.8%  39.8%
vs IPv4 addresses (17,580,480)  1.50   0.66   0.42   0.28   0.23   0.19   0.16
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
NAT “Compression rate” of private to global IP increases

I am already doing NAT

Limitations with Classic NAT
▪ Classic NAT does not allow outside originated traffic
▪ Legacy implementation lacks end-to-end transparency
▪ Causes peer-to-peer, voice, video, streaming applications to break
▪ Scale and Performance for Carrier Class applications
▪ Carrier Grade NAT or CGN supports transparent end-to-end connectivity
▪ Enables oversubscription of global IPv4 resources, helps scaling
▪ NAT44 or NAT444 options
[Diagram: Classic NAT (inside originated, outside originated) and CGN (inside originated, outside originated)]

CGN Use Case : Hairpinning
▪ Two clients Host A and Host B behind a common NAT device
▪ Host A to Host B communication using the external binding
– Ex: Hosts using SIP for communication registered to an external server (Ex: SIP service)
Hairpinning Traffic: Allows inside clients to connect to their outside IP/port
[Diagram: Inside (Host A, Host B), CGN, Outside (Host S); labels: Inside IP/port, Outside IP/port, Inside originated]
Packet labels in the diagram:
Source: B:1024  Dest: X:9001
Source: S:8080  Dest: X:9001
Source: S:8080  Dest: X:9002
Source: B:1024  Dest: S:8080
Source: A:1024  Dest: X:9002
Source: A:1024  Dest: S:8080
Binding table in the diagram:
Internal        External        Filter
A:1024/B:8080   X:9001/B:8080   *:*/X:9001

Back to the story…

Typical NAT Use Cases
[Diagram: IPv4 Clients; Consumer NAT/Private IPv4 Address; Private/CGN Scoped IPv4 Address; Service Provider or Enterprise IPv4 Network; CGN/CGNAT/LSN; Public IPv4 Address; IPv4 Internet]
Enterprise: NAT44
Service Provider: NAT444
Mobile Provider: NAT44
• Increase of NAT “compression rate” here leads to:
  • Smaller number of TCP/UDP sessions
  • Logging issues
  • No scale in business
  • etc, etc.

Decreasing Userquota (= TCP/UDP sessions per user)
                                         2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)                  11.7   26.3   41.6   61.2   74.8   89.8   103.6
vs IPv4 addresses (17,580,480)           1.50   0.66   0.42   0.28   0.23   0.19   0.16
User per IP (allocating 1 IP per user)   1      2      3      4      5      6      7
Userquota (= TCP/UDP sessions per user)  64000  32000  21300  16000  12800  10600  9100
Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
This may be a good case (using whole IP address pool of country at once)
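
Added example (not from the original slides): the Userquota row above, plus one way to keep the earlier "Logging issues" tractable by giving each subscriber a fixed port block, so that a public IP and source port from an abuse report map back to one subscriber without per-session logs. This goes beyond the slide: the deterministic block layout, the base port 1024, the subscriber index and the 198.51.100.0/30 pool are assumptions made for illustration.

```python
import ipaddress

USABLE_PORTS = 64000  # ports per public IPv4 address, the figure used on the slide
BASE_PORT = 1024      # assumption: first port handed out to subscribers


def userquota(users_per_ip):
    """Ports per subscriber, rounded down to a multiple of 100 as on the slide."""
    return (USABLE_PORTS // users_per_ip) // 100 * 100


def allocate(pool, users_per_ip, subscriber_index):
    """Map a subscriber index to (public IP, first port, last port)."""
    net = ipaddress.IPv4Network(pool)
    ip_index, block = divmod(subscriber_index, users_per_ip)
    if ip_index >= net.num_addresses:
        raise ValueError("public pool exhausted")
    quota = userquota(users_per_ip)
    first = BASE_PORT + block * quota
    return net[ip_index], first, first + quota - 1


def attribute(pool, users_per_ip, public_ip, port):
    """Reverse lookup for abuse handling: subscriber index that owns ip:port, or None."""
    net = ipaddress.IPv4Network(pool)
    ip = ipaddress.IPv4Address(public_ip)
    if ip not in net or port < BASE_PORT:
        return None
    block = (port - BASE_PORT) // userquota(users_per_ip)
    if block >= users_per_ip:
        return None  # port lies outside every allocated block
    ip_index = int(ip) - int(net.network_address)
    return ip_index * users_per_ip + block


if __name__ == "__main__":
    # Reproduces the Userquota row for 1 to 7 users per IP.
    print([userquota(n) for n in range(1, 8)])
    # Constructed pool (documentation range), 4 subscribers per public address.
    print(allocate("198.51.100.0/30", 4, 5))
    print(attribute("198.51.100.0/30", 4, "198.51.100.1", 20000))
```

With this layout an abuse report must carry the source port as well as the public IP; without the port, every subscriber sharing that address is a candidate.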

IPv4 preservation cannot last forever.

A10's IPv6 Migration Options
Access, Destination, Migration
▪ 6rd
▪ DS-Lite
▪ Lw-4o6
▪ Stateful NAT64/DNS64
▪ Stateless NAT46
A10 offers One box solution!
Unique Service Provider feature
[Diagram: CPE, IPv4 and IPv6 access networks, IPv4 Internet, IPv6 Internet]

NAT64 & DNS64 – DNS Flow
NAT64/DNS64 device owns IPv6 Prefix 2001:DB8:122:344::/96
▪ AAAA Query www.example.com
▪ AAAA www.example.com = Error
▪ A www.example.com = 192.2.0.33
▪ AAAA Response: 2001:DB8:122:344::192.2.0.33
[Diagram: IPv6 Clients (IPv6, IPv6+IPv4); NAT64/DNS64; DNS; IPv4 Internet (www.example.com, 192.2.0.33); IPv6 Internet (IPv6.example.com)]
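
Added example (not from the original slides): the DNS flow above in code, using the slide's prefix and addresses. It shows how a DNS64 builds the AAAA answer from the A record and how the NAT64 recovers the IPv4 destination from it; only the /96 prefix length shown on the slide is handled, and the function names are made up for this example.

```python
import ipaddress

# Prefix and addresses are the ones shown on the slide.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:122:344::/96")


def synthesize(prefix, ipv4):
    """DNS64 side: place the IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(prefix, ipv6):
    """NAT64 side: recover the IPv4 destination, or None if outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(prefix, aaaa_records, a_records):
    """Return native AAAA records if any exist, otherwise synthesize from A."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize(prefix, r) for r in a_records]


if __name__ == "__main__":
    # www.example.com has no AAAA record, only A = 192.2.0.33 (from the slide).
    answer = dns64_answer(NAT64_PREFIX, [], ["192.2.0.33"])
    print("AAAA response:", answer[0])
    # The slide writes the same address with the IPv4 part in dotted form.
    print(answer[0] == ipaddress.IPv6Address("2001:DB8:122:344::192.2.0.33"))
    # What the NAT64 device translates the destination back to.
    print("IPv4 destination:", extract(NAT64_PREFIX, answer[0]))
```

The reverse mapping is also what an analyst applies to IPv6-side flow logs: any destination inside the NAT64 prefix names an IPv4 host in its last 32 bits.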

A10 IPv6 Migration: Use Cases
CGN | NAT64/DNS64
CGN: IPv4 clients to IPv4
▪ Preserve IPv4 resources
▪ Maintain current devices, and current services with IPv4
NAT64/DNS64: IPv6 clients to IPv4
▪ Enables IPv6 only clients to connect to IPv4 resources
▪ New devices, and new services start with IPv6 for future expansions
[Diagram: IPv4 Clients, IPv4 Core, CGN; IPv6 Clients, IPv6 Core, NAT64/DNS64, IPv4 Core; IPv6 Internet]

A10 CGN Benefits for Service Provider & Enterprise
App Reliability
▪ Application Layer gateways
▪ Support for diverse applications
▪ HA ensures sessions maintained
Extend IPv4
▪ Protect IPv4 investments
▪ Preserve existing address allocation
▪ Save time and cost
IPv4 IPv6 Transition
▪ Ensures smooth conversion
▪ Supports multiple bridging methods
▪ Simultaneous support for IPv4 and IPv6

Handling Massive Number of Attacks

DDoS Problems
▪ Q3 2010: PayPal discloses cost of attack £3.5M (~$5.8 million)
▪ Q1 2013: Credit Union Regulators recommend DDoS protection to all members
▪ Q4 2012: Bank of the West, $900k stolen, DDoS as a distraction
▪ Q1 2013: al Qassam Cyber Fighters, 10-40 Gbps attacks target 9 major banks
▪ Q1 2014: CloudFlare, 400 Gbps NTP amplification attack
▪ Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
▪ Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
▪ Q4 2013: PPS reaches 35 million
▪ Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
“High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises”
Source: Gartner

Common DDoS Attack Types
▪ Attack intentions: Make resources unavailable
– Resource exhaustion
  ▪ Overwhelm equipment (application) capacity
– Volumetric
  ▪ Flood network capacity
▪ Two attack vectors
– Network attacks (L3-4)
  ▪ TCP, UDP, ICMP, more…
– Application attacks (L7)
  ▪ HTTP, DNS, NTP, more…
▪ Emergence of multi-vector attacks (NEW!)
– Multiple attack vectors per incident are on the rise

Thunder TPS for Top US Cloud Provider
▪ Benefits:
– Reduced CAPEX and OPEX
– Reduced data center footprint
– Easily integrated into their custom detection system
▪ Details:
– Replaced market leader appliances
– 78 A10 devices, in 26 data centers
– $2.5 M+ savings per site, 80%+ support savings
Sample comparison (Rack Units)
Thunder TPS 6435:            155 Gbps, 200 MPPS, 1 U
Market leader 40G solution:  160 Gbps, 160 MPPS, 24 U

Asymmetric Reactive Deployment
▪ Asymmetric reactive deployment
– Classic deployment model
– Scalable solution for DDoS mitigation
– Suitable for Service Providers with
  ▪ DDoS scrubbing center service (MSSP)
  ▪ Protecting own services (content provider)
  ▪ Large scale core network
▪ Profile
– Traffic redirected to TPS for scrubbing as needed
  ▪ Support BGP for route injection
– Valid traffic forwarded into network for services
  ▪ Support GRE & IP-in-IP tunneling
[Diagram: Core Network; End Customer or Data Center; Services; DDoS Detection System; Telemetry; aXAPI / Manual Action; Traffic Redirection]

Asymmetric Proactive Deployment
▪ Asymmetric Proactive Deployment
– For high performance DDoS detection and mitigation
– DDoS detection and mitigation in one box
– Suitable for Large Enterprises and ISPs
  ▪ Protecting own services
  ▪ Protecting end customers
  ▪ Large-mid scale core network
▪ Profile
– Inbound traffic always routed toward TPS
  ▪ Insight in peace-time and war-time
– DDoS detection and mitigation at sub-second scale
[Diagram: Core Network; Services; End Customer or Data Center]

Symmetric Deployment
▪ Symmetric Deployment
– Inline DDoS detection and mitigation in one box
– Inspect both inbound and outbound traffic
– Suitable for Enterprises
  ▪ Protecting own services
▪ Profile
– Fully aware of and inspect L3 – L7 traffic for both inbound and outbound traffic
– DDoS detection and mitigation at sub-second scale
[Diagram: Real-time Detection (Flood Thresholds, Protocol Anomalies, Behavioral Anomalies, Resource Starvation, L7 Scripts, Black Lists) for HTTP, DNS, TCP, UDP; Telemetry; DDoS Detection System; Collection Device; Real-time Threshold Tuning; Services]

Thunder Threat Protection System (TPS)
Next Generation DDoS Protection
Multi-vector protection
▪ Detect & mitigate application & network attacks
▪ Flexible scripting & DPI for rapid response
High performance
▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit
Broad Deployment and 3rd Party
▪ Symmetric, asymmetric, out-of-band
▪ Open SDK/RESTful API for 3rd party integration
[Icons: Multi-vector Application & Network Protection; High Performance Mitigation; Broad Deployment Options & 3rd Party Integration]

Summary
ACOS Platform: CGN, TPS, ADC
CGN (Carrier Grade Networking): Handling Massive Number of Subscribers
TPS (Threat Protection System): Handling Massive Number of Attacks
ADC (Application Delivery Controller)
▪ For expanding market, and expanding networks

Thank you
tkumamura@a10networks.com

04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura

  • 1. ©A10 Networks, Inc. Handling massive number of subscribers and attacks June, 2014 APJ Solution Engagement, Solution Architect! Takeki Kumamura
  • 3. ‹#›©A10 Networks, Inc. A10 Corporate Introduction 2010 2011 2012 2013 142000000 120344000 91493028 54,700,000 Q4' 11 Q4' 12 Today 3000 2008 1080 CUSTOMER GROWTH COMPANY GROWTH Headquarters in San Jose 650 Employees
 Offices in 23 countries
 Customers in 65 countries
  • 4. ‹#›©A10 Networks, Inc. 3000+ Customers in 65 Countries Web GiantsEnterprisesService Providers 3 of Top 4
 U.S. WIRELESS CARRIERS 7 of Top 10
 U.S. CABLE PROVIDERS Top 3
 WIRELESS CARRIERS IN JAPAN
  • 5. ‹#›©A10 Networks, Inc. A10 Product Portfolio Overview Dedicated Network Managed
 Hosting Cloud IaaS IT Delivery Models Application Networking Platform ▪ Performance ▪ Scalability ▪ Extensibility ▪ Flexibility CGN TPS ADC ACOS Platform Product Lines ▪ ADC – Application Acceleration & Security ▪ CGN – IPv4 Extension / IPv6 Migration ▪ TPS – Network Perimeter DDoS Security Carrier Grade 
 Networking Application 
 Delivery Controller Threat Protection 
 System
  • 7. ‹#›©A10 Networks, Inc. Exponential Rise in Devices, Users and Traffic DIG ITA L C O N TEN TIN TERN ET TRA FFIC Extend IPv4 & Migrate to IPv6 IPv6 C O N TEN TIN TERN E TO F The Digital Universe: 50-fold Growth from the beginning of 2010 to the End of 2020 Source: IDC’s Digital Universe Study, sponsored by EMC, December 2012 IP Traffic by Year Source: Cisco VNI, 2013 Akamai IPv6 Traffic Volume Total of Connected Devices, Billions of Units (Installed Bases) Source: Gartner (November 2013)Source: Akamai
  • 8. How about a real example?
  • 9. Delegated IPv4 Addresses (top 10) and Populations
    Rank  Country                     IPs            Pop.            IPs/Pop.
    1     China                       330,600,960    1,365,160,000   0.24
    2     Japan                       201,530,368    127,090,000     1.58
    3     Korea, Republic of          112,274,176    50,423,955      2.22
    4     Australia                   48,270,848     23,533,100      2.05
    5     India                       35,762,688     1,245,700,000   0.02
    6     Taiwan, Province of China   35,430,656     23,386,883      1.51
    7     Indonesia                   17,588,480     247,424,598     0.07
    8     Viet Nam                    15,606,528     89,708,900      0.17
    9     Hong Kong                   11,807,232     7,219,700       1.63
    10    Thailand                    8,615,936      64,456,700      0.13
    Sources: http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html
             http://en.wikipedia.org/wiki/List_of_countries_by_population
  • 10. What is the actual number of users?
    ▪ “Versus” Population = 247,424,598 = 0.07 IP/person
    – But who will actually be using the device with IP addresses?
    – ISP home network, and mobile devices.
    17,580,480 IPs vs 17,580,480 IPs vs
  • 11. Increasing Smartphones in Indonesia
                                      2011    2012    2013    2014    2015    2016    2017
    Smartphone users (Mil.)           11.7    26.3    41.6    61.2    74.8    89.8    103.6
    --% of mobile phone users         9.0%    16.0%   24.0%   34.0%   40.0%   47.0%   53.0%
    --% of population                 4.8%    10.6%   16.6%   24.1%   29.2%   34.8%   39.8%
    vs IPv4 addresses (17,580,480)    1.50    0.66    0.42    0.28    0.23    0.19    0.16
    Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
    NAT “Compression rate” of private to global IP increases
  • 12. I am already doing NAT
  • 13. Limitations with Classic NAT
    ▪ Classic NAT does not allow outside originated traffic
    ▪ Legacy implementation lacks end-to-end transparency
    ▪ Causes peer-to-peer, voice, video, streaming applications to break
    ▪ Scale and Performance for Carrier Class applications
    ▪ Carrier Grade NAT or CGN supports transparent end-to-end connectivity
    ▪ Enables oversubscription of global IPv4 resources, helps scaling
    ▪ NAT44 or NAT444 options
    [Diagram labels: Inside originated NAT; Outside originated Classic NAT; Inside originated CGN; Outside originated CGN]
  • 14. CGN Use Case: Hairpinning
    ▪ Two clients Host A and Host B behind a common NAT device
    ▪ Host A to Host B communication using the external binding
    – Ex: Hosts using SIP for communication registered to an external server (Ex: SIP service)
    Hairpinning Traffic: Allows inside clients to connect to their outside IP/port
    [Diagram labels: Inside; Outside; Inside IP/port; Outside IP/port; Inside originated; Host A; Host B; Host S; CGN]
    [Packet labels: Source: B:1024 Dest: X:9001; Source: S:8080 Dest: X:9001; Source: S:8080 Dest: X:9002; Source: B:1024 Dest: S:8080; Source: A:1024 Dest: X:9002; Source: A:1024 Dest: S:8080]
    [Table labels: Internal, External, Filter: A:1024/B:8080, X:9001/B:8080, *:*/X:9001]
  • 16. Typical NAT Use Cases
    [Diagram labels: Consumer NAT/Private IPv4 Address; Private/CGN Scoped IPv4 Address; CGN/CGNAT/LSN; IPv4 Internet; Enterprise NAT44; Service Provider NAT444; Mobile Provider NAT44; Service Provider or Enterprise IPv4 Network; IPv4 Clients; Public IPv4 Address]
    ▪ Increase of NAT “compression rate” here leads to:
    – Smaller number of TCP/UDP sessions
    – Logging issues
    – No scale in business
    – etc, etc.
  • 17. Decreasing Userquota (= TCP/UDP sessions per user)
                                              2011    2012    2013    2014    2015    2016    2017
    Smartphone users (Mil.)                   11.7    26.3    41.6    61.2    74.8    89.8    103.6
    vs IPv4 addresses (17,580,480)            1.50    0.66    0.42    0.28    0.23    0.19    0.16
    User per IP (allocating 1 IP per user)    1       2       3       4       5       6       7
    Userquota (=TCP/UDP sessions per user)    64000   32000   21300   16000   12800   10600   9100
    Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102
    This may be a good case (using whole IP address pool of country at once)
  • 18. IPv4 preservation cannot last forever.
  • 19. A10's IPv6 Migration Options
    [Table columns: Access; Destination; Migration]
    Migration options: 6rd, DS-Lite, Lw-4o6, Stateful NAT64/DNS64, Stateless NAT46
    A10 offers One box solution! Unique Service Provider feature
    [Diagram labels: IPv6; IPv4; IPv6 Internet; IPv4 Internet; CPE]
  • 20. NAT64 & DNS64 – DNS Flow
    AAAA Query www.example.com
    AAAA www.example.com = Error
    A www.example.com = 192.2.0.33
    AAAA Response: 2001:DB8:122:344::192.2.0.33
    NAT64/DNS64 device owns IPv6 Prefix 2001:DB8:122:344::/96
    [Diagram labels: IPv6 Clients; IPv6; IPv6+IPv4; IPv4; NAT64/DNS64; DNS; IPv4 Internet (www.example.com 192.2.0.33); IPv6 Internet (IPv6.example.com)]
  • 21. A10 IPv6 Migration: Use Cases CGN | NAT64/DNS64
    New devices, and new services start with IPv6 for future expansions
    ▪ NAT64/DNS64: IPv6 clients to IPv4. Enables IPv6 only clients to connect to IPv4 resources
    Maintain current devices, and current services with IPv4
    ▪ CGN: IPv4 clients to IPv4. Preserve IPv4 resources
    [Diagram labels: IPv4 Core; IPv6 Internet; IPv4 Clients; IPv4 Core; IPv6 Core; IPv6 Clients; CGN; NAT64/DNS64]
  • 22. A10 CGN Benefits for Service Provider & Enterprise
    App Reliability
    ▪ Application Layer gateways
    ▪ Support for diverse applications
    ▪ HA ensures sessions maintained
    Extend IPv4
    ▪ Protect IPv4 investments
    ▪ Preserve existing address allocation
    ▪ Save time and cost
    IPv4 IPv6 Transition
    ▪ Ensures smooth conversion
    ▪ Supports multiple bridging methods
    ▪ Simultaneous support for IPv4 and IPv6
  • 24. DDoS Problems
    Q3 2010: PayPal Discloses cost of attack £3.5M (~$5.8 million)
    Q4 2012: Bank of the West $900k stolen, DDoS as a distraction
    Q1 2013: Credit Union Regulators Recommend DDoS protection to all members
    Q1 2013: al Qassam Cyber Fighters 10-40 Gbps attacks target 9 major banks
    Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
    Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
    Q4 2013: PPS reaches 35 million
    Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
    Q1 2014: CloudFlare 400 Gbps NTP amplification attack
    “High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises” Source: Gartner
  • 25. Common DDoS Attack Types
    ▪ Attack intentions: Make resources unavailable
    – Resource exhaustion
      ▪ Overwhelm equipment (application) capacity
    – Volumetric
      ▪ Flood network capacity
    ▪ Two attack vectors
    – Network attacks (L3-4)
      ▪ TCP, UDP, ICMP, more…
    – Application attacks (L7)
      ▪ HTTP, DNS, NTP, more…
    ▪ Emergence of multi-vector attacks (NEW!)
    – Multiple attack vectors per incident are on the rise
  • 26. Thunder TPS for Top US Cloud Provider
    ▪ Benefits:
    – Reduced CAPEX and OPEX
    – Reduced data center footprint
    – Easily integrated into their custom detection system
    ▪ Details:
    – Replaced market leader appliances
    – 78 A10 devices, in 26 data centers
    – $2.5 M+ savings per site, 80%+ support savings
    Sample comparison (Rack Units):
    Thunder TPS 6435: 155 Gbps, 200 MPPS, 1 U
    Market leader 40G solution: 160 Gbps, 160 MPPS, 24 U
  • 27. Asymmetric Reactive Deployment
    ▪ Asymmetric reactive deployment
    – Classic deployment model
    – Scalable solution for DDoS mitigation
    – Suitable for Service Providers with
      ▪ DDoS scrubbing center service (MSSP)
      ▪ Protecting own services (content provider)
      ▪ Large scale core network
    ▪ Profile
    – Traffic redirected to TPS for scrubbing as needed
      ▪ Support BGP for route injection
    – Valid traffic forwarded into network for services
      ▪ Support GRE & IP-in-IP tunneling
    [Diagram labels: Core Network; End Customer or Data Center; Services; DDoS Detection System; aXAPI / Manual Action; Traffic Redirection; Telemetry]
  • 28. Asymmetric Proactive Deployment
    ▪ Asymmetric Proactive Deployment
    – For high performance DDoS detection and mitigation
    – DDoS detection and mitigation in one box
    – Suitable for Large Enterprises and ISPs
      ▪ Protecting own services
      ▪ Protecting end customers
      ▪ Large-mid scale core network
    ▪ Profile
    – Inbound traffic always routed toward TPS
      ▪ Insight in peace-time and war-time
    – DDoS detection and mitigation at sub-second scale
    [Diagram labels: Core Network; Services; End Customer or Data Center]
  • 29. Symmetric Deployment
    ▪ Symmetric Deployment
    – Inline DDoS detection and mitigation in one box
    – Inspect both inbound and outbound traffic
    – Suitable for Enterprises
      ▪ Protecting own services
    ▪ Profile
    – Fully aware of and inspect L3 – L7 traffic for both inbound and outbound traffic
    – DDoS detection and mitigation at sub-second scale
    [Diagram labels: Real-time Detection; Flood Thresholds; Protocol Anomalies; Behavioral Anomalies; Resource Starvation; L7 Scripts; Black Lists; HTTP, DNS, TCP, UDP; Telemetry; DDoS Detection System; Collection Device; Real-time Threshold Tuning; Services]
  • 30. Thunder Threat Protection System (TPS): Next Generation DDoS Protection
    Multi-vector protection
    ▪ Detect & mitigate application & network attacks
    ▪ Flexible scripting & DPI for rapid response
    High performance
    ▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit
    Broad Deployment and 3rd Party
    ▪ Symmetric, asymmetric, out-of-band
    ▪ Open SDK/RESTful API for 3rd party integration
    [Icon captions: Multi-vector Application & Network Protection; High Performance Mitigation; Broad Deployment Options & 3rd Party Integration]
  • 31. Summary
    ACOS Platform: CGN (Carrier Grade Networking), ADC (Application Delivery Controller), TPS (Threat Protection System)
    Handling Massive Number of Attacks
    Handling Massive Number of Subscribers
    ▪ For expanding market, and expanding networks
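The AAAA synthesis shown on the NAT64 & DNS64 slide, as an added example that is not part of the original deck or A10's code. It uses the slide's prefix and A record; the function names are hypothetical, and only a /96 prefix is handled. The reverse direction is what an analyst needs when a synthesized address turns up in a log.

```python
import ipaddress

# Prefix and A record as printed on the NAT64 & DNS64 slide.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:122:344::/96")
SLIDE_A_RECORD = "192.2.0.33"


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """DNS64 side: place the 32-bit IPv4 address in the low bits of the /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """NAT64 side (or log analysis): recover the IPv4 destination.

    Returns None for an address outside the NAT64 prefix, i.e. a native
    IPv6 destination that must not be translated.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(aaaa_records, a_records, prefix=NAT64_PREFIX):
    """Prefer native AAAA records; synthesize only when none exist."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # The slide's case: AAAA lookup fails, A lookup returns 192.2.0.33.
    synthesized = dns64_answer([], [SLIDE_A_RECORD])[0]
    print(synthesized)                 # canonical hex form of the slide's address
    print(extract_ipv4(synthesized))   # back to the IPv4 destination
```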
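The Userquota row of slide 17 and the "Logging issues" bullet of slide 16, worked as an added example that is not from the deck or from A10. It goes beyond the slides by assuming deterministic port-block allocation (a technique the slides do not describe) so that a public IP and source port from an abuse report map back to one subscriber without per-session logs. The pool address, the first usable port and all function names are assumptions.

```python
import ipaddress

USABLE_PORTS = 64000   # per-IP budget: the slide's quota at 1 user per IP
FIRST_PORT = 1024      # assumption: ports below 1024 are never handed out


def user_quota(users_per_ip):
    """Ports per subscriber, rounded down to hundreds as on the slide."""
    return (USABLE_PORTS // users_per_ip) // 100 * 100


def map_subscriber(index, pool_start, users_per_ip):
    """Forward mapping: subscriber index -> (public IP, first port, last port)."""
    quota = user_quota(users_per_ip)
    ip = ipaddress.IPv4Address(pool_start) + index // users_per_ip
    first = FIRST_PORT + (index % users_per_ip) * quota
    return ip, first, first + quota - 1


def find_subscriber(public_ip, port, pool_start, users_per_ip):
    """Reverse mapping for attribution: (public IP, source port) -> index.

    Returns None when the port lies outside every allocated block or the
    address precedes the pool, so an unattributable report is not
    silently pinned on a subscriber.
    """
    quota = user_quota(users_per_ip)
    if port < FIRST_PORT:
        return None
    slot = (port - FIRST_PORT) // quota
    if slot >= users_per_ip:
        return None
    offset = int(ipaddress.IPv4Address(public_ip)) - int(ipaddress.IPv4Address(pool_start))
    if offset < 0:
        return None
    return offset * users_per_ip + slot


if __name__ == "__main__":
    pool = "198.51.100.0"  # constructed pool start (documentation range)
    print([user_quota(n) for n in range(1, 8)])       # the slide's quota row
    print(map_subscriber(10, pool, 4))                # block of subscriber 10
    print(find_subscriber("198.51.100.2", 40000, pool, 4))
```

As the quota shrinks, each subscriber's block shrinks with it, so the reverse lookup stays exact only while the allocation parameters in force at the time of the event are known.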