Content Distribution Networks (CDNs) - PDF document (lecture slides)



229 Content Distribution Networks (CDNs)

  • A content distribution network can be viewed as a global web server replication.
    main idea: each replica is located in a different geographic area, rather than in the same server farm.
  • A CDN usually consists of the following components:
    A set of web servers and/or cache servers
    A dedicated intelligent distribution mechanism to move data between the various servers
    A mechanism to intelligently match the requesting user with the most efficient server.

Reuven Cohen Internet networking

  • main issues of a CDN:
    to which replica should a user’s request be forwarded
    how to direct a request (“global redirection”)
    how to ensure consistency among the various replicas:
      • how to synchronize changes such that the same request to two different replicas at the same time will get the same response

230 Content Distribution Networks (cont.)

  • Like web caching, a CDN helps in
    reducing the response time to users’ requests
    saving expensive bandwidth
  • However, whereas a web cache is usually operated by an ISP, a CDN is operated by (or for) a content provider like CNN.com
    the CDN saves the cost of an expensive access link from the content provider to its ISP.


231 Request-routing using HTTP-redirect

  • The request is received by a single director
  • The director determines the IP address of the server closest to the user
  • It then responds by an HTTP redirect (301) message
  • The client browser transparently connects to the selected server.

Figure: message exchange between a client in Boston, the director, server 1 (NY) and server 2 (LA): the client sends GET to the director, the director answers Redirect (NY), the client sends GET to server 1 (NY) and receives the Response.

232 Request routing using a DNS director when the CDN is operated by a CDN provider

  • A DNS director is used in order to balance the access to mirror servers.
  • The client searches for the IP address of www.com1.com
  • The client's local DNS server sends a DNS query for www.com1.com
  • The com1.com DNS server refers the client’s DNS server to dd.cdn.com
    cdn.com is a CDN provider
  • The local DNS server sends to dd.cdn.com a DNS query for www.com1.com
  • Based on the IP address of the calling DNS server and on information about the location of the relevant mirror servers, the director determines the best server for the client and returns the IP address of that server to the client.
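As an added example (not part of the lecture slides), the following Python model walks through the referral chain just described: the com1.com DNS server refers the resolver to dd.cdn.com, and the director picks a mirror from the resolver's address. The mirror addresses, the resolver-to-region table and the region costs are constructed; note that the director only ever sees the local DNS server's address, never the end client's.

```python
import ipaddress

# Constructed: mirror servers of the CDN provider cdn.com, keyed by region.
MIRRORS = {"NY": "198.51.100.10", "LA": "198.51.100.20", "LON": "198.51.100.30"}

# Constructed: which region a *resolver's* address maps to. The director only
# sees the local DNS server that asks, never the end client, so a client using
# a resolver far away from itself is routed to a mirror near the resolver.
RESOLVER_REGIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "NY",   # e.g. a Boston ISP resolver
    ipaddress.ip_network("192.0.2.0/24"): "LA",
}

# Constructed: symmetric distance cost between regions (hop-count style).
COST = {("NY", "NY"): 0, ("NY", "LA"): 5, ("NY", "LON"): 7,
        ("LA", "LA"): 0, ("LA", "LON"): 9, ("LON", "LON"): 0}

def cost(a, b):
    return COST.get((a, b), COST.get((b, a)))

def authoritative_com1(name):
    """Step 1: the com1.com DNS server does not answer with an address;
    it refers the resolver to the CDN provider's director dd.cdn.com."""
    if name == "www.com1.com":
        return {"type": "referral", "ns": "dd.cdn.com"}
    return {"type": "nxdomain"}

def director_dd_cdn(name, resolver_ip, healthy=frozenset(MIRRORS)):
    """Step 2: dd.cdn.com picks the cheapest healthy mirror for the resolver's
    region and answers with that mirror's IP and a short TTL, so a later
    change of the chosen mirror is picked up quickly by the resolver."""
    ip = ipaddress.ip_address(resolver_ip)
    region = next((r for net, r in RESOLVER_REGIONS.items() if ip in net), "NY")
    candidates = [(cost(region, r), r) for r in MIRRORS if r in healthy]
    if not candidates:
        return {"type": "servfail"}
    _, best = min(candidates)
    return {"type": "A", "name": name, "address": MIRRORS[best], "ttl": 60, "mirror": best}

def resolve(name, resolver_ip, healthy=frozenset(MIRRORS)):
    """What the local DNS server does: follow the referral from the slide."""
    step1 = authoritative_com1(name)
    if step1["type"] != "referral":
        return step1
    return director_dd_cdn(name, resolver_ip, healthy)
```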


233 Part 6: Network Attacks and Security

  • Security vulnerabilities are everywhere:
    In the IP protocol
    In TCP
    In HTTP
    In routing protocols
    In DNS, in ARP, and so on…
  • Where do the problems come from?
    Protocol-level vulnerabilities
      • Implicit trust assumptions in design
    Implementation vulnerabilities
      • Both on routers and end-hosts
      • Incomplete specifications, often left to the imagination of programmers
  • There is no generic tool for addressing all security vulnerabilities.
  • However, two common tools are very often used:
    firewalls
    cryptography

234 IP spoofing

  • The attacker alters the source IP address of its packets, so that they appear to have come from another source
    since the attacker does not get the response packets, this is also considered as “blind spoofing”
    with “blind spoofing” it is difficult for the attacker to complete the setup of a TCP connection because of the random initial sequence number selected by the server
  • Main motivation for IP address spoofing:
    to gain access to protected resources, from servers that honor requests only from specific addresses
    to hide the source in a Distributed Denial of Service (DDoS) attack.


235 SYN attack

  • This attack takes advantage of vulnerabilities of IP and of TCP.
  • The idea: an attacker sends thousands of SYN packets to a given server, usually from multiple spoofed addresses.
  • The response of the server is not received by the attacker, but in any case the attacked machine tries to open a TCP connection.
    It waits for a long time (naïve implementations wait up to 9 minutes) for the ACK of the initiator, and then drops the connection.
    The number of pending connections, which wait for an ACK, is upper bounded, and when this maximum is reached, any new SYN is dropped.
  • This attack is popular because:
    It is very difficult to locate an attacker who uses a spoofed IP address.
    It is very difficult to block this attack, especially if the attacker uses multiple spoofed IP addresses.

236 Prevention of source address spoofing

  • RFC-2827 proposes to block packets with spoofed IP addresses using the concept of “ingress filtering”.
    main idea: don’t allow a packet to be received over an interface which does not lead to the source.
  • E.g., if R2 receives from Net-5 an IP packet whose source IP address belongs to Net-1, the packet is dropped
    Because the shortest path to Net-1 is through interface Net-2
  • But this approach does not work for Inter-AS routing

Figure: example topology with routers R1, R2, R3, R4 and networks Net-1 to Net-7; R2 reaches Net-1 through its Net-2 interface and receives the spoofed packet over Net-5.
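The following Python model is an added example (not the slides' own material) of the ingress filter on router R2 from the figure, implemented as a reverse-path check on the forwarding table. The prefixes and interface names are constructed; it also goes beyond the slide by showing the asymmetric inter-AS case, where the strict check drops a legitimate packet and a loose check (any route back to the source exists) does not.

```python
import ipaddress

# Constructed forwarding table of R2: destination prefix -> outgoing interface.
R2_ROUTES = {
    "10.1.0.0/16": "Net-2",   # Net-1, reached through R1 over Net-2
    "10.2.0.0/16": "Net-2",   # Net-2 is directly attached
    "10.5.0.0/16": "Net-5",   # Net-5 is directly attached
    "10.7.0.0/16": "Net-7",   # Net-7 is directly attached
}

def lookup(routes, address):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def ingress_filter(routes, in_iface, src):
    """Strict reverse-path check (RFC 2827 idea): accept only if the route
    back to the source leaves through the interface the packet arrived on.
    Returns ("accept" | "drop", reason)."""
    back = lookup(routes, src)
    if back is None:
        return ("drop", "no route back to source")
    if back != in_iface:
        return ("drop", f"source is reached via {back}, not {in_iface}")
    return ("accept", "source reachable via arrival interface")

def loose_rpf(routes, src):
    """Loose variant (added here, not on the slide): accept if any route to
    the source exists. With asymmetric inter-AS paths a legitimate source
    that R2 reaches via Net-7 may still send through Net-5; the strict check
    drops it, the loose check keeps it, which is why ingress filtering is
    normally applied at the edge facing the customer, not between ASes."""
    return ("accept", "some route exists") if lookup(routes, src) else ("drop", "no route")
```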


237 More attack examples

  • An attack on a router:
    the attacker floods an ISP’s router with IP packets carrying uncommon destination IP addresses
    These packets blow the router’s route cache, and therefore reduce the router speed substantially.
  • ICMP flooding:
    send an “ICMP Echo Request” message whose destination address is a directed broadcast and whose source address is a forged IP address
    all the hosts in the destination network will send an “ICMP Echo Reply” to the forged address
  • DNS cache poison:
    works if the victim server supports recursive queries
    the attacker sends a request to the attacked DNS server
    the server forwards this request to another server
    the attacker sends a reply, pretending to be the contacted server
      • this requires the attacker to predict the sequence number used by the victim server

238 More attack examples (cont.)

  • Web server “man in the middle” attack
    attacker uses DNS cache poisoning to associate the IP of its server with the name www.abc.com of a real server.
    when a client accesses the attacker server, this server acts as a proxy
      • it forwards the client request to the real server and the server’s response to the client
      • consequently, the attacker is able to listen to the whole session between the real client and the real server


239 What’s a firewall

  • A security mechanism usually used to protect data and computers on a private network from the uncontrolled activities of untrusted users.
    Security: allows selectively permitting or denying access to the network, on the basis of protocol used, source/destination hosts, time-of-day etc.
    Policy: may enforce restrictions on outbound traffic.
    Auditing: may gather usage statistics.
  • The main issue in the firewall design: at what layer should it operate.
    higher layer security has more intelligence but lower layer security is more efficient

Figure: a firewall placed between a private network and the Internet.

240 Three types of firewalls

Figure: protocol stacks of the internal host, the firewall and the external host for each type. A packet filtering firewall processes only the IP layer (inspecting the IP and TCP/UDP headers) between the two hosts. A transport layer firewall runs IP and TCP and terminates the TCP connection on each side. An application layer firewall runs IP, TCP and the application protocol on both sides, so the application-layer data itself passes through it.


241 A packet filtering firewall

  • Works on a per-packet basis.
    Looks at the various fields in the IP and UDP/TCP headers.
  • Determines whether or not to pass a packet based on the source and destination IP addresses and port numbers.
  • E.g. a firewall administrator may not allow any incoming packets, except those destined for the local web server.
  • E.g. a firewall administrator may allow local users to contact remote web servers by allowing outgoing packets whose destination port is 80 and incoming packets whose source port is 80
    But this does not work if the remote web server is set up on port 8080 or any other port.

242 Examples for a packet filtering firewall

  • Using the following rules, only traffic for the local web server can pass through the firewall

  Direction | Action | Source IP address | Source port No. | Dest. IP address | Dest. port No. | Protocol
  inbound   | allow  | *                 | > 1023          | our web server   | 80            | TCP
  outbound  | allow  | our web server    | 80              | *                | > 1023        | TCP
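An added example, not from the slides: a stateless matcher applying the two rules of the table above, with the web server address and the sample packets constructed. It also shows what the rule set does not let through: a request to port 8080 on the web server, non-TCP traffic, and an outgoing request from an internal user to a remote web server.

```python
WEB_SERVER = "192.0.2.80"   # constructed address standing in for "our web server"

# Each rule mirrors one row of the table; "*" matches anything and
# ">1023" matches any non-privileged port.
RULES = [
    dict(direction="inbound",  action="allow", src_ip="*", src_port=">1023",
         dst_ip=WEB_SERVER, dst_port=80, proto="TCP"),
    dict(direction="outbound", action="allow", src_ip=WEB_SERVER, src_port=80,
         dst_ip="*", dst_port=">1023", proto="TCP"),
]

def port_matches(spec, port):
    if spec == "*":
        return True
    if spec == ">1023":
        return port > 1023
    return spec == port

def ip_matches(spec, ip):
    return spec == "*" or spec == ip

def rule_matches(rule, pkt):
    return (rule["direction"] == pkt["direction"]
            and rule["proto"] == pkt["proto"]
            and ip_matches(rule["src_ip"], pkt["src_ip"])
            and port_matches(rule["src_port"], pkt["src_port"])
            and ip_matches(rule["dst_ip"], pkt["dst_ip"])
            and port_matches(rule["dst_port"], pkt["dst_port"]))

def filter_packet(pkt, rules=RULES):
    """First matching rule wins. With no match the packet is dropped: a
    default-deny assumed here, which is what 'only traffic for the local
    web server can pass' requires."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "drop"

def pkt(direction, src_ip, src_port, dst_ip, dst_port, proto="TCP"):
    """Build a constructed packet header summary for the filter."""
    return dict(direction=direction, src_ip=src_ip, src_port=src_port,
                dst_ip=dst_ip, dst_port=dst_port, proto=proto)
```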


243 A problem with a packet filtering firewall: SYN attack

  • In a “SYN attack”, the attacker initiates many TCP connections, by sending SYN segments, but does not send the ACK segment in order to avoid the completion of these connections.
  • Therefore, the queue of pending connections (connections that have not been fetched by the application) is filled up
    consequently, SYNs for legitimate connections are ignored.
  • This attack can be avoided if the host TCP is modified such that
    the queue backlog increases
    if an ACK is not received within a reasonable time, RST is sent and the connection is dropped.
  • However, this would require changing the software at every computer.
  • Another approach is to employ a transport layer firewall

244 Socket-layer splicing for SYN attack protection

  • The firewall accepts every incoming TCP connection.
  • If an ACK is not received within a reasonable time (e.g. 10s), RST is sent and the connection is dropped.
  • If an ACK is received, data is copied in the kernel space:
    Namely, after a packet is received on connection A, it is processed by TCP and then is added to the send_buffer of connection B.
    By not moving the data to the user space, like an Application Layer firewall would do, many CPU cycles are saved.

Figure: the client completes the handshake (SYN, SYN+ACK, ACK) with the firewall; the firewall then opens its own connection (SYN, SYN+ACK, ACK) to the internal server and copies data between the two connections. In the firewall's stack (NIC, NIC driver, TCP/IP layer, socket layer, application layer) the data never rises above the socket layer.


245 Another possible solution

Figure: two message sequences between an external client, the firewall and the internal server. Success: the client sends SYN, the firewall answers SYN+ACK, the client's ACK arrives, the firewall then sends SYN to the internal server, receives SYN+ACK, sends ACK, and the client's data flows on. Failure: the ACK is not received before the time out, so the firewall sends RST (the figure also shows a FIN) and the connection is dropped.

  • Main advantage: after connection is established, the gateway does not need to be involved in data transfer (it functions as a router only).
  • Therefore, the TCP processing overhead is avoided.
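As an added example covering this slide and the previous one (not the lecturer's code), a small event-driven Python model of the transport layer firewall: every half-open connection gets a deadline, an ACK in time hands the connection on to the internal server, and a missed deadline produces a RST. The timeout, the backlog size and the packet trace are constructed.

```python
TIMEOUT = 10.0   # seconds: the "reasonable time" from the slide
BACKLOG = 3      # constructed: how many half-open connections the firewall holds

class SynProxy:
    def __init__(self, timeout=TIMEOUT, backlog=BACKLOG):
        self.timeout, self.backlog = timeout, backlog
        self.half_open = {}      # (src_ip, src_port) -> deadline for the ACK
        self.established = []    # connections handed on to the internal server
        self.log = []            # (time, action, key)

    def expire(self, now):
        # Half-open entries whose deadline passed get a RST and are dropped.
        for key, deadline in list(self.half_open.items()):
            if now >= deadline:
                del self.half_open[key]
                self.log.append((now, "RST", key))

    def on_syn(self, now, key):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.log.append((now, "DROP-SYN", key))      # backlog full
            return
        self.half_open[key] = now + self.timeout
        self.log.append((now, "SYN+ACK", key))           # firewall answers itself

    def on_ack(self, now, key):
        self.expire(now)
        if key in self.half_open:                        # handshake completed
            del self.half_open[key]
            self.established.append(key)
            self.log.append((now, "SYN-to-server", key)) # now open the real one
        else:
            self.log.append((now, "RST", key))           # ACK for unknown conn

def run(events, **kw):
    """events: time-ordered list of (time, 'SYN'|'ACK', (src_ip, src_port))."""
    fw = SynProxy(**kw)
    for t, kind, key in events:
        (fw.on_syn if kind == "SYN" else fw.on_ack)(t, key)
    return fw

def count(fw, action):
    return sum(1 for _, a, _ in fw.log if a == action)

# Constructed trace: three SYNs that are never ACKed fill the backlog, a
# legitimate SYN at t=5 is dropped, and the same client succeeds at t=12
# after the 10 s timeout has reset the stale entries.
TRACE = [(0.0, "SYN", ("198.51.100.1", 1111)), (0.5, "SYN", ("198.51.100.2", 2222)),
         (1.0, "SYN", ("198.51.100.3", 3333)), (5.0, "SYN", ("203.0.113.7", 40000)),
         (12.0, "SYN", ("203.0.113.7", 40001)), (12.1, "ACK", ("203.0.113.7", 40001))]
```

Running the same trace with the 9-minute wait of a naive host (`run(TRACE, timeout=540.0)`) leaves the backlog full for the whole trace and the legitimate client never gets through.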

246 Firewall architectures: (1) a packet filtering firewall

  • The simplest architecture
    inexpensive but also insecure

Figure: a packet filtering router between the Internet and the private network.


247 Firewall architectures: (2) a dual-homed application gateway

  • All traffic must go through the application layer firewall
    no other internal server is accessible
    secure, but has performance limitations

Figure: the Internet connects through a router to the application gateway, which is the only path into the private network.

248 Firewall architectures: (3) a screened host firewall

  • For some protocols: only specific servers are accessible
    E.g., incoming HTTP traffic is accepted only for the public web server
    Traffic of other specific protocols is accepted only if the destination is the Application gateway.
  • Outbound traffic is accepted from every host.

Figure: a packet filtering router between the Internet and the private network, which holds the public web server and the application gateway.


249 Firewall architectures: (4) a screened subnet firewall

  • DMZ is a “neutral zone” between the private and the public networks.
    the outer router only advertises the DMZ to the external network.
      • this helps in avoiding “IP address spoofing”
    The inner systems are completely isolated from the outer world.
    The DMZ servers are not allowed to initiate connections towards the private network hosts.

Figure: an outer packet filtering router connects the Internet to the DMZ (mail server, public web server, application gateway: services open for public access); an inner packet filtering router connects the DMZ to the private network (server: services not open for public access).