Content-distribution networks: Strategies - PowerPoint PPT Presentation



SLIDE 1: Content-distribution networks

SLIDE 2: Strategies

 Divide and conquer
   Partition
   Replicate
   Distribute
   Load balance

Portland State University CS 430P/530 Internet, Web & Cloud Systems

SLIDE 3: Outline

  • 1. Server partitioning
  • 2. DNS load balancing
  • 3. Virtual servers
  • 4. Case studies


SLIDE 4: 1. Server partitioning (static)

 Run a new server per resource/service
   e.g. www.blah.com, mail.blah.com, images.blah.com, shopping.blah.com

 Advantages
   Disk utilization (no need to replicate all content)
   Cache performance
   Better suited for DevOps, CI/CD
     Distributed independent development/deployment etc. of "microservices"
   Isolation of cookie policy, Content Security Policy amongst sub-properties
 Disadvantages
   Without cloud provider support, you get…
     Lower peak capacity if access to sites imbalanced
     Coarse load balancing across sites, not adaptive to spikes
   Management costs of multiple sites


SLIDE 5: 1. Server partitioning (dynamic)

 Seamless, active, "forward deployment" of content to explicitly named servers near client
 Redirect requests from origin servers via dynamic URL rewriting of embedded content
 Application-level multicast based on geographic location of client
 Example: Akamai, AWS CloudFront, GCP Cloud CDN


SLIDE 6: 1. Server partitioning (dynamic)

[Figure: dynamically loaded content servers. A client at pdx.edu requests a page from espn.go.com over a local, high-speed ISP and the Internet; the requested page comes back with links to embedded content rewritten to Akamai servers (a12.g.akamaitech.net, a668.g.akamaitech.net, a1284.g.akamaitech.net, a1896.g.akamaitech.net), which then serve that content (steps 1-5).]

SLIDE 7: 1. Server partitioning (dynamic)

 Advantages
   Improved network utilization
   Cost savings
     Assuming $ network bandwidth >> $ storage
   Better load distribution if replicas based on popularity
 Disadvantages
   Distributed management costs
   Complexity and vendor lock-in with integration to a CDN provider


SLIDE 8: 2. DNS load balancing

 Popularized by NCSA circa 1993
 Fully replicated server farm
 IP address per node
 Adaptively resolve server name (round-robin, load-based, or geographic-based)
 The reason why multiple DNS addresses are returned on some responses


SLIDE 9: 2. DNS load balancing

[Figure: DNS load balancing at NCSA. A client at pdx.edu resolves www.ncsa.uiuc.edu (steps 1-7): the root servers [a-m].root-servers.net answer that *.ncsa.uiuc.edu is served by ns0.ncsa.uiuc.edu (141.142.2.2), ns1.ncsa.uiuc.edu (141.142.230.144), dns1.cso.uiuc.edu (128.174.5.103) and ns.indiana.edu (129.79.1.1); ns0.ncsa.uiuc.edu answers that www.ncsa.uiuc.edu is 141.142.2.28, 141.142.2.36, 141.142.2.42. The local DNS cache keeps the host record with ttl=15min and the name-server record with ttl=3days.]

SLIDE 10: 2. DNS load balancing

 Advantages
   Simple to implement
   Uses existing DNS infrastructure
 Disadvantages
   Coarse load balancing over time
   DNS caching at local name servers affects performance
   Requires full server replication versus partitioning

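As an added Python simulation (not from the lecture or NCSA) of the round-robin scheme on slides 8-10: the authoritative server rotates its answer list on every query, while a local caching resolver hands the same answer to every client behind it until the TTL expires, which is what makes the balancing coarse. The server addresses and the 15-minute host TTL come from the NCSA diagram; the client population and query interval are assumptions.

```python
from collections import Counter

# Constructed simulation of DNS round-robin behind a caching resolver (not
# NCSA's code).  The addresses and 15-minute host TTL come from the lecture's
# diagram; the client population and query interval are assumptions.
ADDRS = ["141.142.2.28", "141.142.2.36", "141.142.2.42"]
HOST_TTL = 15 * 60      # seconds


class AuthoritativeNS:
    """Fully replicated farm: one A record per node, answer list rotated per query."""
    def __init__(self, addrs, ttl):
        self.addrs, self.ttl, self._i = list(addrs), ttl, 0

    def resolve(self, name, now=None):
        ans = self.addrs[self._i:] + self.addrs[:self._i]   # round-robin rotation
        self._i = (self._i + 1) % len(self.addrs)
        return ans, self.ttl


class CachingResolver:
    """Local name server: serves a cached answer until its TTL expires."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0], cached[1] - now   # cache hit: same order for everyone
        ans, ttl = self.upstream.resolve(name, now)
        self.cache[name] = (ans, now + ttl)
        return ans, ttl


def simulate(resolver, n_clients, duration, interval):
    """Each client re-resolves the name every `interval` seconds and connects
    to the first address returned; returns connections counted per server."""
    hits = Counter()
    t = 0
    while t < duration:
        for _ in range(n_clients):
            hits[resolver.resolve("www.ncsa.uiuc.edu", t)[0][0]] += 1
        t += interval
    return hits
```

Within one TTL window every client behind the resolver lands on the same node; only across several windows does the load even out.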

SLIDE 11: 3. Virtual servers

 Large server farm appearing as a single virtual server
 Single front-end for connection routing


SLIDE 12: Olympic web server (1996)

[Figure: Olympic web server. A client at pdx.edu reaches the site over the Internet and 4 x T3 links; a front-end performs SYN routing and ACK forwarding using load info from a Token Ring cluster of servers that all carry IP=X (steps 1-4).]

SLIDE 13: Olympic web server (1996)

 Front-end implements a "reverse NAT"
 Front-end node
   TCP SYN
     Route to particular server based on policy
     Store decision (connID, realServer)
   TCP ACK
     Rewrite packets and forward based on stored decision
   TCP FIN or a pre-defined timeout
     Remove entry
 Servers
   IP address of outgoing interface = IP address of front-end's incoming interface
   Treats front-end, token-ring, and cluster as one virtual server


SLIDE 14: Olympic web server (1996)

 Advantages
   Minimal packet rewriting (e.g. only ACK packets rewritten)
   More reactive to load than DNS
 Disadvantages
   Potential non-stickiness between requests
     SSL sessions for a single client
   Cache performance versus partitioned servers


SLIDE 15: Virtual server variations (L2-L4)

 Evolved into hardware switch implementations for performance
 Load balancing algorithms
   Anything contained within TCP/IP header
     "5-tuple" <sourceIP, sourcePort, destIP, destPort, protocol>
     hash(source, dest, protocol)
   Server characteristics
     Least number of connections
     Fastest response time
     Server idle time
   Other
     Weighted round-robin based on server capabilities
     Random


[Figure: L4 virtual server with front-end address 131.252.220.66 in front of real servers 10.0.0.10, 10.0.0.11, 10.0.0.12, 10.0.0.13 and 10.0.0.14.]
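As an added Python example (not the Olympic server's code) covering the reverse NAT front-end of slide 13 and the L4 policies of slide 15: the front-end stores a (connID, realServer) decision on SYN, rewrites and forwards later packets from that decision, and removes the entry on FIN or after an idle timeout; server replies go straight back to the client because the servers share the front-end's address. The real server addresses, virtual IP, packet dictionary format and timeout value are assumptions.

```python
import hashlib
import itertools

# Constructed example (not the Olympic server's code): a front-end that keeps the
# (connID -> real server) table described in the slides.  Addresses, the idle
# timeout and the packet dict format are assumptions made for this example.
IDLE_TIMEOUT = 60.0   # seconds; the slides' "pre-defined timeout"


class ReverseNatFrontEnd:
    def __init__(self, servers, policy="hash"):
        self.servers = list(servers)
        self.policy = policy          # "hash" | "least_conn" | "rr"
        self.table = {}               # connID (5-tuple) -> real server IP
        self.last_seen = {}           # connID -> time of last packet
        self._rr = itertools.cycle(self.servers)

    def choose(self, conn_id):
        if self.policy == "hash":     # L4 5-tuple hash: a flow always maps to one server
            h = hashlib.sha256(repr(conn_id).encode()).digest()
            return self.servers[int.from_bytes(h[:4], "big") % len(self.servers)]
        if self.policy == "least_conn":   # server characteristic: fewest live flows
            load = {s: 0 for s in self.servers}
            for s in self.table.values():
                load[s] += 1
            return min(self.servers, key=lambda s: (load[s], self.servers.index(s)))
        return next(self._rr)         # plain round-robin

    def expire(self, now):
        """Drop entries whose connection has been silent longer than the timeout."""
        for cid, t in list(self.last_seen.items()):
            if now - t > IDLE_TIMEOUT:
                self.table.pop(cid, None)
                self.last_seen.pop(cid, None)

    def handle(self, pkt, now):
        """Return the packet to forward (dst rewritten to the real server), or None."""
        self.expire(now)
        cid = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if "SYN" in pkt["flags"]:     # SYN routing: pick a server and store the decision
            self.table[cid] = self.choose(cid)
        elif cid not in self.table:
            return None               # no stored decision for this flow: drop it
        server = self.table[cid]
        self.last_seen[cid] = now
        if "FIN" in pkt["flags"]:     # teardown: remove the entry
            del self.table[cid]
            del self.last_seen[cid]
        return dict(pkt, dst=server)  # ACK/data forwarding from the stored decision
```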

SLIDE 16: Virtual servers with L5

 Can also load balance based on content (i.e. URL)
   Requires one to proxy server connection until URL sent, before routing to backend servers
 Front-end implements a "reverse proxy" (versus a reverse NAT)
   Examples: nginx, Google's front-end (GFE), CloudFlare, many hardware switches
 Switch/proxy
   Terminates TCP handshake
   Rewrites sequence numbers going in both directions


SLIDE 17: L5 switches

[Figure: L5 switch (VirtualIP=X) in front of a real server (RealIP=Y). Client to switch: SYN SN=A; switch: SYN SN=B, ACK=A; client: ACK=B, HTTP request. The switch routes the request and opens the backend connection: SYN SN=A; server: SYN SN=C, ACK=A; switch: ACK=C, HTTP request. HTTP response: the switch rewrites Y to X and C to B; client ACK: the switch rewrites X to Y and B to C (reverse proxy).]
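The splice in the diagram above, as an added Python example (not from the lecture or any switch vendor): the switch completes the client handshake itself with SN=B, buffers the request line to choose a backend by URL prefix, opens the backend connection replaying the client's SN=A and learning the server's SN=C, then rewrites addresses and sequence numbers in both directions for the rest of the connection. The virtual IP, real server addresses and URL routing table are assumptions.

```python
# Constructed example of L5 (content-based) switching (not vendor code).
# Virtual IP, real server addresses and the URL routing table are assumptions.
MOD = 2 ** 32
VIP = "131.252.220.66"
ROUTES = {"/images/": "10.0.0.12", "/shop/": "10.0.0.13"}   # partition by URL prefix
DEFAULT_SERVER = "10.0.0.10"


def pick_backend(request_line):
    """Content-based routing: the switch must see the request line first,
    so it proxies the connection until the URL has arrived."""
    path = request_line.split(" ")[1]
    for prefix, server in ROUTES.items():
        if path.startswith(prefix):
            return server
    return DEFAULT_SERVER


class L5Splice:
    """State for one spliced connection after both handshakes are done:
    client <-> switch used client SN=A / switch SN=B,
    switch <-> server used client SN=A / server SN=C.
    Client sequence numbers are replayed unchanged; the server's ISN differs
    from the switch's, so ACKs and server SEQs shift by C - B (mod 2^32)."""
    def __init__(self, real_ip, switch_isn_b, server_isn_c):
        self.real_ip = real_ip
        self.delta = (server_isn_c - switch_isn_b) % MOD

    def to_server(self, seg):
        # client -> server: rewrite X to Y, ACK from B-based to C-based
        return dict(seg, dst=self.real_ip, ack=(seg["ack"] + self.delta) % MOD)

    def to_client(self, seg):
        # server -> client: rewrite Y to X, SEQ from C-based to B-based
        return dict(seg, src=VIP, seq=(seg["seq"] - self.delta) % MOD)


def splice_after_request(request_line, switch_isn_b, server_isn_c):
    """Once the request line is buffered, choose the backend and build the
    rewriting state used for the remainder of the connection."""
    return L5Splice(pick_backend(request_line), switch_isn_b, server_isn_c)
```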

SLIDE 18: L5 switching

 Advantages
   Increases effective cache/storage sizes (partition by URL)
   Allows for session persistence (SSL, cookies)
   Support for user-level service differentiation
     Service levels based on cookies, user profile, User-Agent, URL
     DDoS prevention based on request/user
 Disadvantages
   Hot-spots
   Overhead (custom ASICs needed to process at line-speed)


SLIDE 19: Alternatives to support session persistence

 Have all web frontends share one big memory cache in the cloud
   Done via in-memory datastores (Redis, Memcached)
   Example: AWS ElastiCache applied to user session state on web tier


SLIDE 20: Putting it together: Yahoo!

[Figure: resolving and fetching www.yahoo.com from pdx.edu (steps 1-9). The root servers [a-m].root-servers.net answer that *.yahoo.com is served by ns1.yahoo.com (204.71.177.33), ns3.europe.yahoo.com (195.67.49.25), ns2.dca.yahoo.com (209.143.200.34) and ns5.dcx.yahoo.com (216.32.74.10); ns1.yahoo.com answers that www.yahoo.com is 204.71.200.68, 204.71.200.67, 204.71.200.75, 204.71.202.160, 204.71.200.74. The local DNS cache holds the host record for www.yahoo.com and the name servers for yahoo.com; the page is then fetched from yahoo.com, with embedded content served from akamaitech.net and us.yimg.com.]

SLIDE 21: Support in cloud platforms

 GCP Cloud DNS, AWS Route 53
   Map DNS records to your instances
 GCP Cloud Load Balancer, AWS Elastic Load Balancer
   Spread HTTP requests across machines
     L4 connection load balancing
     L5 content-based load balancing
     Geographic and network latency based load balancing
 GCP Cloud CDN or AWS CloudFront
   Forward deploy content via compute engine instances in load balancer to leverage edge caches in GCP
   See CDN lab


SLIDE 22: CDNs for DDoS protection

SLIDE 23: DDoS problem

SLIDE 24: CDNs to the rescue?

 Distributed denial-of-service mitigation
   CDN manages your DNS to point to forward-deployed nodes
   Performs a reverse proxy operation on nodes as previously
     Terminates connections and examines request, before forwarding to content nodes
   Drops sources of unwanted requests
     Mirai traffic, GitHub attack traffic, Dyn DNS attack traffic (2016), etc.
   Can also drop malicious requests after analysis by web-application firewall (WAF)
     Common XSS payloads, known exploits
 Examples: CloudFlare, Akamai, Google, Microsoft
   Google now protecting high-profile anti-hacking sites for free


SLIDE 25: General architecture

SLIDE 26: Azure DDoS Protection (4/18/18)

 Reverse-proxy at edge
 "L7" protection
   WAF (SQLi, XSS filter)
   Rate-limit per IP addr
   Protocol attacks (floods)

https://azure.microsoft.com/en-us/blog/azure-ddos-protection-for-virtual-networks-generally-available/

SLIDE 27: Issue: HTTPS proxying

 To proxy an https connection at edge, CDN must have
   Certificate of site it's protecting
   Private key associated with certificate to decrypt key from client
     e.g. client encrypts random key with public key of site to establish symmetric encryption
     Can only be decrypted by server's private key
 But, not all sites want to give up private key to CloudFlare (or other CDNs)
   Breaks end-to-end security guarantees that TLS was intended to provide!
   Trade-off DDoS resilience for application security


SLIDE 28: Key server architecture

 Site must either give up private key to CDN or co-locate key server to the edge to implement part of TLS requiring private key

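The split described on slides 27 and 28, as an added Python example (not CloudFlare's or any CDN's code): the edge node holds the site's certificate and terminates the connection, but the one handshake step that needs the private key, decrypting the client's premaster secret, is forwarded to a key server the site controls. Textbook RSA with tiny constructed primes stands in for the certificate key pair so the example runs offline; the channel between edge and key server is assumed to be authenticated.

```python
import hashlib

# Constructed example of the key server split (not CloudFlare's or any CDN's
# code).  Textbook RSA with tiny constructed primes stands in for the site's
# certificate key pair so that it runs offline; it is not a secure cipher.
P, Q = 61, 53
N, E = P * Q, 17                        # public key: what the certificate publishes
D = pow(E, -1, (P - 1) * (Q - 1))       # private key: the part a site may refuse to hand over


def client_key_exchange(n, e, premaster):
    """Client side: encrypt a random premaster with the site's public key."""
    return pow(premaster, e, n)


def derive_session_key(premaster, client_random, server_random):
    """Both ends derive the symmetric key from the shared premaster (simplified)."""
    data = b"master secret" + premaster.to_bytes(2, "big") + client_random + server_random
    return hashlib.sha256(data).digest()


class KeyServer:
    """Stays under the site's control: holds D and answers only with the
    decrypted premaster, never with the key itself."""
    def __init__(self, d, n):
        self._d, self._n = d, n

    def decrypt_premaster(self, ciphertext):
        return pow(ciphertext, self._d, self._n)


class EdgeNode:
    """CDN reverse proxy: terminates TLS with the site's certificate (N, E) but
    holds no private key; the single private-key operation of the handshake
    is forwarded to the key server over an assumed authenticated channel."""
    def __init__(self, n, e, key_server):
        self.n, self.e, self.key_server = n, e, key_server

    def finish_handshake(self, encrypted_premaster, client_random, server_random):
        premaster = self.key_server.decrypt_premaster(encrypted_premaster)
        return derive_session_key(premaster, client_random, server_random)
```

The edge still sees the premaster and all plaintext, so the trade-off on slide 27 remains; what the key server changes is that the long-lived private key never leaves the site.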