Content Distribution Networks (CDNs)
A content distribution network can be viewed as a global web server replication.
main idea: each replica is located in a different geographic area, rather than in the same server farm.
A CDN usually consists of the following components:
A set of web servers and/or cache servers
A dedicated intelligent distribution mechanism to move data between the various servers
A mechanism to intelligently match the requesting user with the most efficient server.
Reuven Cohen Internet networking
main issues of a CDN:
to which replica should a user's request be forwarded, i.e. how to direct a request ("global redirection")
how to ensure consistency among the various replicas:
• how to synchronize changes such that the same request sent to two different replicas at the same time will get the same response
Content Distribution Networks (cont.)
Like web caching, a CDN helps in
reducing the response time to users' requests
saving expensive bandwidth
However, whereas a web cache is usually operated by an ISP, a CDN is operated by (or for) a content provider like CNN.com
the CDN saves the cost of an expensive access link from the
Request-routing using HTTP-redirect
The request is received by a single director
The director determines the IP address of the server closest to the user
It then responds by an HTTP redirect (301) message
The client browser transparently connects to the selected server.
Figure: a client in Boston sends GET to the director; the director answers with Redirect (NY); the client sends GET to server 1 (NY) and receives the Response. Server 2 (LA) is not involved.
Request routing using a DNS director when the CDN is operated by a CDN provider
A DNS director is used in order to balance the access to mirror servers.
The client searches for the IP address of www.com1.com
The client's local DNS server sends a DNS query for www.com1.com
The com1.com DNS server refers the client's DNS server to dd.cdn.com
cdn.com is a CDN provider
The local DNS server sends to dd.cdn.com a DNS query for www.com1.com
Based on the IP address of the calling DNS server and on information about the location of the relevant mirror servers, the DNS director determines the best mirror server for the client and returns the IP address of that server
Part 6 : Network Attacks and Security
Security vulnerabilities are everywhere: in the IP protocol, in TCP, in HTTP, in routing protocols, in DNS, in ARP, and so on…
There is no generic tool for addressing all security vulnerabilities.
However, two common tools are very often used: firewalls and cryptography.
Where do the problems come from?
Protocol-level vulnerabilities
• Implicit trust assumptions in design
Implementation vulnerabilities
• Both on routers and end-hosts
Incomplete specifications
• Often left to the imagination of programmers
IP spoofing
The attacker alters the source IP address of its packets, so that they appear to have come from another source
since the attacker does not get the response packets, this is also considered as "blind spoofing"
with "blind spoofing" it is difficult for the attacker to complete the setup of a TCP connection because of the random initial sequence number selected by the server
Main motivation for IP address spoofing:
to gain access to protected resources, from servers that honor requests only from specific addresses
SYN attack
This attack takes advantage of a vulnerability of IP and of TCP.
The idea: an attacker sends thousands of SYN packets to a given server, usually from multiple spoofed addresses.
The response of the server is not received by the attacker, but in any case the attacked machine tries to open a TCP connection.
It waits for a long time (naïve implementations wait up to 9 minutes) for the ACK of the initiator, and then drops the connection.
The number of pending connections, which wait for an ACK, is upper bounded, and when this maximum is reached, any new SYN is dropped.
This attack is popular because:
It is very difficult to locate an attacker who uses a spoofed IP address.
It is very difficult to block this attack, especially if the attacker uses multiple spoofed IP addresses.
Prevention of source address spoofing
RFC-2827 proposes to block packets with spoofed IP addresses using the concept of "ingress filtering".
main idea: don't allow a packet to be received over an interface which does not lead to the source.
E.g., if R2 receives from Net-5 an IP packet whose source IP address belongs to Net-1, the packet is dropped
• Because the shortest path to Net-1 is through interface Net-2
But this approach does not work for Inter-AS routing
Figure: topology with routers R1, R2, R3, R4 and networks Net-1, Net-2, Net-3, Net-4, Net-5, Net-7; R2 has interfaces on Net-2 and Net-5 and reaches Net-1 through Net-2.
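The ingress check described above, written out as an added example (not from the slides): R2's forwarding table is consulted in reverse, and a packet is accepted only if it arrived on the interface R2 would use to reach the packet's claimed source. The prefixes, interface names and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed forwarding table for R2 in the topology above. The prefixes are
# assumptions (the slides name the networks but give no addresses); each entry
# says which interface R2 uses to reach that network.
R2_FORWARDING_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "if-Net-2"),   # Net-1, reached via Net-2
    (ipaddress.ip_network("10.2.0.0/16"), "if-Net-2"),   # Net-2, directly attached
    (ipaddress.ip_network("10.5.0.0/16"), "if-Net-5"),   # Net-5, directly attached
    (ipaddress.ip_network("10.7.0.0/16"), "if-Net-7"),   # Net-7, directly attached
]

def outgoing_interface(table, addr):
    """Longest-prefix match: the interface the router would use to send to addr,
    or None when it has no route for addr at all."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def ingress_accept(table, src_ip, arrival_iface):
    """RFC 2827 ingress filtering in its strict form: accept a packet only if it
    arrived on the interface the router would itself use to reach the packet's
    source address. A source with no route at all is dropped as well."""
    expected = outgoing_interface(table, src_ip)
    return expected is not None and expected == arrival_iface

# Constructed sample packets: (claimed source address, interface it arrived on)
SAMPLE_PACKETS = [
    ("10.1.0.7", "if-Net-5"),    # claims Net-1 but came in from Net-5: spoofed, drop
    ("10.5.0.9", "if-Net-5"),    # genuine Net-5 host: accept
    ("10.1.0.7", "if-Net-2"),    # Net-1 host arriving over the path R2 expects: accept
    ("192.0.2.1", "if-Net-7"),   # no route back to this source: drop
]

def filter_samples(table=R2_FORWARDING_TABLE, packets=SAMPLE_PACKETS):
    """One accept/drop decision per sample packet, in order."""
    return [ingress_accept(table, src, iface) for src, iface in packets]

if __name__ == "__main__":
    for (src, iface), ok in zip(SAMPLE_PACKETS, filter_samples()):
        print(f"{src:>10} on {iface}: {'accept' if ok else 'drop'}")
```

The strict check assumes the forward and return paths coincide; where they differ, as the slide notes for Inter-AS routing, it would drop legitimate packets.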
More attack examples
An attack on a router:
the attacker floods an ISP's router with IP packets carrying uncommon destination IP addresses
These packets blow the router's route cache, and therefore reduce the router speed substantially.
ICMP flooding:
send an "ICMP Echo Request" message whose destination address is a directed broadcast and whose source address is a forged IP address
all the hosts in the destination network will send an "ICMP Echo Reply" to the forged address
DNS cache poison:
works if the victim server supports recursive queries
the attacker sends a request to the attacked DNS server
the server forwards this request to another server
the attacker sends a reply, pretending to be the contacted server
• this requires the attacker to predict the sequence number used by the victim server
More attack examples (cont.)
Web server "man in the middle" attack
attacker uses DNS cache poisoning to associate the IP of its server with the name www.abc.com of a real server.
when a client accesses the attacker's server, this server acts as a proxy
• it forwards the client request to the real server and the server's response to the client
What's a firewall
A security mechanism usually used to protect data and computers on a private network from the uncontrolled activities of untrusted users.
Security: enables to selectively permit or deny access to the network, on the basis of protocol used, source/destination hosts, time-of-day etc.
Policy: may enforce restrictions on outbound traffic.
Auditing: may gather usage statistics.
The main issue in the firewall design: at what layer should it operate.
higher layer security has more intelligence, but lower layer security is more efficient
Figure: a firewall placed between a private network and the Internet.
Three types of firewalls
Figure: three firewall types, each placed between an internal host and an external host. A packet filtering firewall works at the IP layer only; a transport layer firewall has IP and TCP stacks facing each side; an application layer firewall has IP, TCP and application layers facing each side.
A packet filtering firewall
Works on a per-packet basis.
Looks at the various fields in the IP and UDP/TCP headers.
Determines whether or not to pass a packet based on the source and destination IP addresses and port numbers.
E.g. a firewall administrator may not allow any incoming packets, except those destined for the local web server.
E.g. a firewall administrator may allow local users to contact remote web servers by allowing outgoing packets whose destination port is 80 and incoming packets whose source port is 80
But this does not work if the remote web server is set up on port 8080 or any other port.
Examples for a packet filtering firewall
Using the following rules, only traffic for the local web server can pass through the firewall
Rule table columns: Action | Source IP address | Source port No. | Dest. IP address | Dest. port No. | Protocol
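The two rule sets from these slides evaluated by a first-match packet filter, as an added example that is not part of the lecture: one set admits only traffic for the local web server, the other is the port-80-only rule set that fails for a remote server on port 8080. The addresses (192.0.2.10 for the web server, 192.0.2.0/24 for the local users) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_net: str              # CIDR; "0.0.0.0/0" matches any address
    src_port: Optional[int]   # None matches any port
    dst_net: str
    dst_port: Optional[int]
    proto: Optional[str]      # None matches any protocol
    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                and self.proto in (None, p.proto))

def decide(rules, packet: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

WEB_SERVER = "192.0.2.10"   # constructed address of the local web server

# Rule set of this slide: only traffic for the local web server may cross.
WEB_ONLY_RULES = [
    Rule("allow", "0.0.0.0/0", None, WEB_SERVER + "/32", 80, "tcp"),   # requests to it
    Rule("allow", WEB_SERVER + "/32", 80, "0.0.0.0/0", None, "tcp"),   # its replies
    Rule("deny", "0.0.0.0/0", None, "0.0.0.0/0", None, None),          # everything else
]

# Rule set of the previous slide: local users (192.0.2.0/24, assumed) may reach
# remote web servers by port number alone; it fails for a server listening on 8080.
OUTBOUND_WEB_RULES = [
    Rule("allow", "192.0.2.0/24", None, "0.0.0.0/0", 80, "tcp"),
    Rule("allow", "0.0.0.0/0", 80, "192.0.2.0/24", None, "tcp"),
    Rule("deny", "0.0.0.0/0", None, "0.0.0.0/0", None, None),
]
```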
A problem with a packet filtering firewall: SYN attack
In a "SYN attack", the attacker initiates many TCP connections, by sending SYN segments, but does not send the ACK segment in order to avoid the completion of these connections.
Therefore, the queue of pending connections (connections that have not been fetched by the application) is filled up
consequently, SYNs for legal connections are ignored.
This attack can be avoided if the host TCP is modified such that
the queue backlog increases
if an ACK is not received within a reasonable time, RST is sent and the connection is dropped.
However, this will require changing the software at every computer.
Another approach is to employ a transport layer firewall
Socket-layer splicing for SYN attack protection
The firewall accepts every incoming TCP connection.
If an ACK is not received within a reasonable time (e.g. 10s), RST is sent and the connection is dropped.
If an ACK is received, data is copied in the kernel space:
Namely, after a packet is received on connection A, it is processed by TCP and then is added to the send_buffer of connection B.
By not moving the data to the user space, like an Application Layer firewall would do, many CPU cycles are saved.
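The backlog argument of the last two slides (a bounded queue of half-open connections, emptied either by the ACK or by a timeout followed by RST) replayed on constructed traffic, as an added illustration that is not from the lecture. The backlog size of 64, the 9-minute and 10-second timeouts and the arrival pattern are assumptions chosen to match the figures quoted on the slides.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Syn:
    arrival: float             # arrival time in seconds
    ack_at: Optional[float]    # when the handshake ACK arrives; None = never (spoofed source)

def simulate_backlog(syns, timeout: float, backlog: int):
    """Replay SYN arrivals against a pending-connection queue holding at most
    `backlog` half-open connections. An entry leaves the queue when its ACK
    arrives (handshake completed) or when `timeout` seconds pass without one
    (RST sent, connection dropped). Returns one bool per SYN, in arrival order:
    True if it was queued, False if it was ignored because the queue was full."""
    pending = []        # (expiry_time, ack_at) for each half-open connection
    decisions = []
    for syn in sorted(syns, key=lambda s: s.arrival):
        now = syn.arrival
        pending = [(exp, ack) for exp, ack in pending
                   if exp > now and not (ack is not None and ack <= now)]
        if len(pending) >= backlog:
            decisions.append(False)
            continue
        pending.append((now + timeout, syn.ack_at))
        decisions.append(True)
    return decisions

# Constructed traffic: 100 SYNs from spoofed sources, one per second, that are
# never ACKed, followed by one legitimate client whose ACK arrives 0.1 s later.
SPOOFED = [Syn(float(t), None) for t in range(100)]
LEGIT = Syn(150.0, 150.1)
TRAFFIC = SPOOFED + [LEGIT]

def legit_client_served(timeout: float, backlog: int = 64) -> bool:
    """True if the legitimate SYN at t=150 still finds room in the queue."""
    return simulate_backlog(TRAFFIC, timeout, backlog)[-1]

if __name__ == "__main__":
    print("9-minute timeout, backlog 64:", legit_client_served(540.0))   # False
    print("10-second timeout, backlog 64:", legit_client_served(10.0))   # True
```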
Another possible solution
Figure: two message sequences between the internal server, the firewall and the external client. Success: the firewall answers the client's SYN with SYN+ACK; once the client's ACK arrives, the handshake with the internal server (SYN, SYN+ACK, ACK) is completed and data flows. Failure: the client's ACK is not received, a time out occurs and the connection is reset (RST).
Main advantage: after the connection is established, the gateway does not need to be involved in data transfer (it functions as a router only).
Therefore, the TCP processing overhead is avoided.
Firewall architectures: (1) a packet filtering firewall
The simplest architecture
inexpensive but also insecure
Figure: a packet filtering firewall between the private network and the Internet.
Firewall architectures: (2) a dual-homed application gateway
All traffic must go through the application layer firewall
no other internal server is accessible
secure, but has performance limitations
Figure: Internet, router, application gateway, private network; the application gateway is the only path between the router and the private network.
Firewall architectures: (3) a screened host firewall
For some protocols: only specific servers are accessible
E.g., incoming HTTP traffic is accepted only for the public web server
Traffic of other specific protocols is accepted only if the destination is the application gateway.
Outbound traffic is accepted from every host.
Firewall architectures: (4) a screened subnet firewall
DMZ is a "neutral zone" between the private and the public networks.
the outer router only advertises the DMZ to the external network.
• this helps in avoiding "IP address spoofing"
The inner systems are completely isolated from the outer world.
The DMZ servers are not allowed to initiate connections towards the private network hosts.
Figure: Internet, outer packet filtering router, DMZ (mail server, public web server, application gateway: services open for public access), inner packet filtering router, private network.