Content Distribution Networks (CDN)

Transcription

1 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the same farm. A CDN usually consists of the following components: A set of web s and/or cache s A dedicated intelligent distribution mechanism to move data between the various s A mechanism to intelligently match the requesting user with the most efficient. main issues of a CDN: to which replica should a user s request be forwarded how to direct a request ( global redirection ) how to ensure consistency among the various replicas: how to synchronize changes such that the same request to two different replicas at the same time will get the same response Content Distribution Networks (cont.) 230 Like web caching, a CDN helps in reducing the response time to users requests saving expensive bandwidth However, whereas a web cache is usually operated by an ISP, a CDN is operated by (of for) a content provider like CNN.com the CDN saves the cost of an expensive access link from the content provider to its ISP. 115

2 231 Request-routing using HTTP-redirect The request is received by a single director The director determines the address of the closest to the user It then responds by an HTTP redirect (301) message The client browser transparently connects to the selected. director client in Boston 1 (NY) 2 (LA) GET Redirect (NY) GET Response Request routing using a DNS director when the CDN is operated by a CDN provider A DNS director is used in order to balance the access to mirror s. The client searches for the address of The client local l DNS sends a DNS query for The com1.com DNS refers the client s DNS to dd.cdn.com cdn.com is a CDN provider The local DNS sends to dd.cdn.com a DNS query for Based on address of the calling DNS serve and on information about the location of the relevant mirror s, the distributor director determines the best for the client and returns the address of that to the client

3 new slide Part 6 : Network Attacks and Security 233 Security vulnerabilities are everywhere: In the protocol In In HTTP In routing protocols In DNS, in ARP, and so on Where do the problem come from? Protocol-level vulnerabilities Implicit it trust t assumptions in design Implementation vulnerabilities Both on routers and endhosts Incomplete specifications Often left to the imagination of programmers There is no generic tool for addressing all security vulnerabilities. However, two common tools are very often used: firewalls cryptography 234 spoofing The attacker alters the source address of its packets, so that they appear to have come from another source since the attacker does not get the response packets, this is also considered as a blind spoofing with blind spoofing it is difficult for the attacker to complete the setup of a connection because of the random initial sequence number selected by the Main motivation for address spoofing: to gain access to protected resources, from s that honor requests only from specific addresses to hide the source in a Distributed Denial of Service (DDoS) attack. 117

4 235 SYN attack This attack takes advantage of vulnerability of and of. The idea: an attacker sends thousands of SYN packets to a given source, usually from multiple spoofed addresses. The response of the is not received by the attacker, but in any case the attacked machine tries to open a connection. It waits for a long time (naïve implementations wait up to 9 minutes) for the ACK of the initiator, and then drops the connection. The number of pending connections, which wait for an ACK, is upper bounded, and when this maximum is reached, any new SYN is dropped. This attack is popular because: It is very difficult to locate an attacker who uses a spoofed addresses. It is very difficult to block this attack, especially if the attacker uses multiple spoofed addresses. 236 Prevention of source address spoofing RFC-2827 proposes to block packets with spoofed addresses using the concept of ingress filtering. main idea: don t allow a packet to be received over an interface which does not lead to the source. E.g., if R2 receives from Net-5 an packet whose source address belongs to Net-1, the packet is dropped Because the shortest path to Net-1 is through interface Net-2 Net-1 R1 Net-2 R2 Net-7 Net-3 Net-5 R3 Net-4 R4 Net-6 But this approach does not work for Inter-AS routing 118

5 237 More attack examples An attack on a router: the attacker floods an ISP s router with packets carrying uncommon destination addresses These packets blows the router s router cache, and therefore reduces the router speed substantially. ICMP flooding: send an ICMP Echo Request message whose destination address is directed broadcast and source address is a forged address all the hosts in the destination network will send an ICMP Echo Reply to the forged address DNS cache poison: works if the victim support recursive queries the attacker sends a request to the attacked DNS the forwards this request to another the attacker sends a reply, pretending to be the contacted this requires the attacker to predict the sequence number used by the victim More attack examples (cont.) 238 Web man in the middle attack attacker uses DNS cache poisoning to associate the of its with the name of a real. when a client accesses the attacker, this acts as a proxy it forwards the client request to the real and the s response to the client consequently, the attacker is able to listen to the whole session between the real client and the real 119

6 239 What s a firewall A security mechanism usually used to protect data and computers on a private network from the uncontrolled activities of untrusted users. Security: enables to selectively permit or deny access to the network, on the basis of protocol used, source/destination hosts, time-of-day etc. Policy: may enforce restrictions on outbound traffic. Auditing: may gather usage statistics. The main issue in the firewall design: at what layer should it operate. higher layer security has more intelligence but lower layer security is more efficient The Internet firewall A Private network 240 Three types of firewalls internal host a packet filtering firewall external host /UDP internal host a transport layer firewall external host internal host an application layer firewall external host App. App. 120

7 241 A packet filtering firewall Works on a per-packet basis. Looks at the various fields in the and UDP/ headers. Determines whether or not to pass a packet based on the source and destination addresses and port numbers. E.g. a firewall administrator may not allow any incoming packets, except those destined for the local web. E.g. a firewall administrator may allow local users to contact remote web s by allowing outgoing packets whose destination port is 80 and incoming packets whose source port is 80 But this does not work if the remote web sever is set up on port 8080 or any other port. 242 Examples for a packet filtering firewall Using the following rules, only traffic for the local web can pass through the firewall Direction Action Source address Source port No. Dest. address Dest. port No. Protocol inbound allow * > 1023 our web 80 outbound allow our web 80 * >

8 A problem with a packet filtering firewall: SYN attack 243 In SYN attack, the attacker initiates many connections, by sending SYN segments, but does not send the ACK segment in order to avoid the completion of these connections. Therefore, the queue of pending connections (connections that have not been fetched by the application) is filled up consequently, SYN for legal connection are ignored. This attack can be avoided if the host is modified such that queue backlog increases if an ACK is not received within a reasonable time, RST is sent and the connection is dropped. However, this will require to change the software at every computer. Another approach is to employ a transport layer firewall 244 Socket-layer splicing for SYN attack protection client data The firewall accepts every incoming connection. If an ACK is not received within a reasonable time (e.g. 10s), RST is sent and the connection is dropped. If an ACK is received, data is copied in the kernel space: SYN SYN+ACK ACK Namely, after a packet is received on connection A, it is processed by and then is added to the send_buffer of connection B. By not moving the data to the user space, like an Layer firewall would do, many CPU cycles are saved. firewall data SYN SYN+ACK ACK internal Layer Socket Layer / Layer NIC driver NIC Layer Socket Layer / Layer NIC driver NIC 122

9 245 Another possible solution external client SYN SYN+ACK firewall internal external client SYN SYN+ACK firewall internal ACK data ACK ACK is not received RST time out ACK FIN success failure Main advantage: after connection is established, the gateway does not need to be involved in data transfer (it functions as a router only). Therefore, the processing overhead is avoided. 246 Firewall architectures: (1) a packet filtering firewall The simplest architecture inexpensive but also insecure Internet packet filtering router private network 123

10 Firewall architectures: (2) a dual-homed application gateway 247 All traffic must go through the application layer firewall no other internal is accessible secure, but has performance limitations Internet private network router application gateway 248 Firewall architectures: (3) a screened host firewall For some protocols: only specific s are accessible E.g., incoming HTTP traffic is accepted only for the public web Traffic of other specific protocols is accepted only if the destination is the gateway. Outbound traffic is accepted from every host. packet filtering router Internet private network application gateway public web 124

11 249 Firewall architectures: (4) a screened subnet firewall DMZ is a neutral zone between the private and the public networks. the outer router only advertises the DMZ to the external network. this helps in avoiding address spoofing The inner systems are completely isolated from the outer world. The DMZ s are not allowed to initiate connections towards the private network hosts. services open for public access mail public web packet filtering router application gateway packet filtering router Internet services not open for public access 125