Building a Resilient World Wide Web
Michael Smith
mismith@akamai.com
Security Evangelist
Network Services: Simple?
[Diagram: Customer Origin, End User]
The Akamai Platform
Edge Delivery of Dynamic Web Sites, Web Applications, Secure Content, Streaming Media
Akamai: What is it?
The world's largest on-demand, distributed computing platform; it delivers all forms of Web content, video, and applications for over 4,000 customers and 50,000 domains on the Internet.
Including:
- The top Media & Entertainment companies
- The top online retailers
- The top antivirus companies
- The top Internet portals
- All branches of US Military
15-30% of the world's web traffic
Resulting in Daily Traffic of:
- 21+ million hits per second
- 6500+ Gbps
- 1,500,000+ concurrent streams
- 1+ trillion transactions
110,000+ Servers
1000+ Networks
78 Countries
5-7 NOCC Staff
Everyone Relies on Us to be Resilient
Resilience for us means:
- Resilient Design: Make stuff work, anticipating failure
- Resilient Transport: Reliability when the Internet is suboptimum
- Attack Mitigation: Preventing failures induced by attack
Akamai's Philosophy
We assume that a significant number of component and system failures occur at all times in the network.
Consequences of the Philosophy
Do: Understand which rules to break
- Commodity hardware
- Third-party Datacenters
- Smaller regions
- Spread regions within ISPs
- Use the public Internet
- Have a small, dedicated-purpose OS and application stack
Don't: Use established computing paradigms
- More reliable servers
- Own our own network
- Larger more reliable clusters
- Find most reliable datacenters
- Have dedicated links
- Use general-purpose COTS technology stack
Core Principles
- Principle #6: Notice and Quarantine Faults
- Principle #5: Zoning for Releases
- Principle #4: Fail-Stop & Restart
- Principle #3: Distributed Control
- Principle #2: Software for Message Reliability
- Principle #1: Ensure Significant Redundancy
- Philosophy: Assume numerous failures
Redundancy In Server/Buddy Clusters (Regions) Datacenters Cities Countries Continents
System Monitoring
[Diagram: Leader, Aggregator, Alert server, NOCC]
- Throughput (hits, bits)
- OS Load (CPU, RAM)
- POP2POP Latency
- Client Download Speed
- Link Availability
- BGP state
Akamai Automated Alerts and Responses
DNS Abstraction is Key
    ;; QUESTION SECTION:
    ;www.akamai.com. IN A

    ;; ANSWER SECTION:
    www.akamai.com. 900 IN CNAME www-main.akamai.com.edgesuite.net.
    www-main.akamai.com.edgesuite.net. 764 IN CNAME a152.dscb.akamai.net.
    a152.dscb.akamai.net. 20 IN A 80.67.64.116
    a152.dscb.akamai.net. 20 IN A 80.67.64.114
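The answer section above, walked programmatically (an added example, not part of the original slides): it follows the CNAME chain and reports the TTL at each layer, showing that the customer-facing aliases are cached for minutes while the final edge addresses expire after 20 seconds. The function names are hypothetical; the sample input is the answer shown on the slide.

```python
# Added example (not from the slides): walk the CNAME chain in the dig answer.
# Sample input is the answer section shown on the slide; TTLs are as displayed.
ANSWER = """\
www.akamai.com. 900 IN CNAME www-main.akamai.com.edgesuite.net.
www-main.akamai.com.edgesuite.net. 764 IN CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 80.67.64.116
a152.dscb.akamai.net. 20 IN A 80.67.64.114
"""


def parse_answer(text):
    """Parse 'owner ttl class type rdata' lines; skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _rclass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


def resolve_chain(records, qname, max_hops=8):
    """Follow CNAMEs from qname. Returns (hops, addrs) where hops is a list of
    (owner, ttl, target) and addrs is a list of (ip, ttl) for the final name."""
    cnames = {o: (ttl, tgt) for o, ttl, t, tgt in records if t == "CNAME"}
    hops, name = [], qname.lower()
    while name in cnames:
        if len(hops) >= max_hops or any(name == h[0] for h in hops):
            raise ValueError("CNAME loop or over-long chain at " + name)
        ttl, target = cnames[name]
        hops.append((name, ttl, target))
        name = target
    addrs = [(ip, ttl) for o, ttl, t, ip in records if t == "A" and o == name]
    if not addrs:
        raise ValueError("answer has no A record for " + name)
    return hops, addrs


def edge_remap_seconds(addrs):
    """Longest a cache can keep serving these edge IPs before re-asking."""
    return min(ttl for _ip, ttl in addrs)


if __name__ == "__main__":
    hops, addrs = resolve_chain(parse_answer(ANSWER), "www.akamai.com.")
    for owner, ttl, target in hops:
        print(f"{owner} -> {target} (alias cached {ttl}s)")
    print("edge IPs:", [ip for ip, _ in addrs])
    print("edge mapping can change every", edge_remap_seconds(addrs), "s")
```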
How It Works
[Diagram: End User, DNS, Akamai Server, Origin, Secondary Site, Akamai Net Storage, HTTP/S]
1. Dynamic DNS maps user to best edge server based on network topology and performance in real-time
2. A user's connection invokes metadata identifying explicit rulesets: where is the content, how should it be cached, should it be authenticated, performance features, failover options
3. Content is fetched from the origin site if needed
Metadata Capabilities
- Direct response (302, 404, 403)
- Deliver cached object
- IP rate limiting
- WAF rules
- Identification, authentication, and authorization
- Pull data from authoritative origin
- Failover to DR origin
- Failover to cloud storage
- User discrimination
Minimum Site Functionality
- Large flash crowds
- Datacenter failure
- Untrustworthy users
- Application attackers
- Scrapers
- Volumetric attacks
Thank you!