04 (idnog01) handling massive numbers subscribers and attacks by takeki kumamura

© A10 Networks, Inc. Handling massive number of subscribers and attacks June, 2014 APJ Solution Engagement, Solution Architect Takeki Kumamura

Uploader: indonesia-network-operators-group. Posted 02-Jul-2015.

TRANSCRIPT

Page 1: 04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura

©A10 Networks, Inc.

Handling massive number of subscribers and attacks

June, 2014

APJ Solution Engagement, Solution Architect: Takeki Kumamura

Page 2:

Introductions

Page 3:

A10 Corporate Introduction

Chart: Company growth, 2010–2013 (values shown on the slide: 54,700,000; 91,493,028; 120,344,000; 142,000,000)
Chart: Customer growth, Q4 '11, Q4 '12, today (values shown: 1,080; 2,008; 3,000)

Headquarters in San Jose, 650 employees, offices in 23 countries, customers in 65 countries

Page 4:

3000+ Customers in 65 Countries

Web Giants, Enterprises, Service Providers

3 of top 4 U.S. wireless carriers
7 of top 10 U.S. cable providers
Top 3 wireless carriers in Japan

Page 5:

A10 Product Portfolio Overview

IT delivery models: Dedicated Network, Managed Hosting, Cloud IaaS

Application Networking Platform (ACOS Platform): Performance, Scalability, Extensibility, Flexibility

Product lines:
▪ ADC – Application Delivery Controller: Application Acceleration & Security
▪ CGN – Carrier Grade Networking: IPv4 Extension / IPv6 Migration
▪ TPS – Threat Protection System: Network Perimeter DDoS Security

Page 6:

Handling Massive Number of Subscribers

Page 7:

Exponential Rise in Devices, Users and Traffic

Charts on this slide (panel titles and sources only):
▪ Digital Content – The Digital Universe: 50-fold growth from the beginning of 2010 to the end of 2020. Source: IDC's Digital Universe Study, sponsored by EMC, December 2012
▪ Internet Traffic – IP Traffic by Year. Source: Cisco VNI, 2013
▪ IPv6 Content – Akamai IPv6 Traffic Volume. Source: Akamai
▪ Internet of … (panel title cut off in the export) – Total of Connected Devices, Billions of Units (Installed Bases). Source: Gartner (November 2013)

Extend IPv4 & Migrate to IPv6

Page 8:

How about a real example?

Page 9:

Delegated IPv4 Addresses (top 10) and Populations

Rank  Country                     IPv4 addresses   Population       IPs/Pop.
1     China                       330,600,960      1,365,160,000    0.24
2     Japan                       201,530,368      127,090,000      1.58
3     Korea, Republic of          112,274,176      50,423,955       2.22
4     Australia                   48,270,848       23,533,100       2.05
5     India                       35,762,688       1,245,700,000    0.02
6     Taiwan, Province of China   35,430,656       23,386,883       1.51
7     Indonesia                   17,588,480       247,424,598      0.07
8     Viet Nam                    15,606,528       89,708,900       0.17
9     Hong Kong                   11,807,232       7,219,700        1.63
10    Thailand                    8,615,936        64,456,700       0.13

Sources: http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIR_Delegations/APNIC/IPv4-ByNb.html and http://en.wikipedia.org/wiki/List_of_countries_by_population

Page 10:

What is the actual number of users?

▪ 17,580,480 IPs versus a population of 247,424,598 = 0.07 IP/person
  – But who will actually be using the devices that hold IP addresses?
  – ISP home networks, and mobile devices.

Page 11:

Increasing Smartphones in Indonesia

Year                                         2011   2012   2013   2014   2015   2016   2017
Smartphone users (Mil.)                      11.7   26.3   41.6   61.2   74.8   89.8   103.6
  – % of mobile phone users                  9.0%   16.0%  24.0%  34.0%  40.0%  47.0%  53.0%
  – % of population                          4.8%   10.6%  16.6%  24.1%  29.2%  34.8%  39.8%
vs IPv4 addresses (17,580,480), IPs per user 1.50   0.66   0.42   0.28   0.23   0.19   0.16

Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102

The NAT "compression rate" of private to global IP addresses increases.

Page 12:

I am already doing NAT

Page 13:

Limitations with Classic NAT

▪ Classic NAT does not allow outside-originated traffic
▪ Legacy implementations lack end-to-end transparency
▪ Causes peer-to-peer, voice, video and streaming applications to break
▪ Scale and performance for carrier-class applications

▪ Carrier Grade NAT (CGN) supports transparent end-to-end connectivity
▪ Enables oversubscription of global IPv4 resources, helps scaling
▪ NAT44 or NAT444 options

Diagram: Classic NAT passes inside-originated traffic but blocks outside-originated traffic; CGN passes both inside-originated and outside-originated traffic.

Page 14:

CGN Use Case: Hairpinning

▪ Two clients, Host A and Host B, behind a common NAT device
▪ Host A to Host B communication using the external binding
  – Ex: hosts using SIP for communication, registered to an external server (Ex: SIP service)

Diagram: Host A and Host B (inside) reach Host S (outside) through the CGN, whose external address is X. Flows shown:
  Inside originated: Source A:1024, Dest S:8080; reply from S: Source S:8080, Dest X:9001
  Inside originated: Source B:1024, Dest S:8080; reply from S: Source S:8080, Dest X:9002
  Hairpinned: Source B:1024, Dest X:9001 and Source A:1024, Dest X:9002
Binding table columns Internal / External / Filter, as shown on the slide: A:1024/B:8080 | X:9001/B:8080 | *:*/X:9001

Hairpinning traffic allows inside clients to connect to their outside IP/port.
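As an added illustration of the two preceding slides (the classic-NAT limitation and the hairpinning use case), not code from the deck or from A10: a toy Python model of a NAT binding table with the two behaviours that differ between the slides, address-and-port-dependent inbound filtering (classic NAT) versus endpoint-independent filtering plus hairpinning (CGN). The host labels A, B, S, X and the ports 1024, 8080, 9001 and 9002 are the slide's; the IP addresses behind the labels and the unrelated caller 198.51.100.7 are constructed.

```python
from dataclasses import dataclass, field

# Constructed addresses behind the slide's labels: A and B are inside the CGN,
# S is the outside SIP server, X is the CGN's external (public) address.
A, B, S, X = "10.0.0.1", "10.0.0.2", "203.0.113.5", "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


@dataclass
class Nat:
    external_ip: str
    # False: classic NAT, inbound accepted only from the peer the inside host
    # contacted. True: CGN-style endpoint-independent filtering (the "*:*"
    # filter column on the slide), inbound accepted from any outside source.
    endpoint_independent: bool
    hairpin: bool            # turn around packets sent to our own external address
    next_port: int = 9001    # first external port handed out (slide numbering)
    mapping: dict = field(default_factory=dict)  # inside (ip, port) -> external port
    peers: dict = field(default_factory=dict)    # external port -> outside peers contacted

    def _bind(self, inside):
        """Endpoint-independent mapping: one external port per inside (ip, port)."""
        if inside not in self.mapping:
            self.mapping[inside] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        return self.mapping[inside]

    def outbound(self, pkt):
        """Inside-originated packet: bind, rewrite the source, hairpin if needed."""
        ext_port = self._bind(pkt.src)
        self.peers[ext_port].add(pkt.dst)
        translated = Packet((self.external_ip, ext_port), pkt.dst)
        if pkt.dst[0] == self.external_ip:  # aimed at a sibling's external binding
            return self.inbound(translated) if self.hairpin else None
        return translated

    def inbound(self, pkt):
        """Outside-originated (or hairpinned) packet: filter, then rewrite the destination."""
        ext_port = pkt.dst[1]
        if ext_port not in self.peers:
            return None  # no binding at all: every NAT drops this
        if not self.endpoint_independent and pkt.src not in self.peers[ext_port]:
            return None  # classic NAT: unsolicited outside source is dropped
        inside = next(i for i, p in self.mapping.items() if p == ext_port)
        return Packet(pkt.src, inside)


def classic_nat():
    return Nat(X, endpoint_independent=False, hairpin=False)


def cgn():
    return Nat(X, endpoint_independent=True, hairpin=True)


def scenario(nat):
    """Replay the slide's flows through `nat`; None means the packet was dropped."""
    out = {}
    # A and B register with the SIP server S: inside-originated, allowed by both
    out["A_to_S"] = nat.outbound(Packet((A, 1024), (S, 8080)))
    out["B_to_S"] = nat.outbound(Packet((B, 1024), (S, 8080)))
    # S answers A's binding X:9001: the peer A contacted, allowed by both
    out["S_to_A"] = nat.inbound(Packet((S, 8080), (X, 9001)))
    # An outside host A never contacted calls A's binding (constructed address)
    out["other_to_A"] = nat.inbound(Packet(("198.51.100.7", 5060), (X, 9001)))
    # B learned A's external binding from S and calls it: the hairpin case
    out["B_hairpin_to_A"] = nat.outbound(Packet((B, 1024), (X, 9001)))
    return out


if __name__ == "__main__":
    for name, factory in (("classic NAT", classic_nat), ("CGN", cgn)):
        print(name)
        for flow, result in scenario(factory()).items():
            print(f"  {flow:16} -> {result or 'dropped'}")
```

In the classic model the reply-direction check is what drops both the unsolicited caller and B's hairpinned call, so the two SIP peers can only talk through a relay; the CGN's endpoint-independent filtering and hairpin turnaround are what the slide means by transparent end-to-end connectivity. The cost is that any outside host can now reach a mapped port, which is why a CGN deployment pairs this with the per-subscriber session quotas and logging discussed on the following slides.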

Page 15:

Back to the story…

Page 16:

Typical NAT Use Cases

Diagram: IPv4 clients (consumer NAT / private IPv4 address) → service provider or enterprise IPv4 network (private / CGN-scoped IPv4 address) → CGN/CGNAT/LSN → IPv4 Internet (public IPv4 address). Deployment variants: Enterprise NAT44, Service Provider NAT444, Mobile Provider NAT44.

• Increase of the NAT "compression rate" here leads to:
  • Smaller number of TCP/UDP sessions
  • Logging issues
  • No scale in business
  • etc., etc.

Page 17:

Decreasing User Quota (= TCP/UDP sessions per user)

Year                                         2011    2012    2013    2014    2015    2016    2017
Smartphone users (Mil.)                      11.7    26.3    41.6    61.2    74.8    89.8    103.6
vs IPv4 addresses (17,580,480), IPs per user 1.50    0.66    0.42    0.28    0.23    0.19    0.16
Users per IP (allocating 1 IP per user)      1       2       3       4       5       6       7
User quota (= TCP/UDP sessions per user)     64000   32000   21300   16000   12800   10600   9100

Source: http://www.emarketer.com/Article/Smartphone-Penetration-Doubles-Indonesia/1010102

This may be a good case (using the whole IP address pool of the country at once).
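The two Indonesia tables can be reproduced with a few lines of arithmetic. The following is an added Python example, not from the slides or from A10: it takes the slide's 17,580,480 delegated IPv4 addresses and a budget of 64,000 usable ports per public address (the slide's first quota row) as given; truncating the IP-per-user ratio to two decimals and the quota down to the nearest hundred are assumptions that reproduce the slide's rounding. `ips_needed` goes one step beyond the slide and turns the question around: how many public addresses a provider needs to guarantee every subscriber a minimum session quota.

```python
import math

IPV4_ADDRESSES = 17_580_480   # delegated IPv4 addresses used on the slide
PORTS_PER_IP = 64_000         # usable TCP/UDP ports per public address (slide's first quota)
SMARTPHONE_USERS_MILLIONS = {  # eMarketer figures quoted on the slide
    2011: 11.7, 2012: 26.3, 2013: 41.6, 2014: 61.2,
    2015: 74.8, 2016: 89.8, 2017: 103.6,
}


def ips_per_user(users_millions, ips=IPV4_ADDRESSES):
    """Public IPv4 addresses per smartphone user, truncated to two decimals."""
    return math.floor(ips / (users_millions * 1_000_000) * 100) / 100


def user_quota(users_per_ip, ports=PORTS_PER_IP):
    """TCP/UDP sessions per subscriber when `users_per_ip` share one public address."""
    return ports // users_per_ip // 100 * 100   # floor to the nearest hundred


def compression_table(users=SMARTPHONE_USERS_MILLIONS):
    """Rows of (year, users in millions, IPs per user, users per IP, quota).

    The slide steps users-per-IP from 1 to 7 across the seven years; this
    reproduces that scenario rather than deriving it from the user counts.
    """
    rows = []
    for users_per_ip, (year, millions) in enumerate(sorted(users.items()), start=1):
        rows.append((year, millions, ips_per_user(millions),
                     users_per_ip, user_quota(users_per_ip)))
    return rows


def ips_needed(users, min_quota, ports=PORTS_PER_IP):
    """Public IPv4 addresses required so every subscriber keeps at least `min_quota` sessions."""
    users_per_ip = ports // min_quota
    if users_per_ip < 1:
        raise ValueError("min_quota exceeds the ports available on one address")
    return math.ceil(users / users_per_ip)


if __name__ == "__main__":
    print(f"{'year':>4} {'users(M)':>8} {'IPs/user':>8} {'users/IP':>8} {'quota':>6}")
    for year, millions, ratio, per_ip, quota in compression_table():
        print(f"{year:>4} {millions:>8} {ratio:>8.2f} {per_ip:>8} {quota:>6}")
    need = ips_needed(103_600_000, 16_000)
    print(f"\n2017 users with a 16,000-session floor need {need:,} addresses "
          f"({need / IPV4_ADDRESSES:.1f}x the pool of {IPV4_ADDRESSES:,})")
```

The last line of the output is the planning number the slide hints at: holding the 2014 quota of 16,000 sessions for the 2017 user base would take about 1.5 times the country's entire IPv4 pool, which is the argument for the IPv6 migration slides that follow.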

Page 18:

IPv4 preservation cannot last forever.

Page 19:

A10's IPv6 Migration Options

Diagram (columns Access / Destination / Migration, with CPE on the access side):
▪ 6rd – IPv6 over an IPv4 access network, reaching the IPv6 Internet
▪ DS-Lite – IPv4 over an IPv6 access network, reaching the IPv4 Internet
▪ Stateful NAT64/DNS64 – IPv6 access to the IPv4 Internet
▪ Stateless NAT46 – IPv4 access to the IPv6 Internet
▪ Lw-4o6 (unique service-provider feature) – IPv4 over an IPv6 access network, reaching the IPv4 Internet

A10 offers a one-box solution!

Page 20:

NAT64 & DNS64 – DNS Flow

The NAT64/DNS64 device owns the IPv6 prefix 2001:DB8:122:344::/96 and sits between the IPv6 (and IPv6+IPv4) clients and the IPv4 Internet, where www.example.com has the A record 192.2.0.33.

▪ IPv6 client sends an AAAA query for www.example.com to the DNS64
▪ DNS64 asks the DNS: AAAA www.example.com = Error (no native IPv6 address)
▪ DNS64 asks the DNS: A www.example.com = 192.2.0.33
▪ AAAA response, synthesized from the prefix: 2001:DB8:122:344::192.2.0.33
▪ A host with a native IPv6 address (IPv6.example.com, on the IPv6 Internet) is reached directly, without translation
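The DNS flow on this slide, as an added Python example (not the deck's or A10's code): `dns64_query` answers an AAAA query the way the DNS64 function does, returning native AAAA records when they exist and otherwise synthesizing them from the A record and the slide's prefix 2001:DB8:122:344::/96; `extract` is the NAT64 side of the same mapping, recovering the IPv4 destination from a synthesized address on the data path. The in-memory zone stands in for real DNS and is constructed; the AAAA value for IPv6.example.com is made up, since the slide gives none.

```python
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:122:344::/96")  # prefix owned by the NAT64/DNS64 device

# Constructed stand-in for the authoritative answers the slide depicts.
ZONE = {
    ("www.example.com", "A"): ["192.2.0.33"],            # A record from the slide
    ("www.example.com", "AAAA"): [],                     # "AAAA www.example.com = Error"
    ("ipv6.example.com", "AAAA"): ["2001:db8:feed::1"],  # constructed native IPv6 host
}


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6, prefix=NAT64_PREFIX):
    """NAT64 data path: the IPv4 destination embedded in `ipv6`, or None if it is native IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None  # native IPv6 destination: forwarded untranslated
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_query(name, zone=ZONE, prefix=NAT64_PREFIX):
    """Answer an AAAA query as DNS64 does: native AAAA if present, else synthesized from A."""
    key = name.lower().rstrip(".")
    native = zone.get((key, "AAAA"), [])
    if native:
        return [ipaddress.IPv6Address(a) for a in native]
    return [synthesize(a, prefix) for a in zone.get((key, "A"), [])]


if __name__ == "__main__":
    for host in ("www.example.com", "IPv6.example.com"):
        answers = dns64_query(host)
        print(f"AAAA {host} -> {[str(a) for a in answers]}")
        for a in answers:
            # what the NAT64 does with a packet the client then sends to that answer
            v4 = extract(a)
            print(f"  NAT64 translates to IPv4 {v4}" if v4 else "  native IPv6, forwarded untranslated")
```

Python prints the synthesized address in hexadecimal form, 2001:db8:122:344::c002:21, which is the same address the slide writes with a dotted-quad suffix as 2001:DB8:122:344::192.2.0.33. Note that a DNS64 resolver only synthesizes when the authoritative answer contains no AAAA records; a host that is already dual-stacked keeps its native answer and never touches the NAT64.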

Page 21:

A10 IPv6 Migration: Use Cases

Diagram (CGN | NAT64/DNS64): IPv4 clients and IPv6 clients, IPv4 and IPv6 cores, the IPv6 Internet, and the CGN and NAT64/DNS64 functions between them.

▪ NAT64/DNS64 – IPv6 clients to IPv4: enables IPv6-only clients to connect to IPv4 resources. New devices and new services start with IPv6 for future expansion.
▪ CGN – IPv4 clients to IPv4: preserves IPv4 resources. Maintains current devices and current services with IPv4.

Page 22:

A10 CGN Benefits for Service Provider & Enterprise

App Reliability
▪ Application Layer Gateways
▪ Support for diverse applications
▪ HA ensures sessions are maintained

Extend IPv4
▪ Protect IPv4 investments
▪ Preserve existing address allocation
▪ Save time and cost

IPv4 to IPv6 Transition
▪ Ensures smooth conversion
▪ Supports multiple bridging methods
▪ Simultaneous support for IPv4 and IPv6

Page 23:

Handling Massive Number of Attacks

Page 24:

DDoS Problems

▪ Q3 2010 – PayPal discloses cost of attack: £3.5M (~$5.8 million)
▪ Q4 2012 – Bank of the West: $900k stolen, DDoS used as a distraction
▪ Q1 2013 – Credit union regulators recommend DDoS protection to all members
▪ Q1 2013 – al Qassam Cyber Fighters: 10–40 Gbps attacks target 9 major banks
▪ Q4 2013 – 60 Gbps attacks regularly seen, 100 Gbps not uncommon
▪ Q4 2013 – 26% YoY attack increase (17% L7, 28% L3–4)
▪ Q4 2013 – PPS reaches 35 million
▪ Q4 2013 – 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
▪ Q1 2014 – CloudFlare: 400 Gbps NTP amplification attack

"High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises" – Source: Gartner

Page 25:

Common DDoS Attack Types

▪ Attack intention: make resources unavailable
  – Resource exhaustion: overwhelm equipment (application) capacity
  – Volumetric: flood network capacity
▪ Two attack vectors
  – Network attacks (L3–4): TCP, UDP, ICMP, more…
  – Application attacks (L7): HTTP, DNS, NTP, more…
▪ Emergence of multi-vector attacks (NEW!)
  – Multiple attack vectors per incident are on the rise

Page 26:

Thunder TPS for Top US Cloud Provider

▪ Benefits:
  – Reduced CAPEX and OPEX
  – Reduced data center footprint
  – Easily integrated into their custom detection system
▪ Details:
  – Replaced market leader appliances
  – 78 A10 devices in 26 data centers
  – $2.5M+ savings per site, 80%+ support savings

Sample comparison (chart, y-axis: rack units):
  Thunder TPS 6435: 155 Gbps, 200 MPPS, 1 U
  Market leader 40G solution: 160 Gbps, 160 MPPS, 24 U

Page 27:

Asymmetric Reactive Deployment

▪ Asymmetric reactive deployment
  – Classic deployment model
  – Scalable solution for DDoS mitigation
  – Suitable for service providers with:
    ▪ a DDoS scrubbing center service (MSSP)
    ▪ their own services to protect (content provider)
    ▪ a large-scale core network
▪ Profile
  – Traffic redirected to the TPS for scrubbing as needed
    ▪ Supports BGP for route injection
  – Valid traffic forwarded into the network for services
    ▪ Supports GRE & IP-in-IP tunneling

Diagram: core network, end customer or data center, services; a DDoS detection system receives telemetry and triggers traffic redirection to the TPS via aXAPI or manual action.

Page 28:

Asymmetric Proactive Deployment

▪ Asymmetric proactive deployment
  – For high-performance DDoS detection and mitigation
  – DDoS detection and mitigation in one box
  – Suitable for large enterprises and ISPs
    ▪ Protecting their own services
    ▪ Protecting end customers
    ▪ Large- to mid-scale core network
▪ Profile
  – Inbound traffic always routed toward the TPS
    ▪ Insight in peace-time and war-time
  – DDoS detection and mitigation at sub-second scale

Diagram: core network, services, end customer or data center, with inbound traffic passing through the TPS.

Page 29:

Symmetric Deployment

▪ Symmetric deployment
  – Inline DDoS detection and mitigation in one box
  – Inspect both inbound and outbound traffic
  – Suitable for enterprises
    ▪ Protecting their own services
▪ Profile
  – Fully aware of, and inspects, L3–L7 traffic in both the inbound and outbound directions
  – DDoS detection and mitigation at sub-second scale

Real-time detection (HTTP, DNS, TCP, UDP): flood thresholds, protocol anomalies, behavioral anomalies, resource starvation, L7 scripts, black lists

Diagram: services behind the inline TPS; a collection device feeds telemetry to the DDoS detection system, which performs real-time threshold tuning.
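As an added example tying the three deployment slides together (it is not A10's detection system, aXAPI or TPS code): a small Python flood detector run over constructed flow telemetry. It computes each destination's packet rate over a 500 ms sliding window, flags a flood when that rate exceeds either a static floor or a multiple of a learned peace-time baseline (the detection system's real-time threshold tuning), emits the redirect decision that the reactive model hands to route injection, and emits a release once the flood clears. The threshold values, the telemetry records and the service address 192.0.2.10 are assumptions.

```python
from collections import defaultdict, deque

WINDOW_MS = 500        # sliding window per rate computation: sub-second, like the slide
STATIC_PPS = 50_000    # absolute packets-per-second flood threshold (assumed)
SPIKE_FACTOR = 4.0     # also flag when the rate exceeds 4x the learned baseline (assumed)
ALPHA = 0.2            # EWMA weight for baseline learning (the "real-time threshold tuning")


class FloodDetector:
    """Per-destination packet-rate detector producing redirect/release decisions."""

    def __init__(self):
        self.samples = defaultdict(deque)  # dst -> deque of (ts_ms, packets) inside the window
        self.baseline = {}                 # dst -> EWMA of peace-time packets per second
        self.under_attack = set()

    def _rate(self, dst, now_ms):
        q = self.samples[dst]
        while q and now_ms - q[0][0] >= WINDOW_MS:
            q.popleft()  # drop samples that fell out of the window
        return sum(p for _, p in q) * 1000 // WINDOW_MS

    def observe(self, ts_ms, dst, packets):
        """Feed one telemetry record; return ("redirect"|"release", dst, pps) or None."""
        self.samples[dst].append((ts_ms, packets))
        pps = self._rate(dst, ts_ms)
        base = self.baseline.get(dst, pps)
        threshold = max(STATIC_PPS, base * SPIKE_FACTOR)
        if pps > threshold:
            if dst in self.under_attack:
                return None
            self.under_attack.add(dst)
            # what the slide's detection system hands to the redirect step
            # (BGP route injection toward the scrubbing TPS, via API or manually)
            return ("redirect", dst, pps)
        # learn the baseline only from traffic that was not flagged
        self.baseline[dst] = base * (1 - ALPHA) + pps * ALPHA
        if dst in self.under_attack:
            self.under_attack.discard(dst)
            return ("release", dst, pps)  # withdraw the redirect; traffic returns to the normal path
        return None


# Constructed telemetry: (timestamp in ms, destination, packets seen in the last 100 ms)
SERVICE = "192.0.2.10"
TELEMETRY = (
    [(t, SERVICE, 200) for t in range(0, 3000, 100)]          # peace time, ~2,000 pps
    + [(t, SERVICE, 20_000) for t in range(3000, 4000, 100)]  # one second of flood, ~200,000 pps
    + [(t, SERVICE, 200) for t in range(4000, 5500, 100)]     # flood stops
)


def run(records=TELEMETRY):
    """Replay telemetry; return the mitigation actions as (ts_ms, action, dst, pps) in order."""
    det = FloodDetector()
    actions = []
    for ts_ms, dst, packets in records:
        action = det.observe(ts_ms, dst, packets)
        if action:
            actions.append((ts_ms,) + action)
    return actions


if __name__ == "__main__":
    for ts_ms, action, dst, pps in run():
        print(f"t={ts_ms / 1000:.1f}s {action:8} {dst} at {pps:,} pps")
```

The static floor keeps small services from tripping on ordinary noise, while the baseline multiple catches floods against services whose normal rate is already above the floor; in the replay the flood is caught on the second 100 ms sample and released 300 ms after it ends, once the window has drained. A production detector would add a hold-down timer before release so that a pulsing attack does not make the redirect flap, and would key thresholds per protocol (the HTTP, DNS, TCP and UDP categories on the slide) rather than per destination only.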

Page 30:

Thunder Threat Protection System (TPS)
Next Generation DDoS Protection

Multi-vector Application & Network Protection
▪ Detect & mitigate application & network attacks
▪ Flexible scripting & DPI for rapid response

High Performance Mitigation
▪ Mitigate 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit

Broad Deployment Options & 3rd Party Integration
▪ Symmetric, asymmetric, out-of-band
▪ Open SDK/RESTful API for 3rd party integration

Page 31:

Summary

ACOS Platform: CGN (Carrier Grade Networking), ADC (Application Delivery Controller), TPS (Threat Protection System)
▪ CGN – Handling a massive number of subscribers
▪ TPS – Handling a massive number of attacks
▪ For an expanding market, and expanding networks

Page 32:

Thank you! (speaker's e-mail address was obfuscated in the export)