akamai korea - tech day (2015/03/11) dns
TRANSCRIPT
Akamai Tech Day - DNS 손연호, Solutions Architect
©2015 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Internet
A Critical Service for Web Infrastructure
[Diagram: Users (customers or employees) ↔ Internet ↔ Application (web or productivity); DNS connects users with applications]
Common DNS Challenges
Availability
• Many organizations rely on just two or three DNS servers
• Any DNS outage will result in site downtime
Performance
• The closest DNS server may be physically far away
• High latency leads to longer page load times
Security
• DNS infrastructure is exposed to the Internet
• Popular DDoS attack vector
• Forgery or manipulation of DNS data
Every Page Load Begins with DNS
Page-load waterfall for www.akamai.com:
DNS lookup: 70 ms
Initial connection: 60 ms
Time to first byte: 60 ms
Content download: 140 ms
Web Page Test
http://www.webpagetest.org/
DNS Prefetch
https://developers.google.com/speed/pagespeed/service/PreResolveDns
Response Times Over Time
Case Study: DDoS Attack against Media Company
[Chart: attack traffic by day (W Th F S S M T W Th F S S), y-axis 0–120]
• Q2 14 attack targeted a politically-active newspaper in APJ
• Phase 1: Bandwidth 88 Gbps, Requests 56 Mpps, Duration 18 hours
• Phase 2: Bandwidth 93 Gbps, Packets 53 Mpps, Duration 30 hours
• Phase 3: Bandwidth 111 Gbps, Packets 53 Mpps, Duration 3 hours
DNS Hijacking
https://community.akamai.com/community/cloud-security/blog/2014/12/01/x-post-fresh-wave-of-dns-record-hijacking-attacks-reported
DNSSEC
http://krnic.or.kr/jsp/resources/dns/dnssecInfo/dnssecInfo.jsp
http://datatracker.ietf.org/wg/dnsext/documents/
Protecting against DDoS
• Over-provision DNS servers
• Build in high availability
• Set rate limit by source IP address
• Set rate limit by destination IP address
• Close your ‘open’ DNS recursive server
• Use cloud-based anycast servers
FastDNS - Guaranteed Availability
[Chart: % availability, 0–100 scale]
• DNS infrastructure architected with massive scale and IP Anycast technology
• Name servers distributed across multiple networks and geographies for additional redundancy
• 100% uptime service level agreement (SLA)
FastDNS - Improving User Experience with Zone Apex Mapping
[Chart: DNS response time (ms), 0–220 scale, comparing Akamai, Vendor 1 and Vendor 2]
• Incorporates Akamai mapping data into name resolution
• Resolves DNS requests directly to the optimal edge server
• Dramatic improvement to overall user experience
FastDNS - Improved Protection from DDoS Attacks
Transfer
• Migrate DNS resolution to a cloud-based service
• Transfer DDoS risk and responsibility to Akamai
Absorb
• Normal traffic less than 1 percent of total capacity
• No additional fees for DDoS-related traffic
Block
• Restrict responses to known good DNS servers
• Rate limit DNS traffic from malicious IP addresses
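The "rate limit by source IP address" control from the Protecting against DDoS slide and the "rate limit DNS traffic from malicious IP addresses" step above can be evaluated offline against a query log before a limit is enforced on the server. The following is an added example, not Akamai's or FastDNS's own code: a sliding-window counter over constructed BIND 9-style querylog lines that reports which source addresses exceed a per-window query budget; the log format, threshold, window and addresses are assumptions.

```python
"""Per-source DNS query rate check over BIND 9-style querylog lines.

Hypothetical example (not Akamai/FastDNS code): a sliding-window count per
source IP, the offline equivalent of a "rate limit by source IP" rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape, e.g.
# 11-Mar-2015 10:00:00.123 client 192.0.2.10#5353 (example.com): query: example.com IN A + (203.0.113.5)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): query: "
)


def parse_line(line):
    """Return (timestamp, source_ip, qname), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname")


def sources_over_limit(lines, max_queries, window_seconds):
    """Map source IP -> peak query count seen in any window_seconds span,
    for sources whose peak exceeds max_queries. Lines are sorted by time first."""
    entries = sorted(e for e in map(parse_line, lines) if e is not None)
    windows = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for ts, src, _qname in entries:
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:  # expire old entries
            q.popleft()
        if len(q) > max_queries:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


# Constructed sample: 198.51.100.7 sends 12 ANY queries in 3 seconds,
# 192.0.2.10 sends two ordinary queries, plus one unparseable line.
SAMPLE_LOG = [
    f"11-Mar-2015 10:00:0{i // 4}.000 client 198.51.100.7#4000 (example.com): "
    f"query: example.com IN ANY + (203.0.113.5)" for i in range(12)
] + [
    "11-Mar-2015 10:00:00.500 client 192.0.2.10#5353 (www.example.com): "
    "query: www.example.com IN A + (203.0.113.5)",
    "11-Mar-2015 10:00:04.000 client 192.0.2.10#5353 (www.example.com): "
    "query: www.example.com IN AAAA + (203.0.113.5)",
    "not a querylog line",
]

if __name__ == "__main__":
    print(sources_over_limit(SAMPLE_LOG, max_queries=10, window_seconds=5))
```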
FastDNS - DNSSEC with Secure Option (add-on module)
Protects against DNS forgery and manipulation; reduces overhead required to maintain DNSSEC compliance
• Serve: customer provides ZSK and KSK and is responsible for key rotation
• Sign and Serve: Akamai provides ZSK and KSK and leverages Akamai KMI for key rotation
[Diagram label: End user]