The CoDeeN Content Distribution Network Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang,...

The CoDeeN Content Distribution Network

Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry PetersonPrinceton UniversityAugust 12, 2003

Aug 12, 2003 CoDeeN Overview - IRIS/PlanetLab 2

Content Distribution Networks

Replicates Web content broadlyRedirects clients to “best” copy

Load, locality, proximityOffloads work from origin serversMultiplexes load spikes

Reduces overprovisioningEx: Akamai, Mirror Image, Speedera


What Does It Do?An Academic Content Distribution Network

Redirects/caches HTTP requestsBased on our OSDI 2002 paper on CDN performance

An Open Proxy NetworkProbably the largest in existence


Who Is The Target Audience?Now

Users wanting better performancePeople seeking “anonymity”

NextContent providers seeking load sharing

LaterGeneral support for absorbing flash crowdsAvoid the “Slashdot Effect”


How Does It Work?Server surrogates (proxies) on most North American sites

Originally everywhere, but we cut backClients specify proxy to use

Cache hits served locallyCache misses forwarded to CoDeeN nodes• Maybe forwarded to origin servers


Request Forwarding


When Will It Be Ready?January – development started

Reliability & stability major concernsMarch – stable enough for daily useApril – security problems begin

Shut down for one monthJune – Restarted “beta”Expecting “production” soon


Decisions – Good & BadUse commercial proxy with API [USITS 2003]

Good – mostly layer 7 concernsBad – limits deployment size (donated licenses)

Deployment on PlanetLabGood – otherwise impossible“Bad” – vulnerable to other experiments

Allow open accessGood – generates real trafficBad – some traffic just plain mean


Lots of Malicious TrafficSpammers

SMTP tunnels, POST forms, IRC channelsBandwidth hogs

Google crawls, steganographers, X-PacificHackers & Spreaders

Yahoo dictionary attacks, IIS vuln testsContent thieves

E-journals/databases, local content

Restrict ports & HTTP methods

Multi-scale req & bw accounting

Signature database & Robot test

Determine location & privilege


Protecting Privilege


Attempted SMTP Tunnels/Day


By The Numbers…Restarted in late May

In continuous operationStats from first 8 weeks

Over 59,000 unique IPs as clientsOver 24 million requests servicedValid rates up to 15K reqs/hourRoughly 1 million reqs/day aggregate


More Production InfoAbout 2000 lines of code

About ¼ is actual decision logicUptimes limited by upgrades

Generally 1-2 times/weekDowntimes of 20 seconds/node

Currently on ~40 nodes


Daily Requests (Serviced)


Welcome


Avoiding

sorted by # avoiding


Load

sorted by # load average


Total

sorted by # total req rate


Users

sorted by # users


The Troubles We’ve CausedRoutinely trigger open proxy alerts

Educating sysadmins, othersResource checks generate noise

Got onto planetlab-supportReally good honeypots

6000 SMTP flows/minute at CMUSpammers do ~1M HTTP ops/day


What We’ve LearnedParallel ssh is a must

General commands/queriesBasis for parallel scpUsed to detect out-of-date files

Monitoring is a mustToo hard to see anomalies in 40+ nodesAlmost looks like a demo

Be careful accepting outside requests


What We Still NeedBetter layer 4 tools

Hard to tell why things dieBuilding complete heartbeats isn’t fun

Better isolation on most resourcesCPU/OS: Java, VServers, ???Others: FD exhaustion, disk space


What We Wouldn’t Mind…Customizable DNS mapping

Map project.planet-lab.org to some nodeProjects could provide feedback• Node availability, utility, etc

Most IP geolocation seems locked up

24CoDeeN Overview - IRIS/PlanetLabAug 12, 2003

More Infohttp://codeen.cs.princeton.edu

http://codeen.cs.princeton.edu/

The CoDeeN Content Distribution Network Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang,...

Documents

Transcript of The CoDeeN Content Distribution Network Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang,...