May 20, 2010

Server Load Balancer Performance in the Face of Malicious Traffic

by Phil Trainor

Last week my colleague Chuck started a discussion around the impact of malformed traffic on network device performance. I thought of this post the other day when I actually had a bit of time on my hands to sit down and have a sandwich at lunch and, of course, jump online. After I had iwconfig'd ath0 with my SSID and WPA2 Key, associated with my access point, and sent my DHCP request to the broadcast address of my Linksys router, I bothered Comcast's DNS server with a CNAME query to get a handful of viable IP Addresses that are, for all intents and purposes, mirrors of Yahoo.

Seamlessly to me, I sent my first TCP SYN packet in the direction of one of the IP Addresses supplied to me by Comcast. The packet hits my router, and then te-7-4-ur02.sfgeary.ca.sfba.comcast.net, and then te-0-3-0-5-ar01.oakland.ca.sfba.comcast.net, (no more "and then's" I promise). Finally, after about six more hops, my packet lands at ir1.fp.vip.sk1.yahoo.com.

The important piece to look at in the final destination is the part of the domain that references VIP. This is not a reference to how much Yahoo values my network traffic; this domain is most likely the Virtual IP Address of a server load balancer. Sitting behind a firewall, the server load balancer will distribute connections over a large number of web servers that are ready to host my search requests. What did you think–Yahoo uses a single Hewlett Packard Superdome or a Cray Machine? But it also poses many questions about server load balancers and performance. So many questions that it would take up an entire category on Jeopardy.

"Server load balancers for $500, Alex":

  • How fast can a client make a socket connection to the VIP?
  • How fast can the server load balancer choose an internal web server and make a socket connection with it?
  • What is the transaction rate and response time of the application layer data between the web server, the server load balancer and the client?
  • What is the maximum number of clients that can be maintained?
  • How many new clients can join every second?
  • How well can the server load balancer perform its duties when under attack!?!?!

Let's just say even the great Mr. Trebek would need a BreakingPoint Storm CTM™ to fully answer that question.

Luckily, I had spent several hours the previous week benchmarking these metrics on different server load balancers at Yahoo and answering the questions above. The ability to provide those answers relates directly to my confidence that I could spend the entire twenty minutes of my lunch viewing content and not waiting for the results of my search.

To answer these questions at Yahoo, we ran a multitude of measurements targeting real server farms on the other end of the server load balancer, as well as servers hosted by the BreakingPoint Storm CTM. Also, throughout the day, we ran Stack Scrambler, our TCP fuzzer, and our security attacking component through Yahoo's staging network because, unfortunately, all of the network traffic destined for Yahoo will not be clean and well-formatted requests. A lot of the time the traffic will be intentionally malicious.

But back to my lunch break. Through the concert of routers, firewalls, server load balancers, and web servers talking to databases, I can put on my headphones and watch the streaming flash video that I had been anticipating: highlights from the latest Red Sox game.


For more information on how to measure the performance of a server load balancer, download our step-by-step guide, The BreakingPoint Server Load Balancer Resiliency Methodology.
