Check out the new USENIX Web site. next up previous
Next: Evaluation Up: Continuous Monitoring Previous: CDNs and Data Centers

IP Address Changes


By monitoring over a period of 30 days, we can see how often name-to-IP mappings really change. While past history is no guarantee, if a mapping has been the same for an extended period of time, users may have more confidence in it. Conversely, a previous stable mapping that suddenly changes may be cause for concern - it may be as simple as a server being replaced or migrated, or it may be that an attacker trying to divert traffic.

Figure 4: CoDNS
\psfig {file=graphs/policyCoDNS.eps,width=2in,height=1.4in}
Figure 5: 3 sites from 10 peers
\psfig {file=graphs/policy3peer10max.eps,width=2in,height=1.4in}
Figure 6: 7 sites from 30 peers
\psfig {file=graphs/policy7peer30max.eps,width=2in,height=1.4in}

We calculate the rate of change of name-to-IP mappings during our test period by counting the number of times the returned IP differs from the previous day's value on each site. The change counts are shown in Figure 3(a). For each site, we group names by the number of changes observed, and represent these counts as a stacked bar. For example, node 0 sees no changes for 85% of names, one change for 7% of names, 2-3 changes for 3% of names, 4-14 changes for 3% of names, and 15 or more changes for the final 2% of names. At every site, more than 85% of names did not change at all in 30 days. The remaining bars group the number of changes and show that while some names change on virtually every lookup, others change much more slowly. We see that most names are stable for a month at a time, and more than half of the names that change are stable for two weeks. On average, only 2% of these names change IP addresses more than once per week.

Figure 3(b) examines names with a small number of regions, and indicates that even here, a large number of names have long periods of stability - decisions to send clients to nearby data centers are likely to be stable over time. Figure 3(c) shows the same statistics for those names that map to more than 10 regions, including most of the Akamai-served domains, some domains served by LimeLight Networks (another CDN), and others. The increase in the count of zero changes beginning near node 100 is largely a function of the size and deployment of Akamai clusters - these do not appear to use hardware load balancers, so the larger the cluster, the more IP addresses get exposed and rotated, causing high rates of IP address changes. In contrast, Google clusters, despite having thousands of nodes, advertise only a small number of IP addresses as entry points.



next up previous
Next: Evaluation Up: Continuous Monitoring Previous: CDNs and Data Centers
L. Poole
2006-09-08