Several months ago, we announced our network expansion with a new Point of Presence (PoP) in Dubai. This gives us 15 total PoPs in our application security, bot management, and DDoS mitigation network with over 15Tb of network ingest capacity. This is in addition to the 47 total DNS PoPs we operate across UltraDNS and UltraDNS2.
We get a lot of requests from customers and partners to deploy a PoP in a huge number of different locations. The conversation is typically around deploying a PoP—with all its capacity and DDoS mitigation capabilities—immediately adjacent to (or even inside) their hosting datacenter in order to reduce the amount of latency going to their application and to address perceived data sovereignty requirements. While it would be impractical and cost prohibitive to deploy everywhere, we do have an in-depth process that helps us to determine how and where we deploy a new PoP. I’ll take you through some of that logic.
Distribution for Performance: Web performance is very critical to user adoption, conversion rate, and streaming video quality. We deploy PoPs to be close to where our customers’ users are situated in order to reduce last-mile latency; near datacenters to reduce latency when we return their clean traffic to them; in locations near Internet Exchanges where we can access multiple network providers simultaneously; and where attackers are so that we can isolate attack traffic inside of a region. That of course means that, like one of my favorite XKCD cartoons, our list of possible deployment sites looks very similar to a heatmap of global population density.
Attack Volume and Frequency: The size (in bits, packets, and request per second) of DDoS attacks is a function of the average bandwidth speed for endpoints on the Internet. As that speed increases, the size of DDoS attacks also increases. Our platform-wide goal is to be able to have enough bandwidth to support multiple large DDoS attacks simultaneously. We take the largest DDoS attack seen to date and multiply it by a factor of 4 to anticipate future attack volumes and what size our global capacity needs to be.
Always-On DDoS Mitigation: One of the more recent trends in DDoS was the advent of carpet-bombing attacks. These attacks move rapidly through targets—IP addresses, network blocks, public services—in order to evade analysis and to avoid mitigation by cycling through attacks faster than the target can enable mitigation. The best practice for customers that receive frequent attacks is to use UltraDDoS Protect in an always-on mode. For us as a provider, we need to add this always-on traffic into our calculation for global capacity.
Addressable Market: One of the advantages of being close to a PoP is that the latency from the PoP to your datacenter is minimized. As a service provider, this means that we look for PoP locations where either our current customers have datacenters or where there are many potential new customers that we can address after the PoP goes live.
Network Bandwidth Availability and Price: One of the biggest costs of mitigating DDoS traffic is the price of bandwidth. This is why our customers use us for mitigation: we have capacity that scales up for them when they are under attack. That way, they don’t have to buy the full amount of bandwidth and only use a tiny fraction of it during normal operation. However, this does mean that in order to support a PoP, we need a large amount of bandwidth split across multiple tier-one providers. In some countries, there isn’t the quantity of bandwidth available or it is cost-prohibitive, whereas in an adjacent country, it might be more apropos for our needs.
Data Sovereignty: Some countries/territories push policies requiring certain companies to keep all legitimate internet traffic sourced from that country/territory to stay within that country/territory. This is a major driver behind the desire for additional PoPs in certain places. This doesn’t take into account the fact that internet routing itself with all its BGP interconnections worldwide does not guarantee that all traffic within a country/territory would actually stay there. Internet traffic constantly adjusts to the best available paths between locations even if that path takes the traffic out of the immediate area. With this in mind, we’ve opted to deploy an adequate distribution of PoPs that assures that there is capacity available nearby where our customers operate, but with ample capacity per location, to actually handle the DDoS attacks we protect against. We chose not to have a larger number of smaller PoPs around the world because we’ve seen that this makes mitigation response coordination much more challenging and creates network bottlenecks that can be overwhelmed by DDoS and lead to a cascade failure.
Data Confidentiality: We support two traffic models that use TLS decryption inside of our PoP: DDoS mitigation proxy with DNS diversion and Web Application Firewall (WAF). The decryption takes place inside the proxies within our PoPs where analysis is performed and traffic is re-encrypted before being sent onto its destination. Some customers have limits on how and where TLS decryption may take place: typically inside of specific countries or jurisdictions. In these situations, we have the capability to use our backbone network to forward clean (after DDoS mitigation) network traffic to our proxies inside PoPs inside the countries where the customer allows TLS decryption. And for our BGP-routed solution, there is no TLS decryption.
And that brings us back to our Dubai PoP and what our plans are for future deployment. We plan to take the Dubai PoP operational in October to support our customers that have users and datacenters in the region. We will certainly keep adding to our global footprint as far as new PoPs and total bandwidth and we will announce improvements as we make them. In the meantime, if you have questions involving our Dubai PoP, our global capacity, or how we can help you keep your infrastructure, services, and applications secure, please contact us.
