Advanced applications of Network-side Scripting

In this series of articles, I’ve discussed what network-side scripting is, and I’ve described how it can be deployed on three leading traffic management systems to solve two simple problems[1][2]. This final article will cover some advanced applications of network-side scripting. To learn more, read more of the articles on the Zeus Knowledgehub, and download either the Zeus Desktop Edition or a Zeus Developer License.

Review: Why Network-Side Scripting?

The network is one of the many internal interfaces in a typical web-based application. You can control the entire application, both server-side and client-side, if you can inspect and manipulate the traffic on the network. For certain types of problems, the network is an ideal interface to inject a little code to control and modify how the application behaves.

Client-side, Network-side and Server-side scripting (programming)

Network-side scripting is implemented by advanced Traffic Management devices such as Zeus Traffic Manager. These are typically software proxies for application traffic, although some vendors only provide the technology through proprietary hardware appliances.

"Network Side Scripting" is a little bit of a misnomer for this technique. Traffic Managers that perform this are not typical network appliances, and the technique can do a lot more than just change how network traffic is presented to the application.

Content Modification

A web application may generate content in many different ways – static content, content served up through a CMS, and content generated dynamically. Changing all of the content in the application is a lengthy process that requires careful auditing to ensure that no content is left out.

The solution

Use your traffic manager to inspect and modify all outgoing content. Any HTML content can be rewritten to make the desired change (and see below for examples of modifying non-HTML content).

  • Copyright 2006? inspects all outgoing content for the string "Copyright 2006" in the page footer and changes it to the correct date.

  • Adding meta-tags to a website describes how to automatically add SEO-friendly meta tags to a document, based on parameters such as the URL and the title.

  • If you want to quickly add support for one of the hundreds of web analytics and user tracking services, Using Google Analytics on your web site describes how to insert web bugs, tracking images and javascript onto every page and keep it up-to-date without modifying any of your content.

  • If you want to create a mash-up, Embedding RSS data shows you how to retrieve an RSS feed, convert it to HTML (using an XSLT) and then insert it into the ‘latest news’ section of every page as it is delivered to your end users.

Rate Shaping

Server-side applications will degrade in performance as the number of transactions per second increases (the rate at which the transaction queue is serviced decreases with the queue size). The degradation may be very slight to begin with, but as the transaction rate increases, a catastrophe point is reached where the server is overwhelmed and the service time grows dramatically and without limit until transactions are timed out before being serviced. Transaction retries only add to the incoming transaction volume.

The Solution

Use your traffic manager to control and throttle the rate at which transactions are presented to the server. Explicitly handle transactions that exceed the acceptable rate by queuing, rerouting or discarding surplus transactions.

  • Zeus Spider Catcher applies individual rate shapes to each user, so that no user can submit too high a rate of requests. This is an effective technique against spiders and bots that send an unusually large number of requests and degrade performance for all users.

  • Dynamic Rate Shaping uses Service Level Monitoring to detect when performance is beginning to degrade, then applies a rate limit to reduce the amount of traffic to the application. Requests which exceed this rate are not sent to the server; a 503 Too Busy status message is returned instead.

  • Detecting and Managing Abusive Referrers discusses the problem of high-traffic referral sites such as Slashdot or Digg. It describes how to de-prioritize these users on your site (on the grounds that they are less likely to purchase or make a valuable transaction) so that other users are not penalized.
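The behaviour described for Dynamic Rate Shaping, as an added example rather than code from the original article or from Zeus: a Python model (not TrafficScript) that forwards everything while the back end is healthy and, once recent response times breach a service level, admits a limited rate and answers the surplus with 503. The class name, thresholds and response times are assumptions chosen for illustration.

```python
from collections import deque

class DynamicRateShaper:
    """Forward all requests while the back end is healthy; once recent response
    times breach the service level, admit at most `limit_per_sec` requests."""

    def __init__(self, slow_ms=500.0, limit_per_sec=2, samples=4):
        self.slow_ms = slow_ms                # assumed service-level threshold
        self.limit = limit_per_sec            # assumed rate applied while degraded
        self.recent = deque(maxlen=samples)   # last observed response times (ms)
        self.tokens = float(limit_per_sec)    # token bucket, used only while degraded
        self.last = None                      # time of the previous shaped request

    def observe(self, response_ms):
        """Feed in a measured back-end response time (the monitoring input)."""
        self.recent.append(response_ms)

    def degraded(self):
        full = len(self.recent) == self.recent.maxlen
        return full and sum(self.recent) / len(self.recent) > self.slow_ms

    def admit(self, now):
        """Return 'forward', or '503' when the proxy should answer Too Busy itself."""
        if not self.degraded():
            self.last, self.tokens = None, float(self.limit)  # reset the bucket
            return "forward"
        if self.last is not None:             # refill in proportion to elapsed time
            self.tokens = min(self.limit, self.tokens + (now - self.last) * self.limit)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "forward"
        return "503"

def demo():
    shaper = DynamicRateShaper()
    out = [shaper.admit(t) for t in (0.0, 0.1, 0.2)]   # healthy: no limit applied
    for ms in (400, 700, 900, 1100):                   # constructed samples, mean 775 ms
        shaper.observe(ms)
    out += [shaper.admit(t) for t in (1.0, 1.1, 1.2, 1.3, 2.3)]
    return out
```

Rejected requests never reach the server, so client retries during the degraded period cost the proxy a 503 each instead of adding to the server's queue.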

Fixing application problems

Every application has a bad day. The CMS goes on the blink and moves content. A Java class leaks memory and the app server repeatedly unloads it. Caches are less up-to-date than you might hope. The net result is unexpected error messages - 'Not Found', 'Too Busy'.

The solution

Catch the error messages before they are delivered to the customer and do something about it. Use your traffic manager to inspect HTTP responses and return a redirect to a ‘sorry page’, or retry the request against another server, or try a different request.

  • No more 404 Not Found grabs the ubiquitous 404 error message and tries to access the parent document instead. Rinse and repeat until it finds a document that works, or it hits the home page (and if that fails, you really do have problems!)

  • Hiding Application Errors intercepts server errors (such as 503 Too Busy) and retries the request against a few other servers in your cluster.

  • If all else fails, Sending Custom Error Pages shows you how to host content on the traffic manager itself, and Using Zeus Traffic Manager as a Webserver describes a Java Extension that converts your traffic manager into a standalone webserver – the ultimate, last-ditch fallback solution.

Security problems

There are a multitude of possible security problems that may affect your application, from DDoS attacks that overwhelm your servers to malformed input, injection or application-specific attacks that cause it to behave in an abnormal manner.

The solution

If you can stop the 'bad' traffic from getting to your servers, you have very quickly and demonstrably sidestepped the problem. Use the scripting capabilities of your traffic manager to identify and drop this traffic.

  • Secure against recent Bind exploits or IIS attacks by inspecting and dropping attempts to exploit the vulnerabilities.

  • Mitigating DDoS attacks with Zeus Traffic Manager contains a collection of techniques, from user agent filtering to managing iptables configuration, that you can use to manage and control the effect of many distributed denial of service (DDoS) attacks.

  • Authenticating users with Active Directory is one example of how to authenticate and apply access control to all traffic, before it ever reaches your backend infrastructure. For complex web applications, it can be much easier to perform authentication on the traffic management front end than on each of the different types of server or service at the back end.

  • Application components like email forms can be used to generate a denial of service attack. The "Contact Us" attack against mail servers article describes how rate shaping is a key protection against such attacks.

  • How to stop 'login abuse' shows you how to track the usage of usernames and passwords on your site, and ban a username if it is being used from too many different locations at the same time.

  • Dynamic Defence Against Network Attacks shows you how to ban a user from your services completely if they issue a particular request (for example, abusing the HTTP CONNECT method).
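The 'login abuse' check from the list above, as an added example that is not code from the original article or from Zeus: a Python model (not TrafficScript) that counts the distinct source addresses seen for each username inside a sliding window and bans the username once the count exceeds a limit. The class name, the limits and the sample events are assumptions; the addresses come from documentation ranges.

```python
from collections import defaultdict, deque

class LoginAbuseTracker:
    """Ban a username seen from too many distinct source addresses in a window."""

    def __init__(self, max_locations=3, window_seconds=300, ban_seconds=900):
        self.max_locations = max_locations    # assumed limit on concurrent locations
        self.window = window_seconds          # how long a sighting stays relevant
        self.ban_seconds = ban_seconds        # how long a triggered ban lasts
        self._seen = defaultdict(deque)       # username -> deque of (time, source_ip)
        self._banned_until = {}               # username -> time the ban expires

    def allow(self, username, source_ip, now):
        """Return True if the login attempt may be passed to the back end."""
        key = username.strip().lower()        # case variants share one record
        if self._banned_until.get(key, 0) > now:
            return False
        events = self._seen[key]
        events.append((now, source_ip))
        # Drop sightings that have aged out of the sliding window.
        while events and events[0][0] <= now - self.window:
            events.popleft()
        if len({ip for _, ip in events}) > self.max_locations:
            self._banned_until[key] = now + self.ban_seconds
            events.clear()                    # start from a clean slate after the ban
            return False
        return True

# Constructed sample: (seconds, username, source address).
SAMPLE = [
    (0, "alice", "192.0.2.10"),
    (5, "bob", "198.51.100.7"),
    (20, "alice", "192.0.2.10"),
    (30, "bob", "203.0.113.5"),
    (40, "bob", "192.0.2.77"),
    (50, "Bob", "198.51.100.99"),    # fourth distinct address in the window: ban
    (60, "bob", "198.51.100.7"),     # rejected, ban still active
    (1000, "bob", "198.51.100.7"),   # ban has expired
]

def replay(events, **limits):
    tracker = LoginAbuseTracker(**limits)
    return [tracker.allow(user, ip, t) for t, user, ip in events]
```

Users behind a shared proxy or NAT appear as a single address, and a mobile user can legitimately change address several times, so the limit and window need tuning against real login logs before a ban is enforced.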

Controlling the Traffic Manager

Traffic Managers provide a huge range of capabilities to manage traffic, but out-of-the-box, the capabilities may not fit your unique requirements. That’s why it is essential to be able to use languages like TrafficScript to tune the behavior of your traffic manager.

  • Cache your website - for just a second? shows how you can use the caching capabilities to improve the performance of your site, even if it contains so much dynamic content that you might think it uncacheable.

  • Selective bandwidth management describes how to apply bandwidth management techniques to minimize the effect of large file downloads, but let the remainder of traffic continue unimpeded.

  • Controlling session persistence shows you how to apply session persistence intelligently, letting the traffic manager load balance requests that don’t need to be persisted (such as images and other static content) to maximize the performance of your service.

  • Spoofing IP addresses when using web proxies takes IP Spoofing to the next level, showing you how to spoof any traffic from any IP address, for example, from the first address in the proxy chain’s X-Forwarded-For header.

Things you might never have thought possible?

Finally, powerful languages such as TrafficScript and Java Extensions allow you to solve problems and create solutions you might have thought impossible. Many of these examples are ‘just for fun’, but they illustrate the full potential of a powerful traffic management solution like Zeus Traffic Manager.

  • When considering what sort of output a traffic manager might generate, one of our engineers came up with a surprising possibility. Who would have thought that you could Generate a Mandelbrot Set using TrafficScript?

  • Content Security and Copy Prevention is critical to many industries, from paid-for analyst reports to images of people with not enough clothes on. Discourage redistribution by using your traffic manager to dynamically watermark images or pdf documents each and every time they are downloaded from your website, using information available in the request (time of day, IP address, authentication credentials).

  • Launching a website at 5am in a controlled and tested manner becomes possible when you get your traffic manager to perform the switchover for you.

  • Monitoring application performance and switching from a high-bandwidth to a lower-bandwidth version when traffic exceeds a limit can be done with ease, as illustrated by the article Using low-bandwidth content during extreme load.

  • Traffic Management isn’t just about HTTP traffic. POP3 Stress Relief shows you how to manage over-eager users who check their inboxes every 5 seconds, by spoofing 'no more messages' responses and only forwarding their requests to the real POP3 servers once every 5 minutes.

  • Virtual Hosting FTP services tells you how to manage FTP traffic, routing connections depending on the user who is logging in (an easy way to separate your anonymous traffic from your authenticated traffic).

  • Finally, suoısuǝʇxƎ ɐʌɐſ ɥʇıʍ uʍop ǝpısdn qǝʍ ǝɥʇ ƃuıuɹn⊥ – who would have thought that using a traffic manager to turn all the text on a website upside down was a good idea?

Owen Garrett [Zeus Dev Team] 07 October 2009