Conclusion

In this paper, we present our experience with a continuously running prototype CDN on PlanetLab. We describe our reliability mechanisms that assess node health and prevent failing nodes from disrupting the operation of the overall system. We also discuss our security mechanisms that protect nodes from being exploited and from being implicated in malicious activities. The intentional dual use of CoDeeN both as a CDN and as an open proxy network and the resource competition on PlanetLab nodes make it a very valuable testbed. We believe that future services, especially peer-to-peer systems, will require similar mechanisms as more services are deployed on non-dedicated distributed systems, and as their interaction with existing protocols and systems increases.

Our distributed monitoring facilities prove to be effective at detecting and thus avoiding failing or problematic nodes. The net benefit is robustness against component disruptions and improved response latency. Although some of the aspects of these facilities seem application-specific, they are not confined to CDN services. Other latency-sensitive services running in a non-dedicated distributed environment can potentially benefit from them, since they also need to do extra reliability checks. Our experiences also reveal that reliability-induced problems occur almost two orders of magnitude more frequently than node joins/leaves, which makes active monitoring necessary and important for other systems such as peer-to-peer.

Our security measures consist of classification, rate limiting, and privilege separation. They provide a model for other Web-accessible services. For example, some of the security mechanisms we are developing are suitable for ISPs to deploy on their own networks to detect misbehaving customers before problems arise. Other systems that allow open access to Web resources may face similar situations, and may be able to adopt similar mechanisms.

Our experiences with CoDeeN and the data we have obtained on availability can serve as a starting point for designers of future systems. We demonstrate that effective monitoring is critical for system proper operation, and security measures are important for preventing the system from being abused.