(Updated 16th December 2016)
For the past weeks, we have been carefully monitoring the artificial network congestion in Azerbaijan against a few selected media sites. Two of the websites that are suffering congestion are hosted by Akamai: Azadliq Radio and Voice of America.
Akamai’s proprietary load balancing system uses DNS to serve different IP addresses to each region. Unfortunately, this load balancing mechanism does not seem to carefully monitor congestion or packet loss introduced by the upstream providers.
During our research, we discovered that the blocking is “only taking place against the IP addresses that Akamai uses to serve traffic inside Azerbaijan”. By forcing the browser to reach any other address of the Akamai CDN network, it is possible to bypass the filtering.
How do you find the new IP address?
Use a service like https://www.whatsmydns.net to obtain one IP address of the Akamai network that serves the content of the blocked site.
For example, we can see that www.azadliq.org can be reached in the USA at the IP address 188.8.131.52.
How do you force the browser to reach another address of the Akamai CDN network to bypass the filtering?
Now you need to force your browser to use that IP to reach the site instead of the IP obtained from the DNS service. In Windows 7, this can be achieved by editing the file C:\Windows\System32\drivers\etc\hosts and adding a line for each of the sites that is currently blocked.
It is our understanding that the current load balancing algorithm implemented by Akamai could be improved by monitoring traffic congestion towards the sites it serves and trying to ensure that traffic is properly delivered without network interference.
Why does Akamai's load balancing algorithm fail to deliver quality of service in Azerbaijan?
The traffic congestion is implemented in the downstream direction of the communication. When a browser makes a request to the website, the requests get logged but the response is not properly delivered to the reader.
For a support person monitoring the websites inside Akamai, all might look normal by just looking at the “Web logs”. It just looks like fewer requests are arriving at the site.
The DNS service of Akamai resolves the hosted domains of the websites using a CNAME response. For example, a request to www.azadliq.org will return CNAME www.azadliq.org.edgesuite.net. What does this mean? The Akamai network can use the domain www.azadliq.org.edgesuite.net to provide different IP addresses for a given site, balancing the load, speeding up delivery, etc.
Unfortunately, in the presence of congestion, we do not see the Akamai DNS service trying to heal and provide new IP addresses to readers inside Azerbaijan.
Standard logs are not enough to detect traffic shaping or congestion; other, less common parameters need to be monitored, such as the duration of the sessions, packet retransmissions, or the number of duplicate ACK packets arriving at the server (forcing TCP fast retransmissions).
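The monitoring described above, as an added example (not code from the original post or from Akamai): it aggregates session duration, retransmissions and duplicate ACKs per client /24 and flags networks where all three stand far above the median network, even though the number of logged sessions looks normal. The session records, their field layout, the thresholds and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed sample data (documentation address ranges), one tuple per
# finished TCP session as a server-side exporter could record it:
# (client_ip, duration_s, segments_sent, retransmitted_segments, dup_acks_received)
SESSIONS = [
    ("198.51.100.10", 1.1, 420, 2, 3), ("198.51.100.77", 0.9, 380, 1, 2),
    ("198.51.100.140", 1.4, 510, 3, 4),
    ("203.0.113.5", 1.0, 400, 2, 2), ("203.0.113.90", 1.3, 450, 3, 5),
    ("203.0.113.201", 0.8, 300, 1, 1),
    ("192.0.2.14", 19.5, 410, 58, 96), ("192.0.2.60", 24.0, 390, 61, 110),
    ("192.0.2.199", 31.2, 440, 70, 131),
]

# Assumed minimum baselines so that a median of zero cannot flag everything.
FLOORS = {"avg_duration": 1.0, "retrans_rate": 0.01, "dupack_rate": 0.01}


def per_network(sessions, prefix_len=24):
    """Aggregate transport-level health per client network."""
    agg = defaultdict(lambda: [0, 0.0, 0, 0, 0])  # n, duration, segs, rtx, dup
    for ip, dur, seg, rtx, dup in sessions:
        net = str(ip_network(f"{ip}/{prefix_len}", strict=False))
        for i, value in enumerate((1, dur, seg, rtx, dup)):
            agg[net][i] += value
    return {
        net: {"sessions": n, "avg_duration": dur / n,
              "retrans_rate": rtx / seg, "dupack_rate": dup / seg}
        for net, (n, dur, seg, rtx, dup) in agg.items() if seg > 0
    }


def flag_congested(stats, factor=5.0, min_sessions=3):
    """Networks whose duration, retransmission and dup-ACK figures all
    exceed `factor` times the median network (or the floor, if higher)."""
    base = {m: max(median(s[m] for s in stats.values()), FLOORS[m])
            for m in FLOORS}
    return sorted(
        net for net, s in stats.items()
        if s["sessions"] >= min_sessions
        and all(s[m] > factor * base[m] for m in FLOORS)
    )


if __name__ == "__main__":
    for net in flag_congested(per_network(SESSIONS)):
        print("possible downstream congestion towards", net)
```

A median baseline only works while most client networks are healthy; if the majority of traffic is affected, compare against a stored historical baseline instead.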
Update 15th December 2016
Akamai DNS is finally resolving the sites to Akamai addresses outside Azerbaijan for users inside Delta Telecom. Congestion filters in Azerbaijan were placed towards the Akamai 62.212.253.x network inside Delta Telecom.