Learn about the most common network issues in China, as well as best practices for monitoring DNS, benchmarking performance and sanitizing content for the Great Firewall.
See the full webinar at https://www.thousandeyes.com/resources/network-performance-in-china-webinar
Monitoring Network Performance in China
2. About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises
• Recognized as an innovative new approach
• 31 Fortune 500
• 5 top 5 SaaS Companies
• 4 top 6 US Banks
3. A Different Internet in China
• High latency and packet loss are common
• 10 backbone access points (i.e., “choke points”)
• 2 dominant, government-controlled ISPs: China Unicom (North), China Telecom (South)
  – Underdeveloped and congested
  – Few peering points in between
• Highly sophisticated censorship system
  – Great Firewall
  – Great Cannon
4. The Great Firewall
• IP blocking
  – Routers drop all packets going to blacklisted IP addresses
  – Lightweight
• DNS tampering
  – Cache poisoning
  – Keyword-based hijacking
5. The Great Firewall
• Deep packet inspection and keyword filtering
  – Resource-intensive
Read more: https://blog.thousandeyes.com/deconstructing-great-firewall-china/
6. Baseline Network Performance
• Set up Network tests to benchmark performance metrics like latency and packet loss
• Expect:
  – Higher latency and loss
    • Especially for traffic crossing into or out of China
  – Changing conditions due to censorship and diurnal patterns
Read more: https://blog.thousandeyes.com/benchmarking-network-performance-china/
8. Use Hong Kong for Comparison
Compare HK with geographically close locations in China: Foshan, Zhuhai, Guangzhou
Performance differences can then be attributed to crossing the Great Firewall
9. DNS Issues
• DNS packets often go missing
  – Frequently congested, unreliable networks
  – DNS poisoning and hijacking
• Cloud Agents in China use local ISP caches
• Use DNS Server and Trace tests and alerts to check if records:
  – Are always available
  – Have the correct mappings
  – Are served up quickly
Read more: https://blog.thousandeyes.com/monitoring-application-delivery-china/
10. DNS Server Test: NYTimes.com A record
DNS lookup of “dns-plx.ewr1.nytimes.com” returns incorrect mappings to blocked IPs of services including Facebook, Dropbox
Tests to these blocked IPs are then blocked in China Telecom and China Unicom
11. Evidence of DNS Tampering
DNS lookup of “ns1.p24.dynect.net” returns correct mapping, suggesting DNS tampering on NYTimes nameserver’s A record
Test traffic from China makes it through to the Dyn nameserver
12. Evidence of DNS Cache Poisoning
Lookup of NYTimes.com A record returns incorrect mappings to blocked IPs
Impossibly low resolution times suggest DNS cache poisoning
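The three DNS checks from slide 9 (available, correctly mapped, served quickly) plus the "impossibly low resolution time" signal from slide 12, as an added example that is not part of the original deck or of ThousandEyes' product. The result schema, the `check` and `report` names, the thresholds and all sample values are assumptions; addresses come from documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Assumption: the record owner knows which ranges its A records may map to.
# All names and addresses below are constructed (documentation ranges).
EXPECTED = {"www.example.com": [ip_network("192.0.2.0/24")]}

def check(result, expected=EXPECTED, slow_ms=500):
    """Return findings for one DNS Server test result (hypothetical schema).

    answers    - A records returned to the agent
    resolve_ms - time the lookup took
    rtt_ms     - network round trip from the agent to the queried
                 nameserver, measured separately (e.g. by a Network test)
    """
    if not result["answers"]:
        return ["unavailable"]
    findings = []
    allowed = expected[result["record"]]
    bad = [a for a in result["answers"]
           if not any(ip_address(a) in net for net in allowed)]
    if bad:
        findings.append("wrong-mapping:" + ",".join(bad))
    # An answer that arrives faster than a round trip to the server that was
    # asked cannot have come from that server; something closer replied.
    if result["resolve_ms"] < result["rtt_ms"]:
        findings.append("impossibly-fast")
    elif result["resolve_ms"] > slow_ms:
        findings.append("slow")
    return findings

SAMPLES = [  # constructed measurements, one per agent
    {"agent": "Hong Kong", "record": "www.example.com",
     "answers": ["192.0.2.10"], "resolve_ms": 180, "rtt_ms": 160},
    {"agent": "Guangzhou", "record": "www.example.com",
     "answers": ["203.0.113.7"], "resolve_ms": 4, "rtt_ms": 190},
    {"agent": "Foshan", "record": "www.example.com",
     "answers": [], "resolve_ms": 0, "rtt_ms": 185},
    {"agent": "Zhuhai", "record": "www.example.com",
     "answers": ["192.0.2.10"], "resolve_ms": 900, "rtt_ms": 200},
]

def report(samples=SAMPLES):
    return {s["agent"]: check(s) for s in samples}

if __name__ == "__main__":
    for agent, findings in report().items():
        print(f"{agent:10} {findings or ['ok']}")
```

The timing check only holds when `rtt_ms` is measured to the same server the lookup was sent to; a lookup served from a nearby cache is legitimately fast.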
13. Blocked Page Components
• Page objects with blocked keywords or domains may fail to load and slow down page load times
• Watch out for:
  – Google: fonts, APIs, ads, Google Analytics
  – Facebook
  – Adobe Typekit
  – Marketo
• Use the waterfall in Page Load and Transaction tests to monitor for objects that fail to load
Read more: https://blog.thousandeyes.com/monitoring-application-delivery-china/
14. Page Load Test: Starbucks US from China
Objects from blocked sites Facebook and Google have long wait times and fail to load
16. Alerting
• Scope alerts to China agents and recalibrate thresholds
• Consider ISP-specific Path Trace alerts
Read more: https://blog.thousandeyes.com/monitoring-application-delivery-china/
17. Best Practices for Monitoring in China
• Adjust your expectations and alerts based on Network test data
• Use Reports to analyze data by country
• Also benchmark:
  – CDN providers
  – Data center/colocation providers
• Continuously monitor important services in China’s volatile environment
• Understand the difficulties unique to the Chinese Internet and adjust your monitoring strategy accordingly
  – 2 ISPs with few peering points
  – Underdeveloped and congested
  – Only 10 access points
  – Stringent censorship
  – DNS poisoning and hijacking
  – Blocked page objects
18. See what you’re missing.
Watch the webinar: https://www.thousandeyes.com/resources/network-performance-in-china-webinar