One of Akamai’s most important customers more than tripled Akamai EdgeWorkers traffic practically overnight when they launched common access tokens (CATs), sending traffic numbers from 1 trillion to more than 3 trillion invocations.
How did we get there?
Background: The scale of streaming piracy
Akamai has been working with a streaming video customer for years to address media piracy, which costs the industry between US$29 and US$75 billion per year (Figure 1).
Fig. 1: Estimates of lost revenue/economic impact attributed to piracy, not directly measured or audited revenue losses (e.g., legal purchases displaced, advertising revenue diverted to piracy sites, etc.)
Research suggests that unauthorized video streams account for more than 80% of online piracy today, but measuring revenue impact is difficult because of a lack of visibility into digital assets. Because of the sheer scale of the issue, however, measuring that revenue impact should be a priority.
Early approach: Watermarking (and its limitations)
Akamai and the customer team first experimented with a watermarking approach; that is, “fingerprinting” content with a unique digital identifier linked to an authorized user. Streams that weren’t correlated to specific accounts were identified and reported to authorities.
This approach, however, led to a number of challenges:
Performance impact: Each asset required individual processing, increasing compute demands.
Reactive detection: Piracy could only be identified after it occurred.
Limited visibility: There was no real-time insight into unauthorized streaming activity.
These limitations led the team to explore a more scalable, proactive solution.
A better way: Common access tokens
The team shifted to CATs: short-lived, cryptographically signed tokens that bind a content request to specific conditions such as time, IP address, URL, or device. This approach — which ensures that only valid, compliant clients can retrieve streaming and live video assets — was designed on EdgeWorkers and Akamai Functions.
The team ran into several performance blockers during the initial phases, especially with video segments that would require CAT validation at scale. Ultimately, the team discovered and deployed a SubRequest caching mechanism — a Least Recently Used (LRU) JavaScript library that enabled caching of SubRequest results at high volumes.
Deployment strategy: Gradual and controlled
Once the performance issues were addressed, the team laid out a detailed plan to slowly and methodically migrate traffic to the EdgeWorkers CAT application, starting at 5% of traffic then increasing in 5% increments over a period of days (Figure 2). During the initial launch, the code was toggled to “warn” mode to monitor traffic before taking action and reject anything that didn’t pass authentication.
Fig. 2: Slow daily ramp-up of EdgeWorkers traffic
During the deployment, error rates for EdgeWorkers remained extremely low at 0.0001%, which gave the team the confidence to scale to 100% of the traffic in just three days. The average offload rate was 95%.
The next phase: Extending the CAT solution to live traffic
The next phase is extending the CAT solution to live traffic. Once the team has sufficiently monitored the “warn” mode results, they’ll toggle to “deny” mode within the EdgeWorkers code to actively block unauthorized access. Although there is no effective way to monitor streaming piracy, the team hopes this will provide clearer visibility into piracy patterns and enforcement effectiveness.
A deeper dive into SubRequest caching
How SubRequests work
The EdgeWorkers JavaScript runtime engine runs as a sidecar process alongside the reverse proxy server (Ghost), which processes incoming requests. In Akamai’s architecture, processing a SubRequest to a web service is similar to a client request, meaning it tends to reduce capacity — even if it’s cached in the CDN object store.
This is expensive for both Akamai and our customers and it also impacts the ability of EdgeWorkers to support applications at scale. However, caching the SubRequest in the JavaScript engine heap means the proxy server doesn’t need to make a SubRequest to the web service for every incoming client request.
Implementing LRU-based SubRequest caching
The approach is predicated on implementing a caching mechanism in the customer’s EdgeWorkers code, which can be easily acquired. Altogether, it’s a package that supports a number of relevant use cases, such as:
Total memory allocation
Maximum number of entries in the cache
Time to live for each cache entry before going stale
APIs for set/get/delete cache entries
Revalidation via an async fetch method before serving a stale cache entry
Custom fetch handler to invoke the EdgeWorkers SubRequest capability
Figure 3 shows the relevant EdgeWorkers code in main.js.
Fig. 3: EdgeWorkers handler onClientRequest with LRU
Note: In Figure 3, the custom fetch implementation is set in the “fetchMethod” property of the “LRUCache” object, and the corresponding use of “LRU.fetch” in the onClientRequest event handler.
Conclusion
By leveraging CAT technology within EdgeWorkers and Akamai Functions, customers can safeguard against video streaming piracy. Akamai’s edge compute platform scales to trillions of invocations to allow validation of tokens at extreme volumes.
Learn more
To find out more about Akamai EdgeWorkers, check out:
Tags
