A Large Scale Simulation Study: Impact of Unresponsive Malicious Flows

Transcription

1 A Large Scale Simulation Study: Impact of Unresponsive Malicious Flows Yen-Hung Hu, Debra Tang, Hyeong-Ah Choi 3 Abstract Researches have unveiled that about % of current Internet traffic is contributed by TCP flows, and the network stability mostly depends on end-to-end TCP congestion control. This paper studies the performance of various queue management algorithms implemented in current Internet routers when unresponsive high-rate malicious flows coexist in the network. Our analysis is based on large scale simulations using the NS- simulator and a set of simulated traffic generated based on IP traces reported in Oregon Gigapop. Our simulation results show that normal traffic benefits more from the RED than DropTail, and TCP flows of smaller size survive better than larger ones when the network is under the attack by malicious flows. If the network is in normal condition, the RED does not provide any clear advantage over the DropTail. I. INTRODUCTION The stability of current IP network is typically controlled at each router through queue management and packet scheduling policy. In this policy, the network is entirely dependent on the end host to react congestion, and it is expected that flows will reduce their rates after packets are dropped (these are called responsive flows). The problem with this expectation is that misbehaving flows that do not cut down their sending rates after their packets are dropped will hog the buffer space at routers and deprive all other flows of their fair share of bandwidth (these are called unresponsive flows). The first-in-first-out (FIFO) queueing with drop tail (DropTail) policy is the simplest queue management policy applied in most routers in present Internet in which as long as the memory space is available, incoming packets are stored. The Random Early Detection (RED) is the most popular active queue management scheme in which drop policy is dynamically changed in response to network traffic condition. These schemes work well when the flows are from properly implemented TCP. Several alternatives have been proposed to improve the situation with the objective of allocating fair share of bandwidth to each flow [], [], []. As it will be shown in the next section, the existing queue management schemes reveal significant shortcomings in protecting packets from normal flows when misbehaving malicious flows exist. In this paper, we present a large scale simulation using a well-designed traffic pattern whose characteristics are derived from the real Internet traffic []. The traffic pattern we considered only consists of two protocols, TCP and UDP, because they contribute more than % in bytes [] of the real Internet traffic. The rest of this paper is organized as follows. In Section II, we discuss the characteristics of IP traces used in developing our simulated traffic and details of simulation setup. In Section III, we show various simulation results and provide insightful discussions on the impact of malicious flows. Concluding remarks are given in Section IV. A. Simulated Traffic II. SIMULATION SETUP We have developed simulated traffic based on a report on Oregon Gigapop Traffic [], in which the composition of Internet traffic in terms of application protocols is discussed in deatil. The Oregon Gigapop has two POS OC3 Department of Computer Science, Hampton University, Hampton, VA 3, yenhung.hu@hamptonu.edu. US ARMY CECOM Software Engineering Center - Belvoir Fort Belvoir, VA, debra.tang@us.army.mil. 3 Department of Computer Science, George Washington University, Washington DC, hchoi@gwu.edu

2 from Abilene: one to Denver, and one to Sunnyvale. The inbound traffic collected during monitoring period has 3,3 flows and. bytes, and the outbound traffic has, flows and. bytes. The overall monitoring time is minutes combining from four monitoring segments: 3 minutes, 3 minutes, minutes, and minutes. There are protocols consist of Gigapop traffic, and TCP and UDP contribute.% in flow numbers and.% in bytes. For each protocol, there are several applications. For example, TCP includes NNTP, FTP, Gnutella, Napster, HTTP, Kazaa, LDM, Hotline, QTRTSPREAL, SSH, SMTP, Shoutcast, AIM, ICQ, and DNS. UDP includes Mutlicase, Real, Half Life, ICQ, DNS, and others. The traffic model shown in Figure is generated using the NS- simulator on two network topologies: NSF T and NSF T3. In this table, the traffic composition in terms of flow number and bytes for each protocol and flow type is very close to the information in []. Flows in different classes have different flow lives, and the average link utilization is close to.%, same number reported in []. The distribution of start time of each flow is carefully designed to reduce the unbalanced load of each link during the entire simulation period. Each flow, except multicast flows, sends out a block of data at its start time and stops when it is finished. Therefore, the flow stop time is dependant on the network condition. Multicast flows are treated as long-live flows that have packets to send out in every interval during the entire simulation period. The average hop length of flows in T and T3 networks are. and 3., respectively. NSF T NSF T3 UDP TCP UDP TCP flows # flows % interval(ms) pkt/flow total packets total bytes bytes % multicast real. 3. half life.. icq.. dns others.. nntp ftp.3. gnutella napster.. http kazaa others multicast real half life icq 3.. dns 3.. others nntp ftp gnutella napster.. http kazaa others.. Fig.. Traffic Pattern for NSF T and NSF T3. B. Simulation Details The bandwidth of each link in NSF T topology is. Mbps and is Mbps in NSF T3 topology. Propagation delay of all links in both topologies is fixed to be ms, and the maximum buffer size for all routers is packets. Two queue management algorithms are implemented: Droptail and RED. Four parameters used in our simulation associated with RED are minimum threshold=,, maximum threshold=, maximum drop probability=., and weight factor=.. Malicious flows when presented are assumed to be active during the entire simulation period. The rate of malicious flows injected into NSF T topology and NSF T3 topology are Mbps and Mbps respectively. All simulations

3 Fig.. NSF T Topology (left) and NSF T3 Topology (right). run from seconds to 3. seconds, and the traffic stops at 3 seconds. The throughput for each flow is calculated by counting the total number of packets sent out of each flow, and the goodput of each flow is done by counting packets successfully reaching their destinations. III. PERFORMANCE ANALYSIS Note that the traffic model shown in Figure has link utilization.%. In order to create congested network environment, we introduce a term load factor defined as to be new flow size original flow size. For example, load factor =, the size of each flow is doubled as compared with the original flow (where average link utilization is. %). A. Network without Malicious Flows When there is no malicious flow, the bandwidth is shared among multiple flows and bandwidth allocation is based on several factors including queue management algorithms, transport layer protocols, flow sizes, and application layer flow patterns. The advantage of RED over DropTail is reported in [3], [], []: () both TCP and UDP flows have decreased end-to-end delays, () the loss of a large number of consecutive packets is prevented as it reserves some buffer spaces, (3) the higher packet loss against bursty traffic is reduced. When a large scale simulation is performed as in our model, we find that some variations exist in some of the above observations. When the goodput of a flow using RED is same as using DropTail, RED is supposed to provide smaller end-to-end dealy as in observation (). Our results in Figure 3 however show that when TCP flows are concerned, in some cases, DropTail provides better goodputs as well as smaller end-to-end delays. (See NNTP and FTP flows in this figure.) When the traffic load is increased (i.e. load factor is increased), the traffic becomes burstier and the loss of consecutive packets is increased. Contrary to the observations () and (3), our simulation results (Figure ) show that in most cases, the DropTail provides higher average utilization and lower packets loss than the RED. As shown in Figure, the TCP flows with smaller traffic load has higher goodputs since the packet loss from short-life flows is smaller than long-life flows. But as shown in Figure, when UDP flows are concerned, whether packets are accepted or discarded at routers is not dependent on the flows sending rates. That is, it is hard to predict which UDP flows will take more bandwidth than others but such a prediction is possible for TCP flows. B. Network With Malicious Flows We have injected high-rate UDP flows in the network to model malicious flows. Intuitively, normal UDP flows survive better than normal TCP flows since TCP flows will reduce their sending rates in response to the congestion caused by malicious flows while normal flows continue to keep the same sending rates.

4 Average Life (sec) 3 Average Life (sec) 3 Fig. 3. NSF T topology, average life over TCP flows under DropTail (left) and RED (right). Average Drop (bytes).e+.e+ DropTail.E+ RED.E+.E+.E+.E+ Average Utilization.. DropTail. RED Fig.. NSF T, average drop rate (left) and link utilization (right). ) One Attack Model: In this case, only one malicious flow exists in the network with an arbitrary sourcedestination pairs and variable hop-lengths. The average utilization of links affected by the malicious flow is decreased when the load factor of the normal traffic increases, i.e., the rate of the malicious flow is relatively decreased, when using both RED and DropTail. One interesting observation is that the survivability of normal flows that do not travel through links affected by the malicious flow is in fact increased. Our simulation results confirm that the RED performs better than DropTail since incoming packets start to drop before the buffer overflows. See Figure for detailed results. ) Multiple Attack Models: We now consider multiple attack models. Two attacking models are defined: economic attack model: in which approximately minimum number ( malicious flows for NSF T, and malicious for NSF T3) of malicious flows are injected into the networks and each link is traversed by a malicious flow once; and extreme attack model: in which each malicious flow only affects one hop, and the number of malicious flows is the same as the number of links in the network. As shown in Figures,,, and, when under extreme attack, RED provides better protection for normal traffic than DropTail. When RED is implemented, normal UDP can reserve 3% to % of goodput and almost keep constant when load factor increased (i.e., congestion increased), but such reservation will be at most % for most T CP traffic (except HTTP) and is getting worse when load factor increased. However, the simulations results for DropTail are worse than RED, in which only at most 3% UDP flows and % TCP flows (included HTTP) will be protected.

5 Avg. Goodput / Avg. Goodput when = Avg. Goodput / Avg. Goodput when = Fig.. NSF T topology, TCP traffic, average goodput / average goodput when load factor = under DropTail (left) and RED (right). Avg. Goodput / Avg. Goodput when = Multicast-D Real-D Half Life-D ICQ-D DNS-D Avg. Goodput / Avg. Goodput when = Multicast-R Real-R Half Life-R ICQ-R DNS-R Fig.. NSF T topology, UDP traffic, average goodput / average goodput when load factor = under DropTail (left) and RED (right) algorithms. We would like to point out one more interesting observation that the survivability of normal UDP flows does not directly related with the flow size. However, the survivability of TCP flows is directly related with the flow size such that the goodput is better for smaller size flows (e.g., HTTP) in both RED and DropTail. IV. CONCLUSION In this paper, we studied the performance of normal and malicious flows under various network environment through large scale simulations. Our simulation study showed that the RED can benefit more to normal traffic than the DropTail and TCP flows of smaller size survive better than larger ones when hey are under malicious attacks. If the network is in normal condition, no malicious flow exists, the RED does not have any clear advantage over the DropTail. Our main contribution of this paper is that the performance of different queue management algorithms were studied under networks with/without malicious flows using () large-scale simulation, () simulated traffic whose characteristics closely reflecting those from real Internet traffic, and (3) detailed application layer flows. The presented results are believed to be useful in developing control mechanisms counteracting network congestion caused by flooding-based malicious flows. REFERENCES [] Joe St Sauver, Oregon Gigapop Traffic Characterization, Internet/NLANR Joint Techs, May th,, Lincoln NE.

6 Attacker's Average Utilization..... HOP-D-L HOP-D-L HOP-D-L Attacker's Average Utilization..... HOP-R-L HOP-R-L HOP-R-L.. Fig.. NSF T topology, average utilization of malicious flow on the affected link. The notation X Hop-R-LY means that this is a average utilization of a link which is the Y th hops in the path traversed by the malicious flow which will traverse X hops in the network. DropTail (left) and RED (right) algorithms are implemented Multicast-D Half Life-D DNS-D Real-D ICQ-D..... Fig.. NSF T topology, Economic attacks under DropTail algorithm, average flow goodput / average flow goodput without attacks [] Sean McCreary, Kc Claffy, Trends in Wide Area IP Traffic Patterns, a View from Ames Internet Exchange, in ITC Specialist Seminar, Monterey, CA, th th, Sep,. [3] S. Floyd, V. Jacobson, Random Early Detection Gateways for Congestion Avoidance, ACM Transactions on Networking, pp.3-3, Aug. 3. [] S. Floyd, and K. Fall, Promoting the Use of End-to-End Congestion Control in the Internet, IEEE/ACM Transactions on Networking, August. [] B. Braden et al, RFC 3 - Recommendations on Queue Management and Congestion Avoidance in the Internet [] M. May, Th. Bonald, and J. Bolot, Analytic Evaluation of RED Performance, in Proceedings of IEEE INFOCOM, Mar., pp. -. [] M. Christiansen, K. Jeffay, D. Ot, and F. Smith, Tuning RED for Web Traffic, in Proceeding of ACM SIGCOM,, pp. 3-. [] [] NLANR PMA, Aiblence-I data set, ttp://pma.nlanr.net/traces/long/ipls.html [] A. Demers, S. Keshav, and S. Shenkar, Analysis and simulation of a fair queueing algorithm, J. Internetw. Res. Experience, pp. 3-, Oct.. [] A. K. Parekh and R. G. Gallager, A generalized processor sharing approach to flow control in integrated services network: The single-node case, IEEE/ACM Trans. on Networking, vol., No. 3, June, 3. [] D. Lin and R. Morris, Dynamics of random early detection, Proc. ACM SIGCOMM, Cannes, France, Oct., pp. -3.

7 Avg. Goodput / Avg. Goodput Withoug Attack..... Multicast-R Half Life-R DNS-R Real-R ICQ-R Avg. Goodput / Avg. Goodput Withoug Attack..... Fig.. NSF T topology, Economic attacks under RED algorithm, average flow goodput / average flow goodput without attacks Multicast-D Half Life-D DNS-D Real-D ICQ-D.... Fig.. NSF T topology, Extreme attacks under DropTail algorithm, average flow goodput / average flow goodput without attacks Multicast-R Half Life-R DNS-R Real-R ICQ-R.... Fig.. NSF T topology, Extreme attacks under RED algorithm, average flow goodput / average flow goodput without attacks