A Large Scale Simulation Study: Impact of Unresponsive Malicious Flows


Yen-Hung Hu, Debra Tang, Hyeong-Ah Choi

Yen-Hung Hu: Department of Computer Science, Hampton University, Hampton, VA 3, yenhung.hu@hamptonu.edu. Debra Tang: US ARMY CECOM Software Engineering Center - Belvoir, Fort Belvoir, VA, debra.tang@us.army.mil. Hyeong-Ah Choi: Department of Computer Science, George Washington University, Washington DC, hchoi@gwu.edu.

Abstract

Research has shown that about % of current Internet traffic is contributed by TCP flows, and that network stability mostly depends on end-to-end TCP congestion control. This paper studies the performance of the queue management algorithms implemented in current Internet routers when unresponsive high-rate malicious flows coexist in the network. Our analysis is based on large scale simulations using the NS- simulator and simulated traffic generated from the IP traces reported for the Oregon Gigapop. Our simulation results show that normal traffic benefits more from RED than from DropTail, and that TCP flows of smaller size survive better than larger ones when the network is under attack by malicious flows. When the network is in normal condition, RED does not provide any clear advantage over DropTail.

I. INTRODUCTION

The stability of the current IP network is typically controlled at each router through its queue management and packet scheduling policy. Under this policy the network depends entirely on the end hosts to react to congestion: flows are expected to reduce their rates after their packets are dropped (these are called responsive flows). The problem with this expectation is that misbehaving flows that do not cut their sending rates after their packets are dropped will hog the buffer space at routers and deprive all other flows of their fair share of bandwidth (these are called unresponsive flows). First-in-first-out (FIFO) queueing with a drop-tail (DropTail) policy is the simplest queue management policy and is applied in most routers in the present Internet: incoming packets are stored as long as memory space is available. Random Early Detection (RED) is the most popular active queue management scheme; its drop policy changes dynamically in response to network traffic conditions.

These schemes work well when the flows come from properly implemented TCP. Several alternatives have been proposed to improve the situation, with the objective of allocating a fair share of bandwidth to each flow [], [], []. As will be shown in the next section, the existing queue management schemes reveal significant shortcomings in protecting packets from normal flows when misbehaving malicious flows exist. In this paper, we present a large scale simulation using a traffic pattern whose characteristics are derived from real Internet traffic []. The traffic pattern we consider consists of only two protocols, TCP and UDP, because together they contribute more than % in bytes [] of real Internet traffic.

The rest of this paper is organized as follows. In Section II, we discuss the characteristics of the IP traces used in developing our simulated traffic and the details of the simulation setup. In Section III, we show various simulation results and discuss the impact of malicious flows. Concluding remarks are given in Section IV.

II. SIMULATION SETUP

A. Simulated Traffic

We have developed simulated traffic based on a report on Oregon Gigapop traffic [], in which the composition of Internet traffic in terms of application protocols is discussed in detail. The Oregon Gigapop has two POS OC3 links from Abilene: one to Denver and one to Sunnyvale. The inbound traffic collected during the monitoring period has 3,3 flows and . bytes, and the outbound traffic has , flows and . bytes. The overall monitoring time is minutes, combining four monitoring segments: 3 minutes, 3 minutes, minutes, and minutes. The Gigapop traffic consists of protocols, of which TCP and UDP contribute .% of the flows and .% of the bytes. Each protocol carries several applications. For example, TCP includes NNTP, FTP, Gnutella, Napster, HTTP, Kazaa, LDM, Hotline, QTRTSPREAL, SSH, SMTP, Shoutcast, AIM, ICQ, and DNS. UDP includes Multicast, Real, Half Life, ICQ, DNS, and others.

The traffic model shown in Figure is generated using the NS- simulator on two network topologies: NSF T and NSF T3. In this table, the traffic composition in terms of flow number and bytes for each protocol and flow type is very close to the information in []. Flows in different classes have different flow lifetimes, and the average link utilization is close to .%, the same number reported in []. The distribution of the start time of each flow is carefully designed to reduce unbalanced load on each link during the entire simulation period. Each flow, except multicast flows, sends out a block of data at its start time and stops when it is finished; the flow stop time therefore depends on the network condition. Multicast flows are treated as long-lived flows that have packets to send in every interval during the entire simulation period. The average hop lengths of flows in the T and T3 networks are . and 3., respectively.

Fig. . Traffic Pattern for NSF T and NSF T3. For each topology (NSF T, NSF T3) and protocol (UDP: multicast, real, half life, icq, dns, others; TCP: nntp, ftp, gnutella, napster, http, kazaa, others) the table lists flows #, flows %, interval (ms), pkt/flow, total packets, total bytes, and bytes %.

B. Simulation Details

The bandwidth of each link is . Mbps in the NSF T topology and Mbps in the NSF T3 topology. The propagation delay of all links in both topologies is fixed at ms, and the maximum buffer size of all routers is packets. Two queue management algorithms are implemented: DropTail and RED. The four RED parameters used in our simulation are minimum threshold = , maximum threshold = , maximum drop probability = ., and weight factor = .. Malicious flows, when present, are assumed to be active during the entire simulation period. The rates of the malicious flows injected into the NSF T and NSF T3 topologies are Mbps and Mbps, respectively. All simulations run from seconds to 3. seconds, and the traffic stops at 3 seconds. The throughput of each flow is calculated by counting the total number of packets sent by the flow, and the goodput of each flow by counting the packets that successfully reach their destinations.

Fig. . NSF T Topology (left) and NSF T3 Topology (right).

III. PERFORMANCE ANALYSIS

Note that the traffic model shown in Figure has link utilization .%. In order to create a congested network environment, we introduce a load factor, defined as new flow size / original flow size. For example, with load factor = , the size of each flow is doubled compared with the original flow (where the average link utilization is . %).

A. Network without Malicious Flows

When there is no malicious flow, the bandwidth is shared among multiple flows, and the allocation depends on several factors including the queue management algorithm, the transport layer protocol, flow sizes, and application layer flow patterns. The advantages of RED over DropTail reported in [3], [], [] are: () both TCP and UDP flows have decreased end-to-end delays, () the loss of a large number of consecutive packets is prevented because some buffer space is kept in reserve, and (3) the higher packet loss suffered by bursty traffic is reduced. When a large scale simulation is performed as in our model, we find that some of these observations do not hold in all cases. When the goodput of a flow under RED is the same as under DropTail, RED is supposed to provide the smaller end-to-end delay, as in observation (). Our results in Figure 3, however, show that for TCP flows DropTail in some cases provides better goodput as well as smaller end-to-end delay (see the NNTP and FTP flows in this figure). When the traffic load is increased (i.e. the load factor is increased), the traffic becomes burstier and the loss of consecutive packets increases.

Contrary to observations () and (3), our simulation results (Figure ) show that in most cases DropTail provides higher average utilization and lower packet loss than RED. As shown in Figure , TCP flows with a smaller traffic load have higher goodput, since packet loss is smaller for short-lived flows than for long-lived flows. But as shown in Figure , for UDP flows whether packets are accepted or discarded at routers does not depend on the flows' sending rates. That is, it is hard to predict which UDP flows will take more bandwidth than others, but such a prediction is possible for TCP flows.

B. Network With Malicious Flows

We inject high-rate UDP flows into the network to model malicious flows. Intuitively, normal UDP flows survive better than normal TCP flows, since TCP flows reduce their sending rates in response to the congestion caused by the malicious flows while normal UDP flows keep the same sending rates.

Fig. 3. NSF T topology, average life (sec) of TCP flows under DropTail (left) and RED (right).

Fig. . NSF T, average drop rate in bytes (left) and average link utilization (right) under DropTail and RED.

One Attack Model: In this case only one malicious flow exists in the network, with an arbitrary source-destination pair and variable hop length. The average utilization of the links affected by the malicious flow decreases as the load factor of the normal traffic increases, i.e., the rate of the malicious flow decreases relative to the normal traffic, under both RED and DropTail. One interesting observation is that the survivability of normal flows that do not travel through links affected by the malicious flow actually increases. Our simulation results confirm that RED performs better than DropTail, since incoming packets start to be dropped before the buffer overflows. See Figure for detailed results.

Multiple Attack Models: We now consider multiple attack models. Two attack models are defined. In the economic attack model, approximately the minimum number of malicious flows ( malicious flows for NSF T and for NSF T3) is injected into the network such that each link is traversed by a malicious flow once. In the extreme attack model, each malicious flow affects only one hop, and the number of malicious flows equals the number of links in the network. As shown in Figures , , , and , under the extreme attack RED provides better protection for normal traffic than DropTail. Under RED, normal UDP flows retain 3% to % of their goodput, and this share stays almost constant as the load factor increases (i.e., as congestion increases), whereas most TCP traffic (except HTTP) retains at most % and gets worse as the load factor increases. The DropTail results are worse than those for RED: at most 3% of UDP flows and % of TCP flows (including HTTP) are protected.
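The queue disciplines of Section II.B and the attack setting of Section III.B, as an added illustration that is not part of the paper or of its NS- simulation: a small slot-based Python model of one bottleneck link carrying a responsive TCP-like (AIMD) flow and an unresponsive constant-rate flood, under DropTail and under RED. The link capacity, buffer size, flood rate and the four RED parameters are assumed values chosen for a short run, not the paper's settings; throughput and goodput are counted as the paper defines them (packets sent and packets delivered), and early_drops counts drops taken while the buffer still has free space, which is the RED behaviour the paper credits for its better protection.

```python
import random
from dataclasses import dataclass, field

# Added example, not the paper's NS-2 setup: one bottleneck link, a responsive
# TCP-like flow and an optional unresponsive flood, under DropTail or RED.
# All parameter values below are assumptions chosen for a short run.

CAPACITY = 4          # packets the link forwards per tick
BUFFER = 40           # maximum queue length in packets
FLOOD_RATE = 6        # packets/tick from the unresponsive flow (> CAPACITY)
TICKS = 2000
# RED parameters: min threshold, max threshold, max drop probability, EWMA weight
MIN_TH, MAX_TH, MAX_P, W_Q = 5, 15, 0.1, 0.05


@dataclass
class Stats:
    sent: dict = field(default_factory=lambda: {"tcp": 0, "udp": 0})       # throughput
    delivered: dict = field(default_factory=lambda: {"tcp": 0, "udp": 0})  # goodput
    dropped: dict = field(default_factory=lambda: {"tcp": 0, "udp": 0})
    early_drops: int = 0   # drops taken while the buffer still had free space
    max_queue: int = 0


class Router:
    """FIFO queue with either a DropTail or a RED drop decision."""

    def __init__(self, discipline, rng):
        self.discipline = discipline
        self.rng = rng
        self.queue = []   # flow name of each queued packet
        self.avg = 0.0    # RED's exponentially weighted average queue length

    def should_drop(self, qlen):
        if qlen >= BUFFER:
            return True                       # buffer overflow: every discipline drops
        if self.discipline != "red":
            return False                      # DropTail never drops before overflow
        if self.avg >= MAX_TH:
            return True                       # RED forces a drop above max threshold
        if self.avg >= MIN_TH:                # RED drops probabilistically in between
            p = MAX_P * (self.avg - MIN_TH) / (MAX_TH - MIN_TH)
            return self.rng.random() < p
        return False

    def enqueue(self, flow, stats):
        qlen = len(self.queue)
        stats.sent[flow] += 1
        if self.should_drop(qlen):
            stats.dropped[flow] += 1
            if qlen < BUFFER:
                stats.early_drops += 1
        else:
            self.queue.append(flow)
        # RED updates its average on every arrival
        self.avg = (1 - W_Q) * self.avg + W_Q * len(self.queue)
        stats.max_queue = max(stats.max_queue, len(self.queue))

    def forward(self, stats):
        for _ in range(min(CAPACITY, len(self.queue))):
            stats.delivered[self.queue.pop(0)] += 1


def run(discipline, attack, seed=1):
    """Simulate TICKS rounds; returns Stats with sent/delivered/dropped per flow."""
    rng = random.Random(seed)
    router = Router(discipline, rng)
    stats = Stats()
    cwnd = 1                                  # TCP-like congestion window, packets/tick
    for _ in range(TICKS):
        arrivals = ["tcp"] * cwnd + (["udp"] * FLOOD_RATE if attack else [])
        rng.shuffle(arrivals)                 # interleave the two sources' packets
        before = stats.dropped["tcp"]
        for flow in arrivals:
            router.enqueue(flow, stats)
        router.forward(stats)
        # AIMD: halve on any loss this tick, otherwise grow by one packet
        cwnd = max(1, cwnd // 2) if stats.dropped["tcp"] > before else cwnd + 1
    return stats


def goodput_share(stats):
    """Fraction of delivered packets belonging to each flow."""
    total = sum(stats.delivered.values()) or 1
    return {f: stats.delivered[f] / total for f in stats.delivered}


if __name__ == "__main__":
    for disc in ("droptail", "red"):
        for attack in (False, True):
            s = run(disc, attack)
            print(f"{disc:8} attack={attack!s:5} goodput={s.delivered} "
                  f"early_drops={s.early_drops} max_queue={s.max_queue}")
```

Running the block prints goodput per flow for the four combinations. The exact split between the two flows depends on the seed, but the structural contrast is fixed: DropTail never drops until the buffer is full (max_queue reaches BUFFER and early_drops stays 0), whereas RED begins dropping as soon as its average queue length crosses the thresholds, so the unresponsive flood is penalised before the buffer is exhausted.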

We would like to point out one more interesting observation: the survivability of normal UDP flows is not directly related to flow size. However, the survivability of TCP flows is directly related to flow size, such that goodput is better for smaller flows (e.g., HTTP) under both RED and DropTail.

Fig. . NSF T topology, TCP traffic, average goodput / average goodput when load factor = under DropTail (left) and RED (right).

Fig. . NSF T topology, UDP traffic (Multicast, Real, Half Life, ICQ, DNS), average goodput / average goodput when load factor = under DropTail (left, series suffixed -D) and RED (right, series suffixed -R).

Fig. . NSF T topology, average utilization of the malicious flow on the affected link. The notation X Hop-R-LY denotes the average utilization of the link that is the Y-th hop in the path of a malicious flow traversing X hops in the network. DropTail (left) and RED (right) algorithms are implemented.

Fig. . NSF T topology, economic attacks under DropTail, average flow goodput / average flow goodput without attacks (Multicast, Half Life, DNS, Real, ICQ).

Fig. . NSF T topology, economic attacks under RED, average flow goodput / average flow goodput without attacks.

Fig. . NSF T topology, extreme attacks under DropTail, average flow goodput / average flow goodput without attacks.

Fig. . NSF T topology, extreme attacks under RED, average flow goodput / average flow goodput without attacks.

IV. CONCLUSION

In this paper, we studied the performance of normal and malicious flows in various network environments through large scale simulations. Our simulation study showed that RED benefits normal traffic more than DropTail, and that TCP flows of smaller size survive better than larger ones when they are under malicious attack. When the network is in normal condition and no malicious flow exists, RED does not have any clear advantage over DropTail. The main contribution of this paper is that the performance of different queue management algorithms was studied in networks with and without malicious flows using () large-scale simulation, () simulated traffic whose characteristics closely reflect those of real Internet traffic, and (3) detailed application layer flows. We believe the presented results are useful in developing control mechanisms that counteract network congestion caused by flooding-based malicious flows.

REFERENCES

[] Joe St Sauver, Oregon Gigapop Traffic Characterization, Internet/NLANR Joint Techs, May th, , Lincoln NE.
[] Sean McCreary, Kc Claffy, Trends in Wide Area IP Traffic Patterns, a View from Ames Internet Exchange, in ITC Specialist Seminar, Monterey, CA, th th Sep, .
[3] S. Floyd, V. Jacobson, Random Early Detection Gateways for Congestion Avoidance, ACM Transactions on Networking, pp. 3-3, Aug. 3.
[] S. Floyd and K. Fall, Promoting the Use of End-to-End Congestion Control in the Internet, IEEE/ACM Transactions on Networking, August .
[] B. Braden et al., RFC 3 - Recommendations on Queue Management and Congestion Avoidance in the Internet.
[] M. May, Th. Bonald, and J. Bolot, Analytic Evaluation of RED Performance, in Proceedings of IEEE INFOCOM, Mar. , pp. -.
[] M. Christiansen, K. Jeffay, D. Ott, and F. Smith, Tuning RED for Web Traffic, in Proceedings of ACM SIGCOMM, , pp. 3-.
[] http://www.isi.edu/nsnam/ns/
[] NLANR PMA, Abilene-I data set, http://pma.nlanr.net/traces/long/ipls.html
[] A. Demers, S. Keshav, and S. Shenker, Analysis and simulation of a fair queueing algorithm, J. Internetw. Res. Experience, pp. 3-, Oct. .
[] A. K. Parekh and R. G. Gallager, A generalized processor sharing approach to flow control in integrated services networks: The single-node case, IEEE/ACM Trans. on Networking, vol. , no. 3, June 3.
[] D. Lin and R. Morris, Dynamics of random early detection, Proc. ACM SIGCOMM, Cannes, France, Oct. , pp. -3.