TCP session analysis and modeling of hybrid satellite-terrestrial Internet traffic

Similar documents
Mining Network Traffic Data

Mining Network Traffic Data

Mining Network Traffic Data

Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network

OPNET M-TCP model. Modupe Omueti

Mining Network Traffic Data

Improving TCP Performance over Wireless Links with Periodic Disconnection CMPT 885-3: SPECIAL TOPICS: HIGH-PERFORMANCE NETWORKS

Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network

TCP Congestion Control in Wired and Wireless Networks

TCP Congestion Control in Wired and Wireless networks

Measurement and Analysis of Traffic in a Hybrid Satellite-Terrestrial Network

Performance Evaluation of TCP over WLAN with the Snoop Performance Enhancing Proxy

Analytic End-to-End Estimation for the One-Way Delay and Its Variation

SIMULATING CDPD NETWORKS USING OPNET

Satellite Network Performance Measurements Using

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

TCP PERFORMANCE USING SPLITTING OVER THE SATELLITE LINK

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Chao Li Thomas Su Cheng Lu

CCNA Exploration Network Fundamentals. Chapter 04 OSI Transport Layer

TCP PERFORMANCE FOR FUTURE IP-BASED WIRELESS NETWORKS

Random Early Drop with In & Out (RIO) for Asymmetrical Geostationary Satellite Links

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Selective-TCP for Wired/Wireless Networks

Rate Based Pacing with Various TCP Variants

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Buffer Control Strategies for the Transmission of TCP Flows over Geostationary Satellite Links Using Proxy Based Architectures

End-to-End Disruption-Tolerant Transport Protocol Issues and Design for Airborne Telemetry Networks

Performance of TCP Protocol Running over Wireless LAN Network using the Snoop Protocol

Simulation of TCP Layer

(a) Figure 1: Inter-packet gaps between data packets. (b)

Visualization of Internet Traffic Features

PEPsal: A TCP Performance Enhancing Proxy for Satellite Links

Information Network 1 TCP 1/2. Youki Kadobayashi NAIST

Introduction to computer networking

ECE 650 Systems Programming & Engineering. Spring 2018

SIMULATION OF PACKET DATA NETWORKS USING OPNET

Improving TCP End to End Performance in Wireless LANs with Snoop Protocol

Module 2 Overview of Computer Networks

Module 2 Overview of. Computer Networks

Collection and Characterization of BCNET BGP Traffic

EE 610 Part 2: Encapsulation and network utilities

A Report on Some Recent Developments in TCP Congestion Control

TCP over Wireless Networks:

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

THE TCP specification that specifies the first original

Delay Performance of the New Explicit Loss Notification TCP Technique for Wireless Networks

Classification of BGP Anomalies Using Decision Trees and Fuzzy Rough Sets

sequence number trillian:1166_==>_marvin:3999 (time sequence graph)

Application. Transport. Network. Link. Physical

User Datagram Protocol (UDP):

Enhancements and Performance Evaluation of Wireless Local Area Networks

SRM UNIVERSITY FACULTY OF ENGINEERING AND TECHNOLOGY SCHOOL OF COMPUTING DEPARTMENT OF CSE COURSE PLAN

OSI Transport Layer. objectives

A PERFORMANCE EVALUATION OF TRANSPORT MECHANISMS IN HYBRID NETWORKS. N. Schult, R Wade, G. Comparetto, M. Mirhakkak The MITRE Corporation McLean, VA

CMSC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. October 30, 2018

SCTP: An innovative transport layer protocol for the web

Transport Layer Review

Tuning RED for Web Traffic

End-to-End Architectures for the Internet Host Mobility: An Overview

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

SIMULATION OF PACKET DATA NETWORKS USING OPNET

Transport Layer. <protocol, local-addr,local-port,foreign-addr,foreign-port> ϒ Client uses ephemeral ports /10 Joseph Cordina 2005

FXT - Foundations of Telematic Networks


CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer

Computer Networks. Transmission Control Protocol. Jianping Pan Spring /3/17 CSC361 1

Enhancement of HSWA-TCP Congestion Avoidance Scheme for High Speed Satellite Communication Network Riddhi P. Pandya 1 Ayesha S.

Chapter 8 roadmap. Network Security

TCP: Transmission Control Protocol RFC 793,1122,1223. Prof. Lin Weiguo Copyleft 2009~2017, School of Computing, CUC

Hands-On Ethical Hacking and Network Defense

Performance Enhancement Of TCP For Wireless Network

BGP Route Flap Damping Algorithms

CMSC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. October 25, 2018

Configuring Flood Protection

Computer Networks and the Internet. CMPS 4750/6750: Computer Networks

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

ECE 435 Network Engineering Lecture 15

Analysis of TCP Latency over Wireless Links Supporting FEC/ARQ-SR for Error Recovery

Analyzing the effect of timer timeout and packet length on the performance of error control protocols

Part 1: Introduction. Goal: Review of how the Internet works Overview

Measurement and Analysis of Traffic in a Hybrid Satellite- Terrestrial Network Qing (Kenny) Shao

Hans Kruse, PhD. Senior Partner Hanseatic Consulting

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

TCP/IP Performance ITL

Linux Networking: tcp. TCP context and interfaces

EEC-682/782 Computer Networks I

Collection and Characterization of BCNET BGP Traffic

Configuring attack detection and prevention 1

Analysis. Group 5 Mohammad Ahmad Ryadh Almuaili

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

QoS Routing For Mobile Ad Hoc Networks

EVALUATING THE DIVERSE ALGORITHMS OF TRANSMISSION CONTROL PROTOCOL UNDER THE ENVIRONMENT OF NS-2

TCP /IP Fundamentals Mr. Cantu

Improving TCP Performance over Wireless Networks using Loss Predictors

User Datagram Protocol UDP

Experimental Analysis of TCP Behaviors against Bursty Packet Losses Caused by Transmission Interruption

Information Network 1 TCP 1/2

TCP Behavior in Networks with Dynamic Propagation Delay

Transcription:

TCP session analysis and modeling of hybrid satellite-terrestrial Internet traffic Savio Lau saviol@cs.sfu.ca Communication Networks Laboratory http://www.ensc.sfu.ca/cnl School of Engineering Science Simon Fraser University

Roadmap Introduction: satellite links ChinaSat Network Analysis of user behavior from: billing data tcpdump Current work: analysis of TCP connections Conclusions References April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 2

Characteristics of satellite links Satellite links: large coverage area long link propagation delay (~250 ms) high bandwidth-delay product high bit error rates (~10-6 without error correction) Wired links: bit error rates (~10-9 ) short link propagation delay (< 1 ms) Wireless links: bit error rates (~10-5 ) variable link propagation delay April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 3

ChinaSat hybrid satellite network Employs geosynchrous satellites deployed by Hughes Network Systems Provides data and television services: DirecTV: satellite television service DirecPC (Classic): unidirectional satellite data service DirecWay (Hughnet): new bi-directional satellite data service that replaces DirecPC Collected ChinaSat DirecPC data: continuous billing data from October 31, 2002 to January 10, 2003 35 GBytes of data from tcpdump traces from December 14, 2002 to January 10, 2003 April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 4

DirecPC system diagram Satellite Internet IP tunelling Server User: Internet cafes Modem PPP connection Dial-up ISP Network operations center TCP-splitting and IP spoofing NOC: Network Operations Center PPP: Point-to-point protocol April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 5

DirecPC system diagram Satellite Internet IP tunelling Server User: Internet cafes Modem PPP connection Dial-up ISP Network operations center TCP-splitting and IP spoofing NOC: Network Operations Center PPP: Point-to-point protocol April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 6

TCP splitting and IP spoofing Client SYN NOC Server SYN SYN/ SYN/ REQ DATA DATA FIN FIN/ REQ DATA + DATA FIN FIN TCP splitting IP spoofing ignored s April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 7

Previous work Performance enhancing proxies (J. Border et al., RFC 3135): TCP-splitting and IP spoofing increasing initial TCP congestion window Analysis of HTTP over satellite (H. Kruse and M. Allman) Prediction and analysis (long-range dependence) of ChinaSat traffic data (Q. Shao and Lj. Trajkovic) J. Border, M. Kojo, J. Griner, G. Montenegro, and Z. Shelby, Performance Enhancing Proxies Intended to Mitigate Link-Related Degradations, RFC 3135, June 2001. H. Kruse and M. Allman, Experimentation and modeling of HTTP over satellite channels, International Journal of Satellite Communications, vol. 19, no. 1, pp. 51 68, Feb. 2001. Q. Shao and Lj. Trajković, Measurement and analysis of traffic in a hybrid satelliteterrestrial network, Proc. SPECTS 2004, San Jose, CA, July 2004, pp. 329 336. April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 8

Preliminary billing data results Daily (diurnal) traffic pattern: averaged over recorded period (October 31, 2002 to January 10, 2003) traffic pattern similar to previous research results (Thompson, Miller, and Wilder) Weekly traffic pattern: averaged over recorded period lower traffic volume on Saturdays and Sundays K. Thompson, G. J. Miller, and R. Wilder, Wide-area Internet traffic pattern and characteristics, IEEE Network, vol. 11, no. 6, pp. 10 23, Nov. 1997. April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 9

Daily (diurnal) traffic pattern: average downloaded bytes daily maxima at 11 am, 3 pm, and 7 pm daily minimum at 7 am April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 10

Weekly traffic pattern: average downloaded bytes April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 11

Preliminary tcpdump results Majority of traffic (> 90%) is TCP TCP traffic mostly uses the HTTP protocol Considerable volume of traffic is illegitimate: TCP packets with invalid TCP flag combinations port scans originating from the ChinaSat network users port scans directed to the ChinaSat network users Port scans are generated packets designed to search for open ports (and exploit vulnerabilities) on a network host April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 12

TCP SYN/RST/FIN/PSH analysis TCP flag SYN only RST only FIN only SYN+FIN RST+FIN (no PSH) RST+PSH (no FIN) RST+FIN+PSH Total number of packets with illegitimate TCP flag combinations Total packet count Count 19,050,849 7,440,418 12,679,619 408 85,571 18,111 8,329 112,419 39,283,305 % of Total 48.5% 18.9% 32.3% 0.001% 0.2% 0.05% 0.02% 0.3% April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 13

Port scans originating from the ChinaSat network users 192.168.2.30:137-195.x.x.98:1025 192.168.2.30:137-202.x.x.153:1027 192.168.2.30:137-210.x.x.23:1035 192.168.2.30:137-195.x.x.42:1026 192.168.2.30:137-202.y.y.226:1026 192.168.2.30:137-218.x.x.238:1025 192.168.2.30:137-202.y.y.226:1025 192.168.2.30:137-202.y.y.226:1027 192.168.2.30:137-202.y.y.226:1028 192.168.2.30:137-202.y.y.226:1029 192.168.2.30:137-202.y.y.242:1026 192.168.2.30:137-61.x.x.5:1028 192.168.2.30:137-219.x.x.226:1025 192.168.2.30:137-213.x.x.189:1028 192.168.2.30:137-61.x.x.193:1025 192.168.2.30:137-202.y.y.207:1028 192.168.2.30:137-202.y.y.207:1025 192.168.2.30:137-202.y.y.207:1026 192.168.2.30:137-202.y.y.207:1027 192.168.2.30:137-64.x.x.148:1027 Client (192.168.2.30) using source port (137) scans external network addresses with UDP packets at destination ports (1025-1040): > 100 are recorded within a three hour period scanned IP addresses are variable multiple ports are scanned per IP corresponds to Bugbear (Sept. 2002), OpaSoft (Sept. 2002), or other worms April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 14

Port scans directed to the ChinaSat network users 210.x.x.23:1035-192.168.1.121:137 210.x.x.23:1035-192.168.1.63:137 210.x.x.23:1035-192.168.2.11:137 210.x.x.23:1035-192.168.1.250:137 210.x.x.23:1035-192.168.1.25:137 210.x.x.23:1035-192.168.2.79:137 210.x.x.23:1035-192.168.1.52:137 210.x.x.23:1035-192.168.6.191:137 210.x.x.23:1035-192.168.1.241:137 210.x.x.23:1035-192.168.2.91:137 210.x.x.23:1035-192.168.1.5:137 210.x.x.23:1035-192.168.1.210:137 210.x.x.23:1035-192.168.6.127:137 210.x.x.23:1035-192.168.1.201:137 210.x.x.23:1035-192.168.6.179:137 210.x.x.23:1035-192.168.2.82:137 210.x.x.23:1035-192.168.1.239:137 210.x.x.23:1035-192.168.1.87:137 210.x.x.23:1035-192.168.1.90:137 210.x.x.23:1035-192.168.1.177:137 210.x.x.23:1035-192.168.1.39:137 External address (210.x.x.23) employs UDP packets to scans port (137) for NETBIOS response within the ChinaSat network from source port (1035): > 200 are recorded within a 3 hour period scanned IP addresses are not sequential corresponds to Bugbear (Sept. 2002), OpaSoft (Sept. 2002), or other worms April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 15

Current work Compare the volume of illegitimate and total traffic Use tcptrace to identify and analyze individual connections Use analysis results to model the TCP traffic (connection inter-arrival times, connection duration, number of bytes) Examine effects of: HTTP pipelining clients can send multiple HTTP requests at a time servers can send multiple HTTP replies per connection concurrent HTTP connections HTTP 1.0 vs. HTTP 1.1 April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 16

Conclusions Satellite data traffic have: daily (diurnal) traffic patterns weekly periodic traffic patterns similar to wide-area Internet traffic patterns Illegitimate data traffic is found in the trace: packets with invalid TCP flags port scans originating from the ChinaSat network users port scans directed to the ChinaSat network users April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 17

References [1] Q. Shao and Lj. Trajkovic, Measurement and analysis of traffic in a hybrid satellite-terrestrial network, Proc. SPECTS 2004, San Jose, CA, July 2004, pp. 329 336. [2] T. R. Henderson and R. Katz, Transport protocols for Internet-compatible satellite networks, IEEE J. Select. Areas Commun., vol. 17, no. 2, pp. 326 344, Feb. 1999. [3] H. Kruse and M. Allman, Experimentation and modeling of HTTP over satellite channels, International Journal of Satellite Communications, vol. 19, no. 1, pp. 51 68, Feb. 2001. [4] K. Thompson, G. J. Miller, and R. Wilder, Wide-area Internet traffic pattern and characteristics, IEEE Network, vol. 11, no. 6, pp. 10 23, Nov. 1997. [5] M. Arlitt and C. Williamson, An analysis of TCP reset behaviour on the Internet, Computer Communications Review, vol. 35, no. 1, pp.37 44, Jan. 2005. [6] W. R. Stevens, TCP/IP Illustrated, Vol. 1: The Protocols, Reading, MA: Addison Wesley, 1994. [7] D. E. Comer, Internetworking with TCP/IP: Principles, Protocols and Architectures, 4th ed. Upper Saddle River, NJ: Prentice Hall, 2000, pp. 209 254. April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 18

References: RFCs [8] Information Sciences Institute, Transmission control protocol, RFC 793, Sept. 1981. [9] Information Sciences Institute, TCP and IP bake off, RFC 1025, Sept. 1987. [10] M. Allman, D. Glover, and L. Sanchez, Enhancing TCP over satellite channels using Standard Mechanisms, RFC 2488, Jan. 1999. [11] M. Allman, S. Dawkins, D. Glover, J. Griner, D. Tran, T. Henderson, J. Heidemann, J. Touch, H. Kruse, S. Ostermann, K. Scott, and J. Semke, Ongoing TCP research related to satellites, RFC 2760, Feb. 2000. [12] J. Border, M. Kojo, J. Griner, G. Montenegro, and Z. Shelby, Performance enhancing proxies intended to mitigate link-related degradations, RFC 3135, June 2001. [13] S. Floyd, Inappropriate TCP resets considered harmful, RFC 3360, Aug. 2002. April 25, 2006 BCNET Advanced Networks Conference: Hybrid satellite-terrestrial Internet traffic 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback