TCP STREAM PROCESSING AT GIGABIT LINE RATES David Vincent Schuehler Dissertation Defense Washington...

TCP STREAM PROCESSINGAT GIGABIT LINE RATES

David Vincent SchuehlerDissertation Defense

Washington University in St. LouisDepartment of Computer Science and Engineering

November 3, 2004

TCPProcessor

HARDWARE CIRCUIT

David V. SchuehlerTCPProcessor

HARDWARE CIRCUIT

2

Outline

• Motivation and Background

• Architecture and Related Work

• Live Internet Traffic Processing

• Conclusion and Future Work


HARDWARE CIRCUIT

3

Motivation

• Inspect data moving through networks• Enable application level data processing• Secure networks

– Safeguard confidential data

• Detect and prevent intrusions– Worms, viruses, spam, espionage

• Mitigate denial of service attacks• Characterize and analyze network traffic• Operate at multi-gigabit data rates


HARDWARE CIRCUIT

4

Transmission Control Protocol

Source Destination

Network Data Packets Moving Through Network

Data Payload IP HdrTCP Hdr

Layout of Single Packet

Payload Header

• 86% to 90% of all Internet traffic uses TCP– Web, email, file transfer, remote login, secure communications

• Provides virtual bit pipe between two end systems– Retransmission services– Data reordering services– Flow control services– Congestion avoidance services


HARDWARE CIRCUIT

5

Internet

Cell phone Cellular tower

Municipality

Hand heldcomputer

Satelliteuplink

Laptop

Computer

UNIVERSITY

Government Agency

Corporation

University

Computer

ComputerComputer

InternetServiceProvider

G

C

Gateway router

Core router

G

C

C

C

G

G

C

C

G

C

G

G

GG

C

C

C

C


HARDWARE CIRCUIT

6

Internet


Municipality

Hand heldcomputer

Satelliteuplink

Laptop

Computer

UNIVERSITY

Government Agency

Corporation

University

Computer

ComputerComputer

G

C

Gateway router

Core router

G

C

C

G

G

C

G

G

CC

SPAMVIRUSINTRUSION

C

C

G

G

G

C

C

C



HARDWARE CIRCUIT

7

Internet


Municipality

Hand heldcomputer

Satelliteuplink

Laptop

Computer

UNIVERSITY

Government Agency

Corporation

University

Computer

ComputerComputer

G

C

Gateway router

Core router

G

C

C

G

G

C

G

G

CC

SPAMVIRUSINTRUSION

C

C

G

G

G

C

C

C



HARDWARE CIRCUIT

8

Cost of Internet Attacks

YearEconomic Impact Worldwide (mi2g’04)

Representative Attacks (cost)

2003 $236 Billion Sobig.F ($2B)

Blaster ($1.3B)

Slammer ($1.2B)

2002 $118 Billion KLEZ ($9B)

Bugbear ($950M)

2001 $36 Billion Nimbda ($635M)

Code Red ($2.62B)

SirCam ($1.15B)

2000 $26 Billion Love Bug ($8.75B)

1999 $20 Billion Melissa ($1.10B)


HARDWARE CIRCUIT

9

Economic Damage Estimate


HARDWARE CIRCUIT

10

Design Requirements• Architecture that is fast

– Hardware-based system– High-performance (multi-gigabit networks)– Per-flow context storage & retrieval

• Architecture that is scalable– Performance improves with advances in technology

• In-line traffic processing model• Implementation using reasonable resources

– FPGA implementation can be done in research lab• Framework that is flexible

– Integrates with multiple applications– Multi-device coordination of TCP stream processing


HARDWARE CIRCUIT

11

Outline






HARDWARE CIRCUIT

12

TCP-Processor Architecture

TCPProcessing

Engine

InputBuffer

State Store Manager

PacketRouting

Egress

Data Processing Circuit

TCP Processing Architecture

Stats

Off-Chip Memory


HARDWARE CIRCUIT

13

TCP Processing Engine

Frame FIFO

State Store Manager

TCP Processing Engine

Inpu

t S

tate

Mac

hine

ChecksumEngine

Out

put

Sta

te M

achi

ne

TCP State Processing

Flow Hash Computation

Control&

StateFIFO


HARDWARE CIRCUIT

14

Challenges and Design Choices• Performance

– Operate at multi-gigabit data rates– Hardware-based design exploiting pipelining and parallelism

• Flow classification– Open addressing hash with limited bucket sizes

• Context storage and retrieval– Requires memory read and write for each packet– 64-byte per-flow context - use burst read/write operations

• Reassembly of out-of-order packets– Multiple processing modes (guaranteed and passive)

• TCP processing– Flow monitoring instead of flow termination


HARDWARE CIRCUIT

15

Link Speeds and Packet Rates

Link Type Data rate40 byte

pkts/sec64 byte

pkts/sec500 byte pkts/sec

1500 byte pkts/sec

OC-3 155 Mbps .48 M .3 M 38 K 12 K

OC-12 622 Mbps 1.9 M 1.2 M .16 M 52 K

GigE 1.0 Gbps 3.1 M 2.0 M .25 M 83 K

OC-48 2.5 Gbps 7.8 M 4.8 M .63 M .21 M

OC-192

10 GigE

10 Gbps 31 M 20 M 2.5 M .83 M

OC-768 40 Gbps 125 M 78 M 10 M 3.3 M


HARDWARE CIRCUIT

16

Systems with TCP Processors• Load balancing systems

– Content (cookie) based request routing– Delayed binding technique– Limited to scanning start of flow

• TCP offload engines– Move TCP protocol processing to NIC– Targeting Gigabit NIC market– Intel, NEC, Adaptec, Lucent, and others

• SSL Accelerators– Offload encryption/decryption– Protocol translation

• Intrusion Detection Systems– Traffic Rates < 1Gbps – Perform content scanning and some stream reassembly

LOAD

BALANCER

SYN

SYN ACK

ACK

Request

SYN

SYN ACK

ACK

Request

ResponseResponse

END

USER

WEB

SERVER

SSL

ACCELERATOR

SYN

SYN ACK

ACK

Request

SYN

SYN ACK

ACK

Request

Response

Response

END

USER

WEB

SERVER

Encrypted Not Encrypted


HARDWARE CIRCUIT

17

Related Work in TCP Processing• Software-based TCP processing

– Ethereal, tcpdump, etc – require post processing– Snort w/TCP option – larger virtual packets– Cluster-based online monitoring system (Mao: WIDM’01)– Bro – rule based processing (Paxson: Computer Networks’99)– STAT/STATL – state based processing (Vingna: DISCEX’00)– Intel – Xeon as packet processor (Regnier: HotI’03)

• Hardware-based TCP processing– Georgia Tech – 1 flow/circuit (Necker: FCCM’02)– University of Oslo – 1 flow/ circuit (Li: FPL’03)

– Indiana University and Imperial College – Netflow statistics– University of Tokyo – multi-flow stream scanning (Sugawara: FPL’04)– Intel TCP processor – 8k connections, 9Gbps (Xu: HotChips’03)

• Network processors– Intel IXP 1200, 2400, 2800, 2850– Motorola PowerQUICC


HARDWARE CIRCUIT

18

Taxonomy of Packet ProcessorsD

ata

Rat

eX

Con

text

Rec

ords

Hardware

Snort w/TCP option

TCP-Processor

BRO/STATL

IP LookupPacket Forwarding

Other FPGATCP Processors

TCPTermination

NetworkProcessors

PacketCapture

Load BalancerSSL Accelerator

Software based systems

Store little or no state

Intel projects

TCP-Processor

Software

ExperimentalTCP Processor


HARDWARE CIRCUIT

19

Multi-Device Coordination

• Encodes interface signals

• Regenerates waveforms on separate device

• Provides extensible format & self describing structure

TCPProcessing

Circuit

DataProcessing

Circuit1

Device 1 Device 2

DataProcessing

Circuit2

Device 3

Encode Decode Transport


HARDWARE CIRCUIT

20

Place & Route Results

• Including Protocol Wrappers & Encoder/Decoder • Target Xilinx Virtex XCV2000E-8• FPX Platform• Number of BLOCKRAMs

– 95 out of 160 (59%)

• Number of SLICEs– 7279 out of 19200 (37%)

• Maximum clock frequency: 85.565MHz• Maximum data throughput: 2.7 Gbps• Maximum packets per second: 2.9M packets/sec

– Min 29 clock cycles per packet (345 ns)– Throughput limited by memory latency


HARDWARE CIRCUIT

21

Content Scanning

PC100SDRAM

ZBTSRAM

addr

D[64]

addr

D[36]

Xilinx XCV2000E FPGA

TCPDecode

TCPEncode

Ctl CellProcessor

Cell Wrapper

Frame Wrapper

IPWrapper

CTLProc

Scan Circuit

StateStore

quer

yst

ate

upda

test

ate

PC100SDRAM

ZBTSRAM

addr

D[64]

addr

D[36]

Xilinx XCV2000E FPGA

Cell Wrapper

Frame Wrapper

IPWrapper

TCP-Processor

TCPEncode

TCPDecode

TCP circuit Scan circuit

Network TrafficControl Interface


HARDWARE CIRCUIT

22

Outline






HARDWARE CIRCUIT

23

Washington University Network

• 384 Mbps total Internet bandwidth– 300 Mbps Internet– 84 Mbps Internet2

• Approx 19,000 active end systems • Approx 10,000 students• Traffic analyzed for 5 week period

– Aug 20th to Sep 24th

– Over 1000 charts generated

• Selected highlights presented


HARDWARE CIRCUIT

24

Washington University Network

To TCP Processor

Internet /

Internet2


HARDWARE CIRCUIT

25

Live Internet Traffic Analysis

Empty

Unused

ScanCircuit

GigELine Card

Port 4Port 5

Port 6

Port 7

Port 3

Port 1Port 0

WUGS-20

WashUInternettraffic

Port 2

PortTrackerCircuit

TCPProcessor

GigELine Card

G-LinkSwitch Ctrl

External Stats

Monitor

WUGS-20Standalone

FPX-in-a-Box


HARDWARE CIRCUIT

26

Data Collection

StatsCollectorSNMPAgent

Multi-RouterTraffic Grapher

Statistics are sentto StatsCollectorapplication fromhardware circuits

StatsCollectorspools raw data to

disk files andretransmits stats

A SNMP agentpublishes thestatistics in a

standard format

MRTG queries theSNMP agent andgenerates traffic

charts

gnuplot

A Perl script readsraw data files and

calls gnuplot togenerate charts P

kts

Time

Pkt

s

Time

Real-time processing


HARDWARE CIRCUIT

27

Current Live Traffic


HARDWARE CIRCUIT

28

Collected Statistics

Configuration InformationSSM New ConnectionsSSM End ConnectionsSSM Reused ConnectionsSSM Active ConnectionsINB Input WordsINB Input PacketsINB Dropped PacketsINB Output PacketsENG TCP PacketsENG SYN PacketsENG FIN PacketsENG RST PacketsENG Zero Length PacketsENG Retransmitted PacketsENG Out-of-Sequence PktsENG Bad ChecksumsRTR TCP Data BytesRTR Client Packets

RTR Bypass PacketsEGR Client Packets InEGR Bypass Packets InEGR TCP Checksum UpdateEGR Packets Out

FTPSSHTelnetSMTPTIMNameservWhoisLoginDNSTFTPGopherFingerHTTPPOP

SFTPSQLNNTPNetBIOSSNMPBGPGACPIRCDLSLDAPHTTPSDHCPLowerUpper

TCP Statistics Port Statistics

Scan StatisticsString 1String 2

String 3String 4

Cells InCells DroppedCells BypassCells OutFrame Words InFrame Packets InIP Packets DroppedIP Packet FragmentsIP Packets InIP Words InIP Packets BypassIP Words BypassIP Bad Checksum

Protocol Statistics


HARDWARE CIRCUIT

29

Typical Daily Traffic Pattern

Lowest activity

Highest activity


HARDWARE CIRCUIT

30

IP and TCP Traffic Rates

>90% TCP packets


HARDWARE CIRCUIT

31

Zero Length TCP Packets

20-40% zero length pkts


HARDWARE CIRCUIT

32

Fragmented IP Packets

.25% Fragmented


HARDWARE CIRCUIT

33

Packet Sequencing

3x-4x more retransmitted


HARDWARE CIRCUIT

34

Packet Sequencing (cont)

3%-4% Retransmitted 1% Out of Seq


HARDWARE CIRCUIT

35

Worm/Virus Detection

• Search for digital signatures• MyDoom (appeared 1/26/04)

– Spread via email attachment– Opens back door via ports 3127-3198– Contains SMTP engine to replicate itself– Contains denial of service attack (25% operational)– At Peak, 1 in 12 emails contained virus

• Netsky (appeared 3/1/04)– Spread via email attachment– Scans drives C through Z looking for email addresses– Contains SMTP engine to replicate itself


HARDWARE CIRCUIT

36

MyDoom Virus Detection


HARDWARE CIRCUIT

37

Netsky Virus Detection


HARDWARE CIRCUIT

38

Denial of Service Attack

• TCP SYN Attack– 8 minutes in duration– 71,000 TCP pkts/sec avg (34,000 normal)

– 40,000 TCP SYN pkts/sec avg (2,000 normal)

• IP attack (non TCP traffic)– 3.5 minutes in duration– 91,000 IP pkts/sec peak (36,000 normal)

– 57,000 Non-TCP pkts/sec peak (2,000 normal)


HARDWARE CIRCUIT

39

Attack Difficult to Detect

TCP: 10:25 to 10:34am

IP: 10:37 to 10:41am


HARDWARE CIRCUIT

40

Both Attacks Visible

TCP attack

Non-TCP attack


HARDWARE CIRCUIT

41

TCP SYN Attack

20x increase in SYN packets


HARDWARE CIRCUIT

42

Attack Directed at SSH Port

counter saturated

True spike at 2.4 M pkts


HARDWARE CIRCUIT

43

Non-TCP Attack

29x increase in non-TCP packets


HARDWARE CIRCUIT

44

Flow Classification and Attacks

• State store contains 1 million records

• Record removed after TCP FIN or RST

• Stale records are not aged out

• 500,000 to 800,000 active records normal

• DoS attack can cause flow saturation

• Table quickly settles back to normal range


HARDWARE CIRCUIT

45

Active State Store Records

400,000 new flows


HARDWARE CIRCUIT

46

Outline






HARDWARE CIRCUIT

47

Insights

• 20%-40% zero length packets– Increase from 18% to 22% (Shalunov: Internet2‘01)

– Implies larger amount of 1-way traffic– Optimization skips processing of these packets

• 5% out of order packets– Agrees with results from (Jaiswal: Infocom‘03)

• Flow classification tables need to be larger– Flow table ½ to ¾ full during normal processing– 1M entry table saturated during attack

• Automated response systems required– Short lived attacks difficult to address manually


HARDWARE CIRCUIT

48

Contributions• Developed Architecture for TCP-Processor

– Hardware-based system– High-performance (multi-gigabit networks)– Per-flow context storage & retrieval

• Implemented TCP-Processor in Reprogrammable Hardware– Operates at 85Mhz on Xilinx Virtex 2000E FPGA– Maximum throughput of 2.7 Gbps– Maximum 2.9M packets/sec

• Created inter-device protocol TCP applications– Multi-device coordination of TCP stream processing– Interfaces with TCP-Processor– Self-describing/extensible transport protocol

• Analyzed live Internet traffic– Insight into Internet traffic profiles

• Supported academic and commercial endeavors


HARDWARE CIRCUIT

49

Future Work

• Packet defragmentation

• Flow classification

• Packet storage manager

• 10Gbps and 40Gbps data processing

• Histogram (packet size, packet type, etc)

• Event rate detection

• Traffic sampling and real-time analysis

• Application integration


HARDWARE CIRCUIT

50

Acknowledgments• Advisor & committee

– John Lockwood (advisor)– Chris Gill– Ron Loui– Ron Indeck– Dave Schimmel

• ARL faculty & staff– Jon Turner– Patrick Crowley– Fred Kuhns– John DeHart

• CSE faculty & staff• ARL & FPX students• NTS

– Steve Wiese• Global Velocity

– Matthew Kulig

• Reuters (formerly Bridge)– Scott Parsons– Deb Grossman– John Leighton

• Recommendations– Scott Parsons– Don Bertier– Andy Cox– Chris Gray

• Reviewers– Tanya Yatzeck– James Hartley

• Family– Jerry & Lois (parents)– Chris & Kreslyn– Nancy, Jeff & Nathan

• Friends


HARDWARE CIRCUIT

51

Questions

TCP STREAM PROCESSING AT GIGABIT LINE RATES David Vincent Schuehler Dissertation Defense Washington...

Documents

Transcript of TCP STREAM PROCESSING AT GIGABIT LINE RATES David Vincent Schuehler Dissertation Defense Washington...