[email protected] Texas A & M University 1
Design, and Evaluation of a Partial State Router
Phani AchantaA. L. Narasimha Reddy
Dept. of Electrical EngineeringTexas A&M University
June 22 2004, ICC
[email protected] Texas A & M University 2
Motivation Increasing non-responsive traffic
Multimedia traffic reduced fairness
Increased DoS attacks Bandwidth denial attacks appear as non-
responsive traffic Need for mechanisms to control the
high bandwidth flows Identification of high bandwidth flows Control of High bandwidth flows
[email protected] Texas A & M University 3
Previous work Per-flow queuing mechanisms address
these issues Maintain per flow state FQ, LQD Scalability concerns
Scalable single queue mechanisms cannot provide ‘flow isolation’ Stateless schemes base decisions on overall
characteristics observable at the router Droptail, RED, Diffserv Fail to contain aggressive flows
[email protected] Texas A & M University 4
Previous work Denial of Service Attacks are
addressed on a per-attack basis Network ingress filtering
Need for scalable mechanisms Partial state mechanisms
[email protected] Texas A & M University 5
Observations Internet traffic is heavy tailed
Bulk of traffic is carried by a few flows (elephants) Bulk of the flows are short-lived (mice)
Dropping packets from short-term flows does not alleviate the network congestion
Class based congestion control does not take into account responsiveness of the traffic
Need a scheme for a quantitative policy-driven control of bandwidth Partial State schemes
[email protected] Texas A & M University 6
Partial State Routers Maintain a fixed amount of state State is managed by sampling or
caching techniques Challenge: How do you manage
state effectively to capture information about elephants?
[email protected] Texas A & M University 7
Scheme - Outline
Partial state can be used to identify non-responsive flows, bandwidth hogs or high bandwidth flows
Normal flows are handled in a stateless fashion
[email protected] Texas A & M University 8
LRU-FQ Partial state scheme Identification of high-bandwidth, non-
responsive flows Cache contains Least Recently Used (LRU) flows Probabilistically replaces the bottom entry of LRU List contains mostly non-responsive high
bandwidth flows Penalizing of non-responsive flows
Employ fair queuing mechanism between non-responsive (cached) and responsive classes
Ensures granular control of the proportion of non-responsive traffic that a router wants to handle
[email protected] Texas A & M University 9
LRU-FQ flow chart – enqueue event
Packet Arrival
Is Flow in Cache?
Yes
No Does Cache Have
space?
Yes
Admit flow with Probability ‘p’
No
Is Flow Admitted?
Record flow detailsInitialize ‘count’ to 0
Yes
Increment ‘count’Move flow to top of cache No
Is‘count’ >= ‘threshold’
No
Yes
Enqueue in Partial stateQueue
Enqueue in NormalQueue
[email protected] Texas A & M University 10
LRU-FQ flow chart – dequeue event
Dequeue event results in selection of a packet from either queues based on the Start Time Fair Queue algorithm
The weights assigned to the individual queues determine the service allotted to each class of flows
[email protected] Texas A & M University 11
LRU cache behavior LRU policy with probabilistic admission
ensures only high bandwidth flows remain over a period of time
Non-responsive high bandwidth flows percolate to the top of the LRU cache.
Web mice which might corrupt the cache are controlled by the ‘threshold’ parameter
[email protected] Texas A & M University 13
Linux IP packet forwarding
Packet Arrival Check & StorePacket
Enqueue pkt
Request SchedulerTo invoke bottom half
Device Prepares
packet Packet Departure
Error checkingVerify
Destination
Route to destinationUpdate Packet
Packet Enqueued
Scheduler invokesBottom half Scheduler runs
Device driver
Local packetDeliver to upper layers UPPER LAYERS
IP LAYER
LINK LAYER
Design space
[email protected] Texas A & M University 14
Linux Kernel Traffic control
Filters are used to distinguish between different classes of flows
Each class of flows can be further categorized into subclasses using filters
Queuing disciplines control how the packets are enqueued and dequeued
[email protected] Texas A & M University 15
LRU-FQ Implementation LRU-FQ is distributed among various
QoS components of Linux. LRU component of the scheme is
implemented as a filter. All parameters of LRU – threshold, probability, and cache size – are passed as parameters to the filter
LRU cache is maintained within the filter.
[email protected] Texas A & M University 16
LRU-FQ implementation Start Time Fair queuing is
implemented as a queuing discipline. Each queue is scheduled based on its
weight Existing Linux FQ queue disciplines
work only for flows within a queue. Modified packet structure skbuff to
carry STFQ start and finish tags.
[email protected] Texas A & M University 17
LRU-FQ ValidationTiming Analysis
95.6
95.62
95.64
95.66
95.68
95.7
95.72
0 5 10 15 20 25 30 35 40 45
Time Delay (usec)
Rec
eive
d T
put
(M
bp
s)
Normal Routing
Diffserv Routing
Start Time FQ & LRU
Timing Analysis
[email protected] Texas A & M University 21
Experiment 1 – Non-responsive flows
Containing non-responsive flows: cache size=12,
threshold=125, p=1/50 20 TCP long term flows varying number of UDP
flows to study cache efficacy on varying weights of the queues.
[email protected] Texas A & M University 23
Experiment 2 – Non-responsive flows
To study effectiveness of scheme with reduced non-responsive flow rates
threshold = 125, probability = 1/50
cache size=12 20 long term TCP flows
[email protected] Texas A & M University 25
Experiment 3 – Web mice vs Elephants
Web mice versus elephants effect of long term
loads on web mice long term load
contains both responsive an non-responsive loads
probability=1/50, threshold=125, cache=12
[email protected] Texas A & M University 28
Experiment 4 – Cache size Effect of varying cache size
to study impact of cache size on performance of the scheme
probability= 1/55, threshold = 125 number of TCP flows=20 equal weights for both queues.
[email protected] Texas A & M University 30
Experiment 5 - Workloads Performance under normal
workloads working of scheme when non-
responsive loads are absent or use their fair share of bandwidth
cache size = 9, threshold =125 probability = 1/55
[email protected] Texas A & M University 33
Conclusion Proposed, implemented and
evaluated an LRU based partial state scheme (LRU-FQ)
LRU-FQ shown to enable quantitative control of non-responsive traffic
LRU-FQ shown to provide better performance for web mice flows
[email protected] Texas A & M University 34
Future work Study of aggregate traffic instead of
flow-specific schemes source based aggregation can help
identifying DoS attacks from a single network
Identification of proportion of non-responsive traffic in order to automate tuning of the LRU-FQ scheme
[email protected] Texas A & M University 35
DropTail FIFO based - Easy to implement Full Queues and Lock-Out problems variants – Drop from front, Random
Drop RED
manages the average queue length by marking or dropping packets early
does not contain aggressive flows
Stateless AQM schemes
[email protected] Texas A & M University 36
Stateless AQM schemes BLUE
bases decisions on two events – packet losses due to Full queues and link idle times.
the two events control congestion signaling probability
does not contain aggressive flows. CHOKe
Incoming packets are matched with random packet in queue to arrive at a drop strategy.
does not contain aggressive flows.
[email protected] Texas A & M University 37
Stateful AQM schemes Longest Queue Drop (LQD)
per flow queue of packets packets from longest queue dropped
upon exhaustion of buffers Flow RED (FRED)
employs per flow RED and Fair Queuing alleviates some RED problems but
requires per-flow queue
[email protected] Texas A & M University 38
Packet State AQM schemes Diffserv
packets marked ‘in’ and ‘out’ based on QoS contract.
‘out’ packets dropped disproportionately thus securing QoS for ‘in’ packets.
Core-Stateless Fair Queuing packets carry the edge router’s estimate of
fair rate on the outgoing link the fair rate is used to arrive at the
forwarding probability.
[email protected] Texas A & M University 39
Partial State AQM schemes Stabilized RED: SRED
identification of misbehaving flows – ‘zombie’ list list is pruned by probabilistic replacement of a
random entry with the incoming packet SACRED
random sampling and holding to maintain a cache of ‘marked’ flows
Random flows observed when average queue length exceeds a sampling threshold.
At dropping threshold, packets are dropped from observed flows exceeding a limit share threshold
[email protected] Texas A & M University 40
Partial State AQM schemes Red-PD
makes use of the drop history observed at an RED router
arrives at a list of flows exceeding a target threshold
LRU-RED maintains an LRU to identify top ‘n’
flows. modifies RED to penalize them more
than normal flows.
[email protected] Texas A & M University 41
Active Queue Management schemes1. Stateless
decisions based on overall characteristics observable at the router queue like average queue length, aggregate arrival and departure rates etc.
DropTail, RED, BLUE, CHOKe
2. Stateful per-flow state maintained to administer the
scheme. Longest Queue Drop (LQD), FRED
[email protected] Texas A & M University 42
Active Queue Management schemes
3. Packet state state is maintained within packets routers base decisions on the state within
packets Diffserv, CSFQ
4. Partial state maintain a limited amount of state state is pruned using sampling and caching SRED, SACRED, RED-PD, LRU-RED
[email protected] Texas A & M University 43
Denial of Service Solutions Network ingress filtering
filter spoofed addresses Traceback algorithms
throttle the attacker at the source network MULTOPS
multi-level tree containing packet statistics proposed for bandwidth attack detection
[email protected] Texas A & M University 44
Observations Stateful schemes are effective but not
scalable Stateless schemes fail to protect normal
flows from aggressive flows Earlier partial state schemes rely on
RED mechanism for resource control Earlier work provides qualitative
improvement of performance for responsive flows and short term flows
[email protected] Texas A & M University 45
Possible Applications of Partial State schemes Control of non-responsive proportion of
traffic Identification of top bandwidth hogs to
alleviate certain DoS scenarios Better service for web mice
lower delay bounds and larger connection rates weights of the fair queuing control the delay
Control of Bandwidth allocation for normal traffic buffers assigned per queue control the
bandwidth
Top Related