A Passive Approach to Detection of Traffic Shaping
Mark Norman and John Leis
Electrical, Electronic and Computer Engineering, University of Southern Queensland, Australia, E-mail: [email protected]

Proceedings of the Second APSIPA Annual Summit and Conference, pages 773–776, Biopolis, Singapore, 14-17 December 2010. 10-0107730776 ©2010 APSIPA. All rights reserved.

Abstract—Internet service providers often alter the profile of data traffic, a practice referred to as “shaping”. This may be done in order to comply with a service contract, or for the provisioning of services with real-time delivery constraints. This means that the effective throughput to the customer is reduced in some way, either for all traffic, or for one or more individual flows. The presence of traffic shaping may be controversial in some circumstances, particularly when certain classes of traffic are shaped (thus altering the traffic profile). The detection of the existence of traffic shaping on a particular connection or flow is desirable, but technically it is a nontrivial problem. This is especially so if the end-user has limited or no knowledge of the outside network conditions. In this paper, we propose a “blind” traffic shaping detection algorithm, and investigate its effectiveness. The proposed approach is based on order statistics, with limited per-packet computational complexity. This paper describes our novel approach to the detection of traffic shaping, provides several experimental results in different scenarios, and compares the effectiveness of several metrics. Finally, avenues for further developing the algorithm are suggested.

I. BACKGROUND

Traffic or bandwidth shaping is the term used to describe the reduction in throughput of various types of network traffic at a router or interface. This is generally done to enhance the performance of particular traffic classes, or to enforce a network access contract. Traffic shaping may manifest itself as reduced throughput for one or more connections, protocols, and/or hosts, and may not be inherently obvious to the end-user.

Deliberate shaping may well be for legitimate purposes, such as to selectively allow greater bandwidth for short, real-time flows, or particular types of traffic or protocols. For example, selectively allowing shorter packets for interactive applications at the expense of larger packets may well be desirable.

However, when used to enforce compliance with a traffic profile, the use of shaping becomes somewhat controversial [1], [2]. The key issue is whether the end-user is aware that such shaping is occurring, and to what degree (which impacts on the perceived throughput).

Packet manipulation, in the broadest sense, implies either delaying or dropping selected packets, and possibly modifying the contents of packets. We do not consider the issue of modification of packet contents, but rather the presence or absence of shaping as effected by either dropping packets, or delaying their transit.

RFC2475 defines shaping in Section 2.3.3.3 as follows [3]:

    Shapers delay some or all of the packets in a traffic stream in order to bring the stream into compliance with a traffic profile. A shaper usually has a finite-size buffer, and packets may be discarded if there is not sufficient buffer space to hold the delayed packets.

Shaping is usually implemented in practice via a buffering algorithm – the so-called “leaky bucket” or the “token bucket”, depending on the requirements. Both algorithms are well-known. In this work, we do not assume any particular algorithmic implementation of the shaping itself.

II. PROBLEM STATEMENT

Outwardly, it may seem that it is merely necessary to measure the bandwidth of a particular interface in order to determine whether it is subject to any upstream packet shaping or throttling. However, simply measuring the throughput of the receive channel is not a reliable indicator of bandwidth shaping, since the particular flow characteristics are unknown. The type of flow (short and bursty, or longer bulk transfers) is dependent on the usage pattern at any given time. The particular flow(s) requested will emanate from an upstream connection, which is subject to the vagaries of server load and the intervening connection path.

An active approach, in which an interface is set up to receive a continuous stream of packets from an external source, is common for one-off testing of downstream interface speeds. However, this has two disadvantages. First, it requires a co-operating host elsewhere, with known service capacity. Secondly, it is not a desirable option for continual monitoring of bandwidth, since the bandwidth of a user's premises may be subject to metering. The act of downloading a large quantity of data merely for the purposes of measuring bandwidth is somewhat self-defeating, since it consumes the user's quota.

Various approaches have been suggested towards solving the problem of determining when shaping is present [2], [4], [5]. These usually rely on injection of packets into the network; such “active” detectors invariably also require a separate, co-operating host in a different domain.

Thus, we are presented with the problem of passively determining if an interface is subject to upstream throttling. This paper introduces a passive approach, based on observation of existing flows and their statistical classification.

III. POSSIBLE APPROACHES

In using protocols with acknowledgement such as TCP, it is likely that such selective packet dropping or delay actions will impact on the sender's transmission rate. In the case of TCP, a delayed packet will manifest itself as a larger round-trip time (RTT) estimate, and hence throttle the rate at which new data segments are introduced into the network [6], [7].

Without specific and time-synchronized knowledge of the launch and receipt time of an individual packet, it is not possible to precisely determine whether an individual packet has been delayed. Thus, fully “blind” detection based on the received data stream is not possible at the level of individual packets. Furthermore, the dynamic window adjustment of protocols such as TCP may appear to indicate the presence of packet shaping along the path. However, it is not necessary to determine the existence of packet shaping to the granularity of an individual packet — for many purposes, it is merely sufficient to indicate a broader trend across a flow. Given that network conditions are approximately constant over a suitably long time window, a sufficiently large-scale estimation should be enough to estimate whether shaping is occurring.

IV. PROPOSED APPROACH

It may be tempting to consider a model-based approach, so that a receiver could calculate the expected throughput from a particular source. However, this ignores the vagaries of the internet path itself [8]. Furthermore, some knowledge of the underlying protocol would need to be built into the model. The large number of TCP protocol variants currently in use renders this approach infeasible [9].

Unlike previous designs [2], [5], we adopt a passive approach. This approach is based on longer-term statistical characterization of packet flows — unlike active approaches, which use concepts employed in network measurement tools.

In order to passively determine a traffic profile, and hence estimate the deviation from the mean flow rate at any given time, it is necessary to either estimate or embed a statistical model of “normal” traffic. Since any type of modelling is invariably subject to assumptions, we utilize ongoing sampled measurements of the current network conditions. The present work focuses on TCP, but this could be extended to other protocols. Using the concept of TCP flows – that is, using the socket pair which uniquely defines a flow from source IP:Port to destination IP:Port – it is possible to estimate the instantaneous throughput and packet delay. However, keeping track of flows is somewhat problematic. To begin with, a potentially very large number of flows requires a fast lookup for per-packet processing.

acknowledgement. Invariably, some ACKs will arrive early, and some late, due to packet fragmentation at the TCP layer, or various processing delays in between (for example, the delay that may occur when a packet traverses a NAT).

V. PROPOSED ALGORITHM

To determine whether such a low-overhead coarse measurement derived from packet arrivals is of use in determining the presence of shaping, we first examine the statistical profile of such data. It is expected that the skewness of such a distribution will be affected by the presence or absence of shaping. In the normal course of network flow, some skew will invariably be present. However, we need to find when such deviation from essentially single-mode distribution reaches a critical level, at which point we infer that packet shaping is taking place.

In order to estimate the deviation from normal, we need a measure of skewness. Many such measures of skew have been proposed in the literature, and the computation of some measures requires a substantial amount of data and/or significant computational resources.

We investigate Pearson's first skewness coefficient, which for a distribution of random variable X is defined as

$$ s_1 = \frac{\mathrm{mean}(x) - \mathrm{mode}(x)}{\sigma_x} \qquad (1) $$

Pearson's second skewness coefficient is defined as

$$ s_2 = \frac{3\,(\mathrm{mean}(x) - \mathrm{median}(x))}{\sigma_x} \qquad (2) $$

Finally, the literature also defines the higher-order skewness measures

$$ s_3 = \frac{\sum (x - \bar{x})^3}{N\sigma^3} \qquad (3) $$

$$ s_4 = \frac{\sum (x - \bar{x})^4}{N\sigma^4} - 3 \qquad (4) $$

where N is the number of samples.

Several sampling and computational issues present themselves. The number of samples to collect, and the period over which samples are averaged, are obviously of primary concern. In typical traffic flows, the initial samples may be somewhat skewed, due to the TCP slow-start and congestion-avoidance algorithms. The computation of mode and median in (1) and (2) may be difficult for large observation sequences. After presentation of experimental results in the following section, we return to the issue of efficiently computing these parameters.
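
The four measures of equations (1)–(4), computed per flow keyed on the socket pair, as an added example that is not the authors' code. It assumes a histogram-binned mode (the paper does not say how the mode is taken for continuous data); the function names, flow keys and sample values are constructed for illustration.

```python
import math
import statistics
from collections import Counter, defaultdict

def binned_mode(samples, bin_width):
    # Mode of continuous data: centre of the fullest histogram bin. Bins are
    # centred on multiples of bin_width; ties go to the lowest bin (assumption).
    counts = Counter(math.floor(x / bin_width + 0.5) for x in samples)
    top = max(counts.values())
    return min(b for b, c in counts.items() if c == top) * bin_width

def skew_measures(samples, bin_width=1.0):
    # Returns (s1, s2, s3, s4) as defined in equations (1)-(4).
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean = statistics.fmean(samples)
    sigma = statistics.pstdev(samples)  # population sigma, matching the 1/N in (3), (4)
    if sigma == 0:
        raise ValueError("all samples identical; the measures are undefined")
    s1 = (mean - binned_mode(samples, bin_width)) / sigma
    s2 = 3 * (mean - statistics.median(samples)) / sigma
    s3 = sum((x - mean) ** 3 for x in samples) / (n * sigma ** 3)
    s4 = sum((x - mean) ** 4 for x in samples) / (n * sigma ** 4) - 3
    return s1, s2, s3, s4

def per_flow_measures(records, bin_width=1.0):
    # records: iterable of ((src_ip, src_port, dst_ip, dst_port), sample).
    # A dict keyed on the socket pair gives the fast per-packet lookup.
    flows = defaultdict(list)
    for key, sample in records:
        flows[key].append(sample)
    return {key: skew_measures(vals, bin_width) for key, vals in flows.items()}

# Constructed samples in arbitrary units, not measurements from the paper:
# FLOW_A is symmetric about its mean, FLOW_B has a tail of low values.
FLOW_A = ("192.0.2.10", 443, "198.51.100.7", 50512)
FLOW_B = ("192.0.2.20", 80, "198.51.100.7", 50513)
RECORDS = ([(FLOW_A, v) for v in (8, 9, 10, 10, 10, 11, 12)] +
           [(FLOW_B, v) for v in (2, 6, 10, 10, 10, 10, 8)])

if __name__ == "__main__":
    for key, m in per_flow_measures(RECORDS).items():
        print(key, ["%.4f" % v for v in m])
```

The median and binned mode here need the whole sample list in memory, which is the cost the text notes for large observation sequences.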