A Passive Approach to Detection of Traffic Shaping

Mark Norman and John Leis
Electrical, Electronic and Computer Engineering, University of Southern Queensland, Australia. E-mail: [email protected]

Abstract—Internet service providers often alter the profile of data traffic, a practice referred to as “shaping”. This may be done in order to comply with a service contract, or for the provisioning of services with real-time delivery constraints. This means that the effective throughput to the customer is reduced in some way, either for all traffic, or for one or more individual flows. The presence of traffic shaping may be controversial in some circumstances, particularly when certain classes of traffic are shaped (thus altering the traffic profile). The detection of the existence of traffic shaping on a particular connection or flow is desirable, but technically it is a nontrivial problem. This is especially so if the end-user has limited or no knowledge of the outside network conditions. In this paper, we propose a “blind” traffic shaping detection algorithm, and investigate its effectiveness. The proposed approach is based on order statistics, with limited per-packet computational complexity. This paper describes our novel approach to the detection of traffic shaping, provides several experimental results in different scenarios, and compares the effectiveness of several metrics. Finally, avenues for further developing the algorithm are suggested.

I. BACKGROUND

Traffic or bandwidth shaping is the term used to describe the reduction in throughput of various types of network traffic at a router or interface. This is generally done to enhance the performance of particular traffic classes, or to enforce a network access contract. Traffic shaping may manifest itself as reduced throughput for one or more connections, protocols, and/or hosts, and may not be inherently obvious to the end-user.

Deliberate shaping may well be for legitimate purposes, such as to selectively allow greater bandwidth for short, real-time flows, or particular types of traffic or protocols. For example, selectively allowing shorter packets for interactive applications at the expense of larger packets may well be desirable.

However, when used to enforce compliance with a traffic profile, the use of shaping becomes somewhat controversial [1], [2]. The key issue is whether the end-user is aware that such shaping is occurring, and to what degree (which impacts on the perceived throughput).

Packet manipulation, in the broadest sense, implies either delaying or dropping selected packets, and possibly modifying the contents of packets. We do not consider the issue of modification of packet contents, but rather the presence or absence of shaping as effected by either dropping packets, or delaying their transit.

RFC2475 defines shaping in Section 2.3.3.3 as follows [3]:

“Shapers delay some or all of the packets in a traffic stream in order to bring the stream into compliance with a traffic profile. A shaper usually has a finite-size buffer, and packets may be discarded if there is not sufficient buffer space to hold the delayed packets.”

Shaping is usually implemented in practice via a buffering algorithm – the so-called “” or the “token bucket”, depending on the requirements. Both algorithms are well-known. In this work, we do not assume any particular algorithmic implementation of the shaping itself.

II. PROBLEM STATEMENT

Outwardly, it may seem that it is merely necessary to measure the of a particular interface in order to determine whether it is subject to any upstream packet shaping or throttling. However, simply measuring the throughput of the receive channel is not a reliable indicator of bandwidth shaping, since the particular flow characteristics are unknown. The type of flow (short and bursty, or longer bulk transfers) is dependent on the usage pattern at any given time. The particular flow(s) requested will emanate from an upstream connection, which is subject to the vagaries of server load and the intervening connection path.

An active approach, in which an interface is set up to receive a continuous stream of packets from an external source, is common for one-off testing of downstream interface speeds. However, this has two disadvantages. First, it requires a co-operating host elsewhere, with known service capacity. Secondly, it is not a desirable option for continual monitoring of bandwidth, since the bandwidth of a user’s premises may be subject to metering. The act of downloading a large quantity of data merely for the purposes of measuring bandwidth is somewhat self-defeating, since it consumes the user’s quota.

Various approaches have been suggested towards solving the problem of determining when shaping is present [2], [4], [5]. These usually rely on injection of packets into the network; such “active” detectors invariably also require a separate, co-operating host in a different domain.

Thus, we are presented with the problem of passively determining if an interface is subject to upstream throttling. This paper introduces a passive approach, based on observation of existing flows and their statistical classification.


Proceedings of the Second APSIPA Annual Summit and Conference, pages 773–776, Biopolis, Singapore, 14-17 December 2010.

10-0107730776 ©2010 APSIPA. All rights reserved.

III. POSSIBLE APPROACHES

In using protocols with acknowledgement such as TCP, it is likely that such selective packet dropping or delay actions will impact on the sender’s transmission rate. In the case of TCP, a delayed packet will manifest itself as a larger round-trip time (RTT) estimate, and hence throttle the rate at which new data segments are introduced into the network [6], [7].

Without specific and time-synchronized knowledge of the launch and receipt time of an individual packet, it is not possible to precisely determine whether an individual packet has been delayed. Thus, fully “blind” detection based on the received data stream is not possible at the level of individual packets. Furthermore, the dynamic window adjustment of protocols such as TCP may appear to indicate the presence of packet shaping along the path. However, it is not necessary to determine the existence of packet shaping to the granularity of an individual packet — for many purposes, it is merely sufficient to indicate a broader trend across a flow. Given that network conditions are approximately constant over a suitably long time window, a sufficiently large-scale estimation should be enough to estimate whether shaping is occurring.

IV. PROPOSED APPROACH

It may be tempting to consider a model-based approach, so that a receiver could calculate the expected throughput from a particular source. However, this ignores the vagaries of the internet path itself [8]. Furthermore, some knowledge of the underlying protocol would need to be built into the model. The large number of TCP protocol variants currently in use renders this approach infeasible [9].

Unlike previous designs [2], [5], we adopt a passive approach. This approach is based on longer-term statistical characterization of packet flows — unlike active approaches, which use concepts employed in network measurement tools.

In order to passively determine a traffic profile, and hence estimate the deviation from the mean flow rate at any given time, it is necessary to either estimate or embed a statistical model of “normal” traffic. Since any type of modelling is invariably subject to assumptions, we utilize ongoing sampled measurements of the current network conditions. The present work focuses on TCP, but this could be extended to other protocols. Using the concept of TCP flows – that is, using the socket pair which uniquely defines a flow from source IP:Port to destination IP:Port – it is possible to estimate the instantaneous throughput and packet delay. However, keeping track of flows is somewhat problematic. To begin with, a potentially very large number of flows requires a fast lookup for per-packet processing. Secondly, precise matching of sent packets with acknowledgements received requires, in effect, a parallel TCP stack, or modifications to the existing stack. Both of these are undesirable (for performance and deployment reasons). Thus, we propose to dispense with the notion of precisely tracking packets and bytes, and instead use the coarser measurement of time between acknowledgements. Thus, the per-packet processing is somewhat reduced, and amounts to incrementing a statistical sample of time since last acknowledgement. Invariably, some ACKs will arrive early, and some late, due to packet fragmentation at the TCP layer, or various processing delays in between (for example, the delay that may occur when a packet traverses a NAT).

V. PROPOSED ALGORITHM

To determine whether such a low-overhead coarse measurement derived from packet arrivals is of use in determining the presence of shaping, we first examine the statistical profile of such data. It is expected that the skewness of such a distribution will be affected by the presence or absence of shaping. In the normal course of network flow, some skew will invariably be present. However, we need to find when such deviation from an essentially single-mode distribution reaches a critical level, at which point we infer that packet shaping is taking place.

In order to estimate the deviation from normal, we need a measure of skewness. Many such measures of skew have been proposed in the literature, and the computation of some measures requires a substantial amount of data and/or significant computational resources.

We investigate Pearson’s first skewness coefficient, which for a distribution of random variable X is defined as

$$ s_1 = \frac{\mathrm{mean}(x) - \mathrm{mode}(x)}{\sigma_x} \tag{1} $$

Pearson’s second skewness coefficient is defined as

$$ s_2 = \frac{3\,(\mathrm{mean}(x) - \mathrm{median}(x))}{\sigma_x} \tag{2} $$

Finally, the literature also defines the higher-order skewness measures

$$ s_3 = \frac{\sum (x - \bar{x})^3}{N \sigma^3} \tag{3} $$

$$ s_4 = \frac{\sum (x - \bar{x})^4}{N \sigma^4} - 3 \tag{4} $$

where N is the number of samples.

Several sampling and computational issues present themselves. The number of samples to collect, and the period over which samples are averaged, are obviously of primary concern. In typical traffic flows, the initial samples may be somewhat skewed, due to the TCP slow-start and congestion-avoidance algorithms. The computation of mode and median in (1) and (2) may be difficult for large observation sequences. After presentation of experimental results in the following section, we return to the issue of efficiently computing these parameters.

VI. RESULTS

In order to evaluate the effectiveness of the proposed approach, we investigate shaping metrics obtained using commercial off-the-shelf traffic shaping products [11], [12].

In these experiments, a traffic source/sink combination was created by using a standard HTTP GET request. Care was taken to ensure that local caches were cleared before each run of the experiment. The resulting traffic stream was captured at the receiver. The traffic streams were captured using
Analyzer [10] and saved in PDM format. The traffic traces were then parsed using a MATLAB script. In keeping with the simplicity of implementation assumption, no attempt was made to match packets — only the time between successive acknowledgements (the “inter-ACK time”) was extracted for analysis.

It was initially expected that the results for traffic streams shaped by each of the three commercial products would be similar, however this was not the case.

Figure 1 shows the inter-arrival times for the Bandwidth Manager throttling the traffic, and Figure 2 shows the inter-arrival times for Net Limiter in a similar setup.

Tables I and II show the measured skewness coefficients using equations (1)-(4) for each bandwidth limiting product. It is evident that equations (1) and (2) yield a reasonable discrimination between shaped and non-shaped flows. Comparison of the skew coefficient columns in Tables I and II shows that the mode and median calculation approaches (Pearson’s first and second skewness coefficients, respectively) are able to give some indication of the presence of traffic shaping (throttling). Further data is needed to determine whether the amount of shaping introduced is able to be determined from knowledge of the skew coefficient alone. Pearson’s second skewness coefficient appears to give better differentiation of the presence of traffic shaping, which is the primary objective of this investigation.

Fig. 1. Inter-acknowledgement arrival times for Bandwidth Manager. Throttling at 40kbps, 400kbps, 816kbps and 1500kbps rates are shown.

Fig. 2. Inter-acknowledgement arrival times for Net Limiter. Throttling at 40kbps, 400kbps, 816kbps and 1500kbps rates are shown.

TABLE I. TRAFFIC SHAPING RESULTS – BANDWIDTH MANAGER.

Limit (kbps)  Skew-1  Skew-2  Skew-3  Skew-4
40            0.25    0.75    4.4     18
400           0.25    0.75    5.2     30
816           0.21    0.63    5.5     28
1500          0.22    0.61    9.1     93

TABLE II. TRAFFIC SHAPING RESULTS – NETLIMITER.

Limit (kbps)  Skew-1  Skew-2  Skew-3  Skew-4
40            0.61    1.75    1.2     -0.22
400           0.51    1.28    0.53    1.3
816           0.52    1.25    2.6     5.3
1500          0.18    0.44    0.42    5.6

VII. DISCUSSION

The proposed approach using passive observation of acknowledgement times is relatively straightforward, and involves updating of the mean, variance, median and/or mode of the inter-ACK arrival times.

The results presented demonstrate that the technique has potential to discriminate flows subject to shaping and those not subject to shaping. Further work is required to establish precise thresholds for this, and the size of the flow required to yield reliable discrimination.

If equation (1) is used, the mode of the data set must be determined. Since this requires determination of the most likely value in a data set, it in turn depends on timer granularity when timestamping the received acknowledgements.

The skew coefficient defined by (2) requires calculation of the median, and this requires a sorted list for a straightforward implementation. However, various fast median calculation methods have been proposed in the literature, principally in connection with removal of impulsive noise from images [13], [14], [15].

Since these two methods appear to be the most promising, the computational complexity of each requires further investigation.

VIII. CONCLUSIONS & FURTHER WORK

This work has presented a novel approach to determining whether traffic shaping is present in a downstream link. It requires only passive observation of received data flows.

The results presented are based on TCP traffic. Since this is the dominant protocol for reliable communications, it is clearly important that the algorithm operate with that traffic type. However, it is also important to extend this in future work to non-TCP protocols.

The processing time required to determine presence of shaping is also clearly a necessary avenue for further work. The results presented here have been based on fixed-sized traffic flows, and confidence intervals will need to be established for smaller and larger flows.

REFERENCES

[1] Daniel A. Begun, Google To Develop ISP Throttling Detector, Hot Hardware, current February 2009, http://hothardware.com/News/Google To Develop ISP Throttling Detector/.
[2] Krishna P. Gummadi et al, Glasnost: Test if your ISP is manipulating BitTorrent traffic, Max Planck Institute for Software Systems, current February 2009, http://broadband.mpi-sws.org/transparency/bttest.php.
[3] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, Eds., An Architecture for , http://www.rfc-editor.org/rfc/rfc2475.txt, December 1998.
[4] Electronic Frontier Foundation, Switzerland Network Testing Tool, Electronic Frontier Foundation, current February 2009, http://www.eff.org/testyourisp/switzerland.
[5] Peter Eckersley, Switzerland Design, Electronic Frontier Foundation, May 2008, http://switzerland.svn.sourceforge.net/viewvc/switzerland/trunk/doc/design.pdf.
[6] Phil Karn and Craig Partridge, “Improving Round-Trip Time Estimates in Reliable Transport Protocols”, ACM SIGCOMM Computer Communication Review, vol. 31, no. 1, pp. 67–74, Jan. 1995.
[7] Dmitri Loguinov and Hayder Radha, “Retransmission Schemes for Streaming Internet Multimedia: Evaluation Model and Performance Analysis”, ACM SIGCOMM Computer Communication Review, vol. 32, no. 2, pp. 70–83, Apr. 2002.
[8] Vern Paxson and Sally Floyd, Why We Don’t Know How to Simulate the Internet, http://www.icir.org/floyd/papers.html, 1997.
[9] Bogdan Moraru, Flavius Copaciu, Gabriel Lazar, and Virgil Dobrota, “Practical Analysis of TCP Implementations: Tahoe, Reno, New Reno”, in RoEduNet International Conference on Networking in Education and Research, Iasi, Romania. June 2003, pp. 305–317, available http://conference.iasi.roedu.net/site/conference/papers/MORARU B-Practical Analysis of TCP Implementations Tahoe R..pdf.
[10] Analyzer, Politecnico di Torino, current May 2009, http://analyzer.polito.it/.
[11] Analyzer, SoftPerfect Bandwidth Manager, current May 2009, http://www.softperfect.com/products/bandwidth/.
[12] Analyzer, Netlimiter Traffic Shaper, current May 2009, http://www.netlimiter.com/.
[13] Thomas S. Huang, George J. Yang, and Gregory Y. Tang, “A Fast Two-Dimensional Median Filtering Algorithm”, IEEE Transactions on Acoustics, Speech and Signal Processing, vol. ASSP-27, no. 1, pp. 13–18, Feb. 1979.
[14] William K. Pratt, Digital Image Processing, John Wiley & Sons Inc., 3rd edition, 2001.
[15] A. R. Rostampour and A. R. Reeves, “2D Median Filtering and Pseudo Median Filtering”, in Proceedings of the Twentieth Southeastern Symposium on System Theory, Charlotte, NC, USA, 1988, IEEE, pp. 554–557.
[16] Zhenxiang Chen, Bo Yang, Yuehui Chen, Ajith Abraham, Crina Grosan, and Lizhi Peng, “Online Hybrid Traffic Classifier for Peer-to-Peer Systems Based on Network Processors”, Applied Soft Computing (Elsevier), vol. 9, no. 2, pp. 685–694, Mar. 2008.
[17] Baek-Young Choi, Jaesung Park, and Zhi-Li Zhang, “Adaptive Random Sampling for Load Change Detection”, in Proceedings of the 2002 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, Marina Del Rey, California, 2002, ACM, pp. 272–273.
[18] Marcel Dischinger, Alan Mislove, Andreas Haeberlen, and Krishna P. Gummadi, “Detecting BitTorrent Blocking”, in Proceedings of the 8th ACM SIGCOMM conference on Internet measurement. ACM, 2008.
[19] Augustin Soule, Kavé Salamatian, Nina Taft, Richard Emilion, and Konstantina Papagiannaki, “Flow Classification by Histograms: or How to go on Safari in the Internet”, in SIGMETRICS ’04/Performance ’04: Proceedings of the joint international conference on Measurement and modeling of computer systems. ACM, 2004.
[20] David Olshefski and Jason Nieh, “Understanding the Management of Client Perceived Response Time”, in SIGMETRICS ’06/Performance ’06: Proceedings of the joint international conference on Measurement and modeling of computer systems. ACM, 2006.
[21] Daniele Croce, Marco Mellia, and Emilio Leonardi, “The Quest for Bandwidth Estimation Techniques for Large-Scale Distributed Systems”, in SIGMETRICS Performance Evaluation Review. ACM, 2010, vol. 37.
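
The per-ACK bookkeeping of Section IV and the four skew measures of equations (1)-(4), as an added example that is not the authors' MATLAB script. It assumes inter-ACK times are binned at a timer granularity `tick`, so that the mode and median discussed in Section VII come from the histogram rather than a sorted sample list; the class and function names and the sample timestamps are constructed for illustration.

```python
import math
from collections import Counter


class InterAckSkew:
    """Skewness of inter-ACK times, kept as a histogram in timer ticks."""

    def __init__(self, tick=0.001):
        self.tick = tick        # assumed timestamp granularity in seconds
        self.last = None        # arrival time of the previous ACK
        self.bins = Counter()   # inter-ACK time (in ticks) -> count

    def on_ack(self, t):
        """Per-ACK work: one subtraction and one histogram increment."""
        if self.last is not None:
            self.bins[round((t - self.last) / self.tick)] += 1
        self.last = t

    def _middle_pair(self, n):
        """Return the two middle order statistics without sorting samples."""
        lo_i, hi_i, seen, lo = (n - 1) // 2, n // 2, 0, None
        for value in sorted(self.bins):          # sorts bins, not samples
            seen += self.bins[value]
            if lo is None and seen > lo_i:
                lo = value
            if seen > hi_i:
                return lo, value

    def coefficients(self):
        """Return (s1, s2, s3, s4) of equations (1)-(4), or None if undefined."""
        n = sum(self.bins.values())
        if n < 2:
            return None
        mean = sum(v * c for v, c in self.bins.items()) / n
        # Central moments divided by N (population form, as in (3) and (4)).
        m2, m3, m4 = (sum(c * (v - mean) ** k for v, c in self.bins.items()) / n
                      for k in (2, 3, 4))
        if m2 == 0:
            return None         # all gaps identical: skew is undefined
        sigma = math.sqrt(m2)
        # Mode: most populated bin; ties resolved toward the smaller gap.
        mode = min(self.bins, key=lambda v: (-self.bins[v], v))
        lo, hi = self._middle_pair(n)
        median = (lo + hi) / 2
        return ((mean - mode) / sigma, 3 * (mean - median) / sigma,
                m3 / sigma ** 3, m4 / sigma ** 4 - 3)


def skew_from_ack_times(times, tick=0.001):
    """Feed ACK arrival times (seconds) through the estimator."""
    est = InterAckSkew(tick)
    for t in times:
        est.on_ack(t)
    return est.coefficients()


# Constructed ACK arrival times in seconds (not measured data).
EVEN_GAPS = [0.000, 0.001, 0.003, 0.005, 0.008]   # gaps 1, 2, 2, 3 ms
LONG_TAIL = [0.000, 0.001, 0.002, 0.003, 0.008]   # gaps 1, 1, 1, 5 ms

if __name__ == "__main__":
    for name, times in (("even", EVEN_GAPS), ("long tail", LONG_TAIL)):
        print(name, [round(s, 3) for s in skew_from_ack_times(times)])
```

The coefficients are dimensionless, so they are computed directly in tick units; a coarser `tick` merges neighbouring gaps into one bin and changes which bin is reported as the mode.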
