An active queue management scheme to contain high

Real-time Traffic monitoring and containment
A. L. Narasimha Reddy
Dept. of Electrical Engineering
Texas A & M University
http://ee.tamu.edu/~reddy/
Acknowledgements
• Deying Tong, Smitha, Phani Achanta
• Seong Soo Kim
Narasimha Reddy
Texas A & M University
Outline
• Introduction & Motivation
• DOS attacks
– Partial state routers
• DDOS attacks, worms
– Aggregate Packet header data as signals
– Signal/image based anomaly/attack detectors
Introduction
• UDP-based multimedia traffic increasing
• UDP does not have congestion control
• Applications can be “selfish”
– If everyone is selfish, network can break down
• Controlling “selfish” flows desired
– Identify Resource hogs and control them
Impact of UDP -- Unfairness
• When UDP and TCP compete, UDP wins by
pushing TCP into congestion [Floyd&Fall
99]
Unfairness - FIFO
Unfairness - WRR
Loss of goodput -FIFO
• Packets dropped later in network
Loss of goodput -WRR
UDP -- Summary
• Individual flows need to respond to
congestion
• When end-hosts don’t respond to
congestion
– Need to identify and contain such flows
– Need network mechanisms for such control
Introduction (cont’d)
• Many Network attacks
• Exploit Application, Protocol, Network
architecture vulnerabilities
• Denial of Service attacks
– Consume all resources
– Leave no resources for legitimate users
TCP SYN Flooding (cont’d)
• The attack occurs by the attacker
initiating a TCP connection to the server
with a SYN. (using a legitimate or spoofed
source address)
• The server replies with a SYN-ACK
• The client then doesn’t send back an ACK,
causing the server to allocate memory for
the pending connection and wait.
(If the client spoofed the initial source address, it
will never receive the SYN-ACK)
TCP SYN Flooding: Results
• The half-open connections buffer on the victim
server will eventually fill
• The system will be unable to accept any new
incoming connections until the buffer is emptied
out.
• There is a timeout associated with a pending
connection, so the half-open connections will
eventually expire.
• The attacking system can continue sending
requests for new connections faster than
the victim system can expire the pending
connections.
TCP Three-Way Handshake
Client connecting to a TCP port
• SYN: client initiates request (client wishes to establish connection)
• SYN-ACK: server agrees to connection request; connection is now half-open; client connection established
• ACK: client finishes handshake; server connection established
SYN Flood Illustrated
Client SYN Flood
• Client spoofs requests: a stream of SYNs (S)
• Server: half-open connections accumulate until the queue is filled
• Server: “I have ACKed these connections, but I have not received an ACK back!”
Smurf Example
[Figure: Attacker, Cloud, Victim and two networks, 192.168.1.0/24 and 10.1.2.0/24; packets labelled Victim and 10.1.2.255, Victim and 192.168.1.255]
1. Attacker sends ICMP packet with spoofed source IP
2. Attacker sends ICMP packet with spoofed source IP
3. Victim is flooded with ICMP echo responses
4. Victim hangs?
Distributed Denial of Service
Attacks (DDOS)
• Attacker logs into Master
and signals slaves to launch
an attack on a specific
target address (victim).
• Slaves then respond by
initiating TCP, UDP, ICMP
or Smurf attack on victim.
Network Attacks -- Summary
• Many vulnerabilities exist in Networks
• Malicious traffic increasing
– For fun and profit
• Need mechanisms to identify and control
malicious traffic
• DOS and DDOS
• DOS, resource hog problem similar
• DDOS requires new approach
Real-time traffic monitoring
• Attacks motivate us to monitor network
traffic
– Potential anomaly/attack detectors
– Potentially contain/throttle them as they happen
• Line speeds are increasing
– Need simple, effective mechanisms
• Attacks constantly changing
– CodeRed yesterday, MyDoom today, what next
Motivation
• Most current monitoring/policing tools are
tailored to known attacks
– Look for packets with port number 1434
(CodeRed)
– Contain Kazaa traffic to 20% of the link
• Become ineffective when traffic patterns or
attacks change
– New threats are constantly emerging
Motivation
• Can we design generic (and generalized)
mechanisms for attack detection and
containment?
• Can we make them simple enough to
implement them at line speeds?
Introduction
• Why look for Kazaa packets
– They consume resources
– Consume resources more than we want
• Not much different from DOS flood
– Consumes resources to stage attacks
• Why not monitor resource usage?
– Do not want to rely on attack specific info
Attacks
• DOS attacks
– Few sources = resource hogs
• DDOS attacks, worms
– Many sources
– Individual flows look normal
– Look at the aggregate picture
DOS attacks & Network Flows
• Too many flows to monitor each flow
• Maintain a fixed amount of state/memory
– State not enough to monitor all flows (Partial state)
– Manage the state to monitor high-bandwidth flows
– How?
• Sample packets
– High-BW flows more likely to be selected
• Use a cache and employ LRU type policy
– Traffic driven
– Cache retains frequently arriving flows
Partial State Approach
• Similar to how caches are employed in
computer memory systems
– Exploit locality
• Employ an engineering solution in an
architecture-transparent fashion
Identifying resource hogs
• Lots of web flows
– Tend to corrupt the cache quickly
• Apply probabilistic admission into cache
– Flow has to arrive often to be included in cache
– Most web flows not admitted
• Works well in identifying high-BW flows
• Can apply resource management techniques
to contain cached/identified flows
LRU with probabilistic admission
• Employ a modified LRU
• On a miss, flow admitted with probability p
– When p is small, keeps smaller flows out
– High-BW flows more likely admitted
– Allows high-BW flows to be retained in cache
• Nonresponsive flows more likely to stay in
cache
Traffic Driven State Management
• Monitor top 100 flows at any time
– Don’t know the identity of these flows
– Don’t know how much BW these may consume
Policy Driven State Management
• An ISP could decide to monitor flows above
1Mbps
– Will need state >= link capacity/1 Mbps
• Could monitor flows consuming more than
1% of link capacity
– For security reasons
– At most 100 flows with 1% BW consumption
Partial State –Trace-driven evaluation
Partial State –Trace-driven Evaluation
[Figure: UDP Cache Occupancy; axes: Time in seconds, Rate in Mb]
[Figure: TCP Cache Occupancy; axes: Time in seconds, Flow Number]
Resource Management
Preferential Dropping
[Figure: drop prob versus Queue length, with thresholds minth and maxth and drop probability levels maxp and 1; one curve is the drop prob for high bandwidth flows, the other the drop prob for other flows]
Multiple possibilities
• SACRED: Monitor flows above certain rate
(policy driven), differential RED, (iwqos99)
• LRU-RED: Traffic driven state management,
differential RED (Globecom01)
– Approximately fair BW distribution
• LRU-FQ: Traffic driven state management, fair
queuing (ICC 04)
– Contain DOS attacks
– Provide shorter delays for short-term flows
SACRED
• Sampling And Caching RED
• Maintain flow rate as state for cached flows
• If flow rate > threshold, drop at higher rate
– Drop rate keeps increasing if flow stays above
threshold
– Tends to punish nonresponsive flows, high-BW
flows
• If flow rate < threshold, remove from cache
– Make room for another flow
SACRED results -10% state
SACRED – cache associativity
SACRED --Additive
SACRED –TCP only
LRU-FQ Resource Management
LRU-FQ flow chart – enqueue event
• Packet arrival: is flow in cache?
– Yes: increment ‘count’; move flow to top of cache
– No: does cache have space?
– Cache has space: record flow details; initialize ‘count’ to 0
– Cache has no space: admit flow with probability ‘p’; is flow admitted?
– Admitted: record flow details; initialize ‘count’ to 0
– Not admitted: enqueue in normal queue
• Is ‘count’ >= ‘threshold’?
– Yes: enqueue in partial state queue
– No: enqueue in normal queue
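The enqueue decision from the flow chart above, together with the “LRU with probabilistic admission” slide, as an added Python example (not the authors' Linux filter). Evicting the least recently used entry on admission, the flow names and the constructed workload are assumptions; cache size 11, threshold 125 and p = 1/25 are the values quoted with the experiments.

```python
import random
from collections import OrderedDict


class LruFlowFilter:
    """Partial-state classifier that follows the enqueue flow chart."""

    def __init__(self, cache_size, admit_prob, threshold, rng):
        self.cache_size = cache_size
        self.admit_prob = admit_prob
        self.threshold = threshold
        self.rng = rng
        self.cache = OrderedDict()  # flow id -> count; most recently seen last

    def classify(self, flow):
        """Return "partial" or "normal" for one arriving packet of `flow`."""
        if flow in self.cache:
            self.cache[flow] += 1
            self.cache.move_to_end(flow)      # move flow to top of cache
            if self.cache[flow] >= self.threshold:
                return "partial"
            return "normal"
        if len(self.cache) >= self.cache_size:
            # Cache full: admit with probability p, otherwise keep no state.
            if self.rng.random() >= self.admit_prob:
                return "normal"
            self.cache.popitem(last=False)    # assumption: evict the LRU entry
        self.cache[flow] = 0                  # record flow, count starts at 0
        return "normal"


def simulate(admit_prob, rounds=2000, mice_per_round=12, seed=1):
    """Constructed workload: one packet of a persistent flow per round,
    followed by `mice_per_round` single-packet flows (web mice)."""
    flt = LruFlowFilter(cache_size=11, admit_prob=admit_prob,
                        threshold=125, rng=random.Random(seed))
    stats = {"heavy_partial": 0, "mice_partial": 0}
    for r in range(rounds):
        if flt.classify("udp-heavy") == "partial":
            stats["heavy_partial"] += 1
        for m in range(mice_per_round):
            if flt.classify(("mouse", r, m)) == "partial":
                stats["mice_partial"] += 1
    return stats


if __name__ == "__main__":
    print("plain LRU (p = 1):       ", simulate(admit_prob=1.0))
    print("probabilistic (p = 1/25):", simulate(admit_prob=1 / 25))
```

With p = 1 the twelve mice per round push the persistent flow out of the 11-entry cache before its next packet, so its count never grows; with p = 1/25 it stays cached and is diverted to the partial-state queue once its count reaches the threshold.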
Linux IP Packet Forwarding
[Figure: path of a packet through the Linux kernel, with one stage labelled “Design space”
LINK LAYER (device driver): Packet Arrival; Check & Store Packet; Enqueue pkt; Request Scheduler to invoke bottom half; Scheduler runs
IP LAYER: Scheduler invokes bottom half; Error checking; Verify Destination; Route to destination; Update Packet; Packet Enqueued
UPPER LAYERS: Local packet, deliver to upper layers
LINK LAYER (device): Device prepares packet; Packet Departure]
Linux Kernel traffic control
• Filters are used to distinguish between different
classes of flows.
• Each class of flows can be further categorized
into sub-classes using filters.
• Queuing disciplines control how the packets are
enqueued and dequeued
LRU-FQ Implementation
• LRU component of the scheme is
implemented as a filter.
– All parameters: threshold, probability and cache
size are passed as parameters to the filter
• Fair Queuing employed as a queuing
discipline.
– Scheduling based on queue’s weight.
– Start-time Fair Queuing
Experimental Setup
Long-Term flow differentiation
Control of Non-responsive Proportion
[Figure: TCP Throughput Fraction (20 TCP Flows) versus LRU Weight (x/10); series: Ideal, UDP Flows = 2, UDP Flows = 3, UDP Flows = 4, UDP Flows = 5, Normal Router; annotation: Normal TCP fraction = 0.07]
Probability = 1/25
Cache size = 11
threshold = 125
Long-term flow differentiation
UDP Rate Based Experiments
[Figure: TCP Throughput fraction versus LRU Weight Proportion (x/10); series: Ideal, UDP Rate = 100%, UDP Rate = 80%, UDP Rate = 60%, UDP Rate = 40%]
Probability = 1/25
Cache size = 11
threshold = 125
Protecting Web Mice
Histogram of Web File Distribution
[Figure: histogram; axes: Frequency (0 to 600) and File Size (500, 5k, 50k, 500k, 5m); bar labels: 500, 350, 140, 9, 1]
Protecting Web mice
Experimental Setup
Long Term TCP Flows     20
LongTerm UDP Flows      2–4
Web Clients             20
Probability             1/50
Threshold               125
LRU Cache Size          11
LRU : Normal Queue      1:1
Protecting Web Mice
Bandwidth Results
Normal Router
UDP Flows   UDP Tput   # Web Requests   TCP Tput   TCP Fraction
2           89.45      1313             5.88       0.062
3           89.80      1284             5.55       0.058
4           89.13      927              6.21       0.065
LRU-FQ Router
UDP Flows   UDP Tput   # Web Requests   TCP Tput   TCP Fraction
2           45.73      13915            44.92      0.49
3           45.73      13828            44.83      0.49
4           46.24      13632            44.51      0.49
Protecting Web Mice
Timing Results
Normal Router
UDP   AvgRsp   DevRsp   MinRsp   MaxRsp   AvgConn   DevConn   MinConn   MaxConn
2     2.54     4.43     0.026    45.08    1.95      3.07      0.0118    45
3     2.7      4.92     0.026    93.02    1.94      3.11      0.0115    45.01
4     3.06     4.83     0.026    45.03    2.11      3.42      0.0122    45
LRU-FQ Router
UDP   AvgRsp   DevRsp   MinRsp   MaxRsp   AvgConn   DevConn   MinConn   MaxConn
2     0.26     0.85     0.012    21.15    0.14      0.66      0.0014    21.01
3     0.26     0.85     0.013    22.27    0.13      0.59      0.0017    9.03
4     0.26     0.88     0.013    21.05    0.13      0.61      0.002     9.02
Summary of Partial-State
• Sampling and Caching allows simple
identification of resource hogs
• Provides a good control of DOS attacks
with limited number of flows
• Provides fairer distribution of link BW
• Partial state packet handling cost -not an
issue at 100Mbps/1Gbps.
– 1Gbps implemented on Intel Network processor
Applications of Partial State
• More intelligent control of network traffic
• Accounting and measurement of high
bandwidth flows
• Denial of Service (DOS) attack prevention
• Tracing of high bandwidth flows
• QOS routing
Aggregated packet analysis
Approach
[Figure: processing pipeline: Network Traffic; Signal Generation & Data Filtering (Address correlation); Statistical or Signal Analysis (Wavelets or DCT); Anomaly Detection (Thresholding); Detection Signal]
Signal Generation
• Traffic volume (bytes or packets)
– Analyzed before
– May not be a great signal when links are always
congested (typical campus access links)
• Lot more information in packet headers
– Source address
– Destination address
– Protocol number
– Port numbers
Signal Generation
• Per packet cost is important driver
• Update a counter for each packet header
field
– Too much memory to put in SRAM
• Break the field into multiple 8-bit fields
– 32-bit address into four 8-bit fields
– 1024 locations instead of 2^32 locations
– In general, 256 * (k/8) instead of 2^k
– k/8 counter updates instead of 1
Signal Generation
• What kind of signals can we generate with
addresses, port numbers and protocol
numbers?
Addresses are correlated
• Most of us have habits
– Access same web sites
• Large web sites get significant part of traffic
– Google.com, hp.com, yahoo.com
• Large downloads correlate over time
– ftp, video
• On an aggregate, addresses are correlated
Address Correlation –attacks?
• Address correlation changes when traffic
patterns change abruptly
– Denial of service attacks
– Flash crowds
– Worms
• Results in differences in correlation
– High --single attack victim
– Low – lots of addresses --worm
Address correlation signals
• Address correlation:
$$\rho(n) = \frac{\sum_m (p_{mn-1} - p_{n-1}) \, (p_{mn} - p_n)}{\sqrt{\sum_m (p_{mn-1} - p_{n-1})^2 \; \sum_m (p_{mn} - p_n)^2}}$$
• Simplified Address correlation:
C (n)  m pmn1  pmn m pmn
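The byte-split counters from the Signal Generation slides combined with the address correlation of this slide, as an added Python example that is not from the original slides. Applying the correlation coefficient to each 256-entry byte counter (reading p_n as the mean count) and averaging the four values is an assumption, as are the constructed samples and all names.

```python
import math
import random


def byte_counters(addresses):
    """Signal generation: 4 x 256 counters, one row per address byte."""
    counters = [[0] * 256 for _ in range(4)]
    for addr in addresses:
        for pos, octet in enumerate(addr.split(".")):
            counters[pos][int(octet)] += 1   # k/8 = 4 updates per packet
    return counters


def pearson(x, y):
    """Correlation coefficient of two equal-length count vectors."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den else 0.0


def address_correlation(prev_sample, cur_sample):
    """Mean over the four byte positions of the correlation between the
    counters of two consecutive sampling periods."""
    prev, cur = byte_counters(prev_sample), byte_counters(cur_sample)
    return sum(pearson(p, c) for p, c in zip(prev, cur)) / 4


def expand(counts):
    """Turn {address: packet count} into a list of per-packet addresses."""
    return [addr for addr, n in counts.items() for _ in range(n)]


# Constructed samples of destination addresses (not measured traffic).
NORMAL_1 = expand({"10.1.2.10": 40, "10.1.2.20": 30,
                   "10.1.3.30": 20, "172.16.0.40": 10})
NORMAL_2 = expand({"10.1.2.10": 35, "10.1.2.20": 25,
                   "10.1.3.30": 25, "172.16.0.50": 15})


def scan(rng, packets=20000):
    """Worm-like sample: uniformly random destination addresses."""
    return [".".join(str(rng.randrange(256)) for _ in range(4))
            for _ in range(packets)]


def demo(seed=7):
    rng = random.Random(seed)
    flood = ["10.9.9.99"] * 20000        # single attack victim
    return {
        "normal": address_correlation(NORMAL_1, NORMAL_2),
        "flood": address_correlation(NORMAL_1 + flood, NORMAL_2 + flood),
        "worm": address_correlation(NORMAL_1 + scan(rng), NORMAL_2 + scan(rng)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s} correlation = {value:.3f}")
```

The constructed scan volume is chosen so that random addresses dominate the sample; the single-victim flood pushes the signal toward 1 and the scan pulls it well below the normal value.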
Address Correlation Signals
Address Correlation Signals
Signal Analysis
• Capture information over a sampling period
– Of the order of a few seconds to minutes
• Analyze each sample to detect anomalies
– Compare with historical norms
• Post-mortem/Real-time analysis
– May use different amounts of data & analysis
• Detailed information of past few samples
• Less detailed information of older samples
Signal Analysis
• Address correlation as a time series signal
• Employ known techniques to analyze time
series signals
• Wavelets –one powerful technique
– Allows analysis in both time and frequency
domain
• Per-sample analysis has more flexibility
– Not in forwarding path
Does this work?
Analysis of address signal
Image based analysis
• Treat the traffic data as images
• Apply image processing based analysis
• Treat each sample as a frame in a video
– Video compression techniques lead to data
reduction
– Scene change analysis leads to anomaly
detection
– Motion prediction leads to attack prediction
Signal Generation
[Figure 2. The visualization of network traffic signal in IP address. (a) 1 dimension: IP byte 0 to IP byte 3 of the source IP address or destination IP address, each indexed 0 to 255; (b) 2 dimension: source IP address byte against destination IP address byte, cells indexed from (0, 0) to (255, 255)]
Two dimensional images
• Horizontal/vertical lines indicate anomalies
– Infected machine contacting multiple
destinations (worm propagation)
– Multiple source machines targeting a
destination (DDOS)
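The line test described on this slide, as an added Python example that is not from the original slides. Using only one address byte, counting lit cells per row and column, the threshold of 64 cells and the constructed address pairs are all assumptions.

```python
def traffic_image(pairs, byte_index=3):
    """256 x 256 image for one address byte: cell [s][d] counts packets whose
    source byte is s and destination byte is d during the sampling period."""
    image = [[0] * 256 for _ in range(256)]
    for src, dst in pairs:
        s = int(src.split(".")[byte_index])
        d = int(dst.split(".")[byte_index])
        image[s][d] += 1
    return image


def find_lines(image, min_cells=64):
    """Report source bytes whose row has at least `min_cells` lit cells and
    destination bytes whose column does. Lit cells are counted rather than
    packets, so one busy source/destination pair does not form a line."""
    fan_out = [s for s in range(256)
               if sum(1 for count in image[s] if count) >= min_cells]
    fan_in = [d for d in range(256)
              if sum(1 for s in range(256) if image[s][d]) >= min_cells]
    return {"one_source_many_destinations": fan_out,
            "many_sources_one_destination": fan_in}


# Constructed (source, destination) pairs, not captured traffic.
NORMAL = ([("192.168.1.10", "10.1.2.10")] * 40
          + [("192.168.1.11", "10.1.2.20")] * 30
          + [("192.168.1.12", "172.16.0.40")] * 10)
SCANNER = [("192.168.1.77", f"10.20.0.{k}") for k in range(200)]
FLOOD = [(f"198.51.100.{k}", "10.1.2.80") for k in range(150)] * 20


def demo():
    return {
        "normal": find_lines(traffic_image(NORMAL)),
        "attack": find_lines(traffic_image(NORMAL + SCANNER + FLOOD)),
    }


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name, lines)
```

A single byte position merges hosts that share that byte, so a deployed detector would examine every byte position before attributing a line to one machine.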
DCT analysis of addresses
Semi-random attacks
Random attacks
Complex attacks
Better than volume analysis
Evaluation
• True Positive Rate
• False Alarm Rate or False Positive Rate
• True Negative Rate
• False Negative Rate
• LR = true positive rate / false positive rate
• NLR = false negative rate / true negative rate
• Ideally, LR = infinity, NLR = 0
Comparison of Scalar signals
Protocol Composition
• During attack, attack protocol volume will
be higher
– Observation of changes can lead to detection
Protocol Composition
Address based signals
Port Number Domain
Thresholds vs. Detection
Motion prediction
End host attacks
• Common solution to several kinds of attacks?
• Do something simple in the network layer
– State maintenance and policing
• Our Key Idea: Per Resource regulation
– Hierarchical regulation (per resource, per flow) also
possible
• Move regulation away from server into the
network (eg. At firewall)
QOS Regulation to control network
attacks
End host – QOS regulation
• Limit consumption of
each resource
– At bastion Host
• Limit resource
consumption to a
traffic class so that
other classes keep
getting service
End host protection
• Have a uniform picture of resources at the
network layer
– We do this at the QOS Regulator
• Resource Aggregates (resource principals)
– Memory, Protocol State Buffers, mbuf / sk_buff
Clusters, Network Bandwidth, CPU Cycles...
• Charge incoming traffic to one or more of
these resource aggregates
End host protection (cont’d)
• What does Rate Control achieve?
– UDP flood regulation
– ICMP flood regulation
– Interrupt / packet processing regulation
– What about TCP SYN? CGI attack?
– Consume Fixed number of resources
• What does Window Control achieve?
– Regulates fixed number of resources
– Need to keep track of resource usage
– TCP SYN data structures, CGI processes, Memory
– Sometimes action required to reset system state and free resources
Experimental results
Results – SYN attacks
Advantages
• Not looking for specific known attacks
• Generic mechanism
• Works in real-time
– Latencies of a few samples
– Simple enough to be implemented inline
Prototypes
• Linux-PC boxes
• On Intel Network processors
– Can push to Gbps packet forwarding rates
– Forwarding throughput not impacted
– Sampling rates of a few ms possible
Related Work
• Resource usage monitoring
– Estan & Varghese – Bloom filters
– Kodialam & Lakshman – Run detection
– Mahajan et al – RED-PD
– Duffield (AT & T) – Sampling
– Others
Related Work –Worms
• Payload monitoring
– Singh, Savage & Varghese, Tang & Chen
– Look for matches against constant length
payloads
• Sampling, Rabin Signatures
– Prototype implementation
– Detects worms within 5-30 seconds
– Effective with polymorphic worms
Related Work -- Worms
• Look for TCP Reset signals
– Weaver & Paxson
– Random host scan at specific ports
– Not all hosts open attack port
– Attacking worm will get many Resets
– Too many Resets => Attacker
– Effective for TCP based attacks
– Can detect/contain in real-time
Related Work -- Worms
• Quick spreading worms use randomly
generated addresses
– Normal users use names, DNS
– Worms don’t have DNS activity
– Lots of accesses without DNS requests =>
Worms
– Many detectors within a campus
• Local DNS servers
Related Work -- Worms
• Address honeypots
– Arbor networks, Paxson, Crowcroft
– Configure machines to accept packets for
unassigned addresses
– Only worms will contact these machines
– Capture payloads to analyze
– Quickly propagate signatures
Related Work -- Worms
• IP Traceback – Savage et al
– Address spoofing makes origin of attacks
difficult to detect
– Tracing, if universal, will limit attacks
• Fear of detection
– Post-attack detection
• Not helpful in mitigation or detection
– Most attack machines are innocent participants
Related Work –host based
• Limit the number of new connections of
individual hosts
– Twycross & Williamson (HP)
– Reduces the speed at which a worm can spread
– Can be used to detect worms
• Monitor application execution sequences
– Profiling based indication of anomalous
behavior => Detect and sandbox worms
Conclusion
• Real-time resource accounting is feasible
• Real-time traffic monitoring is feasible
– Simple enough to be implemented inline
• Can rely on many tools from signal/image
processing area
– More robust offline analysis possible
– Concise for logging and playback
Thank you !!
For more information,
http://ee.tamu.edu/~reddy
LRU-RED Results
[Figure: % TCP Throughput versus % UDP flows (50, 67, 75, 80); series: Droptail, LQD, CHOKe, LRU, RED]
RTT Bias -TCP flows
[Figure: % Droprate versus RTT in ms; series: CHOKe, RED, DropTail, LQD, LRU]
Impact of Cache size
• Effect of varying cache size
– to study impact of cache size on performance of
the scheme
– probability= 1/55, threshold = 125
– number of TCP flows=20
– equal weights for both queues.
Results – Cache size
Normal Workloads
• Performance under normal workloads
– working of scheme when non-responsive loads
are absent or use their fair share of bandwidth
– cache size = 9, threshold =125
– probability = 1/55
Results – Normal workload
Normal Mixed workload
Interrupt processing overhead for
server
[Figure: Received UDP Goodput (Kpkts/sec) versus QoS Rate Limit on Regulator; incoming UDP traffic = 100Mbps]