We propose a detection mechanism called DCAP for a network provider to monitor incoming traffic and identify misbehaving flows without having to keep per-flow accounting at any of its routers. Misbehaving flows are flows that exceed their stipulated bandwidth limit, either because of misconfiguration or malicious intent. It is crucial to detect and penalize misbehaving flows because they can starve other flows sharing the same physical resources, degrading the performance of legitimate flows.
In the context of IntServ, DiffServ and ATM networks, traffic policing has been performed by monitoring every admitted flow at the routers. Within an ISP's network, policing has been restricted to its ingress routers (the entry points of the network). However, this requires edge routers to maintain per-flow information (O(n) state, where n is the number of admitted flows) and may incur significant processing overhead, resulting in poor scalability. In contrast to per-flow policing, our paper proposes an aggregate policing mechanism that achieves a high probability of detecting misbehaving flows while keeping less state and lower overhead at the routers.
Through collaborative aggregate policing at both ingress and egress nodes, DCAP is able to quickly narrow the search to a candidate group that contains the misbehaving flows, and eventually identify the individual culprits. In comparison to per-flow policing, the amount of state maintained at an edge router is reduced from O(n) to O(\sqrt{n}), where n is the number of admitted flows. Simulation results show that DCAP successfully detects a majority (64-83%) of the misbehaving flows with almost zero false alarms. Packet losses suffered by innocent flows due to undetected misbehaving activity are insignificant (0.02-0.9%). We also built a prototype that demonstrates how DCAP can be deployed with minimal processing overhead in a soft-QoS architecture.
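The following is an added illustration of the two-stage idea described above (aggregate counters per group, then per-flow accounting only inside a flagged group); it is not the DCAP algorithm from the paper or the prototype. The grouping rule (flow id modulo the number of groups, where a real router would hash the flow identifier), the single measurement interval, the ingress-only view (the ingress/egress collaboration is not modelled) and all flow limits and traffic volumes are constructed assumptions.

```python
import math
from collections import defaultdict

# Added illustration of two-stage (aggregate, then per-flow) policing. The
# grouping rule, interval model and traffic figures are constructed
# assumptions, not taken from the DCAP paper.

def num_groups_for(n_flows: int) -> int:
    """Number of aggregate counters kept at the edge router: ceil(sqrt(n))."""
    return math.ceil(math.sqrt(n_flows))

def group_of(flow_id: int, num_groups: int) -> int:
    """Map a flow to its policing group. A deployment would hash the flow
    identifier; integer modulo is used here so the example is easy to follow."""
    return flow_id % num_groups

def aggregate_police(packets, limits, num_groups):
    """Stage 1: one byte counter per group (O(sqrt n) state). The per-group
    limit is the sum of its members' stipulated limits; admission control can
    maintain that sum incrementally, so the router needs no per-flow table."""
    group_limit = defaultdict(int)
    for fid, lim in limits.items():
        group_limit[group_of(fid, num_groups)] += lim
    group_bytes = defaultdict(int)
    for fid, size in packets:
        group_bytes[group_of(fid, num_groups)] += size
    return sorted(g for g, b in group_bytes.items() if b > group_limit[g])

def per_flow_police(packets, limits, suspect_groups, num_groups):
    """Stage 2: per-flow counters only for members of the flagged groups."""
    suspect_groups = set(suspect_groups)
    flow_bytes = defaultdict(int)
    for fid, size in packets:
        if group_of(fid, num_groups) in suspect_groups:
            flow_bytes[fid] += size
    return sorted(f for f, b in flow_bytes.items() if b > limits[f])

def detect(packets, limits):
    """Run both stages over one measurement interval.
    Returns (flagged groups, identified misbehaving flows)."""
    num_groups = num_groups_for(len(limits))
    suspects = aggregate_police(packets, limits, num_groups)
    culprits = per_flow_police(packets, limits, suspects, num_groups)
    return suspects, culprits

def build_sample():
    """Constructed interval: 16 flows, each admitted at 1000 bytes/interval.
    Flow 7 sends 2.5x its limit; flow 5 exceeds its limit by only 20%.
    Every flow's traffic is split into 100-byte packets."""
    limits = {fid: 1000 for fid in range(16)}
    sent = {fid: 800 for fid in range(16)}
    sent[7] = 2500
    sent[5] = 1200
    packets = [(fid, 100) for fid, total in sent.items() for _ in range(total // 100)]
    return packets, limits

if __name__ == "__main__":
    packets, limits = build_sample()
    suspects, culprits = detect(packets, limits)
    print("aggregate counters kept:", num_groups_for(len(limits)))
    print("flagged groups:", suspects)
    print("identified misbehaving flows:", culprits)
```

With 16 flows the router keeps 4 group counters instead of 16 per-flow ones. Group 3 (flows 3, 7, 11, 15) carries 4900 bytes against an aggregate limit of 4000, so it is flagged and per-flow accounting is switched on for its four members, which exposes flow 7. Flow 5's modest excess is masked because its group-mates under-use their allocations, so it goes undetected in this interval; that masking is the kind of effect that makes aggregate policing catch a majority rather than all of the misbehaving flows.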