Journal of Network and Systems Management

, Volume 21, Issue 2, pp 218–237 | Cite as

Service Violation Monitoring Model for Detecting and Tracing Bandwidth Abuse

  • Abdulghani Ali AhmedEmail author
  • Aman Jantan
  • Mohammed Rasmi


Bandwidth abuse is a critical Internet service violation. However, its origins are difficult to detect and trace given similarities between abusive and normal traffic. So far, there is no capable and scalable mechanism to deal with bandwidth abuse. This paper proposes a distributed edge-to-edge model for monitoring service level agreement (SLA) violations and tracing abusive traffic to its origins. The mechanism of policing misbehaving user traffic at a single random early detection (RED) gateway is used in the distributed monitoring of SLA violations, including violations carried out through several gateways. Each RED gateway reports misbehaving users who have been sent notifications of traffic policing to an SLA monitoring unit. Misbehaving users are considered suspicious users and their consumed bandwidth shares are aggregated at every gateway to be compared with SLA-specified ratios. Bandwidth is abused when SLA-specified ratios are exceeded. By reporting bandwidth abuse, illegitimate users can be isolated from legitimate ones and source hosts of abusive traffic may be traced. Approximate simulation results show that the proposed model can detect any SLA violation and identify abusive users. In addition, the proposed model can trace user violations back to their source machines in real time.


RED gateways Service level agreement Distributed monitoring Malicious users Source machine traceback 



This research is sponsored by RU Grant No. 1001/PKOMP/817048, School of Computer Sciences, Universiti Sains Malaysia (USM), Penang, Malaysia.


  1. 1.
    Suresh, M., Anitha, R., Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D.: Evaluating Machine Learning Algorithms for Detecting DDoS Attacks Advances in Network Security and Applications, vol. 196, pp. 441–452. Springer, Berlin (2011)CrossRefGoogle Scholar
  2. 2.
    Jing, L., Yang, X., Kaveh, G., Hongmei, D., Jingyuan, Z.: Botnet: classification, attacks, detection, tracing, and preventive measures. In: Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control: IEEE Computer Society (2009)Google Scholar
  3. 3.
    Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Comput. Secur. 29, 124–140 (2009)CrossRefGoogle Scholar
  4. 4.
    Singh, S., Gyanchandani, M.: Analysis of Botnet behavior using Queuing theory. Int. J. Comput. Sci. Commun. 1, 239–241 (2010)Google Scholar
  5. 5.
    Jose, N.: DDoS attack evolution. Netw. Secur. 7, 7–10 (2008)Google Scholar
  6. 6.
    Zeidanloo, H. R., Manaf, A.B.A: Botnet detection by monitoring similar communication patterns. IJCSIS. 7(3), (2010)Google Scholar
  7. 7.
    Habib, A., Fahmy, S., Bhargava, B.: Monitoring and controlling QoS network domains. Int. J. Netw. Manag. 15, 11–29 (2005)CrossRefGoogle Scholar
  8. 8.
    Habib, A., Fahmy, S., Avasarala, S.R., Prabhakar, V., Bhargava, B.: On detecting service violations and bandwidth theft in QoS network domains. Comput. Commun. 26, 861–871 (2003)CrossRefGoogle Scholar
  9. 9.
    Habib, A., Hefeeda, M.M., Bhargava, B.: Detecting service violations and DoS attacks. In: Proceeding of Network and Distributed System Security Symposium (NDSS’03), San Diego, California, pp. 177–189 (2003)Google Scholar
  10. 10.
    Serral-Gracia, R., Labit, Y., Domingo-Pascual, J., Owezarski, P.: Towards end-to-end SLA assessment. In: The 28th conference on computer communications. IEEE. In: INFOCOM 2009, pp. 2581–2585 (2009)Google Scholar
  11. 11.
    Joel, S., Paul, B., Nick, D., Amos, R.: Accurate and efficient SLA compliance monitoring. In: Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications Kyoto: ACM, 2007, Japan, pp. 109–120 (2007)Google Scholar
  12. 12.
    Heinanen, J., Baker, F., Weiss, W., Wroclawski, J.: Assured forwarding PHB group. RFC 2597 (1999)Google Scholar
  13. 13.
    Tham, C.-K., Liu, Y.: Assured end-to-end QoS through adaptive marking in multi-domain differentiated services networks. Comput. Commun. 28, 2009–2019 (2005)CrossRefGoogle Scholar
  14. 14.
    Xipeng, X., Ni, L.M.: Internet QoS: a big picture. Netw. IEEE. 13, 8–18 (1999)CrossRefGoogle Scholar
  15. 15.
    Cisco Systems Inc: Internetworking Technology Handbook, 4th edn. Cisco Press, Indiana (2009)Google Scholar
  16. 16.
    Floyd, S., Jacobson, V.: Random early detection gateways for congestion avoidance. IEEE/ACM Trans. Netw. 1, 397–413 (1993)CrossRefGoogle Scholar
  17. 17.
    Athuraliya, S., Low, S.H., Li, V.H., Yin, Q.: REM: active queue management. IEEE Netw. 15, 48–53 (2001)CrossRefGoogle Scholar
  18. 18.
    Anjum, F., Tassiulas, L.: Fair bandwidth sharing among adaptive and nonadaptive flows in the internet. IEEE INFOCOM. 3, 1412–1420 (1999)Google Scholar
  19. 19.
    Shreedhar, M., Varghese, G.: Efficient fair queuing using deficit round robin. IEEE/ACM Trans. Netw. 4, 375–385 (1996)CrossRefGoogle Scholar
  20. 20.
    Bigdelia, N., Haeri, M.: CDM-based design and performance evaluation of a robust AQM method for networks. Comput. Commun. 32, 213–229 (2009)Google Scholar
  21. 21.
    Abbasov, B., Korukoglu, S.: Effective RED: an algorithm to improve RED’s performance by reducing packet loss rate. J. Netw. Comput. Appl. 32, 703–709 (2009)CrossRefGoogle Scholar
  22. 22.
    Wang, C., Liu, J., Li, B., Sohraby, K., Hou, H.Y.: LRED: a robust and responsive AQM algorithm using packet loss ratio measurement. In: IEEE Transactions on Parallel and Distributed Systems, TPDS-0179-0205, vol. 18, pp. 29–43 (2007)Google Scholar
  23. 23.
    Hollot, C.V., Misra, V., Towsley, D., Gong, W.B.: A control theoretic analysis of RED. IEEE Infocom, pp. 1510–1519 (2001)Google Scholar
  24. 24.
    Ababneh, M.F.: Average delay in TCP networks. Am. J. Sci. Res. 5–9 ISSN 1450-223X (2009)Google Scholar
  25. 25.
    Jacek, K., Dominik, R., Krzysztof, Z., Slawomir, Z., Grzegorz, P., Pawel, N.: Definition and evaluation of penalty functions in SLA management framework. In: Proceedings of the Fourth International Conference on Networking and Services, Gosier, IEEE Computer Society, pp. 176–181 (2008)Google Scholar
  26. 26.
    Verma, D.C.: Service level agreements on IP networks. Proc. IEEE 92, 1382–1388 (2004)CrossRefGoogle Scholar
  27. 27.
    Ahsan, H., Maleq, K., Bharat, B.: Edge-to-Edge Measurement-Based Distributed Network Monitoring, vol. 44, pp. 211–233. Elsevier Holland, Inc., New York (2004)Google Scholar
  28. 28.
    Lu, W.Z., Gu, W.X., Yu, S.Z.: One-way queuing delay measurement and its application on detecting DDoS attack. J. Netw. Comput. Appl. 32, 367–376 (2009)CrossRefGoogle Scholar
  29. 29.
    Hong-Hua, Z., Ming, C.: Network topology inference based on delay variation. In: ICACC, 2009 International Conference on Advanced Computer Control, Singapore 2009, pp. 772–776 (2009)Google Scholar
  30. 30.
    Ahmed, A.A., Jantan, A., Wan, T.C.: SLA-based complementary approach for network intrusion detection. Comput. Commun. 34, 1738–1749 (2011)CrossRefGoogle Scholar
  31. 31.
    Ahmed, A.A., Jantan, A., Ali, G.A.: A potent model for unwanted traffic detection in QoS network domain. JDCTA 4, 122–130 (2010)CrossRefGoogle Scholar
  32. 32.
    Paruchuri, V., Durresi, A., Chellappan, S.: TTL based packet marking for IP traceback. Global Telecommunications Conference, New Orleans, LO, IEEE GLOBECOM 2008, IEEE, pp. 1–5 (2008)Google Scholar
  33. 33.
    Goodrich, M.T.: Probabilistic packet marking for large-scale IP traceback. IEEE/ACM Trans. Netw. 16, 15–24 (2008)CrossRefGoogle Scholar
  34. 34.
    Choi YS, Seo D, Sohn SW, Lee SH (2003) Network-based real-time connection traceback system (NRCTS) with packet marking technology. In: Computational Science and its Applications. ICCSA 2003, vol. 2668, pp. 972–972. Springer, Berlin (2003)Google Scholar
  35. 35.
    Yan, Q., He, X., Ning, T.: An Improved dynamic probabilistic packet marking for IP traceback. IJCNIS 2, 47–53 (2010)CrossRefGoogle Scholar
  36. 36.
    Stefanidis, K., Serpanos, D.S.: Implementing filtering and traceback mechanism for packet-marking IP-traceback schemes against DDoS attacks. In: 4th International IEEE Conference Intelligent Systems (2008), vol. 3, pp. 1428–1433 (2008)Google Scholar
  37. 37.
    Xiang, Y., Zhou, W., Guo, M.: Flexible deterministic packet marking: an IP traceback system to find the real source of attacks. IEEE Trans. Parallel Distrib. Syst. 20, 567–580 (2009)CrossRefGoogle Scholar
  38. 38.
    Sun, Y.Y., Zhang, C., Meng, S.Q., Lu, K.N.: Modified deterministic packet marking for DDoS attack traceback in IPv6 network. In: 2011 IEEE 11th International Conference on Computer and Information Technology (CIT), pp. 245–248 (2011)Google Scholar
  39. 39.
    Belenky, A.: IP traceback with deterministic packet marking DPM. Commun. Lett. IEEE 7, 162–164 (2003)CrossRefGoogle Scholar
  40. 40.
    Yonghui, L., Yulong, W., Fangchun, Y., Sen., S., Dong, Y.: Deterministic packet marking based on the coordination of border gateways. In: 2010 2nd International Conference on Education Technology and Computer (ICETC), vol. 2, pp. V2-154–V2-161 (2010)Google Scholar
  41. 41.
    Yu, S., Zhou, W., Doss, R., Jia, W.: Traceback of DDoS attacks using entropy variations. IEEE Trans. Parallel Distrib. Syst. 22, 412–425 (2011)CrossRefGoogle Scholar
  42. 42.
    Wei, J., Chen, K., Lian, Y.F., Dai, Y.X.: A novel vector edge sampling scheme for IP traceback against DDoS attacks. In: 2010 International Conference on Machine Learning and Cybernetics (ICMLC), pp. 2829–2832 (2010)Google Scholar
  43. 43.
    Moreira, M.D.D., Laufer, R.P., Fernandes, N.C., Duarte, O.C.M.B.: A stateless traceback technique for identifying the origin of attacks from a single packet. In: 2011 IEEE International Conference on Communications (ICC), pp. 1–6 (2011)Google Scholar
  44. 44.
    Tupakula, U.K., Varadharajan, V.: Analysis of traceback techniques. In: Fourth Australasian Information Security Workshop (Network Security) (AISW 2006), vol. 54, ACS, Hobart, Australia, pp. 115–124 (2006)Google Scholar
  45. 45.
    Henry, C., Lee, J., Vrizlynn, L.L., Thing, Y.X., Ma, M.: ICMP traceback with cumulative path, an efficient solution for IP traceback. Lecture Notes in Computer Science including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics, vol. 2836, pp. 124–135 (2003)Google Scholar
  46. 46.
    Shi, Y., Yang, X.: A novel architecture for detecting and defending against flooding-based DDoS attacks. In: Computational Intelligence and Security, vol. 3802, pp. 364–374. Springer, Berlin (2005)Google Scholar
  47. 47.
    Xiang, Y., Li, K., Zhou, W.: Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Trans. Inf. Forensics Secur. 6, 426–437 (2011)CrossRefGoogle Scholar
  48. 48.
    Tatsuya, B., Shigeyuki, M.: Tracing network attacks to their sources. IEEE Educ Activities Dep. 6, 20–26 (2002)Google Scholar
  49. 49.
    Zhaoyang, Q., Chunfeng, H.: A fractional-step DDoS attack source traceback algorithm based on autonomous system. In: Proceedings of the International Conference on Intelligent Information Hiding and Multimedia Signal Processing: IEEE Computer Society, pp. 1383–1387 (2008)Google Scholar
  50. 50.
    Floyd, S., Fall, K.: Router mechanisms to support end-to-end congestion control. Technical report, LBL ( (1997)
  51. 51.
    Forouzandeh, F.Z., Mohamed, O.A.: An FPGA Implementation of a Modified Version of RED Algorithm. In Proceedings of IEEE International Conference on Field Programmable Technology, 2004. 425–428 (2004)Google Scholar
  52. 52.
    Hu, N., Steenkiste, P.: Evaluation and characterization of available bandwidth probing techniques. IEEE J. Sel. Areas Commun. 21(6), 879–894 (2003)CrossRefGoogle Scholar
  53. 53.
    The Network Simulator (ns-2) home page. Accessed 5 Nov 2011
  54. 54.
    Law, T.K.T., Lui, J.C.S., Yau, D.K.Y.: You can run, but you can’t hide: an effective statistical methodology to trace back DDoS attackers. IEEE Trans. Parallel Distrib. Syst. 16, 799–813 (2005)CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Abdulghani Ali Ahmed
    • 1
    Email author
  • Aman Jantan
    • 1
  • Mohammed Rasmi
    • 1
  1. 1.School of Computer SciencesUniversiti Sains MalaysiaPenangMalaysia

Personalised recommendations