Abstract
Bandwidth abuse is a critical Internet service violation. However, its origins are difficult to detect and trace, because abusive traffic closely resembles normal traffic. So far, no capable and scalable mechanism exists to deal with bandwidth abuse. This paper proposes a distributed edge-to-edge model for monitoring service level agreement (SLA) violations and tracing abusive traffic to its origins. The mechanism by which a single random early detection (RED) gateway polices misbehaving user traffic is extended to the distributed monitoring of SLA violations, including violations carried out through several gateways. Each RED gateway reports to an SLA monitoring unit the misbehaving users to whom it has sent traffic-policing notifications. These misbehaving users are treated as suspicious, and their consumed bandwidth shares are aggregated across every gateway and compared with the SLA-specified ratios. Bandwidth is abused when the SLA-specified ratios are exceeded. By reporting bandwidth abuse, illegitimate users can be isolated from legitimate ones, and the source hosts of abusive traffic may be traced. Approximate simulation results show that the proposed model can detect any SLA violation and identify abusive users. In addition, the proposed model can trace user violations back to their source machines in real time.
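The monitoring step the abstract describes, as an added example that is not the paper's code: several RED gateways report the users they have policed, and a toy SLA monitoring unit sums each suspicious user's bandwidth share across gateways, compares the total with the user's SLA ratio, and returns the gateways and source hosts to trace for every user over the limit. The report format, the SLA table, the share metric and the treatment of users with no SLA entry are assumptions of this example; the paper's own definitions are not on this page.

```python
from collections import defaultdict

# Constructed SLA table (an assumption of this example): the maximum fraction of
# domain bandwidth each user is entitled to under the SLA.
SLA_RATIOS = {"u1": 0.10, "u2": 0.25}

# Constructed gateway reports: each RED gateway reports a user it has already
# policed (sent a traffic-policing notification), the bandwidth share it measured
# for that user, and the source hosts behind that share as seen at its edge.
REPORTS = [
    {"gateway": "gw-A", "user": "u1", "share": 0.06, "src_hosts": ["10.0.1.5"]},
    {"gateway": "gw-B", "user": "u1", "share": 0.07, "src_hosts": ["10.0.2.9"]},
    {"gateway": "gw-A", "user": "u2", "share": 0.09, "src_hosts": ["10.0.1.7"]},
    {"gateway": "gw-C", "user": "u7", "share": 0.02, "src_hosts": ["10.0.3.3"]},
]


def aggregate_reports(reports):
    """Sum each suspicious user's share across gateways and collect, per user,
    the gateways and source hosts the reports name."""
    totals = defaultdict(float)
    gateways = defaultdict(set)
    sources = defaultdict(set)
    for r in reports:
        totals[r["user"]] += r["share"]
        gateways[r["user"]].add(r["gateway"])
        sources[r["user"]].update(r["src_hosts"])
    return totals, gateways, sources


def detect_abuse(reports, sla_ratios):
    """Return {user: verdict} for every user whose aggregated share exceeds its
    SLA ratio. A user with no SLA entry is assumed to have no entitlement
    (ratio 0), so any policed share counts as abuse; that default is an
    assumption of this example, not a rule from the paper."""
    totals, gateways, sources = aggregate_reports(reports)
    abusive = {}
    for user, total in totals.items():
        limit = sla_ratios.get(user, 0.0)
        if total > limit + 1e-9:  # tolerance guards against float rounding
            abusive[user] = {
                "total_share": round(total, 6),
                "sla_ratio": limit,
                "gateways": sorted(gateways[user]),  # edges the abuse crossed
                "src_hosts": sorted(sources[user]),  # machines to trace back to
            }
    return abusive


if __name__ == "__main__":
    for user, verdict in detect_abuse(REPORTS, SLA_RATIOS).items():
        print(user, verdict)
```

Note that u1 stays under its ratio at each gateway individually and only exceeds it in aggregate, which is the multi-gateway case the model targets, while u2 was policed by a gateway but stays within its SLA and is therefore not reported as abusive.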
Acknowledgments
This research is sponsored by RU Grant No. 1001/PKOMP/817048, School of Computer Sciences, Universiti Sains Malaysia (USM), Penang, Malaysia.
Cite this article
Ahmed, A.A., Jantan, A. & Rasmi, M. Service Violation Monitoring Model for Detecting and Tracing Bandwidth Abuse. J Netw Syst Manage 21, 218–237 (2013). https://doi.org/10.1007/s10922-012-9236-2