Service Violation Monitoring Model for Detecting and Tracing Bandwidth Abuse


Bandwidth abuse is a critical Internet service violation. However, its origins are difficult to detect and trace given similarities between abusive and normal traffic. So far, there is no capable and scalable mechanism to deal with bandwidth abuse. This paper proposes a distributed edge-to-edge model for monitoring service level agreement (SLA) violations and tracing abusive traffic to its origins. The mechanism of policing misbehaving user traffic at a single random early detection (RED) gateway is used in the distributed monitoring of SLA violations, including violations carried out through several gateways. Each RED gateway reports misbehaving users who have been sent notifications of traffic policing to an SLA monitoring unit. Misbehaving users are considered suspicious users and their consumed bandwidth shares are aggregated at every gateway to be compared with SLA-specified ratios. Bandwidth is abused when SLA-specified ratios are exceeded. By reporting bandwidth abuse, illegitimate users can be isolated from legitimate ones and source hosts of abusive traffic may be traced. Approximate simulation results show that the proposed model can detect any SLA violation and identify abusive users. In addition, the proposed model can trace user violations back to their source machines in real time.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12


  1. 1.

    Suresh, M., Anitha, R., Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D.: Evaluating Machine Learning Algorithms for Detecting DDoS Attacks Advances in Network Security and Applications, vol. 196, pp. 441–452. Springer, Berlin (2011)

    Google Scholar 

  2. 2.

    Jing, L., Yang, X., Kaveh, G., Hongmei, D., Jingyuan, Z.: Botnet: classification, attacks, detection, tracing, and preventive measures. In: Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control: IEEE Computer Society (2009)

  3. 3.

    Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Comput. Secur. 29, 124–140 (2009)

    Article  Google Scholar 

  4. 4.

    Singh, S., Gyanchandani, M.: Analysis of Botnet behavior using Queuing theory. Int. J. Comput. Sci. Commun. 1, 239–241 (2010)

    Google Scholar 

  5. 5.

    Jose, N.: DDoS attack evolution. Netw. Secur. 7, 7–10 (2008)

    Google Scholar 

  6. 6.

    Zeidanloo, H. R., Manaf, A.B.A: Botnet detection by monitoring similar communication patterns. IJCSIS. 7(3), (2010)

  7. 7.

    Habib, A., Fahmy, S., Bhargava, B.: Monitoring and controlling QoS network domains. Int. J. Netw. Manag. 15, 11–29 (2005)

    Article  Google Scholar 

  8. 8.

    Habib, A., Fahmy, S., Avasarala, S.R., Prabhakar, V., Bhargava, B.: On detecting service violations and bandwidth theft in QoS network domains. Comput. Commun. 26, 861–871 (2003)

    Article  Google Scholar 

  9. 9.

    Habib, A., Hefeeda, M.M., Bhargava, B.: Detecting service violations and DoS attacks. In: Proceeding of Network and Distributed System Security Symposium (NDSS’03), San Diego, California, pp. 177–189 (2003)

  10. 10.

    Serral-Gracia, R., Labit, Y., Domingo-Pascual, J., Owezarski, P.: Towards end-to-end SLA assessment. In: The 28th conference on computer communications. IEEE. In: INFOCOM 2009, pp. 2581–2585 (2009)

  11. 11.

    Joel, S., Paul, B., Nick, D., Amos, R.: Accurate and efficient SLA compliance monitoring. In: Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications Kyoto: ACM, 2007, Japan, pp. 109–120 (2007)

  12. 12.

    Heinanen, J., Baker, F., Weiss, W., Wroclawski, J.: Assured forwarding PHB group. RFC 2597 (1999)

  13. 13.

    Tham, C.-K., Liu, Y.: Assured end-to-end QoS through adaptive marking in multi-domain differentiated services networks. Comput. Commun. 28, 2009–2019 (2005)

    Article  Google Scholar 

  14. 14.

    Xipeng, X., Ni, L.M.: Internet QoS: a big picture. Netw. IEEE. 13, 8–18 (1999)

    Article  Google Scholar 

  15. 15.

    Cisco Systems Inc: Internetworking Technology Handbook, 4th edn. Cisco Press, Indiana (2009)

  16. 16.

    Floyd, S., Jacobson, V.: Random early detection gateways for congestion avoidance. IEEE/ACM Trans. Netw. 1, 397–413 (1993)

    Article  Google Scholar 

  17. 17.

    Athuraliya, S., Low, S.H., Li, V.H., Yin, Q.: REM: active queue management. IEEE Netw. 15, 48–53 (2001)

    Article  Google Scholar 

  18. 18.

    Anjum, F., Tassiulas, L.: Fair bandwidth sharing among adaptive and nonadaptive flows in the internet. IEEE INFOCOM. 3, 1412–1420 (1999)

    Google Scholar 

  19. 19.

    Shreedhar, M., Varghese, G.: Efficient fair queuing using deficit round robin. IEEE/ACM Trans. Netw. 4, 375–385 (1996)

    Article  Google Scholar 

  20. 20.

    Bigdelia, N., Haeri, M.: CDM-based design and performance evaluation of a robust AQM method for networks. Comput. Commun. 32, 213–229 (2009)

    Google Scholar 

  21. 21.

    Abbasov, B., Korukoglu, S.: Effective RED: an algorithm to improve RED’s performance by reducing packet loss rate. J. Netw. Comput. Appl. 32, 703–709 (2009)

    Article  Google Scholar 

  22. 22.

    Wang, C., Liu, J., Li, B., Sohraby, K., Hou, H.Y.: LRED: a robust and responsive AQM algorithm using packet loss ratio measurement. In: IEEE Transactions on Parallel and Distributed Systems, TPDS-0179-0205, vol. 18, pp. 29–43 (2007)

  23. 23.

    Hollot, C.V., Misra, V., Towsley, D., Gong, W.B.: A control theoretic analysis of RED. IEEE Infocom, pp. 1510–1519 (2001)

  24. 24.

    Ababneh, M.F.: Average delay in TCP networks. Am. J. Sci. Res. 5–9 ISSN 1450-223X (2009)

  25. 25.

    Jacek, K., Dominik, R., Krzysztof, Z., Slawomir, Z., Grzegorz, P., Pawel, N.: Definition and evaluation of penalty functions in SLA management framework. In: Proceedings of the Fourth International Conference on Networking and Services, Gosier, IEEE Computer Society, pp. 176–181 (2008)

  26. 26.

    Verma, D.C.: Service level agreements on IP networks. Proc. IEEE 92, 1382–1388 (2004)

    Article  Google Scholar 

  27. 27.

    Ahsan, H., Maleq, K., Bharat, B.: Edge-to-Edge Measurement-Based Distributed Network Monitoring, vol. 44, pp. 211–233. Elsevier Holland, Inc., New York (2004)

    Google Scholar 

  28. 28.

    Lu, W.Z., Gu, W.X., Yu, S.Z.: One-way queuing delay measurement and its application on detecting DDoS attack. J. Netw. Comput. Appl. 32, 367–376 (2009)

    Article  Google Scholar 

  29. 29.

    Hong-Hua, Z., Ming, C.: Network topology inference based on delay variation. In: ICACC, 2009 International Conference on Advanced Computer Control, Singapore 2009, pp. 772–776 (2009)

  30. 30.

    Ahmed, A.A., Jantan, A., Wan, T.C.: SLA-based complementary approach for network intrusion detection. Comput. Commun. 34, 1738–1749 (2011)

    Article  Google Scholar 

  31. 31.

    Ahmed, A.A., Jantan, A., Ali, G.A.: A potent model for unwanted traffic detection in QoS network domain. JDCTA 4, 122–130 (2010)

    Article  Google Scholar 

  32. 32.

    Paruchuri, V., Durresi, A., Chellappan, S.: TTL based packet marking for IP traceback. Global Telecommunications Conference, New Orleans, LO, IEEE GLOBECOM 2008, IEEE, pp. 1–5 (2008)

  33. 33.

    Goodrich, M.T.: Probabilistic packet marking for large-scale IP traceback. IEEE/ACM Trans. Netw. 16, 15–24 (2008)

    Article  Google Scholar 

  34. 34.

    Choi YS, Seo D, Sohn SW, Lee SH (2003) Network-based real-time connection traceback system (NRCTS) with packet marking technology. In: Computational Science and its Applications. ICCSA 2003, vol. 2668, pp. 972–972. Springer, Berlin (2003)

  35. 35.

    Yan, Q., He, X., Ning, T.: An Improved dynamic probabilistic packet marking for IP traceback. IJCNIS 2, 47–53 (2010)

    Article  Google Scholar 

  36. 36.

    Stefanidis, K., Serpanos, D.S.: Implementing filtering and traceback mechanism for packet-marking IP-traceback schemes against DDoS attacks. In: 4th International IEEE Conference Intelligent Systems (2008), vol. 3, pp. 1428–1433 (2008)

  37. 37.

    Xiang, Y., Zhou, W., Guo, M.: Flexible deterministic packet marking: an IP traceback system to find the real source of attacks. IEEE Trans. Parallel Distrib. Syst. 20, 567–580 (2009)

    Article  Google Scholar 

  38. 38.

    Sun, Y.Y., Zhang, C., Meng, S.Q., Lu, K.N.: Modified deterministic packet marking for DDoS attack traceback in IPv6 network. In: 2011 IEEE 11th International Conference on Computer and Information Technology (CIT), pp. 245–248 (2011)

  39. 39.

    Belenky, A.: IP traceback with deterministic packet marking DPM. Commun. Lett. IEEE 7, 162–164 (2003)

    Article  Google Scholar 

  40. 40.

    Yonghui, L., Yulong, W., Fangchun, Y., Sen., S., Dong, Y.: Deterministic packet marking based on the coordination of border gateways. In: 2010 2nd International Conference on Education Technology and Computer (ICETC), vol. 2, pp. V2-154–V2-161 (2010)

  41. 41.

    Yu, S., Zhou, W., Doss, R., Jia, W.: Traceback of DDoS attacks using entropy variations. IEEE Trans. Parallel Distrib. Syst. 22, 412–425 (2011)

    Article  Google Scholar 

  42. 42.

    Wei, J., Chen, K., Lian, Y.F., Dai, Y.X.: A novel vector edge sampling scheme for IP traceback against DDoS attacks. In: 2010 International Conference on Machine Learning and Cybernetics (ICMLC), pp. 2829–2832 (2010)

  43. 43.

    Moreira, M.D.D., Laufer, R.P., Fernandes, N.C., Duarte, O.C.M.B.: A stateless traceback technique for identifying the origin of attacks from a single packet. In: 2011 IEEE International Conference on Communications (ICC), pp. 1–6 (2011)

  44. 44.

    Tupakula, U.K., Varadharajan, V.: Analysis of traceback techniques. In: Fourth Australasian Information Security Workshop (Network Security) (AISW 2006), vol. 54, ACS, Hobart, Australia, pp. 115–124 (2006)

  45. 45.

    Henry, C., Lee, J., Vrizlynn, L.L., Thing, Y.X., Ma, M.: ICMP traceback with cumulative path, an efficient solution for IP traceback. Lecture Notes in Computer Science including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics, vol. 2836, pp. 124–135 (2003)

  46. 46.

    Shi, Y., Yang, X.: A novel architecture for detecting and defending against flooding-based DDoS attacks. In: Computational Intelligence and Security, vol. 3802, pp. 364–374. Springer, Berlin (2005)

  47. 47.

    Xiang, Y., Li, K., Zhou, W.: Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Trans. Inf. Forensics Secur. 6, 426–437 (2011)

    Article  Google Scholar 

  48. 48.

    Tatsuya, B., Shigeyuki, M.: Tracing network attacks to their sources. IEEE Educ Activities Dep. 6, 20–26 (2002)

    Google Scholar 

  49. 49.

    Zhaoyang, Q., Chunfeng, H.: A fractional-step DDoS attack source traceback algorithm based on autonomous system. In: Proceedings of the International Conference on Intelligent Information Hiding and Multimedia Signal Processing: IEEE Computer Society, pp. 1383–1387 (2008)

  50. 50.

    Floyd, S., Fall, K.: Router mechanisms to support end-to-end congestion control. Technical report, LBL ( (1997)

  51. 51.

    Forouzandeh, F.Z., Mohamed, O.A.: An FPGA Implementation of a Modified Version of RED Algorithm. In Proceedings of IEEE International Conference on Field Programmable Technology, 2004. 425–428 (2004)

  52. 52.

    Hu, N., Steenkiste, P.: Evaluation and characterization of available bandwidth probing techniques. IEEE J. Sel. Areas Commun. 21(6), 879–894 (2003)

    Article  Google Scholar 

  53. 53.

    The Network Simulator (ns-2) home page. Accessed 5 Nov 2011

  54. 54.

    Law, T.K.T., Lui, J.C.S., Yau, D.K.Y.: You can run, but you can’t hide: an effective statistical methodology to trace back DDoS attackers. IEEE Trans. Parallel Distrib. Syst. 16, 799–813 (2005)

    Article  Google Scholar 

Download references


This research is sponsored by RU Grant No. 1001/PKOMP/817048, School of Computer Sciences, Universiti Sains Malaysia (USM), Penang, Malaysia.

Author information



Corresponding author

Correspondence to Abdulghani Ali Ahmed.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Ahmed, A.A., Jantan, A. & Rasmi, M. Service Violation Monitoring Model for Detecting and Tracing Bandwidth Abuse. J Netw Syst Manage 21, 218–237 (2013).

Download citation


  • RED gateways
  • Service level agreement
  • Distributed monitoring
  • Malicious users
  • Source machine traceback