Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf ·...
Transcript of Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf ·...
![Page 1: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/1.jpg)
Sting: a TCP-based network measurement tool
Stefan Savage
Department of Computer Science and EngineeringUniversity of Washington
![Page 2: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/2.jpg)
Simple problem
● Can we measure one-way packet loss rates to and from unmodified hosts?
● ICMP-based tools (e.g. ping) ■ Can’t measure one-way loss ■ Must cope with degraded service for ICMP
● Measurement infrastructures (e.g. NIMI)■ Require cooperation from remote endpoints
![Page 3: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/3.jpg)
Mind-expanding moment…
Stop thinking of TCP as a transport protocol
Think of it… as an opportunity
![Page 4: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/4.jpg)
Overview
● Sting’s key features■ Measures one-way packet loss rates■ Does not require remote cooperation■ TCP-based measurement traffic (not filtered)
● Basic approach ■ Send selected TCP packets to remote host ■ Leverage TCP behavior to deduce which
packets were lost in each direction
![Page 5: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/5.jpg)
Deducing losses in a TCP transfer
● What we know■ How many data packets we sent■ How many acknowledgements we received
● What we need to know■ How many data packets were received?
– Remote host’s TCP MUST know
■ How many acknowledgements were sent?– Easy, if one ACK is sent for each data packet
(ACK parity)
![Page 6: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/6.jpg)
How TCP reveals packet loss
● Data packets ordered by seq#● ACK packets specify next seq# expected
Nothing lost ACK lostData lost
1
2
1
2
1
1
22
3DataACK
![Page 7: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/7.jpg)
Basic loss deduction algorithm
● Data seeding phase■ Send n packets (dataSent)■ Count ACKs received (ackReceived)
● Hole filling phase■ Send new packet; next ACK points to first loss ■ Reliably retransmit lost packet and increment
count of lost data (dataLost)■ Repeat until all packets delivered
![Page 8: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/8.jpg)
ExampleHole fillingData seeding
dataSent = 3ackReceived = 1
dataLost = 1ackSent = dataReceived = 2
1
22
3
2
4
22
5
=1 - (dataReceived/dataSent) = 33%=1 - (ackReceived/ackSent) = 50%
Lossfwd
Lossrev
![Page 9: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/9.jpg)
Guaranteeing ACK parity
● How do we know one ACK is sent for each data packet received?
● Exploit TCP’s fast retransmit algorithm■ TCP must send an immediate ACK for each
out-of-order packet it receives● Send all data packets out-of-order
■ Skip first sequence number■ Don’t count first “hole” in hole filling phase
![Page 10: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/10.jpg)
Managing limited receiver buffers
● Large packets can overflow receiver buffer● Mitigate by overlapping sequence numbers
1500 bytes1500 bytes1500 bytes1500 bytes1500 bytes
Sequencespace
1500
1504
1
5 packets sent(7500 bytes)
1504 bytes of buffer used
![Page 11: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/11.jpg)
Delaying connection termination
● Some Web servers/firewalls terminate connections abruptly by sending RST
● Solutions:■ Format data packets as valid HTTP request■ Set advertised receiver window to 0 bytes
– TCP flow control prevents server from sending– HTTP response, hence RST, trapped at server
![Page 12: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/12.jpg)
Sting implementation details
● Raw sockets to send TCP datagrams● Packet filter (libpcap) to get responses
●● ProblemsProblems with packet filters■ Very easy to race with native TCP stack■ Fragile; next version will use OS-specific
firewall interfaces
● Currently runs on Tru64 and FreeBSD
![Page 13: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/13.jpg)
Last-generation user interface# sting –c 100 –f poisson –m 0.500 –p 80 www.audiofind.com
Source = 128.95.2.93Target = 207.138.37.3:80dataSent = 100dataReceived = 98acksSentSent = 98acksReceived = 97Forward drop rate = 0.020000Reverse drop rate = 0.010204
![Page 14: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/14.jpg)
Preliminary experimental results
● Anecdotally■ Works great for debugging operational
problems
● Real data■ Measured loss rates from UW to 50 web
servers (25 random, 25 popular)■ Significant loss rate asymmetry
![Page 15: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/15.jpg)
Distribution of losses to Web servers
0.800.820.840.860.880.900.920.940.960.981.00
0 0.1 0.2 0.3
Loss rate
Cu
mu
lativ
e fr
actio
n
Forward loss rate
Reverse loss rate
0.800.820.840.860.880.900.920.940.960.981.00
0 0.05 0.1 0.15 0.2 0.25 0.3
Loss rate
Cu
mu
lati
ve f
ract
ion
Forward loss rate
Reverse loss rate
25 Popular servers 25 Random servers
![Page 16: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/16.jpg)
Conclusions
● TCP protocol features can be leveraged for non-standard purposes
● Packet loss is highly asymmetric● Ongoing work:
■ Using TCP to estimate one-way queuing delays, bottleneck bandwidths, propagation delay and server load
![Page 17: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/17.jpg)
![Page 18: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/18.jpg)
Loss rate as ping sees it
● Reported loss = 1 – (1-lossforw)(1-lossrev)● Both of these cases look the same:
EchoReqEchoReply
You Target You Target
![Page 19: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/19.jpg)
User/kernel races with packet filters
User Kernel
SYN
SYN/ACKTim
e
Remote server
RSTSYN/ACK
![Page 20: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/20.jpg)
Example: diurnal effects
0
0.05
0.1
0.15
0.2
0.25
0.3
0:00 4:00 8:00 12:00 16:00 20:00 0:00
Time of day
Est
imat
ed r
ever
se p
ath
loss
rat
e
Reverse path loss rate to www.idg.net
![Page 21: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/21.jpg)
ICMP rate limiting
Client ServerICMP EchoReq
Tim
e
ICMP EchoRep
ICMP EchoReqICMP EchoReq
![Page 22: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/22.jpg)
ICMP spoofing
Client FirewallICMP EchoReq
TCP ACK
ICMP EchoRep
TCP DATA
Tim
e
Server
TCP ACK
TCP DATA
![Page 23: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/23.jpg)
ICMP blocking
Client FirewallICMP EchoReq
TCP ACK
TCP DATA
Tim
e
Server
TCP ACK
TCP DATA
![Page 24: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/24.jpg)
Mapping seq#’s to packets
1500 bytes1500 bytes1500 bytes1500 bytes1500 bytes
Sequencespace
1500
1504
1
5 packets sent(7500 bytes)
1504 bytes of buffer used
![Page 25: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/25.jpg)
Data Seeding phase
for i = 1 to n
send packet w/seq #i
dataSent++
wait for long time
for each ack received
ackReceived++
![Page 26: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/26.jpg)
Hole Filling Phase
lastACK := 0
while lastAck = 0
send packet w/seq # n+1
while lastAck < n + 1
dataLost++
retransPkt := lastAck
while lastAck = retransPkt
send packet w/seq# retransPkt
dataReceveid := dataSent – dataLost
ackSent := dataReceived
for each ack received w/ack #j
lastAck = MAX(lastAck,j)
![Page 27: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/27.jpg)
Distribution of losses to 25 popular Web servers
0.800.820.840.860.880.900.920.940.960.981.00
0 0.05 0.1 0.15 0.2 0.25 0.3
Loss rate
Cu
mu
lati
ve f
ract
ion
Forward loss rate
Reverse loss rate
![Page 28: Sting: a TCP-based network measurement toolcseweb.ucsd.edu/~savage/papers/Usits99Slides.pdf · packets were lost in each direction. ... Some Web servers/firewalls terminate connections](https://reader033.fdocuments.us/reader033/viewer/2022050416/5f8c3d7a096b256b033a18b9/html5/thumbnails/28.jpg)
Distribution of losses to 25 random Web servers
0.800.820.840.860.880.900.920.940.960.981.00
0 0.05 0.1 0.15 0.2 0.25 0.3
Loss rate
Cu
mu
lati
ve f
ract
ion
Forward loss rate
Reverse loss rate