Elsevier

Computer Communications

Volume 29, Issue 11, 26 July 2006, Pages 1905-1916

Load-balanced agent activation for value-added network services

https://doi.org/10.1016/j.comcom.2005.10.035

Abstract

As it grows in size and user population, the Internet faces new challenges that have triggered proposals for value-added network services, e.g., IP multicast, IP traceback, DiffServ, IntServ, etc. In addition, recent advances in processor and hardware techniques have enabled the production of high-speed and powerful routers. Therefore, it is not unreasonable to expect the Internet to provide a variety of value-added network services beyond packet forwarding in the near future. Depending on their purpose, value-added services may improve the scalability and efficiency of end user applications or may enhance the reliability and security of the network infrastructure. On the other hand, they may incur non-trivial overhead on the routers providing these services. Reaching a balance between the performance of value-added services and the incurred overhead is a thorny problem. In this paper, we study this problem in the context of both reliable multicast and distributed denial-of-service (DDoS) defense. In either scenario, a software agent is activated at some routers in a tree topology to provide the required functionality. We formulate the problem as the load-balanced agent activation problem (LBAAP). Our goal is to develop a mechanism to activate value-added service agents in the network so as to reach a balance between performance and overhead. We develop a polynomial time algorithm to solve the LBAAP problem in the single tree case, and propose a heuristic for the LBAAP problem in the case where multiple trees exist in the network, a problem we conjecture is NP-hard. Finally, we evaluate the performance of various approaches for activating value-added service agents through simulation.

Introduction

In recent years, several new technologies/services have been proposed or introduced into the Internet. These include quality of service (QoS) routing [1], [2], content delivery networks [3], multicast communication services [4], and so on. In addition, the increasing rate of denial-of-service (DoS) attacks in the Internet has clearly shown the need for effective DoS defense mechanisms, most of which require additional support from the network [5], [6], [7].

One common characteristic of these technologies is that they introduce additional functionality into the network devices, i.e., routers and/or servers co-located with routers. In this paper, we refer to this type of additional functionality as value-added network services (VAS). VASs are typically implemented as software modules at routers and/or co-located servers. We refer to these software modules as VAS agents. A VAS agent at a network device can be turned on (activated) or turned off (deactivated). If a VAS agent is activated at a device, we say that the device hosts the VAS agent. VAS agents help to improve the performance of end user applications and to enhance the robustness of the network infrastructure. However, VAS agents incur non-trivial overhead on the devices hosting them.

In this paper, we use reliable multicast and distributed denial-of-service (DDoS) defense as example services to study the tradeoff between the VAS performance and the overhead introduced by VAS agents on the network devices. Our goal is to develop a mechanism to activate VAS agents on a proper set of network devices so that (1) VAS performance requirements are satisfied and (2) the resulting assignment does not cause any load imbalance among the network devices.

Reliable multicast is a value-added network service that provides reliable data transport from a single source to multiple receivers in the Internet. A key challenge in reliable multicast is scalability. The main difficulty in making reliable multicast scalable is the feedback message implosion at the multicast source site. As the number of receivers increases, their feedback messages back to the source could eventually overwhelm the computing resources and even the link bandwidth at the source site.

The usual approach to ensure reliable delivery in reliable multicast protocols is the use of Negative Acknowledgements (NAK). That is, receivers send out NAK messages to inform the source about packet loss. Compared with Positive Acknowledgement (ACK), NAK in reliable multicast can alleviate feedback message implosion at the source as long as the chance of packet loss is lower than that of successful packet delivery. In a NAK protocol, when a packet loss occurs close to the source, most of the receivers will detect the loss and send out NAK messages. The sheer number of these NAKs can easily result in implosion at the source.

One common approach to avoid feedback implosion at the source site is feedback suppression. In this scheme, a VAS agent, called a NAK suppression agent, is set up at internal nodes in a multicast tree. NAK messages are unicast from each receiver to its nearest ancestor node hosting a NAK suppression agent in the multicast tree. The ancestor node then forwards one NAK message to its nearest agent-hosting ancestor node and suppresses all duplicate NAKs.

NAK suppression agents are helpful for implosion prevention, which is a key issue in reliable multicast. At the same time, however, they incur memory and processing overhead on routers. A NAK suppression agent must store sequence number information for each outstanding NAK message in order to suppress future duplicate NAKs. NAK messages are extracted from the IP fast forwarding path for more detailed processing at the router where the NAK suppression agent is activated. The NAK suppression agent examines every received NAK to decide whether to forward it or to suppress it. Moreover, in order to eliminate the security vulnerability of false NAKs, the NAK suppression agent needs to deploy some authentication mechanism [8].

DoS attacks work by flooding some resource (a remote server or network) with large amounts of traffic, thereby preventing legitimate users from accessing that resource. A DDoS attack is a type of DoS attack where the attack traffic originates from multiple sources. (D)DoS attacks severely threaten the utility of the Internet [9]. There has been a substantial amount of research work on defending against (D)DoS attacks.

The goal of IP traceback [5], [6] is to construct the attack tree of a DDoS attack, which is composed of the network paths from the attack sources to the victim. In practice, wily attackers can counterfeit extra routers into the traceback path [5], and IP traceback may be only partially deployed in the network [10]. Because of these practical limitations, current IP traceback techniques can only construct an approximate or incomplete attack tree for a DDoS attack. Inaccurate attack trees are still valuable to DDoS defense, because defense measures such as packet filtering can be applied closer to the attack sources. Due to the possibility of source IP spoofing [11], the effective way to identify attack traffic is based on destination IP addresses. Blocking attack traffic based on destination IP addresses usually incurs collateral damage, that is, it blocks innocent traffic destined to the victim. Therefore, a better DoS defense measure is rate-limiting, instead of blocking, the attack traffic.

Pushback [7] is a cooperative mechanism in which a router can ask upstream routers to rate-limit DoS attack traffic. Given an attack tree constructed by the IP traceback process, the pushback mechanism can be used to (1) determine the rate limits for the attack traffic at different routers in the attack tree and (2) decide when to stop the rate-limiting process. In pushback, a VAS agent, called an aggregate-based congestion control (ACC) agent, is activated at the routers in an attack tree. The ACC agent at a router periodically reports local status to the nearest ancestor ACC agent in the attack tree through a pushback feedback message. After combining the feedback from the nearest descendant ACC agents with local status, the ACC agent calculates/updates the rate limits for the attack traffic at the current router and the descendant routers, and then informs the ACC agents at those descendant routers.

Similar to NAK suppression agents, ACC agents incur memory and processing overhead on routers. ACC agents keep track of the status of attack traffic and reconsider rate limiting decisions periodically to update the rate limit for attack traffic. For each arriving packet, ACC agents need to check whether that packet belongs to attack traffic, and if so, forward or discard the packet according to the rate limit for the attack traffic.

In either reliable multicast or DDoS defense, a key problem is to decide where to activate VAS agents (NAK suppression agents or ACC agents) in a tree topology (multicast tree or attack tree). On one hand, a trivial approach that activates a VAS agent at every router in the tree meets the VAS performance requirements (preventing implosion at the reliable multicast source, or protecting the victim of a DDoS attack from malicious traffic), but leads to excessively high total memory and processing overhead on the routers. On the other hand, activating VAS agents at just a few routers in the tree reduces the total overhead, but may fail to satisfy the performance requirements or, even worse, may overload some routers with excessive feedback messages, thereby degrading the performance of packet forwarding for all traffic through those routers.
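The NAK suppression tradeoff described above, as an added example (not code from the paper): a small constructed agent tree, one packet loss near the source so that every receiver sends a NAK, and the resulting NAKs at the source, per-router processing and agent memory for three placements (no agents, agents at R1 and R2 only, agents at every router). The tree, node names and all values are constructed for illustration.

```python
"""Added example, not from the paper: NAK feedback in a multicast agent tree
with NAK suppression agents activated at a chosen subset of routers."""
from collections import defaultdict

# Constructed agent tree as a child -> parent map. 'S' is the root (the edge
# router at the source site), R* are routers and h* are receivers.
TREE_PARENT = {
    "R1": "S", "R2": "S",
    "R3": "R1", "R4": "R1", "R5": "R2",
    "h1": "R3", "h2": "R3", "h3": "R4", "h4": "R4",
    "h5": "R5", "h6": "R5", "h7": "R2",
}
ALL_RECEIVERS = ["h1", "h2", "h3", "h4", "h5", "h6", "h7"]
ALL_ROUTERS = {"R1", "R2", "R3", "R4", "R5"}

def nak_load(parent, detecting_receivers, agents, seq):
    """One NAK for packet `seq` from every receiver that detected the loss.

    A NAK is unicast to the nearest ancestor hosting an agent; routers without
    an agent forward it on the fast path and are not charged for it. An agent
    examines every NAK it receives, forwards the first NAK for a sequence
    number upstream and suppresses later duplicates. Returns the number of
    NAKs reaching the source, NAKs examined per agent and the sequence
    numbers each agent must keep in memory."""
    examined = defaultdict(int)
    stored = defaultdict(set)
    at_source = 0
    for receiver in detecting_receivers:
        node = parent[receiver]
        while node in parent:            # the root has no parent entry
            if node in agents:
                examined[node] += 1
                if seq in stored[node]:
                    break                # duplicate NAK suppressed here
                stored[node].add(seq)
            node = parent[node]
        else:
            at_source += 1               # reached the source unsuppressed
    return at_source, dict(examined), {a: len(s) for a, s in stored.items()}

def placement_summary(parent, receivers, agents, seq=1):
    """Overhead figures the paper trades off, for one agent placement."""
    at_source, examined, memory = nak_load(parent, receivers, agents, seq)
    return {
        "naks_at_source": at_source,
        "total_processing": sum(examined.values()),
        "max_router_load": max(examined.values(), default=0),
        "total_memory": sum(memory.values()),
    }

if __name__ == "__main__":
    # Loss near the source: all seven receivers detect it and send a NAK.
    for name, agents in [("none", set()), ("R1,R2", {"R1", "R2"}), ("all", ALL_ROUTERS)]:
        print(name, placement_summary(TREE_PARENT, ALL_RECEIVERS, agents))
```

Activating agents only at R1 and R2 cuts total processing and memory compared with agents everywhere, but concentrates four NAKs on R1, which is the per-router load imbalance LBAAP is meant to avoid.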

In the context of multiple trees, the situation becomes even more complicated. If many multicast/attack trees pass through a router, the trivial approach mentioned above will activate a VAS agent for every tree, and the resulting memory requirement could overload the router. A naive solution to avoid the memory overload on routers is to deactivate the VAS agent for a randomly chosen tree at the overloaded router. However, such an approach has the deficiency that the casual selection of the tree being “dropped” may impair the VAS performance or overload other routers in that tree with excessive feedback messages.

Reaching a compromise between the VAS performance and the overhead of VAS agents is a complex problem. In this paper we explore a simplified version of that problem, referred to as Load-Balanced Agent Activation Problem (LBAAP). Specifically, the LBAAP problem is how to determine the number and placement of VAS agents in order to satisfy VAS performance requirements, with minimal total memory and processing overhead on routers and without overloading any router.

We examine the LBAAP problem in different contexts, propose corresponding algorithms, and evaluate the performance of various approaches by simulation.

The rest of this paper is organized as follows. In Section 2, we define and analyze the LBAAP problem. In Section 3, we study the LBAAP problem and propose algorithms for both the single tree and the multiple tree cases. In Section 4, we evaluate the performance of various VAS agent activation approaches by simulation. In Section 5, we discuss the limitations of our algorithms and possible extensions. We survey related work in Section 6. Finally, we conclude the paper in Section 7.


Preliminaries

In this section, we introduce the models, definitions, and assumptions used in this paper.

In the context of either reliable multicast or DDoS defense, an agent tree structure can be constructed for describing the relationship among the involved entities. In the agent tree of a reliable multicast session, the leaves represent multicast group receivers and the internal nodes represent routers with NAK suppression capability. The root of the agent tree corresponds to the edge router at the

Load-balanced agent activation problem

We examine the load-balanced agent activation problem (LBAAP) in both the single tree and multiple tree cases and propose algorithms to solve the problem in these cases.

Evaluations

We evaluate the performance of various VAS agent activation approaches by simulation in the context of both a single tree and multiple trees. To the best of our knowledge, the LBAAP problem has not been addressed before. Therefore, we compare the algorithms presented in the previous section with several approaches proposed by ourselves.

The metrics used to evaluate the performance are total memory overhead and total processing overhead on routers. In the single tree case, as we mentioned in Section 2, the

Discussion

The VAS agent activation algorithms proposed in this paper take agent tree topologies as the input. The deployment of these algorithms in practice can be done in a centralized manner. That is, the algorithms are implemented on a central server, which collects the agent tree topologies, invokes the algorithms, and then commands the relevant routers to activate VAS agents.

In this paper, we assume that multicast/attack tree topologies are known to us. Previous work [12], [13] studied how to

Related work

From a theoretical standpoint, the LBAAP problem resembles two well-known graph theoretic problems: the k-median problem and the facility location problem. Given a graph with n nodes, the k-median problem is to select k out of n nodes as service centers so as to minimize the sum of the cost of each node accessing its nearest service center. Tamir [18] studied the k-median problem in a tree topology and proposed an optimal algorithm. Li et al. [19] used a similar approach to optimally place web

Conclusion

In this paper, we have explored the relationship between the performance of value-added network services (VAS) and the overhead imposed on routers by the VAS agents realizing those services. In particular, we have discussed the load-balanced agent activation problem (LBAAP) derived from the context of both reliable multicast and DDoS defense. The goal of the LBAAP problem is to activate VAS agents in the network in a manner that not only satisfies performance requirements but also avoids load

Chao Gong is a Ph.D. student in the Department of Computer Science, University of Texas at Dallas. He received a M.A. degree in computer science from Brandeis University in 2001. His research interests are in management and security of computer networks. He is a student member of IEEE and IEEE Communications Society.

References

  • A. Tamir, An O(pn²) algorithm for the p-median and related problems on tree graphs, Oper. Res. Lett. (1996)
  • S. Guha et al., Hierarchical reliable multicast: Performance analysis and placement of proxies, Comput. Commun. (2003)
  • S. Shenker, J. Wroclawski, General characterization parameters for integrated service network elements, Internet...
  • S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, W. Weiss, An architecture for differentiated services, Internet...
  • B. Krishnamurthy, C. Wills, Y. Zhang, On the use and performance of content distribution networks, in: Proceedings of...
  • K. Almeroth, The evolution of multicast: From the MBone to inter-domain multicast to Internet2 deployment, IEEE Netw. (2000)
  • S. Savage et al., Network support for IP traceback, IEEE/ACM Trans. Netw. (2001)
  • A. Snoeren et al., Single-packet IP traceback, IEEE/ACM Trans. Netw. (2002)
  • R. Mahajan et al., Controlling high bandwidth aggregates in the network, ACM SIGCOMM Comput. Commun. Rev. (2002)
  • J. Gemmell et al., The PGM reliable multicast protocol, IEEE Netw. (2003)
  • L. Garber, Denial-of-service attacks rip the Internet, IEEE Comput. (2000)
  • C. Gong, T. Le, T. Korkmaz, K. Sarac, Single packet IP traceback in AS-level partial deployment scenario, in...
  • Computer Emergency Response Team, IP spoofing attacks and hijacked terminal connections, CERT Advisory CA-95. 01,...

Kamil Sarac received his M.S. and Ph.D. degrees in computer science from the University of California Santa Barbara, in 1997 and 2002 respectively. He is currently an assistant professor in the Department of Computer Science, University of Texas at Dallas. His research interests include computer networks and protocols; group communication including IP multicast, peer-to-peer networking and overlay networks; management and security of computer networks. Dr. Sarac has co-chaired the Computer Networks special track in ACM SAC 2004 and has served as a reviewer for a number of conferences and journals. He is a member of both the ACM and IEEE.

Ovidiu Daescu received the B.S. in computer science and automation from the Technical Military Academy, Bucharest, Romania, in 1991, and the M.S. and Ph.D. degrees from the University of Notre Dame, in 1997 and 2000. He is currently an assistant professor in the Department of Computer Science, University of Texas at Dallas. His research interests are in algorithm design, computational geometry and geometric optimization.

Dr. Balaji Raghavachari is a Professor of Computer Science at the University of Texas at Dallas in the Erik Jonsson School of Engineering and Computer Science. He received his Ph.D. from the Pennsylvania State University in 1992. His research interests include the design and analysis of algorithms, database design, approximation algorithms, combinatorial optimization, network design, telecommunication networks, and vehicle routing and traversal problems.

Raja Jothi is a Research Associate at the National Center for Biotechnology Information (NCBI), National Institutes of Health (NIH). He received his Ph.D. in Computer Science from the University of Texas at Dallas in 2004. His research interests include the design and analysis of algorithms, and computational molecular biology.

1 Present address: National Center for Biotechnology Information, National Library of Medicine, National Institutes of Health, Bethesda, MD 20894, USA.
