TY - GEN
T1 - Flow-level loss detection with Δ-sketches
AU - Feibish, Shir Landau
AU - Liu, Zaoxing
AU - Ivkin, Nikita
AU - Chen, Xiaoqi
AU - Braverman, Vladimir
AU - Rexford, Jennifer
N1 - Publisher Copyright: © 2022 ACM.
PY - 2022/10/19
Y1 - 2022/10/19
N2 - Packet drops caused by congestion are a fundamental problem in network operation. Yet, it is difficult to detect where drops are happening, let alone which flows are most affected. Detecting the small-timescale drops caused by short bursts of traffic is even more challenging, and traditional monitoring techniques can easily miss them. To uncover packet drops as they occur inside a switch, the analysis must be real-time, fine-grained, and efficient. However, modern switches have distributed packet-processing pipelines that see either the arriving or departing traffic, but not the packet drops. Additionally, they do not have enough memory to store per-flow state. Our MIDST system addresses these challenges through a distributed compact data structure with lightweight coordination between ingress and egress pipelines. MIDST identifies the flows experiencing loss, as well as the bursty flows responsible, across different burst durations. Our evaluation with real-world traces and TCP connections shows that MIDST uses little memory (e.g., 320KB) while providing high accuracy (95% to 98%) under varying loss rates and burst durations. We evaluate a low-rate DDoS attack and demonstrate the potential use of our measurement results for attack detection and mitigation.
KW - network monitoring
KW - programmable devices
KW - sketches
UR - http://www.scopus.com/inward/record.url?scp=85141035847&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85141035847&partnerID=8YFLogxK
U2 - 10.1145/3563647.3563653
DO - 10.1145/3563647.3563653
M3 - Conference contribution
AN - SCOPUS:85141035847
T3 - SOSR 2022 - Proceedings of the 2022 Symposium on SDN Research
SP - 25
EP - 32
BT - SOSR 2022 - Proceedings of the 2022 Symposium on SDN Research
PB - Association for Computing Machinery, Inc
T2 - 2002 ACM SIGCOMM Symposium on SDN Research, SOSR 2022
Y2 - 20 October 2022
ER -