Yuichi Ohsita

Gradually reconfiguring virtual network topologies based on estimated traffic matrices

Traffic matrix is essential to traffic engineering (TE) methods. Because it is difficult to monitor traffic matrices directly, several methods for estimating them from link loads have been proposed. However, estimated traffic matrix includes estimation errors which degrade the performance of TE significantly. In this paper, we propose a method that reduces estimation errors while reconfiguring the virtual network topology (VNT) by cooperating with the VNT reconfiguration. In our method, the VNT reconfiguration is divided into multiple stages instead of reconfiguring the suitable VNT at once. By dividing the VNT reconfiguration into multiple stages, our traffic matrix estimation method calibrates and reduces the estimation errors in each stage by using information monitored in prior stages. We also investigate the effectiveness of our proposal using simulations. The results show that our method can improve the accuracy of the traffic matrix estimation and achieve an adequate VNT as is the case with the reconfiguration using the actual traffic matrices.

Detecting Distributed Denial-of-Service Attacks by Analyzing TCP SYN Packets Statistically

Distributed denial-of-service attacks on public servers have recently become more serious. More are SYN Flood attacks, since the malicious attackers can easily exploit the TCP specification to generate traffic making public servers unavailable. To assure that network services will not be interrupted, we need faster and more accurate defense mechanisms against malicious traffic, especially SYN Floods. One of the problems in detecting SYN Flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of SYN Flood attack. Moreover, since the rate of normal network traffic may vary, we cannot use an explicit threshold of SYN arrival rates to detect SYN Flood traffic. In this paper we introduce a mechanism for detecting SYN Flood traffic more accurately by taking into consideration the time variation of arrival traffic. We first investigate the statistics of the arrival rates of both normal TCP SYN packets and SYN Flood attack packets. We then describe our new detection mechanism based on the statistics of SYN arrival rates. Our analytical results show that the arrival rate of normal TCP SYN packets can be modeled by a normal distribution and that our proposed mechanism can detect SYN Flood traffic quickly and accurately regardless of time variance of the traffic.

Detecting distributed denial-of-service attacks by analyzing TCP SYN packets statistically

Distributed denial-of-service attacks on public servers have recently become more serious. More are SYN flood attacks, since the malicious attackers can easily exploit the TCP specification to generate traffic making public servers unavailable. To assure that network services will not be interrupted, we need faster and more accurate defense mechanisms against malicious traffic, especially SYN floods. One of the problems in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of SYN flood attack. Moreover, since the rate of normal network traffic may vary, we cannot use an explicit threshold of SYN arrival rates to detect SYN flood traffic. In this paper we introduce a mechanism for detecting SYN flood traffic more accurately by taking into consideration the the time variation of arrival traffic. We first investigate the statistics of the arrival rates of both normal TCP SYN packets and SYN flood attack packets. We then describe our new detection mechanism based on the statistics of SYN arrival rates. Our analytical results show that the arrival rate of normal TCP SYN packets can be modeled by a normal distribution and that our proposed mechanism can detect SYN flood traffic quickly and accurately regardless of time variance of the traffic.

Gradually Reconfiguring Virtual Network Topologies Based on Estimated Traffic Matrices

In this paper, we present a practical VNT (virtual network topology) reconfiguration method for large-scale IP and optical networks with traffic matrix estimation considerations. We newly introduce a partial VNT reconfiguration algorithm with multiple transition stages. By dividing the whole VNT transition sequence into multiple transitions, estimation errors are calibrated at each stage by using network state information of prior stages. Because estimation errors are mainly due to the fewer information in the estimated traffic matrix calculation, our approach tries to increase the constraint conditions for traffic matrix estimation by introducing partial reconfiguration, and to relax the impact of estimation errors by limiting the number of optical-paths reconfigured at each stage. We also investigate the effectiveness of our proposal through simulations and clarify the robustness against estimation errors by using partial reconfiguration.

Virtual network reconfiguration for reducing energy consumption in optical data centers

Energy consumption by data centers has become a serious problem, and measures for its reduction should be developed. Such measures should address not only the energy consumption of the servers but also that of the network itself, because the latter is responsible for a substantial portion of the total energy consumption. One approach to reducing the energy consumption of the network within a data center is to use optical circuit switches (OCSs) at the core of the data center, where electronic switches are connected to the OCSs. In such a network, a virtual network can be configured by setting the OCSs to connect different ports of the electronic packet switches. Thus, the energy consumption of the network can be reduced by configuring the virtual network to minimize the number of ports required by the electronic packet switches and powering down any unused ports. In this paper, we propose a method called virtual network reconfiguration for data center networks (VNR-DCN) that immediately reconfigures the virtual network so as to reduce the energy consumption under the constraints on the bandwidth and delay between servers in data center networks based on optical communication paths. In VNR-DCN, we configure the virtual network to satisfy the requirements by setting the parameters of the topology, called generalized flattened butterfly, instead of solving an optimization problem. In the evaluation, we show that a virtual network configured by VNR-DCN requires a small number of active ports. In addition, we show the impact of virtual network configuration on energy consumption.

Deployable overlay network for defense against distributed SYN flood attacks

Distributed denial-of-service attacks on public servers have recently become more serious. To assure that network services will not be interrupted, we need faster and more accurate defense mechanisms against malicious traffic, especially SYN floods. But single point defense (ex. firewalls) lacks a scalability to catch up the increase of the attack traffic. In this paper, we introduce a distributed defense mechanism using overlay networks. This mechanism detects attacks near the victim servers and alert messages are sent via the overlay networks. Then defense nodes identify legitimate traffic and block malicious ones. The legitimate traffic is protected via the overlay networks. We simulate and verify our proposed method can effectively block malicious traffic and protect legitimate traffic. We also describe the deployment scenario of our defense mechanism.

Data Center Network Topologies Using Optical Packet Switches

The large data center network constructed of only the electronic packet switches consumes large power to provide enough bandwidth for all server pairs. One approach to construct the data center network that provides enough bandwidth with small energy consumption is to use the optical packet switches. In the data center network using the optical packet switches, however, the failures of the optical packet switches may have large impacts on the communication between servers. In this paper, we propose the data center network topology using the optical packet switches that can provide enough bandwidth even when some optical packet switches fail. We evaluate our topology and clarify that our topology can provide enough bandwidth even when some optical packet switches fail.

A virtual network to achieve low energy consumption in optical large-scale datacenter

A data center network should provide communication with sufficiently large bandwidth and small delay between all servers. On the other hand, energy consumption of the data center network should be minimized. To satisfy all of the above requirements, in this paper, we introduce the virtual network configured over the data center network constructed of the optical cross connects (OXCs) and the electronic switches. We design the virtual network topology (VNT) so as to achieve sufficiently large bandwidth and small delay with small energy consumption. To calculate the suitable VNT in a short period, we propose the topology called Generalized Flattened Butterfly and a method to set the parameters so as to suit the current condition. In our evaluation, we clarify that our method achieves the sufficient bandwidth and the target maximum number of hops between top-of rack(ToR) switches with small energy consumption.

Identification of Attack Nodes from Traffic Matrix Estimation

Distributed denial-of-service attacks on public servers have recently become more serious. The most effective way to prevent this type of traffic is to identify the attack nodes and detach (or block) attack nodes at their egress routers. However, existing traceback mechanisms are currently not widely used for several reasons, such as the necessity of replacement of many routers to support traceback capability, or difficulties in distinguishing between attacks and legitimate traffic. In this paper, we propose a new scheme that enables a traceback from a victim to the attack nodes. More specifically, we identify the egress routers that attack nodes are connecting to by estimating the traffic matrix between arbitral source-destination edge pairs. By monitoring the traffic variations obtained by the traffic matrix, we identify the edge routers that are forwarding the attack traffic, which have a sharp traffic increase to the victim. We also evaluate the effectiveness of our proposed scheme through simulation, and show that our method can identify attack sources accurately.

Traffic engineering based on stochastic model predictive control for uncertain traffic change

Traffic engineering (TE) plays an essential role in deciding routes that effectively use network resources. This is particularly important when one considers the increasing time variation of Internet traffic such as streaming and cloud services. Traffic engineering with traffic prediction is one approach to stably accommodating time-varying traffic. This approach calculates routes from predicted traffic to avoid congestion, but predictions may include errors that instead cause congestion. We propose a prediction-based traffic engineering method that is robust to prediction errors by considering the probability distribution of predicted traffic. Our approach is based on a control-theoretic approach called stochastic model predictive control. Routes are calculated using a probability distribution of prediction errors so that the occurrence probability of congestion is lower than an operator-specified level. By considering the multi-step future dynamics of traffic, the routes are changed gradually to avoid route oscillation. We also show a relaxation method for unreliable far-future probabilistic constraints to avoid overly conservative route changes. Through simulations using backbone network traffic traces, we demonstrate that our method can accommodate most traffic variations under a given target link capacity without sudden large routes changes.