Computer Science Technical Report Archive

USC Computer Science Technical Reports, no. 811 (2003)

(USC DC Other)

USC Computer Science Technical Reports, no. 811 (2003)

PDF

Download

Open document

Flip pages

Download a page range

Download transcript

Copy asset link

Request this asset

Transcript (if available)

Content
1
A Systematic Simulation-based Study of Adverse Impact
of Short-lived TCP Flows on Long-lived TCP Flows
Shirin Ebrahimi Ahmed Helmy Sandeep Gupta
Department of Electrical Engineering-Systems
University of Southern California
{sebrahim,helmy}@usc.edu sandeep@poisson.usc.edu

ABSTRACT
TCP is the dominant transport protocol accounting for 95% of
the traffic and 80% of the total number of flows in the Internet.
Naturally, TCP responsive behavior has become a gold standard
for identifying unresponsive flows. In general, best effort
applications over non-TCP protocols (e.g., UDP) can be
unfriendly and harmful if they get greater shares of the
bandwidth than what TCP connections get under the same
conditions. We have developed TCP attack scenarios that differ
from all prior research. We show that short-lived TCP flows also
have the potential to exacerbate the vulnerabilities of TCP
congestion avoidance mechanisms to throttle long-lived TCP
flows to a small portion of their fair share of the network
capacity. We explore heuristic congestion scenarios by running
detailed packet-level simulations to obtain a detailed
understanding of such interactions and derive simple and
heuristic rules from simulations. Simulation results indicate a
significant reduction (more than 85%) in throughput of long-
lived TCP flows due to malicious short-lived TCP flows.
Meanwhile, our observations indicate identical performance
profiles for several TCP variants under such attacks with
different packet drop policies. Our approach sheds light on the
interaction of TCP flows with multiple bottleneck links and their
sensitivity to correlated losses in the absence of so-called non-
TCP friendly flows and paves the way for a systematic synthesis
of worst-case congestion scenarios.
Categories and Subject Descriptors
Network Protocols, Denial of Service, Simulation
General Terms
Performance, Design, Simulation, Security
Keywords
TCP, Short-lived Flows, Retransmission TimeOut, Denial of
Service

1. INTRODUCTION
TCP carries 95% of today's Internet traffic and 80% of the total
number of flows in the Internet [6]. A large majority of TCP
flows are short-lived. The main distinction between short-lived
and long-lived TCP flows (also known as mice and elephants,
respectively) is how the congestion window grows. Short-lived
TCP flows spend most of their lifetime in the slow start phase
when the congestion window is increased exponentially. Long-
lived TCP flows also start in the slow start phase, but they spend
most of their lifetime in the congestion avoidance phase in
which they perform AIMD.
In the context of fairness, it has been shown that long-lived TCP
flows are disproportionately affected by non-TCP flows (namely
UDP), since these flows use more than their fair share of the
bandwidth compared to co-existing TCP flows. It is implicitly
assumed that since TCP flows are friendly to other TCP flows,
they cannot cause significant losses. Hence, all research on
attacks on TCP has focused on non TCP-friendly attacking
flows, such as UDP. However it is not clear whether interaction
of short-lived and long-lived TCP flows -that operate in
different phases of TCP algorithm for most of their lifetime-
causes a sustained pattern of significant losses at congested
routers. In other words, TCP self-sabotage is a possibility that
has never been ruled out or even considered. These concerns
highlight the importance of investigating the occurrences of such
scenarios.
We have developed TCP attack scenarios that significantly
depart from all prior work. First we use short-lived TCP flows
and not UDP flows to attack long-lived TCP flows. This allows
us to consider (a) scenarios where short-lived flows are
malicious, i.e., designed to attack, as well as (b) scenarios where
the short-lived flows are normal flows that coincidently
adversely affect the long-lived flows. Second, in contrast to all
previously studied scenarios, we show that an attack using short-
lived flows at bottleneck links does not necessarily cause
maximum loss of performance for the long-lived flows. Finally,
we derive rules to identify locations and durations of short-lived
flows that cause significant loss of performance for long-lived
flows. In short, our work is the first one (of which we are aware)
that heuristically generates scenarios in which short-lived TCP
flows attack long-lived TCP flows so as to drastically affect
their performance. We evaluate the effectiveness of the attacks
by the measuring the reduction percentage in throughput of
long-lived TCP flows. Simulation results show more than 85%
reduction percentage for various TCP flavors (Tahoe, Reno,
New Reno and Sack) and different packet drop policies
(DropTail and RED). Currently, we are analyzing large-scale
simulations to identify occurrences of such scenarios in normal
large-scale simulations. We propose to develop a mixed
simulation strategy for large-scale networks taking into account

2
characteristics of our worst-case scenarios. The remainder of
this paper is organized as follows. Section 2 reviews the related
work. Section 3 describes our research approach. In Section 4,
we explain the case studies and discuss the simulation results.
Finally, Section 5 concludes this paper.
2. RELATED WORK
A lot of research has been done to develop separate models for
mice [6] and elephants [2] in order to predict their performance.
Padhye et al. have developed an analytical model for the steady
state throughput of a bulk transfer TCP flow as a function of loss
rate and round trip time [2]. This model captures the behavior of
TCP’s fast retransmit mechanism as well as the effect of TCP’s
timeout mechanism. On the other hand, Mellia et al. [6] have
proposed an analytical model to predict TCP performance in
terms of the completion time for short-lived flows. Meanwhile
various active queue managements [3, 4] and routing schemes
[5] are proposed to ensure fairness between short-lived and
long-lived flows, especially under competition for bandwidth
when links operate close to their capacity. Guo and Matta
borrowed the concept of Differentiated Services (Diffserv)
architecture and proposed to employ a new TCP service in edge
routers [3]. In this architecture, TCP flows are classified based
on their lifetime and short-lived flows are given preferential
treatment inside the bottleneck queue so that short connections
experience less packet drop rate than long connections. This is
done by employing the RIO (RED with In and Out) queue
management policy, which uses different drop functions for
different classes of traffic. They have shown that preferential
treatment is necessary to improve response time for short-lived
TCP flows, while ensuring fairness and without hurting the
performance of long-lived flows. Additionally Kantawala and
Turner have studied the performance improvements that can be
obtained for short-lived TCP flows by using more sophisticated
packet schedulers [4]. They have presented two different packet-
drop policies in conjunction with a simple fair queuing
scheduler that outperform RED and Blue packet-discard policies
for various configurations and traffic mixes. Furthermore,
Vutukury and Garcia-Luna-Aceves have proposed a simple
heuristic and efficient algorithm for QoS-routing to
accommodate low startup latency and high call acceptance rates,
which is especially attractive for the short-lived flows [5].
Unlike conventional QOS-routing algorithms, this scheme uses
neither link-advertisements nor complex path-selection
algorithm hence low startup latency and high route-scalability.
Moreover Jin et al have developed a new version of TCP, called
FAST TCP [8] in which they use queuing delay in addition to
packet loss as a congestion measure. This allows a finer-grained
measure of congestion and helps to maintain stability as the
network scales up. Meanwhile FAST TCP employs pacing at the
sender to reduce burstiness and massive losses. It also manages
to converge rapidly to a neighborhood of the equilibrium value
after loss recovery by dynamically adjusting Additive Increase
Multiplicative Decrease (AIMD) parameters with more
aggressive increase and less severe decrease as congestion
window evolves. However, in the event that short-lived TCP
flows initiate a malicious attack on long-lived TCP flows, all
such improvements in favor of short-lived TCP flows may
considerably aggravate the situation and extremely affect the
performance of long-lived TCP flows. The work of Kuzmanovic
and Knightly [7], who investigated a class of low-rate UDP
denial of service attacks which are difficult for routers and
counter-DOS mechanisms to detect, is closest to the work
described in this paper in terms of Denial Of Service (DOS).
They have developed low-rate DOS traffic patterns using short-
duration bursts of UDP flows. Through a combination of
analytical modeling, simulation and Internet experiments, they
have shown that such periodic low-rate attacks are highly
successful against both short-lived and long-lived TCP flows
especially if their period matches one of the TCP null
frequencies. In fact, the vulnerability of TCP flows to the DOS
attacks is due to a mismatch of defense and attack timescales,
which cannot be completely eliminated without significantly
compromising the system performance. Our work breaks new
ground in that it presents a novel approach to synthesize attack
scenarios where short-lived TCP flows maliciously throttle co-
existing long-lived TCP flows under competition for bandwidth.
Since most mechanisms to detect malicious traffic focus on non-
TCP flows, our attack scenarios will remain, largely undetected.
3. DESCRIPTION
The Transmission Control Protocol (TCP) is developed as a
highly reliable end-to-end window-based protocol between hosts
in computer networks. Modern implementations of TCP contain
four intertwined algorithms: slow start, congestion avoidance,
fast retransmit, and fast recovery. When a new TCP connection
is established, TCP enters slow start when congestion window
(cwnd) evolves exponentially. On each acknowledgement for
new data, cwnd is increased by one packet. At some point the
capacity of the network is reached and packet losses at
congested routers are experienced. There are two indications of
packet loss: a timeout occurring and the receipt of duplicate
ACKs. If three or more duplicate ACKs are received, it is a
strong indication that a segment has been lost. TCP then
performs a retransmission of what appears to be the missing
segment, without waiting for a retransmission timeout timer to
expire. Then, congestion avoidance, but not slow start is
performed. This is the fast recovery algorithm. It is an
improvement that allows high throughput under moderate
congestion, especially for large windows. In the congestion
avoidance phase, the congestion window evolves linearly rather
than exponentially. However If packet losses are detected by the
timeout mechanism, TCP will set the slow start threshold to half
of the current congestion window, reduces the congestion
window to one, retransmit the missing segment, performs slow
start to that threshold and enters congestion avoidance thereafter
during which it performs Additive Increase Multiplicative
Decrease (AIMD). During Congestion Avoidance regime,
congestion window is either increased by one per round trip time
or one per window (Additive Increase) and if the packet loss is
detected by receiving three or more duplicate ACKs, congestion
window is reduced to half its current size (Multiplicative
Decrease) hence the name AIMD. Clearly TCP congestion
control mechanisms runs on respectively two short and long
timescales: Round Trip Time and Retransmission Time Out.
Allman and Paxon have experimentally shown that TCP nearly
obtains maximum throughput if there exists a lower bound of
one second for RTO [11]. Moreover, they have found out that in
order to achieve the best performance and ensure that the
congestion is cleared; all flows are required to have a minimum
timeout of one second.
Recall that TCP congestion window grows at different rates in
different phases of TCP congestion control. Specifically during
slow start a TCP connection opens its congestion window more
aggressively vs. during congestion avoidance when AIMD is

3
performed. It is not clear how short-lived and long-lived TCP
flows that operate in different regimes of TCP algorithm interact
and whether they consume a fair share of the network capacity
considering they belong to the same protocol family. The main
distinction between short-lived and long-lived TCP flows is the
rate of congestion window evolution. Short-lived TCP flows
spend their lifetime in the slow start phase when the congestion
windows are increased exponentially. Long-lived TCP flows
also start from slow start phase however they settle in the
congestion avoidance phase for the most part of their lifetime
when they perform AIMD.
In this paper we study such interactions and investigate the
occurrences of severe congestion where carefully chosen
malicious short-lived TCP flows attempt to deny network
capacity to long-lived TCP flows taking advantage of the
vulnerability of TCP timeout mechanism.
Consider an illustrative attack scenario with a single long-lived
TCP flow that passes through a bottleneck link along its path.
Initially, the long-lived TCP flow is in the congestion avoidance
phase and performs AIMD. We assume that the maximum
congestion window is limited by the bottleneck capacity. Now
assume a malicious user creates severe congestion on a link
along the path of the long flow by sending multiple short-lived
TCP flows that can be visualized as a series of spikes. During
each burst, when the total traffic generated by the spike and the
single long-lived flow exceeds the capacity of that link, enough
packet losses are induced that the long flow is forced back off
for an RTO of one second [11]. Suppose the RTO timer expires
at time=t
1
. Note that at this time the congestion window is set to
one, the value of RTO is doubled and packet transmission is
resumed by retransmission of the lost packet at time=t
1
. Now if
the same pattern of short-lived flows starts over between time=t
1

and time=t
1
+2RTT such that the retransmitted packet is also
lost, the sender of the long-lived TCP flow now has to wait for
2RTO seconds till the retransmission timer expires. As a result
the long TCP flow repeatedly enters the retransmission time out
phase, which is doubled every time retransmission of a lost
packet fails. Consequently, the long-lived flow obtains nearly
zero throughput. As the result of the described congestion
scenario throughput of the long-lived TCP flow is almost 100%
reduced. Figure 1 depicts the periodically injected short-lived
flows. Each spike is a short-lived TCP flow in slow start and its
congestion window grows exponentially from 1 to W
ij
before it
either hits congestion and enters timeout or is terminated. In
general, W
ij
may not be a power of two. Let M
ij
denote the last
value of the congestion window that is a power of two and r
ij

stand for the data in bytes that is transferred in a partial window
afterwards. Also let C denote the capacity of targeted link, T
L

the aggregated throughput of the long-lived flows, d
ij
the
duration of the spike which is the time it takes for a short-lived
flow to time out or be terminated, R the average rate of the
spikes in a period of P sec and N
ij
the total number of packets
sent in a spike. In general, there can be n groups of m spikes in a
period with a time gap g
ij
between successive spikes and another
time gap G at the end of each periodic interval before the next
interval starts. In order to force the long-lived flows to time out,
the overall throughput of all flows (short-lived and long-lived)
should exceed the targeted link capacity such that many packets
are lost from the corresponding window of data. Therefore the
average Rate of short-lived flows in a period should satisfy the
following condition:
C T R
L
> + (1)
Since short-lived flows are in slow start and the congestion
window evolves exponentially, it takes
ij ij
RTT M × ) (log
2
to
transmit the full windows and t
ij
to send the partial window
Equation (2) gives d
ij
in terms of M
ij
, RTT
ij
and t
ij
.
2
(log )
ij ij ij ij
dMRTTt = ×+ (2)
Also the total number of data packets sent in each spike (N
ij
)
can easily be found from M
ij
and r
ij
as shown in Equation (3).
21
ij ij ij
N Mr =×−+ (3)
Equation (4) gives the period of the attack in terms of the
durations of spikes and the time gaps.
1
()
n
ij ij
i
Pd g G
=
= ++
∑
(4)
Thus the average rate of the short-lived flows in a period is the
sum of the throughput of each row in Figure 1. The throughput
of each row is the amount of data transmitted in a period by the
spikes in that row divided by the period. Equation (5) shows the
average rate of the short-lived flows in a period.
11
11
1
(2 1 )
()
nn
ij ij ij
mm
ii
n
jj
ij ij
i
N Mr
R
P
dg G
==
==
=
×−+
==
++
∑∑
∑∑
∑
(5)
In order to satisfy condition (1), R should be maximized.
Therefore the time gaps in Figure (1) should be removed.
Figure 1: General stream of short-lived flows
Figure 2: Effective stream of short-lived
Time (sec)
Congestion
window
d(1,1)
P
(1,1)
(1,2)
(1,m)
(n,1)
(n,2)
(n,m)
(2,2)
m
(2,1)
(2,m)
g(1,1) d(i,j) g(i,j) d(n,1)g(n,1) G
(i,j)
W(i,j)
r(i,j)
W(1,1)
r(1,1)
W(n,1)
r(n,1)
M(1,1) M(i,j) M(n,1)
Time (sec)
Congestion
window
d(1,1)
P
(1,1)
(1,2)
(1,m)
(n,1)
(n,2)
(n,m)
(2,2)
m
(2,1)
(2,m)
g(1,1) d(i,j) g(i,j) d(n,1)g(n,1) G
(i,j)
W(i,j)
r(i,j)
W(1,1)
r(1,1)
W(n,1)
r(n,1)
M(1,1) M(i,j) M(n,1)
Reff
Teff
P
1 K
Rate (B/sec)
P
Reff
Teff
P
1 K
Rate (B/sec)
P
W’
d
M’
r’

4
1
1
1
21
n
ij ij
m
i
n
j
ij
i
M r
R
d
=
=
=
×−+
=
∑
∑
∑
(6)
Also it seems like increasing n would augment the summation in
the nominator of Equation (6) and consequently boost R.
However it should be noted that the value of M
ij
inversely
depends on n. In other words increasing n means, placing more
non-overlapping groups of short-lived flows in a period, which
results in smaller spikes (both in height and width) and
consequently smaller R. However if there is only one group of
short-lived flows in a period, they will have the entire period
interval to open and grow their congestion window as much as
the spare capacity on the targeted link allows. Since the flows in
this group are fully overlapped, R is the sum of their
throughputs. Hence increasing m will increase R until condition
(1) is satisfied at m=m
*
(Equation (7)). Conversely further
increasing m will result in smaller R, since the short-lived flows
will start competing with each other.
*
11
1
1
21
mm
jj
L
j
j
Mr
R CT
d
=
=
×−+
=>−
∑
(7)
Now recall from the illustrative attack scenario that the effective
time interval to attack is in the order of RTT of the long-lived
flows. Therefore condition (1) seems rather conservative. Figure
(2) shows a single fully overlapped group of short-lived flows in
a period. As can be seen from this figure, most of the energy of
short flows is concentrated around the peak of the spikes. In
other words, it suffices to have R
eff
exceed the spare capacity of
the targeted link provided that the buffers are already filled up.
However, it takes d-T
eff
to fill up the buffers along the targeted
path. Suppose the initial queue size in the buffer is Q
0
and the
masimum buffer size is Q. Then the time it takes to completely
fill the buffers is:
0
'
eff
L
QQ
dT
R TC
−
−=
+−
(8)
where R’ is the throughput of the short-flows during this time
interval. Equation (9) shows R’ in terms of d’, r’ and M’ for a
single group of m short-lived flows, similar to equation (7) for
R.
*
1
11
1
1
2' 1 '
'
j
mm
jj
jeff
j
M r
R
dT
=
=
×−+
=
−
∑
(9)
The modified condition is therefore:
eff L
R TC +> (10)
where R
eff
is the throughput of the short-lived flows during T
eff
.
However by this time the buffers of the targeted link(s) are
nearly full, therefore the short-lived flows can send at most one
more round of packets that is at most one full window before
they start losing packets. Since the short-lived flows are still in
slow start phase, then the next full window will be at most twice
as the last full congestion window. Therefore R
eff
for a single
group of m short-lived flows is:

*
1
1
1
'
j
mm
j
eff
eff
j
W
R
T
=
=
=
∑
(11)
Naturally it follows that the effective attack interval is T
eff
. As
mentioned before in the case of single long-lived flow, T
eff
is in
the order of the RTT of the long-lived flow. In a heterogeneous
environment with multiple long-lived flows with different round
trip times an analogous argument suggests that T
eff
should be
greater than or equal to all the round trip times an analogous
argument suggests that T
eff
should be greater than or equal to all
the round trip times of the long-lived flows. Hence most of the
long-lived flows (ideally all of them) are forced to timeout
simultaneously for at least RTO

seconds. In this case RTO is the
minimum retransmission time out of the heterogeneous long-
lived flows. Obviously during the timeout phase, condition (8)
does not hold. Furthermore, the interval between successive
T
eff
’s, which is ideally in the order of RTO, gives the short-lived
flows a chance to gain more energy, increase their overall rate
and prepare to attack during T
eff
.
We take the idea of creating such sustained patterns of severe
congestion and explore it in several dimensions. We investigate
the scalability of such scenarios in terms of the long-lived flows.
Further more, we study the effects of the temporal distribution
of malicious flow. Additionally, we look into the spatial
distribution of attacks on multiple links in an attempt to locate
the most vulnerable targets. Ultimately, we suggest the most
effective settings for the attack pattern that maximizes its effects
on the performance of the long-lived TCP flows. Since the
steady state performance of long-lived TCP flows (such as FTP
transfers that are used in the simulation of congestion scenarios)
is characterized by their throughput, we consider the reduction
percentage of overall throughput of long-lived TCP flows as the
evaluation metric.
4. SIMULATIONS
In this section we explore the impact of short-lived TCP attacks
on the performance of long-lived TCP flows. We design a series
of detailed packet level attack scenarios to answer the following
questions. As the number of long-lived TCP flows increases,
how should the pattern of the attack formed by short-lived TCP
spikes change in order to maintain the same near zero
throughput? What links should be the target of short-lived TCP
attacks to achieve the most aggregate throughput reduction? In
an arbitrary topology some TCP flows may share one or more
bottlenecks but not necessarily all share the same bottlenecks. In
a large-scale scenario, how are the period and duration of short-
lived TCP spikes determined?
The first group of such scenarios is designed for a chain
topology to study the effects of aggregation of homogeneous
long-lived TCP flows (in terms of RTT) in the event of attack
from short-lived TCP flows. The second group of attack
scenarios is designed for an arbitrary topology to investigate the
effects of aggregation of heterogeneous long-lived TCP flows
(in terms of RTT) with multiple bottleneck links. In general, we
refer to the link(s) with minimum unused capacity as the
bottleneck(s). In some cases, the bottleneck also happens to be
the link that carries maximum number of flows.

4.1 Single bottleneck topology
Here we describe the attack simulations on the Single bottleneck
topology (depicted in Figure 3) performed in NS-2 and discuss
the observations. In this topology, five groups of long-lived TCP
flows share a chain of links and each of these links is also shared
with a group of short flows. Link L3 is the bottleneck link with a
bandwidth of 3 Mbps and one-way propagation delay of 5 msec.

5
Initially; the long-lived TCP flows are in the Congestion
Avoidance phase. We assume that maximum congestion
windows of all TCP connections are limited by network
bottleneck capacity. Short-lived TCP flows are periodically
injected on links L1 to L5 according to the pattern depicted in
Figure 1. We measure the aggregate throughput reduction
percentage of the long flows and plot it vs. m, which is the
number of short-lived flows sent simultaneously in a time slot.
We also measure the overall throughput of short-lived flows and
plot against m. We try to identify the effective values for
parameters involved in the attack pattern, i.e. d, p, m and n.
Preliminary observations indicate that temporal distribution of
such attacks on these links is less effective as compared to
simultaneous attacks on those links. Therefore throughout the
rest of attack scenarios, malicious short-lived flows are just
spatially distributed on multiple links. In this case d refers only
to the slow start duration. In Figures 4 to 6, all the short-lived
flows are terminated after d=0.5 sec, d=0.75 sec and d=1 sec,
respectively. The attack period is changed from 0.5 to 2.5 sec
and the throughput reduction percentage of long-lived flows are
plotted vs. m for n=1. In this set of simulations the TCP version
for both long and short flows is Reno and the chosen packet
drop policy at all buffers is DropTail. As can be seen, regardless
of the value of d the highest reduction percentage corresponds to
the attack period of 1 sec. Interestingly, this is the default value
for TCP Retransmission Time Out value (RTO). In other words,
when the attack period matches the RTO of the TCP long flows,
the throughput degradation is maximized. As the attack period
increases, the gap between expiration of the retransmission
timers of the long flows and the subsequent attack interval
increases and consequently long flows obtain more throughputs.
Also among the three graphs, for m<15 the most of them are
already in the time out phase, when they are terminated at d=1
sec. For m<15 most effective scenario corresponds to d=1 sec
and p=1 sec. In this case, even a low-rate stream of malicious
flows can reduce the throughput of the long flows significantly.
For higher values of m, the reduction percentage is almost the
same for d=0.75 sec and d=1 sec. The time it takes for the short-
lived flows in these scenarios to enter retransmission time out
varies between about 0.75 sec and 1 sec. For m>15 and d= 1 sec
however, most of them are still in slow start, competing with
long-lived flows for 0.25 sec longer than when d=0.75 sec and
obviously at a higher rate. As a result more and more long-lived
flows are forced to time out for m<15. As m increases more
short-lived flows enter time out thus the throughput reduction
percentage for long-lived flows saturates and increasing d from
0.75 sec to 1 sec for m>15 does not make much difference.
As indicated by the shape of the curves, increasing the rate of
the malicious stream does not monotonically increases the
reduction percentage of the long flows throughput. When the
overall throughput of the long and malicious short flows reaches

0
10
20
30
40
50
60
70
80
90
10 0
0 5 10 15 2 0 2 5 3 0 35 40
m =N um ber of S hort F low s per Interval
Throughput Reduction Percentage, d=0.5 sec
p=0 .5
p=1
p=1 .5
p=2
p=2 .5
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage, d=0.75 sec
p=0.5
p=1
p=1.5
p=2
p=2.5
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m =N um ber of Short F low s per Interval
Throughput Reduction Percentage, d=1 sec
p= 0.5
p= 1
p= 1.5
p= 2
p= 2.5
Figure 5: Effect of period on reduction percentage, d=0.5
6
8
7
9
10
0
11
1 2 3 4 5 5Mbps,10msec
14 13 12 15
5Mbps,10msec 5Mbps,10msec 3Mbps,5msec 5Mbps,10msec 5Mbps,10msec
5Mbps,50msec
5Mbps,50msec
5Mbps,50msec
5Mbps,50msec
5Mbps,50msec
5Mbps,10msec
5Mbps,10msec
5Mbps,10msec
5Mbps,10msec
L1 L2 L3 L4 L5
Bottleneck
Figure 3: Single bottleneck topology
Figure 4: Effect of period on reduction percentage, d=0.5
Figure 6: Effect of period on reduction percentage, d=1

6
the capacity of the corresponding shared links increasing the rate
of the malicious short flows does not reduce the throughput of
the long flows any more.
Figure 7 shows the overall throughput of the short-lived flows
vs. m for different attack periods. Apparently, for a fixed
number of short-lived flows as the period of the attack increases
time gap between successive attacks becomes larger
consequently the average attack rate decreases. Figure 8 shows
the effect of n on the performance of long-lived flows.
During each attack period, n consecutive groups of m
simultaneous short-lived flows are injected on the targeted links.
Now, in order to fit more such groups in one period, n other
words in order to increase n, d should decrease, i.e. short-lived
flows should be terminated sooner. Consequently the overall
rate of the short-flows will decrease and fewer long-lived flows
will time out. As can be seen, at n=1, throughput reduction
percentage for the long-lived flows is maximized. According to
the observations, it seems that d=1 sec, p=1 sec and n=1 are
thus far the most effective settings. The rest of simulation results
is obtained with these settings. Figure 9 depicts the effect of
aggregation of homogeneous long-lived flows. As the number of
long-lived flows increases, the throughput reduction percentage
slightly decreases however the attacks are still highly successful
and severely degrade the throughput of long-lived flows. Figure
11 shows the simulation results for different TCP variants with
DropTail packet drop policy. TCP variants are basically
improvements to the original TCP algorithm to help TCP flows
survive multiple packet drops from a window or within an RTT
and maintain a high throughput under moderate congestion.
However simulation results indicate that all variants are
significantly affected by the attacks. In other words when too
many short-lived flows that are all in slow-start compete with
long-lived TCP flows that are in congestion avoidance, so many
of the packets from the window are lost that even these
improvements fail to make up for TCP inherent vulnerabilities.
Figure 10 demonstrates the same effect for different TCP
variants with RED packet drop policy. The main objective of
employing RED in routers is to prevent global synchronization
of TCP flows. It has been shown that RED is unable to avoid the
synchronization effects if the source of synchronization is an
external malicious source such as DOS attacks [7]. Interestingly,
we observe that even if the source of synchronization is TCP
itself, RED fails to avoid the synchronization of TCP flows
cutting their window in half or entering the time out almost
simultaneously. Since long-lived TCP flows have the same
minimum retransmission time out value, when the attack period
matches this value, it repeatedly induces a synchronization
effect by forcing the long-lived flows to enter the time out at
about the same time and exit the time out nearly together.
Figure 12 depicts the effect of attacking on different links in
figure 2 for the following settings (d=1sec, p=1 sec and m=30).
The horizontal axis shows the targeted links between node (a)
and node (b). For instance ‘2to4’ means attack on links L3 and
L4 that are between node 2 and node 4. As can be seen, the
throughput reduction percentage increases as more links are
targeted in the first 5 columns from left. The 5
th
column shows
the throughput reduction percentage when all 5 links (L1 to L5)
are attacked which is the most effective attack. Next 4 columns
correspond to the attacks initiated on links between node 1 and
node 2, 3, 4 and 5 respectively. Again increasing the targeted
path length increases the throughput degradation of the long-
lived flows. Next column shows effect of attacking the
bottleneck link. Surprisingly, the bottleneck link turns out to be
more robust to these attacks. The key reason for this behavior
goes back to our definition of the bottleneck link. The bottleneck
link is a link with the least unused capacity. Now the
effectiveness of such attacks highly depends on the ability of
malicious short-lived flows to force the long-lived flows to enter
timeout. When there is little capacity left on the targeted link,
0
500
1000
1500
2000
2500
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Overall Short Flows Throughput (KB/sec), d=1sec
p=0.5
p=1
p=1.5
p=2
p=2.5
Figure 7: Overall throughput of short-lived flows
-10
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1 sec,p=1 sec
n=1
n=2
n=4
n=6
n=8
Figure 8: Effect of ‘n’ on reduction percentage
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1sec,p=1sec
5 Groups of 3
5 Groups of 6
5 Groups of 9
5 Groups of 12
Figure 9: Effect of aggregation of long-lived flows

7
0
10
20
30
40
50
60
70
80
90
100
0to1 0to2 0to3 0to4 0to5 1to2 1to3 1to4 1to5 2to3 2to4 2to5 3to4 3to5 4to5
Attacked Paths, Node 'a' to Node 'b'
Throughput Reduction Percentage
d=1 sec, p=1 sec, m=30
0
200
400
600
800
1000
1200
1400
1600
1800
2000
0to1 0to2 0to3 0to4 0to5 1to2 1to3 1to4 1to5 2to3 2to4 2to5 3to4 3to5 4to5
Attacked Paths, Node 'a' to Node 'b'
O verall Short Flow s
T hroughput (K B /sec)
d=1 sec, p=1 sec, m =30

short-lived flows won’t be able to open their congestion window
so much as to inject enough packets on the link in order to create
many correlated packet losses from long-lived flows. Thus
fewer long-lived flows will enter retransmission timeout and the
attack won’t be very successful. Numerical results show a mere
25% throughput degradation when only the bottleneck link is
attacked. However attacking on the bottleneck link and other
links increases the effectiveness of the attack to more than 80%.
It is also observed that attacking the links closer to the
destination is slightly more effective because packets that are
dropped on the last links have already traveled the first and also
the intermediate links and added to the traffic and contributed to
the congestion on those links.
Figure 13 shows the overall throughput of the short-lived flows
when different links are targeted. Obviously attacking more
links using the same pattern requires more short-lived flows. As
a result the overall rate of short-lived flows increases when more
links are attacked. Needless to say when the bottleneck link is
targeted, the overall rate of the short-lived flows is minimal for
the similar reason mentioned above.
4.2 Multiple bottleneck topology
In this section we describe the attack simulations on an arbitrary
topology (figure 13) performed in NS-2 and explain the
observations.In this topology, we identify four duplex links B1
to B4 as the bottleneck links. 48 groups of 3 long-lived flows
originate and end in different stubs. These flows are further
categorized into eight larger groups according to the bottleneck
links they share. The throughput reduction percentage for each
of these groups, T
ij
, is measured and plotted vs. m. ‘i’ and ‘j’
denote the nodes incident on the bottleneck link that is shared by
each group. For instance, T03 is the throughput reduction
percentage of all the flows that pass through link B4 on the
direction from 0 to 3. All links have a bandwidth of 15Mbps and
the propagation delays vary from 1 to 49 msec. Again, we
assume that maximum congestion windows of all TCP
connections are limited by network bottlenecks capacity and
before the attack; the long-lived TCP flows are in the
Congestion Avoidance phase. The simulation results obtained
here are consistent with those obtained from the single
bottleneck topology simulation. We further use this arbitrary
topology to investigate the effects of aggregation of
heterogeneous long-lived TCP flows (in terms of RTT) with
multiple bottleneck links. Figures 14 and 15 show the simulation
results for two attack scenarios. In the first scenario short-lived
TCP flows are periodically injected on links B1 to B4 on both
directions according to the pattern shown in figure 1. Note that
there are two groups (T
02
and T
20
) that pass through two
bottleneck links. The throughput reduction percentage of each of
the other six groups is inversely proportional to the capacity left
on the corresponding bottleneck link. This unused capacity of
the link depends on the bandwidth delay product of the link, the
buffer size and the number of flows passing through that link.
As can be seen from figure 14, the more capacity left on a link,
the more short-lived flows will be able to steal this capacity. On
the other hand, the throughputs of the two groups that pass
through two bottleneck links are more degraded since they are
attacked on two links. This is of course consistent with the
results obtained from the chain topology that as more links are
attacked, throughput reduction percentage increases.
In the second scenario, 12 duplex links (A1 to A12) that are not
the bottleneck links are targeted by the same pattern of short-
lived flows. Figure 15 shows the throughput reduction
Figure 10: Comparing various TCP flavors, DropTail
Figure 11: Comparing various TCP flavors, RED
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1sec,p=1sec
Reno, RED
New Reno, RED
Tahoe, RED
Sack, RED
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1sec,p=1sec,m=30
Reno (DropTail)
New Reno (DropTail)
Tahoe (DropTail)
Sack (DropTail)
Figure 12: Comparing effects of attacks on links from
node ‘a’ to node ‘b’ in the single bottleneck topology
Figure 13: Overall throughput of short-lived flows
for attacks on links from node ’a’ to node ‘b’

8

percentage of the 8 mentioned groups vs. m. It’s worth
mentioning that in this scenario each of the flows in these
groups pass through two targeted links. For m<15, the
effectiveness of the attacks is highly dependent on the unused
capacity of the targeted links. However as m increases, more and
more short-lived flows are injected on these links such that
many correlated packet losses are created. Consequently the
throughput degradation varies between 80% and 90% in a quasi-
stable manner. Comparing the two scenarios, we conclude that
the second scenario is more effective since the throughput
reduction percentage for each group of long-lived flows in this
scenario is about 5% to 30% higher. However by looking at the
figures 16 and 17, we notice that the overall rate of the short-
lived flows in the second scenario is almost 3 times as high as
that in the first scenario, which is consistent with prior
observations from the parking lot topology. Recall that in the
second scenario 12 duplex links are targeted whereas in the first
scenario only 4 duplex links are attacked. The results obtained
from this set of simulations indicate that the proposed attack
pattern is highly successful in heterogeneous-RTT environments
with multiple bottlenecks and a high level of multiplexing.
5. CONCLUSIONS
In this paper we have presented heuristic TCP attack scenarios
that radically differ from all prior work. We have used short-
lived TCP flows and not UDP flows to design attack scenarios
against long-lived TCP flows. Through an extensive detailed set
of simulations we show that short-lived flows that spend most of
their lifetime in slow start can drastically reduce the throughput
of the long-lived flows (more than 85%) under competition for
network capacity. Simulation results confirm existence of a
natural time scale for the TCP flows that maximizes the adverse
effects of malicious attacks. This natural time scale is an
inherent vulnerability of TCP algorithm and corresponds to the
timeout mechanism. In other words, when the attack period of
the malicious flows is close to the minimum retransmission time
out value for the long-lived flows, throughput reduction
percentage is maximized. Moreover, we identify the most
effective settings for other parameters of the attack pattern based
on the observations. The simulations results also exhibit similar
performance profiles for various TCP flavors (Tahoe, Reno,
New Reno and Sack) with different packet drop policies
(DropTail and RED). Surprisingly, RED is unable to prevent
synchronization of TCP flows even when the source of
synchronization is nothing but TCP. Additionally, the obtained
results indicate that the effectiveness of the attack using short-
lived flows is weighted towards the links with more unused
capacity. As counter-intuitive as it may seem, targeting
bottleneck links do not necessarily cause maximal performance
degradation for the long-lived flows. According to the
observations, the success of such attacks is of little sensitivity to
the aggregation of homogeneous-RTT or heterogeneous- RTT
long-lived flows. Furthermore we showed that the effectiveness
Attack on Other Links
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1sec,p=1sec
T03
T30
T12
T21
T13
T31
T20
T02
Attack on Backbone Links
0
10
20
30
40
50
60
70
80
90
100
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Throughput Reduction Percentage,d=1sec,p=1sec
T03
T30
T12
T21
T13
T31
T20
T02
B1
B2
B3
B4
A1
A2
A3
A4 A5
A6
A7
A8
A9
A11
A10
A12
Figure 14: Mutiple Bottleneck Topology
Figure 15: Effects of attacking non-backbone links
Figure 16: Effects of attacking backbone links
0
2
4
6
8
10
12
14
16
18
20
0 5 10 15 20 25 30 35 40
m=Number of Short Flows per Interval
Overall Short Flows Throughput (MB/sec),d=1sec,p=1sec
Backbone
Non-backbone
Figure 17: Comparing throughput of short-lived
flows attacking backbone and non-backbone links

9
of the attack depends to a great extent on the number of targeted
links.
Presently, we are analyzing large-scale simulations to identify
occurrences of such scenarios in normal large-scale simulations.
As the future course of action, we propose to develop a mixed
simulation strategy for large-scale networks taking into account
characteristics of our worst-case scenarios as well as discrete
models that capture details (e.g. queue size, protocol events),
which can later be employed in systematic synthesis of worst-
case congestion scenarios.
Acknowledgements
The authors hereby would like to extend their appreciation and
acknowledgement for the support from DARPA and NSF.

REFERENCES
[1] J. Postel, “Transmission control protocol,” RFC 793,
September 1981.
[2] J. Padhye, V. Firoiu, D. Towsley, and J. Kurose, “Modeling
TCP throughput: A Simple Model and Its Empirical Validation,”
Proc. of SIGCOMM, August 1998.
[3] L. Guo and I. Matta , “The War between Mice and

Elephants,” Proc. of ICNP'2001, November 2001.
[4] A. Kantawala and J. Turner, “Queue Management for Short-
Lived TCP Flows in Backbone Routers,” Proc. of High-Speed
Symposium, Globecom 2002.
[5] S. Vutukury and J.J. Garcia-Luna-Aceves, “WiNN: An
Efficient Method for Routing Short-Lived Flows,” Proc. IEEE
ICT 2003, February 23 - March 1, 2003.
[6] M. Mellia, I. Stoica, and H. Zhang, “TCP Model for Short
Lived Flows,” IEEE Communications Letters, February 2002.
[7] A. Kuzmanovic and E. Knightly, “Low-Rate TCP-Targeted
Denial of Service Attacks,” Proc. of SIGCOMM August 2003.
[8] C. Jin, D. X. Wei, and S. H. Low, “FAST TCP: motivation,
architecture, algorithms, performance,” IEEE Infocom, March
2004.
[9] V. Jacobson, “Congestion Avoidance and Control,” Proc. of
SIGCOMM 1988.
[10] K. Fall and S. Floyd, “Simulation-based Comparisons of
Tahoe, Reno, and SACK TCP,” ACM Computer
Communications Review, vol. 26, no. 3, July 1996.
[11] M. Allman and V. Paxon,”On estimating end-to-end
network path properties,” Proc. of SIGCOMM, September 1999

Linked assets

Computer Science Technical Report Archive

Conceptually similar

PDF

USC Computer Science Technical Reports, no. 801 (2003)

PDF

USC Computer Science Technical Reports, no. 674 (1998)

PDF

USC Computer Science Technical Reports, no. 755 (2002)

PDF

USC Computer Science Technical Reports, no. 726 (2000)

PDF

USC Computer Science Technical Reports, no. 727 (2000)

PDF

USC Computer Science Technical Reports, no. 696 (1999)

PDF

USC Computer Science Technical Reports, no. 734 (2000)

PDF

USC Computer Science Technical Reports, no. 809 (2003)

PDF

USC Computer Science Technical Reports, no. 763 (2002)

PDF

USC Computer Science Technical Reports, no. 673 (1998)

PDF

USC Computer Science Technical Reports, no. 690 (1998)

PDF

USC Computer Science Technical Reports, no. 663 (1998)

PDF

USC Computer Science Technical Reports, no. 765 (2002)

PDF

USC Computer Science Technical Reports, no. 860 (2005)

PDF

USC Computer Science Technical Reports, no. 931 (2012)

PDF

USC Computer Science Technical Reports, no. 716 (1999)

PDF

USC Computer Science Technical Reports, no. 814 (2004)

PDF

USC Computer Science Technical Reports, no. 856 (2005)

PDF

USC Computer Science Technical Reports, no. 672 (1998)

PDF

USC Computer Science Technical Reports, no. 790 (2003)

Description

Shirin Ebrahimi, Ahmed Helmy, Sandeep Gupta. "A systematic simulation-based study of adverse impact of short-lived TCP flows on long-lived TCP flows." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 811 (2003).

Asset Metadata

Creator Ebrahimi, Shirin (author), Gupta, Sandeep (author), Helmy, Ahmed (author)

Core Title USC Computer Science Technical Reports, no. 811 (2003)

Alternative Title A systematic simulation-based study of adverse impact of short-lived TCP flows on long-lived TCP flows (title)

Publisher Department of Computer Science,USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA (publisher)

Tag OAI-PMH Harvest

Format 9 pages (extent), technical reports (aat)

Language English

Unique identifier UC16270528

Identifier 03-811 A Systematic Simulation-based Study of Adverse Impact of Short-lived TCP Flows on Long-lived TCP Flows (filename)

Legacy Identifier usc-cstr-03-811

Format 9 pages (extent),technical reports (aat)

Rights Department of Computer Science (University of Southern California) and the author(s).

Internet Media Type application/pdf

Source 20180426-rozan-cstechreports-shoaf (batch), Computer Science Technical Report Archive (collection), University of Southern California. Department of Computer Science. Technical Reports (series)

Access Conditions The author(s) retain rights to their work according to U.S. copyright law. Electronic access is being provided by the USC Libraries, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.

Repository Name USC Viterbi School of Engineering Department of Computer Science

Repository Location Department of Computer Science. USC Viterbi School of Engineering. Los Angeles\, CA\, 90089

Repository Email csdept@usc.edu

Inherited Values

Title Computer Science Technical Report Archive

Description Archive of computer science technical reports published by the USC Department of Computer Science from 1991 - 2017.

Coverage Temporal 1991/2017

Repository Email csdept@usc.edu

Repository Name USC Viterbi School of Engineering Department of Computer Science

Repository Location Department of Computer Science. USC Viterbi School of Engineering. Los Angeles\, CA\, 90089

Publisher Department of Computer Science,USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA (publisher)