The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, wide-spread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion. We present a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, space-efficient (requiring approximately 0.5% of the link capacity per unit time in storage) , and implementable in current or next-generation routing hardware. We present both analytic and simulation results showing the system's effectiveness.

Network traffic measurements provide essential data for networking research and network management. In this paper we describe a passive monitoring system designed to capture GPS synchronized packet level traffic measurements on OC-3, OC-12, and OC-48 links. Our system is deployed in four POPs in the Sprint IP backbone. Measurement data is stored on a 10 terabyte SAN (Storage Area Network) and analyzed on a computing cluster. We present a set of results to both demonstrate the strength of the system and identify recent changes in Internet traffic characteristics. The results include traffic workload, analyses of TCP flow round-trip times, out-ofsequence packet rates, and packet delay. We also show that some links no longer carry web traffic as their dominant component to the benefit of file sharing and media streaming. On most links we monitored, TCP flows exhibit low out-of-sequence packets rates and backbone delays are dominated by the speed of light.

We propose a simple and robust mechanism for detecting SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end (like firewall or proxy) or a victim server itself, we detect the SYN flooding attacks at leaf routers that connect end hosts to the Internet. The simplicity of our detection mechanism lies in its statelessness and low computation overhead, which make the detection mechanism itself immune to flooding attacks. Our detection mechanism is based on the protocol behavior of TCP SYN--FIN (RST) pairs, and is an instance of the Sequential Change Point Detection [1]. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method [4] is applied, thus making the detection mechanism much more generally applicable and its deployment much easier. The efficacy of this detection mechanism is validated by trace-driven simulations. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy. Moreover, due to its proximity to the flooding sources, our mechanism not only sets alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.

The volume and complexity of traffic on the Internet is increasing rapidly, making it both more difficult and more important to understand. To this end we have created the CoralReef passive traffic monitoring suite, which can be

The growth in the popularity of interactive network games has increased the importance of a better understanding of the effects of packet loss and latency on user performance. While previous work on network games has studied user tolerance for high latencies and has studied the effects of latency on user performance in real-time strategy games, to the best of our knowledge, there has been no systematic study of the effects of loss and latency on user performance. In this paper we study user performance for Unreal Tournament 2003 (UT2003), a popular first person shooter game, under varying amounts of packet loss and latency. First, we deduced typical real world values of packet loss and latency experienced on the Internet by monitoring numerous operational UT2003 game servers. We then used these deduced values of loss and latency in a controlled networked environment that emulated various conditions of loss and latency, allowing us to monitor UT2003 at the network, application and user levels. We designed maps that isolated the fundamental first person shooter interaction components of movement and shooting, and conducted numerous user studies under controlled network conditions. We find that typical ranges of packet loss have no impact on user performance or on the quality of game play. The levels of latency typical for most UT2003 Internet servers, while sometimes unpleasant, do not significantly affect the outcome of the game. Since most first person shooter games typically consist of generic player actions similar to those that we tested, we believe that these results have broader implications.

Variable latency on the Internet is a well-known problem for interactive applications. With the increase in interactive network games comes the increased importance of understanding the effects of latency on user performance. Classes of network games such as First Person Shooters (FPS) and Real Time Strategy (RTS) differ in their user interaction model and hence susceptibility to variable latency. While previous work has measured the effects of latency on FPS games, there has been no systematic investigation of the effects of latency on RTS games. In this work, we design and conduct user studies that measure the impact of latency on user performance in Warcraft III, a popular RTS game. As a foundation for the research, we separated typical Warcraft III user interactions into the basic components of explore, build and combat, and analyzed each individually. We nd modest statistical correlations with latency for exploration, but very weak correlations for building and combat. Overall, the effect of even very high latency, while noticeable to users, has a negligible effect on the outcome of the game. We attribute this somewhat surprising result to the nature of RTS game-play that clearly favors strategy over the real-time aspects.

We survey recent advances in theories and models for Internet Quality of Service (QoS). We start with the theory of network calculus, which lays the foundation for support of deterministic performance guarantees in networks, and illustrate its applications to integrated services, differentiated services, and streaming media playback delays. We also present mechanisms and architecture for scalable support of guaranteed services in the Internet, based on the concept of a stateless core. Methods for scalable control operations are also briefly discussed. We then turn our attention to statistical performance guarantees, and describe several new probabilistic results that can be used for a statistical dimensioning of differentiated services. Lastly, we review recent proposals and results in supporting performance guarantees in a best effort context. These include models for elastic throughput guarantees based on TCP performance modeling, techniques for some quality of service differentiation without access control, and methods that allow an application to control the performance it receives, in the absence of network support.

The packet-pair technique aims to estimate the capacity of a path (bottleneck bandwidth) from the dispersion of two equal-sized probing packets sent back to back. It has been also argued that the dispersion of longer packet bursts (packet trains) can estimate the available bandwidth of a path. This paper examines such packet-pair and packet-train dispersion techniques in depth. We first demonstrate that, in general, packet-pair bandwidth measurements follow a multimodal distribution and explain the causes of multiple local modes. The path capacity is a local mode, often different than the global mode of this distribution. We illustrate the effects of network load, cross-traffic packet-size variability, and probing packet size on the bandwidth distribution of packet pairs. We then switch to the dispersion of long packet trains. The mean of the packet-train dispersion distribution corresponds to a bandwidth metric that we refer to as average dispersion rate (ADR). We show that the ADR is a lower bound of the capacity and an upper bound of the available bandwidth of a path. Putting all of the pieces together, we present a capacity-estimation methodology that has been implemented in a tool called pathrate. We report on our experiences with pathrate after having measured hundreds of Internet paths over the last three years.

This paper provides a preliminary assessment of the effectiveness of an application layer tool that measures the Bulk Transfer Capacity (BTC) of a network path. BTC is roughly defined as the throughput that a flow using standard congestion control techniques would obtain across a given network path at a given time. We utilize the NIMI mesh of measurement hosts to compare stock BSD TCP with a new BTC measurement tool, cap. While BTC tools have been around for some time, no systematic evaluation of their accuracy with respect to standard TCP congestion control across a wide variety of network paths has been conducted. The goal of this paper is to provide such an empirical evaluation of a BTC tool and therefore assess the reliability of the measurements obtained using BTC tools.

Online gaming is one of the most profitable businesses over the Internet. Among all genres of the online games, the popularity of the MMORPG (Massive Multiplayer Online Role Playing Games) is especially prominent in Asia. Opting for a better understanding of the game traffic and the economic well being of the Internet, we analyze a 1,356-million-packet trace from a sizeable MMORPG, ShenZhou Online. This work is, as far as we know, the first formal analysis on the MMORPG server traces. We find that the MMORPG and FPS (First-Player Shooting) games are similar in that they both generate small packets and require low bandwidths. In particular, the bandwidth requirement of MMORPG is even lower due to the less real-time game play. More distinctive are the strong periodicity, temporal locality, and irregularity observed in the MMORPG traffic. The periodicity is due to a common practice in game implementation, where the game state updates are accumulated within a fixed time window before transmission. The temporal locality in the game traffic is largely due to the game nature where one action leads to another. The irregularity, particular unique in MMORPG traffic, is due to the diversity of game design where the user behavior can be drastically different depending on the quest at hand.