NeTraMet Streams, DNS Response

Nevil Brownlee, U Auckland / CAIDA
IEPG, San Diego, Sun, 10 Dec 2000


  1. Overview

    • Streams / Flows / Torrents
    • SRL programs,'ambiguous' flows
    • The meter at SDSC
    • DNS response plots
      • Two week's data (Sat 18 - Fri 2 Dec 00)
      • Root and gTLD servers
      • Meters at SDSC and Auckland

  2. Streams, Flows and Torrents

    • Torrent
      • All traffic on a link

    • Flow
      • RTFM flow: bidirectional, specified by end-point attributes as determined by ruleset

    • Stream
      • IP 5-tuple contributing to an RTFM flow
      • Can build distributions of stream metrics, e.g. lifetime, size in packets or bytes
      • Can match DNS request/response packet pairs and build response-time distributions

  3. SRL Programs (1)
      if SourcePeerType == IPv4 save;
      else ignore;
      
      if SourceTransType == TCP save;
      else if SourceTransType == UDP save;
      else ignore;
      
      save FlowTime = 50.0.0!0 & 2.4.1!12000;
      # 50 buckets, PP_NO_TEST, log-scale bins, 10 ms..120 s
      count;
      
      set flow_stats_demo;
      format
        FlowRuleSet FlowIndex FirstTime SourceTransType
        "  " ToPDUs FromPDUs "  " ToOctets FromOctets
        " (" FlowTime ")";
      

  4. Meter setup at SDSC (1)

    • First guess ...


    • Problem: Very high observed loss rates (i.e. requests with no matching response)

  5. SDSC: Roots A, F
    Medians of 5-minute distributions

  6. Ambiguous-direction flows
      • 'Simple' case, dest port is enough to specify direction
      • 'Ambiguous' case, source & dest ports don't specify direction

    • If meter sees all packets in both directions,
      can use dest port plus dest address to specify direction
    • Otherwise specify both source and dest addresses

  7. UCSD / SDSC netblocks
      define UCSD_SUB       = 132.239/16;
      define UCSD_EXTRN     = 137.110/16;
      define UCSD_CERF      = 199.105.0/18;
      
      define CAIDA          = 192.172.226/24;
      define SDSC_APOLLO    = 192.31.21/24;
      define SDSCNET_CBLK   = 198.202.64/18;   # Salk Institute
      
      define UCSD           = 128.54/16;
      define MPL106         = 192.135.237/24;
      define MPL4           = 192.135.238/24;
      
      define SDSC2          = 132.249/16;
      define SCRIPPSNET_BIG = 137.131/16;     # Scripps Research Inst
      define HYPERNET       = 153.105/16;     # Dimension Systems, Poway
      define NET_NSI        = 198.133.185/24; # Neurosciences institute
      define SDSCFDDIDMZ    = 198.17.46/24;
      

    • Netblocks found using ruleset, saving SourcePeerAddress

  8. SRL Programs (2)
      # First attempt at SDSC DNS response distributions
      
      if SourcePeerType == IPv4 save;
      else ignore;  # Not IP
      if SourceTransType == UDP save;
      else ignore;  # Not UDP
      
      TestDestAddress;  # Sets FlowClass and FlowKind
      
      if FlowKind == 0 nomatch;  # Not a root or gtld nameserver
      else {
      
        if DestTransAddress == DNS save;  # Avoid meter warning msg
        else ignore;  # Not going to DNS port (shouldn't happen)
      
        save ToTurnaroundTime1 = 50.11.0!0 & 2.3.14!700;
        # 50 buckets, PP_UDP_DNS, log scale, 10**3 => 14..700 ms
        count;
        }
      

  9. Meter setup at SDSC (2)

    • The real thing ...
    • Other packets via vBNS, CALREN, etc.

  10. SRL Programs (3)
      # ’Well-behaved’ attempt at SDSC DNS response distributions
      
      define GOOD_NETS = 
        SCRIPPSNET_BIG, SDSCNET_CBLK, SDSC2, SDSC_APOLLO;
       
      if FlowKind == 0 nomatch;  # Not a root or gtld nameserver
      else {
      
        if DestTransAddress == DNS save;  # Avoid meter warning msg
        else ignore;  # Not going to DNS port (shouldn't happen)
      
        if SourcePeerAddress == (GOOD_NETS) {
          save ToTurnaroundTime1 = 50.11.0!0 & 2.3.14!700;
          # 50 buckets, PP_UDP_DNS, log scale, 10**3 => 14..700 ms
          count;
          }
        }
      

    • GOOD_NETS have flows with ToPDUs ~ FromPDUs

  11. SDSC: Roots A, F
    Medians of 5-minute distributions



  12. SDSC: gTLDs D, F
    Medians of 5-minute distributions



  13. SDSC: Root request packets
    Medians of 5-minute distributions

  14. SDSC: Root loss %
    Medians of 5-minute distributions. Filtered: at least 10 requests per 5-min interval

  15. SDSC: gTLD request packets
    Medians of 5-minute distributions.

  16. SDSC: gTLD loss %
    Medians of 5-minute distributions. Filtered: at least 10 requests per 5-min interval

  17. SDSC: One Day's gTLD loss %
    Medians of 5-minute distributions. Filtered: at least 10 requests per 5-min interval

  18. Work to do ...

    • Comparison with results from earlier rulesets
      • Use all UCSD+SDSC netblocks
    • Metering other paths in/out of SDSC
      • Get better understanding of asymmetric routes at UCSD, and the ways in which routes change
    • Monitor other nameservers
      • Which other nameservers?

  19. Nevil Brownlee (n.brownlee@auckland.ac.nz)
    Last updated: 5 December 2000