Experiences with Traffic Shaping

Provided by: douglasc150

1
Experiences with Traffic Shaping
  • Douglas Carson
  • University of Toronto
  • doug.carson_at_utoronto.ca

2
October 2001
  • Inbound Internet gateway is saturated from 9 am
    to 3 am daily
  • Peer-to-peer applications consuming 30% of the
    gateway bandwidth
  • Problems managing residence traffic
  • DDoS attacks
  • Inappropriate internal file servers

3
Traffic Management Project
  • Too many staff resources were being consumed
    trying to address problems on a case-by-case
    basis.
  • Needed some way to effectively manage the
    ever-increasing demand for Internet bandwidth.
  • Project increased in priority as demands (costs
    and complaints) continued to rise.

4
Objectives
  • Manage, to a much finer degree, how the bandwidth
    was being consumed
  • Enhance interactive applications
  • Manage and control DDoS attacks
  • Limit or filter inappropriate traffic
  • Enhance reporting and analysis
  • Analyze network and server delays

5
General Policies
  • Interactive (time-sensitive) traffic will receive
    bandwidth in preference to non-interactive
    (time-insensitive) traffic.
  • No one user will be allowed to monopolize a
    significant portion of the bandwidth to the
    exclusion of others.

6
General Policies, Cont.
  • Residence traffic will be allocated bandwidth in
    a manner so as to not impact academic and
    administrative traffic.
  • Traffic deemed to be of a nature inappropriate,
    detrimental or hostile to users of the network
    will be either filtered or controlled.

7
Technology Requirements
  • Flexible, easy and powerful method for the
    creation of rules
  • Support for hierarchical classification and
    shaping
  • The system must be capable of managing full
    duplex data rates of 100 Mbps

8
Technology Requirements, Cont.
  • Support for some method by which traffic destined
    for multiple destinations can be managed
    separately with appropriate traffic shaping rules
    enforced.
  • Future support for GbE interfaces

9
Implementation
  • Packeteer 6500 installed December 2001
  • Traffic shaping activated mid January 2002
  • Policies reconfigured February 2002
  • Adjustments and tuning May-August 2002
  • Grouping/tuning of residence bandwidth
  • Separate shaping for ONet and CA*net networks
  • Integrate reporting features into current NMS
    framework

10
General Shaping Policies
  • Peer-to-peer traffic capped at 256 Kbps at all
    times
  • IRC capped at 256 Kbps
  • ICMP capped at 800 Kbps inbound and 2 Mbps
    outbound
  • Total outbound FTP capped at 15 Mbps and certain
    individual servers to as low as 50 Kbps

11
Residence Shaping Policies
  • Grouped in a separate class for monitoring
    purposes
  • Peer-to-peer traffic restricted to:
      • 256 Kbps in/out 8 am to 12 am Monday to Friday
      • 15 Mbps in and 1 Mbps out 12 am-8 am Monday to
        Friday and all day Saturday and Sunday
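
Added example, not part of the original slides and not the Packeteer's own implementation: a generic token-bucket policer showing how the residence peer-to-peer schedule above and the 800 Kbps inbound ICMP cap from the previous slide hold a flow to its configured rate. All function and class names are hypothetical; 1 Kbps is assumed to be 1,000 bit/s, "12 am" is read as midnight, and the burst size is an assumed value.

```python
from datetime import datetime

KBPS, MBPS = 1_000, 1_000_000   # assumption: decimal units


def residence_p2p_cap(when: datetime, direction: str) -> int:
    """Cap in bit/s for residence peer-to-peer traffic, per the schedule above."""
    is_weekday = when.weekday() < 5           # Monday=0 .. Friday=4
    if is_weekday and when.hour >= 8:         # 8 am up to midnight, Monday to Friday
        return 256 * KBPS                     # same cap in and out
    # 12 am-8 am on weekdays, and all day Saturday and Sunday
    return 15 * MBPS if direction == "in" else 1 * MBPS


class TokenBucket:
    """Token-bucket policer: tokens are bits, refilled at rate_bps up to burst_bits."""

    def __init__(self, rate_bps: int, burst_bits: int):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = float(burst_bits), 0.0

    def allow(self, now: float, size_bits: int) -> bool:
        # Refill for the elapsed time, never above the burst allowance.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bits <= self.tokens:
            self.tokens -= size_bits
            return True
        return False                          # over the cap: packet is dropped


def delivered_bps(cap_bps: int, offered_pps: int, packet_bytes: int, seconds: int = 10) -> float:
    """Offer a constant packet stream (constructed input) and return the rate that passes."""
    bucket = TokenBucket(cap_bps, burst_bits=cap_bps // 10)   # 100 ms of burst (assumed)
    size_bits = packet_bytes * 8
    passed = 0
    for i in range(offered_pps * seconds):
        if bucket.allow(i / offered_pps, size_bits):
            passed += size_bits
    return passed / seconds


if __name__ == "__main__":
    # Constructed flood: 10,000 ICMP packets/s of 100 bytes (8 Mbps offered) against the 800 Kbps cap.
    print("flood delivered:", delivered_bps(800 * KBPS, 10_000, 100), "bit/s")
    print("Mon 14:00 residence P2P in:", residence_p2p_cap(datetime(2002, 5, 6, 14), "in"), "bit/s")
```

A flow offered below its cap passes untouched, while the constructed flood is held to roughly the cap plus the initial burst.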

12
Miscellaneous Shaping Policies
  • Command and Control (i.e. DNS, NOC SNMP, etc.)
    traffic given high priority.
  • All other SNMP, NetBIOS, tftp, bootp traffic is
    discarded outbound at traffic shaper and both
    outbound and inbound at the gateway router.

13
Current Status
  • Successfully:
      • Controlling peer-to-peer traffic
      • Limiting and blocking inappropriate traffic
      • Controlling ICMP DDoS attacks
      • Reporting (utilization statistics, protocol
        breakdowns, top talkers, etc.)
      • Response time monitoring
  • Unexpected issues:
      • Global shaping of major protocols did not work as
        expected
      • Interactive traffic that wasn't
14
Conclusions
  • Powerful management and analysis tool
  • Black-box
  • Brutally effective
  • Start simple. Implement in steps and beware of
    making too many assumptions.

15
Contact Information
  • Doug Carson
    Supervisor, Network Operations
    University of Toronto
    doug.carson_at_utoronto.ca