Analysis of UDP Traffic Usage on Internet Backbone -

Analysis of UDP Traffic Usage on Internet Backbone Links

Min Zhang1, Maurizio Dusi2, Wolfgang John3 and Changjia Chen11Beijing Jiaotong University, China. email: [email protected] degli Studi Brescia, Italy. email: [email protected]

3Chalmers University, Sweden. email: [email protected]

1 Introduction

It is still an accepted assumption that Internet traffic isdominated by TCP [2]. However, the rise of new streamingapplications (e.g. IPTV such as PPStream, PPLive) and newP2P protocols (e.g. uTP1) trying to avoid traffic shapingtechniques (such as RST packet injection) is expected toincrease the usage of UDP as transport protocol. Since UDPlacks congestion-control, this could potentially raise seriousconcerns about fairness and stability in the Internet.

The goal of this paper is to shed some lights on the as-sumption that TCP is the dominant transport protocol on theInternet. We evaluate the amount of UDP and TCP traffic,in terms of flows, packets and bytes, on traces collected inthe period 2002-2009 on several backbone links located inthe US and Sweden. According to our best available data,the use of UDP as transport protocol is gaining popularityin the recent years, especially in terms of number of flows.A first analysis suggests that most UDP flows use randomhigh ports and carry few packets and little data. This indi-cates that the current increases in UDP traffic are mainly aside product of the general increase of P2P traffic [3], usingrandom ports in order to evade detection and utilizing UDPas signaling traffic for establishing P2P overlay networks.

2 Datasets

The analysis was done on real traffic traces of backbonelinks in the US and in Sweden.

The data from Sweden was collected on an OC192 linkinside the GigaSUNET network of 2006, and on an OC192connection link of the current OptoSUNET network. Traf-fic from GigaSUNET includes two traces of 20 minutescollected in April and November 2006, summing up to9M flows, carrying 422M IP packets and 294GB of data.Two samples of 20-minute each were collected from Opto-SUNET in January and February 2009, and include 41Mflows, 1100M packets and 657GB of data. Find details

1Micro Transport Protocol, based on UDP

about the measurement procedure at DatCat2.The data from the United States was collected by CAIDA

on a peering link for a large ISP (OC48) and on one OC192backbone link. Two 60-minute long traces were collectedon the OC48 link in August 2002 and January 2003. Intotal, the OC48 traces include 105M flows, 1834M pack-ets and 1105GB of data. Traces from the OC192 link arealso 60-minute long samples, collected in 2008 and 2009,and consist of 379M flows, carrying 8434M packets and4446GB of data in total. Further details about the datasetsare available at the CAIDA webpage3.

3 Analysis of UDP traffic

We used CoralReef4 to extract TCP and UDP flows fromour traces. Each flow record, defined by the five-tuple(source and destination IP, port numbers and protocol), in-cludes the counts of packets and bytes exchanged.

In Table 1 we report the ratio between UDP and TCPtraffic, in terms of packets, bytes and flows. The use of UDPas transport protocol has rapidly increased from 2002 to2009, although TCP sessions are still responsible for mostof packets and bytes. However, in terms of flows UDP turnsout to be the dominant transport protocol: on OptoSUNET(2009), we statistically observe one TCP flow every threeUDP flows. Note that the OptoSUNET data include a sub-stantial portion of traffic on UDP port 53, due to the pres-ence of a RIPE DNS server located inside SUNET, servingover 400 zones. Traffic coming from and to port 53 of thisserver cannot be considered native SUNET traffic and wedecide to filter it out for the purpose of our paper.

A per-port analysis helped us to infer the nature of theUDP flows. Figure 1 reports the CDFs of the port num-bers used by UDP flows (x-axis in log-scale). As for tracesof 2002-2003, around 40% of UDP flows run on ports be-low 1024, including DNS (port 53), NTP (port 123) and

2http://imdc.datcat.org/collection/1-04HN-W=SUNET+OC+192+Traces

3http://www.caida.org/data/passive/4http://www.caida.org/tools/measurement/coralreef/

Trace Sample UDP/TCP Ratiopackets bytes flows

CAIDA-OC48 08-2002 0.11 0.03 0.1101-2003 0.12 0.05 0.27

GigaSUNET 04-2006 0.06 0.02 1.0611-2006 0.08 0.03 1.45

CAIDA-OC192 06-2008 0.14 0.05 1.4302-2009 0.19 0.07 2.34

OptoSUNET 01-2009 0.21 0.11 3.0902-2009 0.20 0.11 2.63

Table 1. Values of UDP/TCP ratio.

NetBios traffic (port 137). Since 2003, usage of ephemeralports (>1024) has started to be increasingly common. Ac-cording to a port-based classifier, besides DNS, NTP andNetBios the top-used ports in terms of UDP flows are theones normally used by P2P applications, such as 4672 and4665 (eDonkey), 6881 (BitTorrent), 6346 (Gnutella) and6257 (WinMX).

We attribute the flows running on those ephemeral portsto P2P overlay signaling rather than to bulk transferring.In fact, a further analysis reveals that flows on the top-tenports do generally carry less than 7 packets and about 10KBon average: larger UDP flows are mainly observed in earlytraces (2002-2003), suggesting a drift of the UDP traffic to-wards small (signaling) flows (see Figure 2 for details).

100

101

102

103

104

0

0.2

0.4

0.6

0.8

1

Port Number

CD

F o

f UD

P F

low

s

CAIDA−OC48−08−2002CAIDA−OC48−01−2003CAIDA−OC192−04−2008CAIDA−OC192−02−2009GigaSUNET−04−2006GigaSUNET−11−2006OptoSUNET−01−2009OptoSUNET−02−2009

1024

Figure 1. CDFs of UDP flows based on port number.

4 Summary and Conclusion

In this paper we compared the usage of UDP and TCPon several traffic traces collected in different network andgeographical locations, as well as in different time periods.We show that TCP is still dominating in terms of packet andbyte numbers, while UDP is responsible for the main part oftraffic flows. A port-based analysis suggests that the recentincrease in UDP flows stems mainly from P2P applicationusing UDP for their overlay signaling traffic.

Things might however change with the advent of IPTVand UDP based P2P applications, when not only signaling,but also data traffic will be transported via UDP. We there-fore plan to continue analysis of upcoming traces in order tofurther observe trends in UDP usage: the analysis will also

101

102

103

104

105

100

101

102

Port Number

Pac

kets

/Flo

w


101

102

103

104

105

101

102

103

104

105

106

Port Number

Byt

es/F

low


Figure 2. Average packets (top) and bytes (bottom) perflow. Axes are in log-scale.

include Chinese datasets, since IPTV applications based onUDP are already very common in China today.

In order to provide a more detailed analysis, traffic clas-sification methods beyond simple port classification are re-quired. Unfortunaletely, most current traffic classificationtechniques focus entirely on TCP [4, 5], and only prelim-inary works [1] propose classification techniques that dealwith UDP traffic other than the packet-inspection approach.We therefore believe that traffic analysis and classificationmethods must design their techniques to handle UDP trafficas well, especially given that even P2P applications, respon-sible for most of the modern Internet traffic, are shiftingtheir transport protocol to UDP.

References

[1] T. Z. Fu, Y. Hu, D. M. Chiu, and J. C. Lui. Pbs: Periodicbehavioral spectrum of p2p applications.PAM, April 2009.

[2] W. John and S. Tafvelin. Analysis of internet backbone trafficand header anomalies observed. InIMC, 2007.

[3] W. John, S. Tafvelin, and T. Olovsson. Trends and differ-ences in connection-behavior within classes of internet back-bone traffic. InPAM, 2008.

[4] T. Nguyen and G. Armitage. A survey of techniques for inter-net traffic classification using machine learning.IEEE Com-munications Surveys & Tutorials, 10(4), 2008.

[5] M. Zhang, W. John, K. Claffy, and N. Brownlee. State of theart in traffic classification: A research review.PAM StudentWorkshop, April 2009.

2

Documents

Analysis of UDP Traffic Usage on Internet Backbone -