Hybrid Fiber Coax (HFC) cable networks were originally built to deliver broadcast-quality TV signals to homes. The wide availability of such systems and the extremely high bandwidth of these systems led to the extension of their functionality to include delivery of high-speed broadband data signals to end-users. Data over Cable System Interface Specifications (DOCSIS), a protocol elaborated under the leadership of Cable Television Laboratories, Inc., has been established as the major industry standard for two-way communications over HFC cable plants.
The basic elements of a DOCSIS 1.x-compliant cable network are the cable modem (CM), located at the subscriber's site, and the cable modem termination system (CMTS) and headend, located in facilities operated by the cable service provider. The CM may be a discrete device or integrated into a device that provides additional functionality. The medium between the CMTS and the different CMs is a two-way shared medium, in which the downstream channels carry signals from the headend to users and upstream channels carry signals from users to the headend. A CM is normally tuned to one upstream channel and the associated downstream channel. The upstream channel is an inherently shared medium in which slots are reserved using a contention system, while the downstream is a broadcast dedicated link from the CMTS to the CM.
A quality of service (QoS) level is defined for communications between a CM and a CMTS for each service to which a subscriber subscribes. For example, a basic data service subscriber may receive downstream traffic at a maximum burst rate of 3 Mbps, while a premium subscriber may receive downstream traffic at maximum burst rate of 6 Mbps. Voice over IP (VoIP) services are typically provided with very stringent QoS requirements to assure that the quality of a cable-delivered telephone call will equal or exceed the call quality of a call placed over the public switched telephone network.
The principal mechanism in DOCSIS 1.x for providing enhanced QoS is to classify packets traversing a path between a CM and a CMTS into a service flow. A service flow is a unidirectional flow of packets that is provided a particular Quality of Service. The CM and CMTS provide this QoS by shaping, policing, and prioritizing traffic according to a QoS parameter set defined for the service flow.
Service flows exist in both the upstream and downstream direction, and may exist without actually being activated to carry traffic. Service flows typically have a 32-bit service flow identifier (SFID) assigned by the CMTS. An active and admitted upstream service flow also has a 14-bit Service Identifier (SID). At least two service flows are defined in a configuration file received by a CM—one for upstream and one for downstream service. The first upstream service flow describes the primary upstream service flow, and is the default service flow used for otherwise unclassified traffic. The first downstream service flow describes the primary downstream service flow. Additional service flows defined in the configuration file create service flows that provide enhanced QoS.
Conceptually, incoming packets are matched to a classifier that determines to which QoS service flow the packet is forwarded. The header of the packet is examined. If the packet matches one of the classifiers, it is forwarded to the service flow indicated by the SFID attribute of the classifier. If the packet is not matched to a classifier, it is forwarded on the primary service flow.
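The classification step described above, as an added Python illustration (not code from the patent or from any DOCSIS implementation): each classifier carries a set of header match criteria and the SFID of its service flow; a packet is forwarded to the first matching classifier's service flow, or to the primary service flow when nothing matches. The match fields (IP protocol, destination network, destination port range), the rule-priority ordering, and the sample packets and SFID values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Classifier:
    """One DOCSIS-style packet classifier (fields are an assumed subset)."""
    sfid: int                                   # service flow this classifier forwards to
    priority: int = 0                           # higher priority is evaluated first (assumed ordering)
    ip_protocol: Optional[int] = None           # e.g. 17 = UDP, 6 = TCP; None = don't care
    dst_net: Optional[str] = None               # destination network in CIDR notation; None = don't care
    dst_port_range: Optional[Tuple[int, int]] = None  # inclusive (low, high); None = don't care

    def matches(self, pkt: dict) -> bool:
        """Return True only if every configured criterion matches the packet header."""
        if self.ip_protocol is not None and pkt.get("protocol") != self.ip_protocol:
            return False
        if self.dst_net is not None:
            dst_ip = pkt.get("dst_ip")
            if dst_ip is None or ip_address(dst_ip) not in ip_network(self.dst_net):
                return False
        if self.dst_port_range is not None:
            lo, hi = self.dst_port_range
            if not lo <= pkt.get("dst_port", -1) <= hi:
                return False
        return True


def classify(pkt: dict, classifiers: list, primary_sfid: int) -> int:
    """Return the SFID the packet is forwarded on: first matching classifier, else the primary flow."""
    for cls in sorted(classifiers, key=lambda c: c.priority, reverse=True):
        if cls.matches(pkt):
            return cls.sfid
    return primary_sfid


# Constructed example configuration: a VoIP flow, a DNS flow, and the primary (best-effort) flow.
PRIMARY_SFID = 1
CLASSIFIERS = [
    Classifier(sfid=1001, priority=10, ip_protocol=17, dst_port_range=(16384, 32767)),  # RTP media
    Classifier(sfid=1002, priority=5, ip_protocol=17, dst_net="10.0.0.0/24", dst_port_range=(53, 53)),  # DNS
]

# Constructed sample packets (header fields only).
SAMPLE_PACKETS = {
    "voip": {"protocol": 17, "dst_ip": "10.0.5.7", "dst_port": 20000},
    "dns": {"protocol": 17, "dst_ip": "10.0.0.53", "dst_port": 53},
    "web": {"protocol": 6, "dst_ip": "10.0.0.53", "dst_port": 80},
}


def classify_samples() -> dict:
    """Classify each sample packet; returns a name -> SFID mapping."""
    return {name: classify(pkt, CLASSIFIERS, PRIMARY_SFID) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, sfid in classify_samples().items():
        print(f"{name:>5} -> SFID {sfid}")
```

The `web` packet matches neither classifier and therefore lands on the primary service flow, which is exactly the "otherwise unclassified traffic" case the text describes.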
Systems and methods for configuring service flows are described in commonly owned U.S. Pat. No. 7,388,870 entitled “A System and Method for Providing Premium Transport in a DOCSIS-Compliant Cable Network,” and pending continuation application Ser. No. 12/401,863. The U.S. Pat. No. 7,372,809 and the application Ser. No. 12/401,863 are incorporated herein in their entireties by reference for all purposes.
The process for managing service flows in the DOCSIS 1.x environment requires that policies be configured on the CM. In order to relieve the CM and other subscriber components from involvement in QoS determination and to support dynamic flows that may come and go, a newer architecture, PacketCable Multimedia (PCMM), was defined. PCMM is intended to provide a framework where reliable DOCSIS resources can be reserved for a variety of applications, which include videoconferencing, interactive gaming, streaming media, and so on. The PCMM framework allows for client devices to use PCMM resources without having to be tightly integrated in the resource reservation and commitment processes.
FIG. 1 is a block diagram illustrating the logical components of a PCMM framework implemented in a DOCSIS-compliant network.
A multimedia client 100 is an application or device using a multimedia service. Multimedia clients include applications that stream audio and/or video, gaming consoles, voice over IP (VoIP) telephones. Typically, clients connect to the cable network via a cable modem 102.
A client may be categorized by how involved the client is in establishing the QoS for the application. Clients that have no involvement depend on an applications manager 106 to set up QoS resources. Other categories of clients may share the QoS setup functions with the applications manager 106 or perform all of the QoS setup functions locally. An applications server 104 may be configured to handle multimedia session requests on behalf of the client 102.
The applications manager 106 receives the request to establish a multimedia session either directly from the client 102 or from the applications server 104. The applications manager 106 is responsible for applying service policies. Applying service policies includes determining the QoS to which the client 102 is entitled. Information about the QoS is then conveyed to a policy server 108. This information may be in the form of specific QoS parameters or it may be in the form of a service name that the policy server 108 may associate with a set of parameters. The policy server 108 confirms the QoS selected by the applications manager 106. The applications manager 106 reserves the resources on behalf of the client.
The reserved QoS parameters are pushed to the CMTS 110 by the policy server 108.
Network resources are not only affected by the demands of the various applications run over the network. Overconsumption of network resources whether by high-demand subscribers or by attackers may also affect the QoS available to all subscribers.
Consider the impact on a network when a large number of subscribers are infected with a software application (a “bot”) that either allows the attacker to control the infected computers or runs automated tasks on them, and that facilitates a distributed denial of service (DDoS) attack on a DNS server. In a DDoS attack, the attacker infects a large number of computers connected to the Internet. A DDoS on DNS floods the DNS server with DNS request messages. Such an attack may exhaust bandwidth, router processing capacity, and network stack resources, thereby breaking network connectivity to the targets. There are various techniques for detecting a DDoS attack. One approach is to detect changes in the packet traffic at one or more routers or nodes in the network being monitored. The changes are detected by comparing traffic in real time, or over a pre-set period, to a baseline measure of traffic at the nodes. The baseline data may be time sensitive and destination (or port) sensitive. In addition, the changes may be measured in terms of volume (number of packets) and packet distribution (packet volume of the nodes relative to each other). Other techniques may also be used. Systems and methods for thwarting a DDoS are described in commonly owned U.S. Pat. No. 7,372,809 entitled, “Thwarting Denial of Service Attacks Originating in a DOCSIS-Compliant Cable Network,” which patent is incorporated herein in its entirety by reference for all purposes.
In a DOCSIS 1.x environment, a service provider may attempt to expand DNS capacity to dilute the effects of the DDoS attack, or isolate the infected subscriber devices (“zombies”) by reconfiguring their modems. The latter solution necessitates a reboot of the infected modems and will result in increased subscriber complaints. The former will be transparent to the subscribers but is an inefficient use of network resources.
The PCMM architecture allows the network operator to dynamically restrict network access to subscribers who are exceeding a threshold usage limit. Throttling a subscriber dynamically may resolve the excess consumption situation but effectively denies the subscriber access to the data network.
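The baseline-comparison detection outlined two paragraphs above and the threshold-based throttling described here, combined into one added Python example (not code from the patent or from any PCMM product). Per-node, per-destination-port packet counts for a measurement interval are compared to a baseline on both volume and share-of-total distribution; nodes that stand out and whose subscriber usage exceeds a threshold get a reduced QoS parameter set rather than a disconnect. The thresholds, the rate values, and all counts are constructed for the example.

```python
from typing import Dict, Tuple

# Keys are (node identifier, destination port); values are packets seen in one interval.
TrafficTable = Dict[Tuple[str, int], int]

# Constructed baseline: normal traffic at three cable modems, DNS (53) and web (80).
BASELINE: TrafficTable = {
    ("cm-a", 53): 100, ("cm-a", 80): 400,
    ("cm-b", 53): 120,
    ("cm-c", 80): 500,
}

# Constructed current interval: cm-b is suddenly sending a flood of DNS requests.
CURRENT: TrafficTable = {
    ("cm-a", 53): 100, ("cm-a", 80): 400,
    ("cm-b", 53): 9000,
    ("cm-c", 80): 500,
}

# Constructed per-subscriber usage in kbit/s for the same interval.
USAGE_KBPS = {"cm-a": 800, "cm-b": 5000, "cm-c": 1500}


def detect_anomalies(baseline: TrafficTable, current: TrafficTable,
                     volume_factor: float = 5.0, share_delta: float = 0.2) -> dict:
    """Flag (node, port) entries whose packet volume exceeds baseline * volume_factor
    or whose share of total traffic grew by more than share_delta (assumed thresholds)."""
    base_total = sum(baseline.values()) or 1
    cur_total = sum(current.values()) or 1
    flagged = {}
    for key, cur in current.items():
        base = baseline.get(key, 0)
        volume_exceeded = cur > max(base, 1) * volume_factor   # max(...,1) avoids a zero baseline
        share_shift = cur / cur_total - base / base_total       # change in distribution across nodes
        if volume_exceeded or share_shift > share_delta:
            flagged[key] = {"baseline": base, "current": cur,
                            "share_shift": round(share_shift, 3)}
    return flagged


def throttle_plan(flagged: dict, usage_kbps: Dict[str, int],
                  threshold_kbps: int, restricted_kbps: int) -> Dict[str, dict]:
    """For each flagged node whose usage is above the threshold, emit a restricted QoS
    parameter set (illustrative shape: a single max rate) instead of cutting the subscriber off."""
    plan = {}
    for (node, _port), _info in flagged.items():
        if usage_kbps.get(node, 0) > threshold_kbps:
            plan[node] = {"max_rate_kbps": restricted_kbps}
    return plan


def run_example() -> Dict[str, dict]:
    """Detect anomalies in the constructed interval and compute the throttle plan."""
    flagged = detect_anomalies(BASELINE, CURRENT)
    return throttle_plan(flagged, USAGE_KBPS, threshold_kbps=3000, restricted_kbps=64)


if __name__ == "__main__":
    for key, info in detect_anomalies(BASELINE, CURRENT).items():
        print("anomaly", key, info)
    print("throttle plan", run_example())
```

Only `cm-b` is flagged (9000 packets against a baseline of 120, and its share of all packets jumps from about 11% to 90%), and because its usage is also over the 3000 kbit/s threshold it is the only subscriber in the throttle plan. Keeping the restricted rate above zero is what distinguishes this from the reboot-and-reconfigure approach of the previous paragraph, although, as the text notes, a low enough rate is still effectively a denial of service to that subscriber.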