Macroscopical Quantity Balance Of TCP Packets

The quantity balance of TCP controlling packet for the intact TCP flows was obtained by the analysis of the TCP interactive process, which is the basement of Macroscopical Quantity Balance of TCP Packets'Number (MQBTP). The MQBTP defines a metric system to evaluate the controlling packets'amounts of intact TCP connections with three steps of the open, the transmitting and the close process. The effect analysis over metrics by some typical TCP macroscopical abnormal behaviors validated that these metrics can be deployed as an effectual tool to evaluate the TCP macroscopical abnormal behaviors.The systemized metrics were proposed by the detailed analysis of the TCP interactive length and their arrival model, and their measuring error model under different time granularity was discussed. The measuring error is not only related to the time granularity of measuring, but also affected by the RTT distribution of TCP and the internal packet delay in the TCP flow. The theory analysis, simulation and emulation suggested that the measuring time granularity in 5-10min is a suitable measuring duration for most measuring process.The metrics'thresholds of MQBTP for normal/abnormal TCP behavior were deducted by the measuring mismatching model when deployed 64s as the upper limit of RTT and suitable measuring time granularity. The short interval situations which interact less than 2 times, such as DDoS attacks, scanning, worm dispersing, forwarding loop, were discussed in this paper, and the different value thresholds of the MQBTP metrics'were defined to judge normal/abnormal behaviors. The variances of MQBTP metrics under typical large scaled TCP abnormal behaviors were discussed with some instances, the analysis suggests that the appearing time of the TCP macroscopical abnormal behaviors can be determined by MQBTP metrics and their thresholds.The aggregation property of MQBTP was discussed after the discussion of the hash functions'aggregating character, which implies that the MQBTP keeps tenable under the synchronized hash function aggregating. More importantly, after synchronized hashing, the numbers of the counters, which are at the same locations in different hash space of the TCP packets'hash function, also obey to MQBTP.