The Tiger Effect
Internet Providers usually spend their time worrying about threats from
hackers, link failures, and router configuration errors. Yesterday,
though, many of them were worried about Tigers…
Starting around 9 am Pacific and peaking at 1:30 pm yesterday, many
ISPs noticed an unusual increase in traffic. At first, a few security
engineers worried they were under some type of new DDoS attack. But the flood
of traffic did not appear directed at any individual customer — the gigabits of anomaly
traffic surged to almost all customers from multi-national banks to the bakery down the
street and home DSL / Cable users. For several ISPs, traffic into their network grew
by 15-25%. In one provider, inbound traffic nearly doubled.
It turns out that the U.S. Open played at Torrey Pines yesterday
generated one of the larger Internet-wide flash crowds this
year. Traffic dipped and peaked corresponding to Tiger’s initial
misses and subsequent spectacular comeback as millions
of office bound fans tuned in to the live NBC and ESPN coverage.
The below graph shows data from 70 ISPs around the world sharing data
with Arbor’s Internet Traffic Observatory (we talked about this
project at the last NANOG). The orange filled area in the graph
represents the aggregate gigabits per second of Internet traffic to
TCP port 1935 (Flash Media) player into these 70 providers. The
accompanying chart helpfully provides a brief timeline of the
U.S. Open action.
Although Tiger’s fame may be worldwide, the Internet flash-crowd
traffic was predominantly associated with North America providers. The
largest increases in traffic were seen out of Akamai and Limelight CDN
providers and their upstreams. For the most part, the Internet
infrastructure handled the increased traffic without a problem (though
some Observatory data shows traffic drops from a handful of ISPs to
the CDNs during peak periods of the U.S. Open).
Credit goes to Jason McEachin (one of Arbor’s Consulting Engineers) who
first observed the “Tiger Effect”.