%0 Generic
%A Gigis, Petros
%A Handley, Mark James
%A Vissicchio, Stefano
%C Sydney, NSW, Australia
%D 2024
%F discovery:10195697
%I Association for Computing Machinery (ACM)
%K traffic testing, ISPs, internet routing, IP spoofing, TCP, BGP
%P 311-326
%T Bad Packets Come Back, Worse Ones Don't
%U https://discovery.ucl.ac.uk/id/eprint/10195697/
%X ISPs may notice that traffic from certain sources is entering their network at an unexpected location, but it is hard to know if this represents a problem or is just normal spoofed background noise. If such traffic is not spoofed, it would be useful to generate alerts, but alerting on background noise is not useful.  We describe Penny, a test ISPs can run to tell unspoofed traffic aggregates arriving on the wrong port from spoofed ones. The idea is simple: when receiving new traffic at unexpected routers, drop a few TCP packets. Non-spoofed TCP packets ("bad packets") will be retransmitted while spoofed ones ("worse packets") will not. However, building a robust test on top of this simple idea is subtle. We show how to deal with conflicting goals: minimizing performance degradation for legitimate flows, dealing with external conditions such as path changes and remote packet loss, and ensuring robustness against spoofers trying to evade our test.
%Z This work is licensed under a Creative Commons Attribution International 4.0 License.