Title : Bad Packets Come Back, Worse Ones Don’t
Authors : Petros Gigis, Mark Handley, Stefano Vissicchio (University College London)
Scribe : Huisan Xu (Xiamen University)
Introduction
This work helps ISPs handle traffic entering their network at unexpected locations. Such traffic can be caused either by a network misconfiguration or by the normal background noise of spoofed packets. In the first case it is useful to raise an alert so that operators can check the routers' filtering and forwarding configuration; in the second case the random background noise is not worth attention.
This paper describes Penny, a test that ISPs can run to tell unspoofed traffic aggregates arriving on the wrong port from spoofed ones. Experiments show that Penny can do so with very limited impact on genuine, closed-loop traffic.
Key idea and contribution
The key idea of Penny is simple: when new traffic arrives at an unexpected router, drop a few of its TCP packets. Non-spoofed TCP packets ("bad packets") will be retransmitted by their closed-loop senders, while spoofed ones ("worse packets") will not. However, building a robust test on top of this simple idea is subtle. The authors therefore show how to deal with conflicting goals: minimizing performance degradation for legitimate flows, dealing with external conditions such as path changes and remote packet loss, and ensuring robustness against spoofers trying to evade the test.
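The drop-and-watch idea above, as an added toy model that is not the authors' Penny code. It keys the test on the destination address as the "aggregate", drops the first few segments of each aggregate, and then counts how many of exactly those (source, sequence number) pairs come back. The parameter values, the aggregate key, the crude retransmission timer in the closed-loop sender and the spoofer models are all assumptions made here, and the last spoofer shows one reason the summary calls the real test subtle: a naive version of this idea is fooled by a spoofer that simply sends every forged segment twice. The page does not say how Penny handles that case, so the example does not pretend to.

```python
"""Toy model of the drop-and-look-for-retransmission test (added example,
not the paper's implementation; all parameter values are assumptions)."""
import random
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str   # source IP (string for readability)
    dst: str   # destination IP; used as the traffic-aggregate key (assumption)
    seq: int   # TCP sequence number


@dataclass
class DropProbe:
    """Drop the first `drops` segments of each aggregate, then watch the next
    `window` segments for retransmissions of exactly those (src, seq) pairs."""
    drops: int = 3            # assumed: "a few" packets
    window: int = 20          # assumed: how long to wait for retransmissions
    threshold: float = 0.5    # assumed: fraction retransmitted to call it genuine
    _dropped: dict = field(default_factory=lambda: defaultdict(set))
    _retx: dict = field(default_factory=lambda: defaultdict(set))
    _watched: dict = field(default_factory=lambda: defaultdict(int))
    verdict: dict = field(default_factory=dict)

    def forward(self, seg: Segment) -> bool:
        """Return True to forward `seg`, False to drop it."""
        agg = seg.dst
        if agg in self.verdict:
            return True                       # test finished: forward everything
        dropped = self._dropped[agg]
        key = (seg.src, seg.seq)
        if key in dropped:
            self._retx[agg].add(key)          # a "bad" packet came back
        elif len(dropped) < self.drops:
            dropped.add(key)                  # bad or worse? drop it and see
            return False
        if len(dropped) == self.drops:        # drop phase over: watch the aggregate
            self._watched[agg] += 1
            if self._watched[agg] >= self.window:
                frac = len(self._retx[agg]) / self.drops
                self.verdict[agg] = "genuine" if frac >= self.threshold else "spoofed"
        return True


def closed_loop_sender(probe, src, dst, n=40, mss=1000):
    """Toy TCP-like sender: whatever the probe drops is retransmitted later
    (the modulo-4 'timer' is a stand-in for a real RTO/fast retransmit)."""
    seq, pending, sent = 0, [], 0
    while sent < n:
        if pending and sent % 4 == 0:
            seg = Segment(src, dst, pending.pop(0))   # retransmission
        else:
            seg = Segment(src, dst, seq)
            seq += mss
        if not probe.forward(seg):
            pending.append(seg.seq)                   # sender notices the loss
        sent += 1
    return probe.verdict.get(dst)


def spoofed_sender(probe, dst, n=40, rng=None):
    """Open-loop spoofer: forged sources and random sequence numbers; it never
    learns about the drops and never retransmits ("worse packets")."""
    rng = rng or random.Random(1)
    for _ in range(n):
        seg = Segment(f"198.51.100.{rng.randrange(256)}", dst, rng.randrange(2**32))
        probe.forward(seg)
    return probe.verdict.get(dst)


def replaying_spoofer(probe, dst, n=40, rng=None):
    """Evasion attempt against this naive probe: send each forged segment twice,
    so the copy looks like a retransmission of the dropped original."""
    rng = rng or random.Random(2)
    for _ in range(n // 2):
        seg = Segment(f"198.51.100.{rng.randrange(256)}", dst, rng.randrange(2**32))
        probe.forward(seg)
        probe.forward(seg)
    return probe.verdict.get(dst)


if __name__ == "__main__":
    victim = "192.0.2.10"
    print("closed loop :", closed_loop_sender(DropProbe(), "203.0.113.7", victim))
    print("spoofed     :", spoofed_sender(DropProbe(), victim))
    print("replaying   :", replaying_spoofer(DropProbe(), victim))
```

Running it, the closed-loop sender is classified as genuine after three retransmissions, the open-loop spoofer is classified as spoofed, and the replaying spoofer is (wrongly) classified as genuine, which is the kind of adversarial case the paper says a robust test has to handle on top of the basic drop-and-watch mechanism.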
Personal thoughts
This paper introduces a fascinating and practical concept for identifying and differentiating between spoofed and unspoofed network traffic by employing a simple method. Upon receiving new traffic at unexpected routers, Penny drops a few TCP packets and differentiates based on whether these packets are retransmitted. Non-spoofed TCP packets (“bad packets”) get retransmitted, whereas spoofed ones (“worse packets”) do not.
The key contribution of this paper is the provision of a straightforward yet effective mechanism that aids Internet Service Providers (ISPs) in distinguishing between unspoofed traffic aggregates arriving on incorrect ports and spoofed traffic. This is particularly crucial in the realm of cybersecurity, as accurately identifying spoofed traffic can help prevent various cyber attacks, such as DDoS attacks, among others.
Moreover, the authors explore how to maintain the robustness of the test under different external conditions like path changes, remote packet loss, and against spoofers attempting to dodge the test. This demonstrates that their focus is not only on the basic functionality of the test but also on ensuring its usability and reliability in dynamic network environments.