7–8 Jul 2025
The Brewery
Europe/London timezone

Detecting Non-Spoofed Traffic at ISP Ingress Points

8 Jul 2025, 15:45
15m
The Porter Tun (1st Floor) (The Brewery)

52 Chiswell Street London EC1Y 4SA What3Words: ///guilty.rabble.books
Standard Presentation Lightning Talks NetUK2

Speaker

Petros Gigis (University College London)

Description

ISPs may notice that traffic from certain sources is entering their network at an unexpected location, but it is hard to know if this represents a problem or is just normal spoofed background noise. If such traffic is not spoofed, it would be useful to generate alerts, but alerting on background noise is not useful.

We describe Penny, a robust, reliable, and practical traffic checker that helps ISPs distinguish between non-spoofed traffic aggregates arriving at the wrong ingress point and spoofed ones. The idea is simple: when new traffic arrives at unexpected routers, drop a few TCP packets. Non-spoofed packets ("bad packets") will be retransmitted, while spoofed packets ("worse packets") will not.

However, building a robust test around this idea requires care. We address key challenges: minimising performance degradation for legitimate flows, handling external conditions like path changes or remote packet loss, and ensuring resilience against spoofers attempting to evade detection.
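The drop-and-watch-for-retransmission idea described above, as a simplified added example (not openPenny's code). The `Packet` fields, the `window`, `threshold` and `min_drops` values and the sample traffic are assumptions constructed for illustration, and the sketch does not address the robustness challenges the abstract lists.

```python
from collections import namedtuple

# One TCP data segment seen at the unexpected ingress router (fields are assumed).
Packet = namedtuple("Packet", "ts src dst sport dport seq length")

def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)

def classify_aggregate(dropped, observed, window=3.0, threshold=0.5, min_drops=4):
    """Classify a traffic aggregate from the fate of deliberately dropped segments.

    dropped:  segments the checker dropped on purpose.
    observed: segments seen afterwards at the same ingress point.
    A drop counts as retransmitted when a later segment of the same flow,
    within `window` seconds, covers the dropped starting sequence number.
    Sequence-number wraparound is ignored in this sketch.
    """
    if len(dropped) < min_drops:
        return "inconclusive", 0.0
    by_flow = {}
    for p in observed:
        by_flow.setdefault(flow_key(p), []).append(p)
    retransmitted = 0
    for d in dropped:
        for p in by_flow.get(flow_key(d), []):
            in_window = d.ts < p.ts <= d.ts + window
            covers = p.seq <= d.seq < p.seq + p.length
            if in_window and covers:
                retransmitted += 1
                break
    ratio = retransmitted / len(dropped)
    return ("non-spoofed" if ratio >= threshold else "spoofed"), ratio

def sample_real_senders():
    # Constructed sample: five flows with one drop each; four senders retransmit.
    dropped = [Packet(1.0 + i, "198.51.100.7", "203.0.113.10", 40000 + i, 443, 1000, 1400)
               for i in range(5)]
    observed = [d._replace(ts=d.ts + 0.3) for d in dropped[:4]]
    return dropped, observed

def sample_spoofed_senders():
    # Constructed sample: later segments never cover the dropped sequence range.
    dropped = [Packet(1.0 + i, "192.0.2.9", "203.0.113.10", 50000 + i, 443, 1000, 1400)
               for i in range(5)]
    observed = [d._replace(ts=d.ts + 0.3, seq=d.seq + 50000) for d in dropped]
    return dropped, observed

if __name__ == "__main__":
    print(classify_aggregate(*sample_real_senders()))
    print(classify_aggregate(*sample_spoofed_senders()))
```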

In this presentation, we outline our vision for Penny as an open-source tool (openPenny) that ISPs can use not only to detect routing misconfigurations, recommend policy or commercial agreement adjustments, and safeguard against security threats such as BGP hijacks, but also to identify upstream/downstream packet loss, detect abruptly terminated TCP flows, and observe load-balancing behaviour.

Summary

In this presentation, we introduce Penny, a lightweight and practical traffic checker that enables ISPs to identify non-spoofed traffic entering at unexpected locations. By leveraging TCP retransmission behaviour, Penny helps operators detect routing misconfigurations, recommend policy and commercial agreement adjustments, and safeguard against security attacks (e.g., BGP hijacks).

Talk Duration 10 Minutes Presentation (+5 Minutes Q&A)
Can your presentation be broadcast live on our webcast, which will be accessible via Youtube? Yes
Can your presentation slides be published publicly on our Indico instance and the NetUK website? Yes
Can a recording of your presentation be published publicly on our website? Yes
Can a recording of your presentation be uploaded to our public YouTube channel? Yes
Do you consent for us to publish your name and affiliation as a Speaker on the NetUK website and Social Media? Yes

Author

Petros Gigis (University College London)
