Title :
Security vulnerabilities and solutions for packet sampling
Author :
Goldberg, Sharon ; Rexford, Jennifer
Author_Institution :
Princeton Univ., Princeton, NJ
Date :
April 30 2007-May 2 2007
Abstract :
Packet sampling supports a range of Internet measurement applications, including characterizing the spatial flow of traffic through a network for traffic engineering purposes, identifying the flows utilizing a link for billing purposes or for intrusion detection, and monitoring end-to-end data-path quality. However, packet-sampling mechanisms must be robust to adversarial hosts that craft packet streams that are disproportionately selected by a packet sampler. For example, a botnet flooding a network with packets in a denial-of-service attack, or a greedy customer trying to avoid being billed for network utilization, each has a strong incentive to craft packet streams that evade selection by the packet sampler. In this paper, we focus on securing the passive packet sampling mechanisms recommended by PSAMP (the IETF Packet Sampling working group [1]) against adversarial hosts. We show that (1) some of the packet sampling techniques suggested in current drafts of the PSAMP charter have security vulnerabilities, (2) secure uncoordinated sampling can be achieved using random sampling with a cryptographic random number generator, and (3) secure coordinated sampling requires a cryptographic pseudorandom function, keyed with a secret key that should be changed each time the sampler leaks information to the hosts.
Keywords :
Internet; cryptography; random processes; sampling methods; telecommunication traffic; Internet measurement application; cryptographic pseudorandom function; cryptographic random number generator; denial-of-service attack; end-to-end data-path quality; intrusion detection; packet sampling; security vulnerability; telecommunication traffic; Cryptography; Data engineering; Data security; Fluid flow measurement; IP networks; Intrusion detection; Monitoring; Robustness; Sampling methods; Telecommunication traffic
Conference_Title :
Sarnoff Symposium, 2007 IEEE
Conference_Location :
Nassau Inn, Princeton, NJ
Print_ISBN :
978-1-4244-2483-2
DOI :
10.1109/SARNOF.2007.4567339