Packet sampling supports a range of Internet measurement applications including characterizing the spatial flow of traffic through a network for traffic engineering purposes, identifying the flows utilizing a link for billing purposes or for intrusion detection, and monitoring end-to-end data-path quality. However, packet-sampling mechanisms must be robust to adversarial hosts that craft packet streams that are disproportionately selected by a packet sampler. For example, a botnet flooding a

more »

... work with packets in a denial-of-service attack, or a greedy customer trying to avoid being billed for network utilization, each have a strong incentive to craft packet streams that evade selection by the packet sampler. In this paper, we focus on securing the passive packet sampling mechanisms recommended by PSAMP (the IETF Packet Sampling working group [1]) against adversarial hosts. We show that (1) some of the packet sampling techniques suggested in current drafts of the PSAMP charter have security vulnerabilities, (2) secure uncoordinated sampling can be achieved using random sampling with a cryptographic random number generator, and (3) secure coordinated sampling requires a cryptographic pseudorandom function, keyed with a secret key that should be changed each time the sampler leaks information to the hosts. • Greedy customers have an incentive to generate packet streams that evade selection by the Sampler in order to avoid being billed by providers for network utilization. • Malicious users or botnets performing a denial of service (DoS) attack have an incentive to generate packets that evade selection by the Sampler in order to avoid an intrusion detection system. • Malicious users or botnets may attempt to flood the