Abstract
To perform day-to-day network monitoring and understand where traffic enters and traverses their networks, operators rely on packet counters (e.g., sFlow) and control-plane data. Although these tools can detect traffic, they cannot determine the true origin of the observed traffic. This observability limitation creates uncertainty: when ISPs detect unexpected changes in traffic, they cannot know if this change is due to a routing misconfiguration, a policy violation, a stealthy hijack, or is just spoofed background noise. As a result, many alerts are noisy and not actionable.
In this talk, we present OpenPenny, an open-source tool that introduces a new data-plane primitive for validating whether traffic aggregates are non-spoofed. OpenPenny builds on Penny, a research prototype that exploits TCP’s reliable retransmission mechanism. In any legitimate TCP connection, when packets are lost, the receiver notifies the sender after a few RTTs, and the sender eventually retransmits them (closed-loop behavior). In contrast, spoofed traffic is open-loop: there is no interaction between the sender and the receiver, and thus it cannot react to missing data and retransmit it. Based on this observation, OpenPenny carefully drops a few packets and waits to see whether they are retransmitted, in order to infer whether the traffic is closed-loop and genuine.
We then present OpenPenny’s design for deployment in ISPs. It runs on commodity x86 hardware and uses frameworks such as XDP/AF_XDP and DPDK. In addition to the direct inference (active) mode, we support a passive mode that does not affect traffic and only collects signals (e.g., per-packet load balancing). We also describe how these two modes, in combination, enable operators to build trustworthy ingress maps, reduce false routing alerts, and uncover data-plane path anomalies that are invisible to control-plane monitoring alone. Finally, we present a demo of OpenPenny running on a real testbed at UCL.
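The drop-and-observe idea described in the abstract, as a simplified Python model added here (it is not OpenPenny's or Penny's code). The drop budget, drop spacing, timeout, decision threshold and the simulated sender are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DropTest:
    """Toy drop-and-observe test for one traffic aggregate (all knobs assumed)."""
    max_drops: int = 4        # drop budget for the aggregate
    drop_every: int = 3       # drop every Nth new data segment
    timeout: float = 3.0      # seconds to wait for a retransmission
    threshold: float = 0.75   # fraction of drops that must come back
    seen: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # (flow, seq) -> drop time
    retransmitted: int = 0
    expired: int = 0

    def on_packet(self, ts, flow, seq):  # True = forward, False = drop
        key = (flow, seq)
        if key in self.pending:          # a segment we dropped came back
            on_time = ts - self.pending.pop(key) <= self.timeout
            self.retransmitted += on_time
            self.expired += not on_time  # too late to count as a reaction
            return True
        if key in self.seen:             # duplicate we did not cause
            return True
        self.seen.add(key)
        used = self.retransmitted + self.expired + len(self.pending)
        if used < self.max_drops and len(self.seen) % self.drop_every == 0:
            self.pending[key] = ts
            return False
        return True

    def verdict(self, now):
        lost = sum(now - t > self.timeout for t in self.pending.values())
        resolved = self.retransmitted + self.expired + lost
        if resolved < self.max_drops:
            return "inconclusive"        # too few completed drops to judge
        ok = self.retransmitted / resolved >= self.threshold
        return "closed-loop" if ok else "open-loop"

def simulate(closed_loop, segments=20, rto=1.0):  # constructed one-flow trace
    test, resend = DropTest(), []
    flow = ("198.51.100.7", 40000, "203.0.113.9", 443)  # documentation IPs
    for i in range(segments):
        ts, seq = i * 0.1, i * 1460
        while resend and resend[0][0] <= ts:   # sender's timer fired
            test.on_packet(*resend.pop(0))
        if not test.on_packet(ts, flow, seq) and closed_loop:
            resend.append((ts + rto, flow, seq))
    for pkt in resend:                         # retransmissions after the trace
        test.on_packet(*pkt)
    return test.verdict(segments * 0.1 + 10)
```

`simulate(True)` models a sender that retransmits each dropped segment after `rto` seconds, and `simulate(False)` models an open-loop source that never reacts to the drops.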
Recording
Video will be added soon.
Speaker
Petros Gigis
Petros Gigis (Gkigkis) is a network and systems engineer focusing on computer networks, Internet measurement, and routing. He holds a PhD in Computer Science from University College London (UCL), where he developed systems to help Internet Service Providers (ISPs) detect and verify network incidents at ingress. He is the Principal Investigator of OpenPenny, an open-source project that helps ISPs identify non-spoofed traffic and validate ingress routing incidents.