The most revealing things about a network are often the packets it sends when it thinks nobody asked. TCP has a long history of being measured this way: the UCSD Network Telescope and CAIDA's darknet projects have spent decades collecting the unsolicited SYN-ACKs and RSTs that arrive at unused address space. Those replies reveal the victims of spoofed-source denial-of-service attacks, because the victim answers every forged SYN and the answers land wherever the forged sources point; the same dark space also sees the direct probes of botnets and scanning campaigns. The technique is called backscatter analysis, and it works because protocols answer packets even when those packets were spoofed. QUIC, it turns out, is exceptionally good at this.
A recent piece on the APNIC blog describes using QUIC backscatter specifically to infer how large content providers, the hypergiants, have deployed their infrastructure. The approach produces a surprisingly detailed picture of CDN topology from a purely passive measurement perspective.
What QUIC backscatter actually is
QUIC is specified in RFC 9000 as a transport protocol running over UDP, with the TLS 1.3 handshake carried inside it (RFC 9001). One of its design goals was cutting handshake latency, and another was resisting the state-exhaustion attacks TCP suffers, so several of a server's first responses are generated without allocating any per-connection state. That choice is exactly what makes it useful for backscatter measurement.
When a QUIC server receives a long-header packet whose version it does not support, it responds with a Version Negotiation packet. Crucially, it does this without creating any connection state: it reads the version-independent header fields, sees a version it cannot handle, and emits a reply to the source address on the packet. The only gate is size. RFC 9000 has servers drop Initial-shaped datagrams smaller than 1200 bytes and answer with Version Negotiation only when the datagram was large enough to have started a connection, so the reply is always smaller than what provoked it. If that source address was spoofed, the reply goes somewhere the sender never intended. That misdirected packet is backscatter.
QUIC also defines the Stateless Reset, which an endpoint sends when it receives a packet for a connection it cannot identify, for instance after a restart that lost connection state. The reset carries a 16-byte token that the server can compute as a keyed function of the connection ID, so it needs no stored state; it is padded with random bytes so that it looks like ordinary short-header traffic, and it must be smaller than the packet that provoked it. Retry packets, sent for address validation, have the same stateless character: the server encodes everything it needs into the Retry token that the client has to echo back.
The key structural difference from TCP is how much information the stateless responses carry. A TCP SYN-ACK tells you the server is alive and gives you a sequence number, a window size and a handful of options. A QUIC Version Negotiation packet tells you the full list of versions the server supports, in the order its implementation emits them, including any reserved greasing values of the form 0x?a?a?a?a it chooses to add. That list fingerprints the software stack answering at that address, and when different edge sites run different builds or configurations it varies by location. Note what it does not carry: a Version Negotiation packet only echoes the client's two connection IDs back, swapped, so the server's own connection ID format shows up in Retry and Initial packets, not here.
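To make the exchange concrete, here is an added example (not code from the original post or from the APNIC article) that builds an Initial-shaped probe with an unsupported version, applies the server's stateless Version Negotiation logic including the 1200-byte gate, and parses the reply the way a measurer would. The version constants are the real QUIC v1 and v2 numbers; the unsupported version 0xDEADBEEF, the connection IDs and the greasing value are made up for the illustration, and the probe carries only padding after the version-independent header, since a server that does not support the version never parses further.

```python
import os
import struct

# Real version numbers: QUIC v1 (RFC 9000) and QUIC v2 (RFC 9369).
QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
# RFC 9000: Initial-shaped datagrams smaller than this are dropped, and an
# unsupported version is answered only when the datagram was large enough
# to have started a connection, which keeps Version Negotiation from amplifying.
MIN_INITIAL_DATAGRAM = 1200


def split_invariant_header(datagram):
    """Parse the version-independent long-header fields (RFC 8999):
    first byte, 32-bit version, DCID length + DCID, SCID length + SCID.
    Returns (version, dcid, scid, offset of the version-specific bytes)."""
    if len(datagram) < 7 or not datagram[0] & 0x80:
        raise ValueError("not a long-header packet")
    version = struct.unpack("!I", datagram[1:5])[0]
    pos, ids = 5, []
    for _ in range(2):
        if pos >= len(datagram):
            raise ValueError("truncated connection IDs")
        n = datagram[pos]
        cid = datagram[pos + 1:pos + 1 + n]
        if len(cid) != n:
            raise ValueError("truncated connection IDs")
        ids.append(cid)
        pos += 1 + n
    return version, ids[0], ids[1], pos


def build_initial_probe(version, dcid, scid, size=MIN_INITIAL_DATAGRAM):
    """Constructed probe: long header with Initial type bits, the target
    version, our two connection IDs, then PADDING (0x00) up to `size` bytes."""
    first = 0xC0  # long header (1), fixed bit (1), type 00 = Initial
    header = struct.pack("!BI", first, version)
    header += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    if size < len(header):
        raise ValueError("size smaller than header")
    return header + b"\x00" * (size - len(header))


def respond_version_negotiation(datagram, supported, grease=None):
    """Stateless server-side decision: return a Version Negotiation datagram,
    or None when RFC 9000 says to stay silent. Nothing is stored per client."""
    try:
        version, dcid, scid, _ = split_invariant_header(datagram)
    except ValueError:
        return None                      # short header or garbage: drop
    if version == 0 or version in supported:
        return None                      # VN itself, or a version we speak
    if len(datagram) < MIN_INITIAL_DATAGRAM:
        return None                      # too small to start a connection
    # Long-header bit set, other seven bits random (RFC 9000 17.2.1),
    # version field 0, connection IDs swapped so the client can match it.
    out = struct.pack("!BI", 0x80 | (os.urandom(1)[0] & 0x7F), 0)
    out += bytes([len(scid)]) + scid + bytes([len(dcid)]) + dcid
    versions = list(supported) + ([grease] if grease is not None else [])
    return out + b"".join(struct.pack("!I", v) for v in versions)


def parse_version_negotiation(datagram):
    """Measurer side: recover the echoed connection IDs and the version list."""
    version, dcid, scid, pos = split_invariant_header(datagram)
    if version != 0:
        raise ValueError("not a Version Negotiation packet")
    body = datagram[pos:]
    if not body or len(body) % 4:
        raise ValueError("malformed version list")
    versions = [struct.unpack("!I", body[i:i + 4])[0] for i in range(0, len(body), 4)]
    return dcid, scid, versions


def is_reserved_version(v):
    """Versions of the form 0x?a?a?a?a are reserved for greasing (RFC 9000 15)."""
    return v & 0x0F0F0F0F == 0x0A0A0A0A


def summarize(probe, reply):
    """What one backscattered reply to one probe tells a measurer."""
    _, probe_dcid, probe_scid, _ = split_invariant_header(probe)
    dcid, scid, versions = parse_version_negotiation(reply)
    return {
        "matches_probe": dcid == probe_scid and scid == probe_dcid,
        "supported": [v for v in versions if not is_reserved_version(v)],
        "greased": any(is_reserved_version(v) for v in versions),
        "amplification": len(reply) / len(probe),
    }


if __name__ == "__main__":
    probe = build_initial_probe(0xDEADBEEF, os.urandom(8), os.urandom(8))
    reply = respond_version_negotiation(probe, [QUIC_V1, QUIC_V2], grease=0x1A2A3A4A)
    print(summarize(probe, reply))
```

The `matches_probe` check is how a measurer ties a reply back to the probe that caused it when many probes are in flight, and the amplification ratio comes out well under one because the 1200-byte probe is answered with a few dozen bytes; shrink the probe below 1200 bytes and the server logic stays silent.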
What hypergiants are and why their topology is hard to measure
The term hypergiants refers to a small set of content providers whose networks carry a disproportionate share of global internet traffic. Since Arbor Networks coined the term in its 2010 inter-domain traffic study, follow-on work has consistently found that a handful of organizations, Google, Meta, Netflix, Akamai, Cloudflare, and a few others, account for a majority of inter-domain traffic volume.
These organizations do not serve their users the way a typical web host does. Rather than routing requests across the public internet to a central datacenter, they build private backbone networks and place edge nodes as close to users as possible. Their edge servers are often colocated inside ISP facilities using arrangements that are not publicly documented. The infrastructure is massive and intentionally opaque.
The standard technique for mapping anycast deployments is to probe from many distributed vantage points and work out which physical site answered each one, from latency or from the traceroute path. Platforms like RIPE Atlas and the PEERING testbed have been used for this extensively. But these active approaches require coordination and vantage-point access, and they produce measurements that operators can observe and react to.
Backscatter measurement is different. You are not completing an exchange with the target, and you need no vantage point anywhere near it: the replies arrive uninvited at addresses you control. The target still sees the probes themselves, but each one looks like the unsupported-version Initial that any out-of-date client might send, and there is no distributed probing infrastructure behind it to identify or block.
How the measurement works in practice
The approach described in the APNIC article involves sending Initial-shaped QUIC packets that carry unsupported version numbers toward hypergiant IP ranges. The source addresses are spoofed to fall inside address space the researchers control, so the Version Negotiation responses bounce back to them.
By sweeping the destination across known hypergiant prefixes and recording which addresses answer, researchers can enumerate QUIC-capable endpoints without completing a single handshake. Inferring anycast catchments needs more, and it is worth being precise about what the spoofed source does and does not change. Which edge site receives a probe is decided by the forward path from wherever the probe is injected into the network, not by the source address written into it; what the spoofed source changes is the return path, so the reply from whichever site handled the probe lands at the chosen address in the controlled space. The reply must therefore carry something that identifies the responding site, such as its version list and ordering, the connection ID a Retry hands out, or the IP TTL the reply arrives with, and the probes must reach the prefix from more than one injection point to see more than one site.
This is a variant of the anycast catchment measurement problem, and the gain over active probing is on the collection side. No probe node needs to sit in each region to receive answers, because every answer is redirected to the researchers' own address space, and enumeration scales to entire prefixes with packets that create no state on either end.
Connection ID structure adds another layer of information. A Version Negotiation packet only echoes the client's connection IDs, but a Retry packet, also generated without state, carries a connection ID the server chose, and so does the server's first Initial once a handshake proceeds. Hypergiants often encode routing information or load balancer identifiers into these IDs. Observing how the server-chosen IDs differ across responses from the same IP prefix can reveal whether you are reaching a single physical machine, a cluster behind a load balancer, or separate PoPs behind an anycast prefix.
The QUIC design tension this exposes
QUIC's stateless response behavior is a deliberate tradeoff. Answering a first packet without allocating state is what keeps QUIC from inheriting TCP's SYN flood problem, where a server must hold state for every incoming SYN until the handshake completes or times out; Retry goes further and pushes address validation into a token the client has to echo, so no half-open state exists at all. Amplification is handled by a separate rule rather than by statelessness: the client must pad Initials to at least 1200 bytes, the server drops anything smaller, and it may send no more than three times what it has received to an address it has not yet validated.
But a stateless response is generated from the incoming packet alone, before the server has any evidence that the source address is genuine; validation only happens later, through Retry or the handshake itself. That is the same property that enables backscatter collection. The designers of QUIC were aware of it, and the security considerations of RFC 9000 discuss amplification at length, but the topological leakage angle is subtler. The protocol is not amplifying traffic toward a victim; it is leaking infrastructure geometry to a careful observer.
There is also a connection ID confidentiality issue. RFC 9000 section 5.1 requires that connection IDs carry nothing an outside observer can use to correlate them with other IDs for the same connection, but many production deployments still encode routing information into CIDs because it lets a load balancer steer returning packets to the right server without maintaining an external state table. This is a widely documented operational pattern, described in the QUIC-LB draft (draft-ietf-quic-load-balancers), which specifies how to encode a server ID in a CID. The draft also provides encrypted encodings that keep the server ID readable only by holders of the load balancer's key; the leak comes from deployments that use a plaintext layout or roll their own. Researchers who know the encoding scheme, or who have enough samples to reverse-engineer it, can extract routing topology from CID observations.
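As an added example covering both the connection ID observations in the measurement section and the QUIC-LB encoding discussed here (it is not the page's code, nor any operator's), the following profiles a batch of connection IDs, all constructed inline, to tell a structured encoding from random IDs and, where structure appears, groups the IDs by the fields it recovers. The byte layout it assumes, config rotation in the top bits of the first byte, a two-byte server ID, then a nonce, is a simplification modeled on the plaintext form in the QUIC-LB draft, not the exact format of any deployment.

```python
import random
from collections import Counter, defaultdict

CID_LEN = 8
SID_LEN = 2  # assumed server-ID width for the illustrative layout


def make_structured_cid(rng, config, server_id, sid_len=SID_LEN, cid_len=CID_LEN):
    """Constructed sample: assumed plaintext layout loosely modeled on QUIC-LB.
    byte 0 = config rotation (top two bits) | field length (low bits),
    then the server ID big-endian, then a random nonce to the end."""
    first = ((config & 0x3) << 6) | (sid_len & 0x3F)
    nonce = bytes(rng.randrange(256) for _ in range(cid_len - 1 - sid_len))
    return bytes([first]) + server_id.to_bytes(sid_len, "big") + nonce


def make_random_cid(rng, cid_len=CID_LEN):
    """Constructed sample in the RFC 9000 5.1 spirit: no recoverable structure."""
    return bytes(rng.randrange(256) for _ in range(cid_len))


def sample_structured(seed=7, per_server=20):
    """80 CIDs as if collected behind one prefix: three servers on config
    rotation 0 and one on rotation 1 (say, a newer deployment generation)."""
    rng = random.Random(seed)
    plan = [(0, 0x0101), (0, 0x0202), (0, 0x0303), (1, 0x0909)]
    cids = [make_structured_cid(rng, c, s) for c, s in plan for _ in range(per_server)]
    rng.shuffle(cids)
    return cids


def sample_random(seed=7, n=80):
    rng = random.Random(seed)
    return [make_random_cid(rng) for _ in range(n)]


def position_profile(cids):
    """Distinct byte values seen at each position across the batch."""
    length = len(cids[0])
    if any(len(c) != length for c in cids):
        raise ValueError("mixed CID lengths; profile each length separately")
    return [len({c[i] for c in cids}) for i in range(length)]


def classify_positions(cids):
    """Label each position: fixed (one value), structured (few values for the
    sample size, i.e. a field with a small alphabet), random (nonce-like)."""
    n = len(cids)
    labels = []
    for distinct in position_profile(cids):
        if distinct == 1:
            labels.append("fixed")
        elif distinct <= max(2, n // 8):
            labels.append("structured")
        else:
            labels.append("random")
    return labels


def decode(cid, sid_len=SID_LEN):
    """Read the assumed layout back out of one CID: (config, server_id)."""
    return cid[0] >> 6, int.from_bytes(cid[1:1 + sid_len], "big")


def topology_summary(cids, sid_len=SID_LEN):
    """Group a batch by (config rotation, server ID) once the position profile
    shows structure; otherwise report that nothing is recoverable."""
    labels = classify_positions(cids)
    if all(label == "random" for label in labels):
        return {"structured": False, "positions": labels}
    per_config = defaultdict(Counter)
    for cid in cids:
        config, sid = decode(cid, sid_len)
        per_config[config][sid] += 1
    return {
        "structured": True,
        "positions": labels,
        "configs": {c: dict(ctr) for c, ctr in sorted(per_config.items())},
        "distinct_servers": sum(len(ctr) for ctr in per_config.values()),
    }


if __name__ == "__main__":
    print(topology_summary(sample_structured()))
    print(topology_summary(sample_random()))
```

The position profile is the reverse-engineering step: fields with a small alphabet (config bits, server IDs) show up as positions with few distinct values across many samples, while nonces look random at every byte. Only once that profile shows structure does the decoder apply a layout, and on the random batch it correctly reports nothing, which is what a deployment using the encrypted QUIC-LB forms or fully random IDs would look like from outside.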
What this tells us about the internet’s structure
The broader implication is that protocol design choices compound over time in ways that are hard to anticipate. QUIC’s stateless response behavior was motivated by availability and DoS resistance. QUIC-LB’s CID encoding was motivated by operational simplicity. Neither decision was motivated by a desire to expose hypergiant topology to outside observers. But together, from a measurement perspective, they produce a protocol that is more transparent about infrastructure geography than TCP ever was.
For those of us building systems on top of hypergiant infrastructure, whether via CDN APIs, cloud providers, or direct peering arrangements, this research is a reminder that the physical shape of the internet is increasingly knowable even when operators do not publish it. BGP routing tables, latency measurements, and now QUIC backscatter all contribute to a steadily improving map of where traffic actually goes.
For protocol designers, it raises a genuine question about whether stateless response generation deserves more careful scoping. Answering every sufficiently large unsupported-version Initial with a Version Negotiation packet that lists the supported versions is convenient for clients, but it also turns every QUIC server into something that announces its configuration to anyone willing to send spoofed packets at it.
Measurement research like this tends to move faster than operational responses to it. Hypergiants will likely adapt their QUIC configurations, vary or encrypt their CID encodings more aggressively, or limit how many Version Negotiation packets they send, which RFC 9000 already permits a server to do. In the meantime, the backscatter approach gives the internet measurement community a passive, scalable technique for tracking infrastructure that has historically been nearly impossible to observe from the outside.