What QUIC Backscatter Reveals About the Hidden Shape of the Internet
Source: lobsters
The internet’s largest providers operate at a scale that makes direct measurement nearly impossible. Google, Cloudflare, Meta, Akamai, and a handful of others collectively serve a significant fraction of all global traffic, but the internal topology of their deployments is mostly opaque. You can ping an anycast address and get a response, but you rarely know whether that response came from one of three servers or one of three thousand. A recent post on the APNIC blog describes a technique that changes this, using QUIC’s own stateless mechanisms as a measurement primitive to peel back some of that opacity.
The approach builds on a long tradition in network measurement called backscatter analysis. The original TCP backscatter technique, developed and refined by researchers at CAIDA over two decades, exploited a simple fact: when a DDoS attack spoofs source addresses, the SYN/ACK responses get delivered to whatever addresses were spoofed, that is, to innocent third parties who never sent a SYN. Those unsolicited packets, visible to anyone operating a large enough telescope network, revealed both the scale of attacks and the distribution of responding servers. The technique worked because TCP's handshake answers every SYN with an observable response addressed to whoever the SYN claimed to come from, so the responses carry information about the victim to parties that never sent anything.
QUIC introduces a different class of observable response through its Stateless Reset mechanism, defined in RFC 9000 (section 10.3). When a QUIC endpoint receives a packet whose connection ID it doesn't recognize, it has no session state to look up, so it can't decrypt or process the packet normally. Rather than silently drop it, the endpoint may send a Stateless Reset: a short UDP datagram shaped like a short-header packet whose last 16 bytes are a Stateless Reset Token. The token is something the endpoint handed its peer earlier, in a transport parameter or a NEW_CONNECTION_ID frame, and RFC 9000 recommends deriving it from the connection ID with a static key so that the endpoint can regenerate it on demand. A peer that still holds the token can therefore recognize the reset as genuine while the endpoint keeps no per-connection state (the RFC also requires that a reset be smaller than the packet that triggered it, which rules out using it as an amplifier). This design is intentional and sensible; it lets servers restart without stranding clients permanently. But it also means that sending a crafted QUIC packet to an address will often produce a measurable, token-bearing response, even with no prior handshake.
The measurement technique works roughly like this. A researcher sends short-header QUIC packets carrying fabricated destination connection IDs to a target address. (An Initial packet would not do: a client-chosen connection ID in an Initial is simply the start of a new handshake, which the server answers rather than resets.) If the server has no state for that connection ID, it may respond with a Stateless Reset carrying a token. Because the token is a keyed function of the connection ID, tokens are only comparable between probes that carried the same connection ID: repeating one connection ID many times toward one address, or sending it to many addresses, and collecting the resulting tokens lets the researcher fingerprint the answering servers. Two probes with the same connection ID that elicit identical tokens were answered by the same reset key, so almost certainly by the same physical or logical endpoint; two that elicit different tokens were answered by different endpoints. The one caveat is that the fingerprint is really of the key, not the machine: a provider that derives tokens from one key shared across a fleet looks like a single endpoint no matter how many servers sit behind it. At scale, across all the IP addresses that a hypergiant routes to a given anycast prefix, this lets you count and characterize the server population.
This matters because hypergiants deploy almost universally via anycast, a routing technique where many geographically distributed servers share a single IP address. When you connect to 1.1.1.1, BGP routes you to whichever Cloudflare node is topologically closest, but you have no visibility into whether that node is a single machine, a rack, or a data center with thousands of servers behind a local load balancer. The QUIC backscatter technique exposes the second layer: given that you’ve landed at a particular anycast site, how many distinct QUIC endpoints sit behind that address, and how does load balancing route connections among them?
The answer varies considerably by provider and deployment strategy. Some providers use QUIC-LB, an IETF draft (draft-ietf-quic-load-balancers) that encodes routing information directly into connection IDs so that load balancers can forward packets to the correct backend without maintaining per-flow state. If a provider uses QUIC-LB, the connection ID carries an opaque routing field, and probes with the same routing bits consistently reach the same backend. This makes the backscatter tokens predictable and correlated, revealing the load balancing topology directly: a repeated connection ID always yields the same token, and varying only the routing bits steers probes between backends. Other providers route on a hash of the UDP 4-tuple, or on a round-robin or random choice that ignores the connection ID entirely; there a repeated connection ID lands on different backends as the probe's source port or the round-robin position changes, and the set of tokens it collects reveals how many distinct backends share the address and how evenly load is spread across them.
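The exchange described in the last few paragraphs, the reset mechanism, the same-connection-ID comparison and the contrast between connection-ID routing and round-robin, as one added illustration that is not code from the APNIC post or from any provider. Everything in it is constructed: the backends, their static keys, the documentation-range addresses, the routing policies and the connection ID. The token derivation (HMAC over the connection ID, truncated to 16 bytes) is one construction RFC 9000 permits, not a claim about what any hypergiant does.

```python
"""Toy QUIC Stateless Reset exchange and the backscatter comparisons built on it.
Added example; fleet, keys, addresses and policies are all constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

TOKEN_LEN = 16
MIN_RESET_LEN = 21  # RFC 9000 s10.3: 2 fixed bits + >=38 unpredictable bits + 128-bit token


def reset_token(static_key: bytes, cid: bytes) -> bytes:
    """One construction RFC 9000 s10.3.2 permits: a keyed PRF over the connection ID, truncated.
    The token is a deterministic function of (key, cid); that determinism is what a prober exploits."""
    return hmac.new(static_key, cid, hashlib.sha256).digest()[:TOKEN_LEN]


def short_header_probe(dcid: bytes, size: int = 1200) -> bytes:
    """A short-header (1-RTT) packet: header form 0, fixed bit 1, then the DCID, then random
    bytes standing in for a protected payload that no server can decrypt."""
    return bytes([0x41]) + dcid + os.urandom(size - 1 - len(dcid))


class Backend:
    """One server with its own static reset key; `live` holds CIDs it has real state for."""

    def __init__(self, name: str, static_key: bytes, cid_len: int = 8):
        self.name, self.key, self.cid_len = name, static_key, cid_len
        self.live: set[bytes] = set()

    def handle(self, datagram: bytes) -> bytes | None:
        if datagram[0] & 0xC0 != 0x40 or len(datagram) <= MIN_RESET_LEN:
            return None  # long header (a new handshake, not a reset case) or too small to answer
        dcid = datagram[1:1 + self.cid_len]
        if dcid in self.live:
            return None  # would be decrypted and processed normally
        # Unknown CID: Stateless Reset, strictly smaller than the trigger (RFC 9000 s10.3).
        reset_len = min(len(datagram) - 1, 48)
        head = bytes([0x40 | (os.urandom(1)[0] & 0x3F)])
        return head + os.urandom(reset_len - 1 - TOKEN_LEN) + reset_token(self.key, dcid)


class AnycastAddress:
    """A load balancer in front of several backends. Policy 'cid' mimics QUIC-LB (routing bits
    carried in the CID, here its first byte); 'rr' is per-packet round-robin ignoring the CID."""

    def __init__(self, name: str, backends: list[Backend], policy: str):
        self.name, self.backends, self.policy, self._next = name, backends, policy, 0

    def route(self, datagram: bytes) -> bytes | None:
        if self.policy == "cid":
            idx = datagram[1] % len(self.backends)
        else:
            idx, self._next = self._next % len(self.backends), self._next + 1
        return self.backends[idx].handle(datagram)


def parse_reset(datagram: bytes | None) -> bytes | None:
    """Prober-side recognition (RFC 9000 s10.3.1): short-header form, minimum length, token in
    the last 16 bytes. A real client compares them with a token it was given; a prober holds
    none, so it just records them."""
    if datagram is None or len(datagram) < MIN_RESET_LEN or datagram[0] & 0xC0 != 0x40:
        return None
    return datagram[-TOKEN_LEN:]


def fingerprint(addr: AnycastAddress, cid: bytes, repeats: int = 24) -> set[bytes]:
    """Send the SAME CID repeatedly to one address. Each distinct token is a distinct reset key,
    i.e. a distinct backend (or key domain) answering behind that address."""
    tokens: set[bytes] = set()
    for _ in range(repeats):
        tok = parse_reset(addr.route(short_header_probe(cid)))
        if tok is not None:
            tokens.add(tok)
    return tokens


def key_sharing(addrs: list[AnycastAddress], cid: bytes) -> dict[bytes, set[str]]:
    """Send the SAME CID to several addresses; addresses answering with an identical token share
    a reset key, so they are the same server or the same key domain."""
    by_token: dict[bytes, set[str]] = defaultdict(set)
    for a in addrs:
        for tok in fingerprint(a, cid):
            by_token[tok].add(a.name)
    return dict(by_token)


# Constructed fleet (illustrative, not any provider's): three backends with private keys behind a
# round-robin address and a QUIC-LB-style address, plus an address whose servers share one key.
K1, K2, K3 = os.urandom(32), os.urandom(32), os.urandom(32)
B1, B2, B3 = Backend("b1", K1), Backend("b2", K2), Backend("b3", K3)
ADDR_RR = AnycastAddress("198.51.100.1", [B1, B2, B3], "rr")
ADDR_LB = AnycastAddress("198.51.100.2", [B1, B2, B3], "cid")
ADDR_SHARED = AnycastAddress("198.51.100.3", [Backend(f"s{i}", b"one-fleet-key") for i in range(3)], "rr")
PROBE_CID = bytes.fromhex("0102030405060708")  # routing byte 0x01 -> backend index 1 under 'cid'

if __name__ == "__main__":
    for addr in (ADDR_RR, ADDR_LB, ADDR_SHARED):
        print(addr.name, addr.policy, "distinct tokens for one CID:", len(fingerprint(addr, PROBE_CID)))
    shared = key_sharing([ADDR_RR, ADDR_LB], PROBE_CID)
    print("addresses answering one CID with the same token:", [sorted(v) for v in shared.values() if len(v) > 1])
```

Running the script prints three distinct tokens for the round-robin address, one for the QUIC-LB-style address (the routing byte pins every probe to the same backend) and one for the shared-key address, which is the caveat above in miniature: without per-server keys the prober cannot tell three servers from one. `key_sharing` is the cross-address comparison: the backend that serves both addresses answers both with the same token for the same connection ID, while tokens for two different connection IDs never match even from the same backend.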
What researchers can extract from this data includes the effective server multiplicity behind an anycast node, whether load balancing is sticky (consistent hashing) or ephemeral (round-robin or random), whether connection migration is supported across backends (implying shared session state or a distributed state store), and changes in backend count over time as providers scale capacity up or down.
For a provider like Google, which has been deploying QUIC since before it was standardized, this kind of measurement reveals something about the maturity and sophistication of their infrastructure. Google’s QUIC implementation has gone through multiple generations, from the original GQUIC to the standardized IETF QUIC, and their deployment spans thousands of machines globally. The backscatter signature of a well-tuned QUIC-LB deployment looks structurally different from a deployment where stateless resets are generated ad hoc. Cloudflare, whose infrastructure philosophy emphasizes running the same software stack uniformly across all edge locations, should in principle show a consistent backscatter signature across geographic sites. Deviations from that consistency indicate either heterogeneous software versions or location-specific configuration.
There is an interesting irony in this technique. One of QUIC's design goals was to reduce what passive on-path observers can see of a connection. Unlike TCP, whose handshakes and sequence numbers are plaintext, QUIC encrypts nearly everything and applies header protection to packet numbers, so only a handful of bits in each packet are in the clear. The QUIC invariants (RFC 8999) deliberately leave very little visible to middleboxes. But the stateless reset mechanism, necessary for operational correctness, creates a new observation surface that is arguably more informative than anything TCP exposed about server-side topology. You can't see the QUIC payload, but you can see how many servers share an address and how they coordinate.
This is a recurring pattern in protocol design. Designing away one measurement surface often creates another. HTTPS eliminated passive content inspection but made TLS certificate metadata a rich source of fingerprinting. IPv6 privacy addresses broke address-based tracking but QUIC connection IDs have been used for cross-network correlation in their place, a concern explicit enough to merit its own section in RFC 9000, section 9.5. The backscatter work sits in a similar space: the feature that creates observability is not a bug or an oversight, it is a load-bearing part of the protocol’s operational design.
From a network measurement perspective, the value of this technique extends beyond satisfying curiosity about CDN architecture. Understanding hypergiant deployment configurations matters for capacity planning, for understanding resilience to failures, for BGP routing analysis, and for characterizing how concentrated the serving of internet traffic actually is. If six anycast addresses collectively handle 40% of global HTTP/3 traffic, and each address is backed by an average of N distinct server pools, that concentration has implications for both the robustness of the internet and the competitive dynamics of infrastructure at scale.
For researchers, the practical requirements are modest. QUIC runs over UDP, probing is fast, and the response rate for Stateless Reset is high enough to build statistically useful samples with relatively small probe volumes. The technique is active, but it needs no cooperation from the providers being measured, and the probing traffic is hard to distinguish from the stray short-header packets a legitimate client sends after its server restarted or its session expired, which is exactly the case Stateless Reset exists for. Two practical constraints follow from the protocol: a probe must be larger than the reset it is meant to elicit, since RFC 9000 forbids resets that exceed the triggering packet, and a server is free to rate-limit resets, so aggressive probing of one address can depress its own response rate.
For the providers themselves, the main takeaway is that QUIC's operational behaviors are not invisible even when the data is encrypted. The structural fingerprint of a deployment, the number of backends, the load balancing algorithm, the presence or absence of shared session state, leaks through the stateless reset mechanism regardless of what is in the payload. Operators who care about this exposure can reduce it by rate-limiting or suppressing stateless resets, but that trades measurement opacity for degraded client experience when servers restart: a client whose server vanished keeps retransmitting until its idle timeout instead of failing fast. A cheaper option is to change what the fingerprint means rather than hide it. Deriving tokens from one static key shared across a site or fleet makes every backend answer alike for a given connection ID, which collapses the backend count a prober can see, and has the side benefit that any server at the site can reset a connection another one held. It is the usual tradeoff between operational correctness and information hiding, and as with most such tradeoffs, the correct answer depends heavily on threat model.
The broader implication is that as QUIC adoption continues to grow, the measurement community will develop an increasingly detailed picture of how the infrastructure running it is actually structured. TCP gave us flow-level visibility. QUIC, ironically, may give us topology-level visibility into the server farms that the protocol was partly designed to make opaque.