The packet matching approach may provide a relatively straightforward mechanism for establishing round-trip timing metrics for specific packet flows. However, in some cases such a mechanism may not be sufficient on its own to determine whether packets are being surreptitiously redirected, because round-trip times may vary during ordinary use. Additional discriminating characteristics of the packet route may be used to distinguish between "normal" packet round-trip times and surreptitiously redirected packets.
In an embodiment, those packets which are not extensively processed by the endpoints may be identified and their round-trip times measured. One example of these types of packets is the set of packets that make up the TCP/IP "3-way handshake" that occurs during TCP/IP session setup. These packets are characterized by the use of the SYN flag in the packet header. The following packet flow typically is used to implement this handshake:
Host A sends a TCP synchronize packet (SYN) to Host B.
Host B receives A's SYN.
Host B sends a synchronize-acknowledgement (SYN-ACK).
Host A receives B's SYN-ACK.
Host A sends an acknowledge response (ACK).
Host B receives ACK.
TCP session connection is ESTABLISHED.
Since Host A and Host B process the 3-way handshake protocol packets at a low level of the IP stack, these processing times are generally less affected by server loads than processes running at the application level on the server. This approach mitigates the effects of server load on the packet round-trip timing.
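The measurement described above can be sketched as follows. This is an added example, not code from the original text: it pairs each SYN with its SYN-ACK as seen from a capture point near Host A, discards flows whose SYN was retransmitted, and compares the result with a baseline. The packet tuple layout, the addresses, the baseline values and the 2x threshold are all assumptions made for illustration.

```python
from statistics import median

SYN, ACK = 0x02, 0x10  # TCP flag bits

def handshake_rtts(packets):
    """Return {flow: rtt_seconds} for SYN -> SYN-ACK pairs seen near Host A.

    Each packet is (ts, src, sport, dst, dport, flags, seq, ack).
    Flows whose SYN was retransmitted are dropped: the SYN-ACK cannot be
    attributed to one particular SYN, so the sample would be ambiguous.
    """
    pending, ambiguous, rtts = {}, set(), {}
    for ts, src, sport, dst, dport, flags, seq, ack in packets:
        if flags & SYN and not flags & ACK:            # client SYN
            flow = (src, sport, dst, dport)
            if flow in pending:
                ambiguous.add(flow)                    # retransmitted SYN
            else:
                pending[flow] = (ts, seq)
        elif flags & SYN and flags & ACK:              # server SYN-ACK
            flow = (dst, dport, src, sport)            # key by client side
            if flow in pending and flow not in rtts:
                t0, isn = pending[flow]
                if ack == (isn + 1) & 0xFFFFFFFF and flow not in ambiguous:
                    rtts[flow] = ts - t0
    return rtts

def flag_slow_handshakes(rtts, baseline, factor=2.0):
    """Flows whose handshake RTT exceeds factor x the baseline median.
    The factor is an assumed threshold, not a value from the text."""
    limit = factor * median(baseline)
    return sorted(f for f, rtt in rtts.items() if rtt > limit)

# Constructed capture: (ts, src, sport, dst, dport, flags, seq, ack)
A, B = "192.0.2.10", "198.51.100.20"
CAPTURE = [
    (0.000, A, 40001, B, 443, SYN, 1000, 0),
    (0.020, B, 443, A, 40001, SYN | ACK, 5000, 1001),   # 20 ms
    (1.000, A, 40002, B, 443, SYN, 2000, 0),
    (1.095, B, 443, A, 40002, SYN | ACK, 6000, 2001),   # 95 ms
    (2.000, A, 40003, B, 443, SYN, 3000, 0),
    (3.000, A, 40003, B, 443, SYN, 3000, 0),            # retransmit
    (3.020, B, 443, A, 40003, SYN | ACK, 7000, 3001),
]
BASELINE = [0.019, 0.021, 0.020, 0.022]  # constructed prior RTTs, seconds

if __name__ == "__main__":
    rtts = handshake_rtts(CAPTURE)
    print(rtts, flag_slow_handshakes(rtts, BASELINE))
```

A single slow handshake is only a signal to correlate with the other route characteristics mentioned above, since ordinary path variation can also produce it.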