Protocol spoofing
Encyclopedia
Protocol spoofing is used in data communications to improve performance in situations where an existing protocol is inadequate, for example due to long delays or high error rates.
Note: In a computer security
context, spoofing refers to various forms of falsification of data that are unrelated to the techniques discussed here. See spoofing attack
.
or router simulates ("spoofs") the remote endpoint of a connection to a locally attached host, while using a more appropriate protocol to communicate with a compatible remote device that performs the equivalent spoof at the other end of the communications link.
or CRC
for a block of data known as a packet, and transmitting the resulting number at the end of the packet. At the other end the receiver re-calculates the number and compares it to what was sent from the remote machine. If the two match the packet was transmitted correctly, and the receiver sends an ACK to signal that it's ready to receive the next packet.
The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to the modem
's speed, and is typically about 1/10 of a second. For a protocol using small packets, this delay can be larger than the time needed to send a packet. For instance, the UUCP
"g" protocol and Kermit
both use 64-byte packets, which on a 9600 bit/s link takes about 1/20th of a second to send. XModem
used a slightly larger 128 byte packet.
In early high-speed modems, before the introduction of echo cancellation
in v.32 and later protocols, modems typically had a very slow "backchannel" for sending things like these ACKs back to the sender. On a ~18,000 bit/s TrailBlazer
, for instance, the modem could send as many as 35 UUCP packets a second, but the backchannel offered only 75 bit/s, not nearly enough for the 35 bytes (280 bits) of ACK messages to get back in time to keep the transfer going.
Modems like TrailBlazer or Multi-Tech series address this by sending ACKs back from the local modem immediately. This allows the sending machine to continue streaming constantly with no interruptions. The data is then sent to the remote modem using an error-free link which requires considerably less backchannel overhead, invisibly stripping it off again at the far end. Likewise, the remote modem discards the ACKs being sent by the receiver's software.
, and on long-delay links such as those over GEO satellites, TCP's slow-start
algorithm significantly delays connection startup. A spoofing router terminates the TCP connection locally and translates the TCP to protocols tailored to long delays over the satellite link such as XTP
.
WAN links in IPX networks therefore never become idle and won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts, and re-broadcast the advertisements from its own routing/service table that it only updates when the link is active for other reasons.
Note: In a computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
context, spoofing refers to various forms of falsification of data that are unrelated to the techniques discussed here. See spoofing attack
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
.
Spoofing techniques
In most applications of protocol spoofing, a communications device such as a modemModem
A modem is a device that modulates an analog carrier signal to encode digital information, and also demodulates such a carrier signal to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded to reproduce the original digital data...
or router simulates ("spoofs") the remote endpoint of a connection to a locally attached host, while using a more appropriate protocol to communicate with a compatible remote device that performs the equivalent spoof at the other end of the communications link.
File transfer spoofing
Error correction and file transfer protocols typically work by calculating a checksumChecksum
A checksum or hash sum is a fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage. The integrity of the data can be checked at any later time by recomputing the checksum and...
or CRC
CRC
- Organizations :* California Rehabilitation Center, a state prison in the USA* Cambridge Regional College, a further education college* Cambridge Regional College F.C., a semi-professional football club in England* Canada Research Chair* Capital Research Center...
for a block of data known as a packet, and transmitting the resulting number at the end of the packet. At the other end the receiver re-calculates the number and compares it to what was sent from the remote machine. If the two match the packet was transmitted correctly, and the receiver sends an ACK to signal that it's ready to receive the next packet.
The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to the modem
Modem
A modem is a device that modulates an analog carrier signal to encode digital information, and also demodulates such a carrier signal to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded to reproduce the original digital data...
's speed, and is typically about 1/10 of a second. For a protocol using small packets, this delay can be larger than the time needed to send a packet. For instance, the UUCP
UUCP
UUCP is an abbreviation for Unix-to-Unix Copy. The term generally refers to a suite of computer programs and protocols allowing remote execution of commands and transfer of files, email and netnews between computers. Specifically, a command named uucp is one of the programs in the suite; it...
"g" protocol and Kermit
Kermit (protocol)
Kermit is a computer file transfer/management protocol and a set of communications software tools primarily used in the early years of personal computing in the 1980s; it provides a consistent approach to file transfer, terminal emulation, script programming, and character set conversion across...
both use 64-byte packets, which on a 9600 bit/s link takes about 1/20th of a second to send. XModem
XMODEM
XMODEM is a simple file transfer protocol developed as a quick hack by Ward Christensen for use in his 1977 MODEM.ASM terminal program. XMODEM became extremely popular in the early bulletin board system market, largely because it was so simple to implement...
used a slightly larger 128 byte packet.
In early high-speed modems, before the introduction of echo cancellation
Echo cancellation
'The term echo cancellation is used in telephony to describe the process of removing echo from a voice communication in order to improve voice quality on a telephone call...
in v.32 and later protocols, modems typically had a very slow "backchannel" for sending things like these ACKs back to the sender. On a ~18,000 bit/s TrailBlazer
Telebit
Telebit was a US-based modem manufacturer, most notable for their TrailBlazer series of high-speed modems. One of the first modems to routinely exceed 9600 bit/s speeds, the TrailBlazer used a proprietary modulation scheme that proved highly resilient to interference, earning the product an almost...
, for instance, the modem could send as many as 35 UUCP packets a second, but the backchannel offered only 75 bit/s, not nearly enough for the 35 bytes (280 bits) of ACK messages to get back in time to keep the transfer going.
Modems like TrailBlazer or Multi-Tech series address this by sending ACKs back from the local modem immediately. This allows the sending machine to continue streaming constantly with no interruptions. The data is then sent to the remote modem using an error-free link which requires considerably less backchannel overhead, invisibly stripping it off again at the far end. Likewise, the remote modem discards the ACKs being sent by the receiver's software.
TCP spoofing
TCP connections may suffer from performance limitations due to insufficient window size for links with high bandwidth x delay productBandwidth-delay product
In data communications, bandwidth-delay product refers to the product of a data link's capacity and its end-to-end delay . The result, an amount of data measured in bits , is equivalent to the maximum amount of data on the network circuit at any given time, i.e. data that has been transmitted but...
, and on long-delay links such as those over GEO satellites, TCP's slow-start
Slow-start
Slow-start is part of the congestion control strategy used by TCP, the data transmission protocol used by many Internet applications. Slow-start is used in conjunction with other algorithms to avoid sending more data than the network is capable of transmitting, that is, to avoid causing network...
algorithm significantly delays connection startup. A spoofing router terminates the TCP connection locally and translates the TCP to protocols tailored to long delays over the satellite link such as XTP
Xpress Transport Protocol
Xpress Transport Protocol is a transport layer protocol for high-speed networks promoted by the XTP Forum developed to replace TCP. XTP provides protocol options for error control, flow control, and rate control. Instead of separate protocols for each type of communication, XTP controls packet...
.
RIP/SAP spoofing
SAP and RIP periodically broadcast network information even if routing/service tables are unchanged. dial-on-demandDial-on-demand routing
Dial on Demand Routing is a routing technique where a network connection to a remote site is established only when needed. In other words, if the router tries to send out data and the connection is off, then the router will automatically establish a connection, send the information, and close the...
WAN links in IPX networks therefore never become idle and won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts, and re-broadcast the advertisements from its own routing/service table that it only updates when the link is active for other reasons.