Protocol spoofing

Last updated

Protocol spoofing is used in data communications to improve performance in situations where an existing protocol is inadequate, for example due to long delays or high error rates.

Contents

Spoofing techniques

In most applications of protocol spoofing, a communications device such as a modem or router simulates ("spoofs") the remote endpoint of a connection to a locally attached host, while using a more appropriate protocol to communicate with a compatible remote device that performs the equivalent spoof at the other end of the communications link.

File transfer spoofing

Error correction and file transfer protocols typically work by calculating a checksum or CRC for a block of data known as a packet, and transmitting the resulting number at the end of the packet. At the other end of the connection, the receiver re-calculates the number based on the data it received and compares that result to what was sent from the remote machine. If the two match the packet was transmitted correctly, and the receiver sends an ACK to signal that it's ready to receive the next packet.

The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to the modem's speed, and is typically about 110 of a second on short links and may be much longer on long-distance links or data networks like X.25. For a protocol using small packets, this delay can be larger than the time needed to send a packet. For instance, the UUCP "g" protocol and Kermit both use 64-byte packets, which on a 9600 bit/s link takes about 120 of a second to send. XMODEM used a slightly larger 128-byte packet, which takes about 110 of a second to send.

The next packet of data cannot be sent until the ACK for the previous packet is received. In the case of XMODEM, for instance, that means it takes a minimum of 210 of a second for the entire cycle to complete for a single packet. This means that the overall speed is only half the theoretical maximum, a 50% channel efficiency.

Protocol spoofing addresses this problem by having the local modem recognize that a data transfer is underway, often by looking for packet headers. When these are seen, the modem then looks for the end of the packet, normally by knowing the number of bytes in a single packet. XMODEM, for instance, has 132 bytes in a packet due to the header and checksum being added to the 128 bytes of actual data. When the modem sees the packet has ended, it immediately sends of spoofed ACK message back to the host. This causes the local computer to immediately send another packet, avoiding the latency of waiting for an ACK from the remote machine. The data for multiple packets is held in an internal buffer while the modem is sending it to the remote machine. This allows the packets to be sent continually, greatly improving channel efficiency. However, this also requires the link between the two systems to be error-free, as the modem has already ACKed the packets even before they have been sent. This was normally addressed by using a modem-level error correction protocol, like Microcom Networking Protocols.

Protocol spoofing was also widely used with another feature of earlier high-speed modems. Before the introduction of echo cancellation in v.32 and later protocols, high-speed modems typically had a very slow "backchannel" for sending things like these ACKs back to the sender. On the ~18,500 bit/s TrailBlazer, for instance, the modem could send as many as 35 UUCP packets a second to the receiver, but the backchannel offered only 75 bit/s, not nearly enough for the 35 bytes, 280 bits, of ACK messages generated by the remote host.

In this case, the spoofing allowed the sending modem to continue sending packets as fast as it could. At the same time, the modem on the remote receiving end dropped the ACK packets being generated by the local computer's software, keeping the backchannel clear. Since the channel efficiency only became a major problem at speeds over 2400 bit/s, and modems able to run faster than that typically had significant processing power anyway, protocol spoofing was mostly associated with these higher-speed systems.

TCP spoofing

TCP connections may suffer from performance limitations due to insufficient window size for links with high bandwidth-delay product, and on long-delay links such as those over GEO satellites, TCP's slow start algorithm significantly delays connection startup. A spoofing router terminates the TCP connection locally and translates the TCP to protocols tailored to long delays over the satellite link such as XTP.

RIP/SAP spoofing

SAP and RIP periodically broadcast network information even if routing/service tables are unchanged. dial-on-demand WAN links in IPX networks therefore never become idle and won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts, and re-broadcast the advertisements from its own routing/service table that it only updates when the link is active for other reasons.

See also

Related Research Articles

<span class="mw-page-title-main">IPv4</span> Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

In computer networking, the User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.

<span class="mw-page-title-main">Transport layer</span> Layer in the OSI and TCP/IP models providing host-to-host communication services for applications

In computer networking, the transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack in the Internet protocol suite and the OSI model. The protocols of this layer provide end-to-end communication services for applications. It provides services such as connection-oriented communication, reliability, flow control, and multiplexing.

UUCP is an acronym of Unix-to-Unix Copy. The term generally refers to a suite of computer programs and protocols allowing remote execution of commands and transfer of files, email and netnews between computers.

Telebit was a US-based modem manufacturer, known for their TrailBlazer series of high-speed modems. One of the first modems to routinely exceed 9600 bit/s speeds, the TrailBlazer used a proprietary modulation scheme that proved highly resilient to interference, earning the product an almost legendary reputation for reliability despite mediocre line quality. They were particularly common in Unix installations in the 1980s and 1990s.

The Parallel Line Internet Protocol (PLIP) is a computer networking protocol for direct computer-to-computer communications using the parallel port normally used for connections to a printer.

ZMODEM is an inline file transfer protocol developed by Chuck Forsberg in 1986, in a project funded by Telenet in order to improve file transfers on their X.25 network. In addition to dramatically improved performance compared to older protocols, ZMODEM offered restartable transfers, auto-start by the sender, an expanded 32-bit CRC, and control character quoting supporting 8-bit clean transfers, allowing it to be used on networks that would not pass control characters.

XMODEM is a simple file transfer protocol developed as a quick hack by Ward Christensen for use in his 1977 MODEM.ASM terminal program. It allowed users to transmit files between their computers when both sides used MODEM. Keith Petersen made a minor update to always turn on "quiet mode", and called the result XMODEM.

YMODEM is a file transfer protocol used between microcomputers connected together using modems. It was primarily used to transfer files to and from bulletin board systems. YMODEM was developed by Chuck Forsberg as an expansion of XMODEM and was first implemented in his CP/M YAM program. Initially also known as YAM, it was formally given the name "YMODEM" in 1985 by Ward Christensen, author of the original XMODEM.

Transmission Control Protocol (TCP) uses a network congestion-avoidance algorithm that includes various aspects of an additive increase/multiplicative decrease (AIMD) scheme, along with other schemes including slow start and congestion window (CWND), to achieve congestion avoidance. The TCP congestion-avoidance algorithm is the primary basis for congestion control in the Internet. Per the end-to-end principle, congestion control is largely a function of internet hosts, not the network itself. There are several variations and versions of the algorithm implemented in protocol stacks of operating systems of computers that connect to the Internet.

Nagle's algorithm is a means of improving the efficiency of TCP/IP networks by reducing the number of packets that need to be sent over the network. It was defined by John Nagle while working for Ford Aerospace. It was published in 1984 as a Request for Comments (RFC) with title Congestion Control in IP/TCP Internetworks in RFC 896.

IEEE 1355

IEEE Standard 1355-1995, IEC 14575, or ISO 14575 is a data communications standard for Heterogeneous Interconnect (HIC).

SEAlink is a file transfer protocol that is backward compatible with XMODEM but features a sliding window system for improved throughput. SEAlink was written in 1986 as a part of the SEAdog FidoNet mailer written by System Enhancement Associates, creators of the famous ARC program. It was licensed with a simple "give credit" requirement, but nevertheless was not very widely used except in FidoNet mailers. SEAlink, and most other XMODEM enhancements, were quickly displaced following the introduction of ZMODEM.

The Microcom Networking Protocols, almost always shortened to MNP, is a family of error-correcting protocols commonly used on early high-speed modems. Originally developed for use on Microcom's own family of modems, the protocol was later openly licensed and used by most of the modem industry, notably the "big three", Telebit, USRobotics and Hayes. MNP was later supplanted by v.42bis, which was used almost universally starting with the first v.32bis modems in the early 1990s.

In computer networks, goodput is the application-level throughput of a communication; i.e. the number of useful information bits delivered by the network to a certain destination per unit of time. The amount of data considered excludes protocol overhead bits as well as retransmitted data packets. This is related to the amount of time from the first bit of the first packet sent until the last bit of the last packet is delivered.

A sliding window protocol is a feature of packet-based data transmission protocols. Sliding window protocols are used where reliable in-order delivery of packets is required, such as in the data link layer as well as in the Transmission Control Protocol (TCP). They are also used to improve efficiency when the channel may include high latency.

In data networking, telecommunications, and computer buses, an acknowledgment (ACK) is a signal that is passed between communicating processes, computers, or devices to signify acknowledgment, or receipt of message, as part of a communications protocol. The negative-acknowledgement is a signal that is sent to reject a previously received message or to indicate some kind of error. Acknowledgments and negative acknowledgments inform a sender of the receiver's state so that it can adjust its own state accordingly.

Janus is a file transfer protocol for use on bulletin board systems (BBSs). It has the relatively rare feature that it is fully bidirectional, allowing the protocol to upload and download files at the same time. It was written by Rick Huebner in 1987; Huebner had previously written a ZMODEM module for the Opus-CBBS system.

MEGAlink is a file transfer protocol for modem-equipped microcomputers written by Paul Meiners in 1987. Like many protocols of the era, MEGAlink is an expanded version of the seminal XMODEM. While it was a relatively simple and high-performance system, it remains relatively obscure because it was overshadowed by ZMODEM, which had been released a year earlier and saw rapid uptake.