
Protocol spoofing

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dcirovic (talk | contribs) at 06:04, 5 June 2016 (refs, typo(s) fixed: 2400 bps → 2400 bit/s using AWB). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Protocol spoofing is used in data communications to improve performance in situations where an existing protocol is inadequate, for example due to long delays or high error rates.

Note: In a computer security context, spoofing refers to various forms of falsification of data that are unrelated to the techniques discussed here. See spoofing attack.

Spoofing techniques

In most applications of protocol spoofing, a communications device such as a modem or router simulates ("spoofs") the remote endpoint of a connection to a locally attached host, while using a more appropriate protocol to communicate with a compatible remote device that performs the equivalent spoof at the other end of the communications link.

File transfer spoofing

Error correction and file transfer protocols typically work by calculating a checksum or CRC for a block of data known as a packet, and transmitting the resulting number at the end of the packet. At the other end the receiver re-calculates the number and compares it to what was sent from the remote machine. If the two match the packet was transmitted correctly, and the receiver sends an ACK to signal that it's ready to receive the next packet.

The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to the modem's speed, and is typically about 1/10 of a second. For a protocol using small packets, this delay can be larger than the time needed to send a packet. For instance, the UUCP "g" protocol and Kermit both use 64-byte packets, which on a 9600 bit/s link take about 1/20th of a second to send. XModem used a slightly larger 128-byte packet, which takes about 1/10 of a second to send.

The next packet of data cannot be sent until the ACK for the previous packet is received. In the case of XModem, for instance, that means it takes 2/10 of a second for the cycle to complete for a single packet. This means that the overall speed is only half the theoretical maximum, or a 50% channel efficiency.

Protocol spoofing addresses this problem by having the local modem generate a false ACK message as soon as the packet is completely sent to the modem. This causes the local host computer to immediately send another packet, and so on. The data for multiple packets is held in an internal buffer while the modem is sending it to the remote machine. This allows the packets to be sent continually, greatly improving channel efficiency. However, this also requires the link between the two systems to be error free, as the modem has already ACKed the packets even before they have been sent. This was normally addressed by using a modem-level error correction protocol, like Microcom Networking Protocols.
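The timing argument above can be reproduced with a small simulation. This is an added example, not part of the original article: the function name `transfer` and its parameters are hypothetical, times are the article's rounded figures in milliseconds, and modem-level error correction is simplified to one extra packet time per damaged packet.

```python
def transfer(n, pkt_ms, ack_ms, spoof, corrupt=(), link_arq=False):
    """Send n packets over a modem link and report the outcome.

    spoof    -- local modem ACKs each packet itself (protocol spoofing)
    corrupt  -- sequence numbers damaged once on the link (constructed input)
    link_arq -- modems run their own error correction (MNP-style, simplified)
    Returns (elapsed_ms, channel_efficiency, lost), where lost lists packets
    the sending host believes were delivered but the remote host never got.
    """
    elapsed = 0
    bad = set(corrupt)
    host_acked, delivered = [], []
    for seq in range(n):
        while True:
            elapsed += pkt_ms              # packet crosses the phone line
            damaged = seq in bad
            bad.discard(seq)               # damage happens only once
            if spoof:
                # The host already holds a (false) ACK and has moved on,
                # so only the modems can repair a damaged packet.
                if damaged and link_arq:
                    continue               # modem resends from its buffer
                host_acked.append(seq)
                if not damaged:
                    delivered.append(seq)
                break
            elapsed += ack_ms              # wait for end-to-end ACK or NAK
            if not damaged:
                host_acked.append(seq)
                delivered.append(seq)
                break                      # on NAK, loop and resend
    lost = sorted(set(host_acked) - set(delivered))
    return elapsed, n * pkt_ms / elapsed, lost


if __name__ == "__main__":
    cases = {
        "XModem, no spoofing": dict(pkt_ms=100, spoof=False),
        "UUCP g/Kermit, no spoofing": dict(pkt_ms=50, spoof=False),
        "XModem, spoofed ACKs": dict(pkt_ms=100, spoof=True),
        "spoofed, line error, no MNP": dict(pkt_ms=100, spoof=True, corrupt={7}),
        "spoofed, line error, MNP": dict(pkt_ms=100, spoof=True, corrupt={7},
                                         link_arq=True),
    }
    for name, kw in cases.items():
        ms, eff, lost = transfer(100, ack_ms=100, **kw)
        print(f"{name:30s} {ms:6d} ms  efficiency {eff:.2f}  lost {lost}")
```

The fourth case shows why the link must be error free: the host has been told packet 7 arrived, so nothing above the modems will ever resend it.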

Protocol spoofing was also widely used with another feature of earlier high-speed modems. Before the introduction of echo cancellation in V.32 and later protocols, high-speed modems typically had a very slow "backchannel" for sending things like these ACKs back to the sender. On a ~18,000 bit/s TrailBlazer, for instance, the modem could send as many as 35 UUCP packets a second to the receiver, but the backchannel offered only 75 bit/s, not nearly enough for the 35 bytes (280 bits) of ACK messages generated by the remote host.

In this case, the spoofing allowed the sending modem to continue sending packets as fast as it could. At the same time, the receiving modem dropped the ACK packets being generated by the local computer's software, keeping the backchannel clear. Since the channel efficiency only became a major problem at speeds over 2400 bit/s, and modems able to run faster than that typically had significant processing power anyway, protocol spoofing was mostly associated with these higher speed systems.

TCP spoofing

TCP connections may suffer from performance limitations due to insufficient window size for links with a high bandwidth × delay product, and on long-delay links such as those over GEO satellites, TCP's slow-start algorithm significantly delays connection startup. A spoofing router terminates the TCP connection locally and translates the TCP to protocols tailored to long delays over the satellite link, such as XTP.

RIP/SAP spoofing

SAP and RIP periodically broadcast network information even if routing/service tables are unchanged. Dial-on-demand WAN links in IPX networks therefore never become idle and won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts, and re-broadcast the advertisements from its own routing/service table, which it only updates when the link is active for other reasons.

See also

  • UUCP `g' Protocol
  • Ishac, Joseph; Allman, Mark (2001). "On the Performance of TCP Spoofing in Satellite Networks" (PDF).