Network Security: The Physics of Attack
How to drop 100Gbps of traffic without crashing. Understanding DDoS physics, ARP Spoofing, and Kernel-level filtering.
🎯 What You'll Learn
- Calculate the Amplification Factor of a DNS Reflector Attack
- Deconstruct an ARP Spoofing attack (Layer 2)
- Compare iptables (Netfilter) vs XDP (eBPF) packet dropping
- Architect a DMZ using VLANs and Subnets
- Analyze a SYN Flood at the TCP/IP stack level
📚 Prerequisites
Before this lesson, you should understand:
Introduction
Most “Network Security” tutorials teach you to install a firewall. Real Network Security is understanding that packets are just electricity. If 100Gbps of electricity hits your 10Gbps network card, no firewall software can save you. The wire melts.
In this lesson, we stop configuring UFW and start analyzing the Physics of Attack Vectors.
The Physics: DDoS Amplification
How does a teenager in a basement knock offline a bank? Leverage. They don’t send traffic. They trick others into sending traffic.
The Reflector Attack:
- Attacker sends a UDP packet to a DNS Server.
- Source IP: Spoofed (Victim’s IP).
- Payload (64 bytes): “Tell me everything about google.com”.
- DNS Server dutifully replies to the Victim (the spoofed source address).
- Payload (3000 bytes): “Here is everything.”
If the attacker has 1Gbps of upload bandwidth, the victim gets hit with roughly 46Gbps (3000 / 64 ≈ 47×). Physics: UDP has no handshake, so source spoofing is trivial.
Layer 2: ARP Spoofing (The Local Assassin)
Switches do not know IP addresses. They know MAC addresses. ARP maps IP -> MAC. “Who has 192.168.1.1?” -> “MAC AA:BB:CC has it.”
The Attack: I just shout: “I have 192.168.1.1!” (Gratuitous ARP). The switch believes me. All traffic for the Gateway now flows through my laptop. I can read, modify, or drop packets at will.
Defense: Static ARP entries or Dynamic ARP Inspection (DAI) on enterprise switches.
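One cheap host-side check that complements static entries or DAI: read the local ARP cache and flag two symptoms of poisoning, several IPs resolving to one MAC (the situation Exercise 3 asks about) and the gateway's MAC drifting away from a known-good value. This is an added example, not code from the lesson; the `arp -a` lines are constructed in the Linux output format, and the gateway address and pinned MAC are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux `arp -a` format (not captured from a real host).
# 192.168.1.77 claims the same MAC as the gateway, which is the pattern worth investigating.
SAMPLE_ARP_A = """\
_gateway (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
printer (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.168.1.77) at aa:bb:cc:00:00:01 [ether] on eth0
nas (192.168.1.30) at aa:bb:cc:00:00:30 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# One complete entry: "<name> (<ip>) at <mac> [ether] on <iface>"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \[ether\] on (?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp_a(text: str) -> dict:
    """Return {ip: mac} for complete entries; '<incomplete>' lines carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def shared_macs(table: dict) -> dict:
    """MACs claimed by more than one IP: {mac: [ip, ...]} for every MAC with 2+ IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table: dict, gateway_ip: str, pinned_mac: str) -> bool:
    """True when the cached gateway MAC differs from the pinned (known-good) one."""
    current = table.get(gateway_ip)
    return current is not None and current != pinned_mac.lower()


if __name__ == "__main__":
    table = parse_arp_a(SAMPLE_ARP_A)
    print(shared_macs(table))                                   # {'aa:bb:cc:00:00:01': ['192.168.1.1', '192.168.1.77']}
    print(gateway_changed(table, "192.168.1.1", "aa:bb:cc:00:00:01"))  # False: matches the pinned value
    print(gateway_changed(table, "192.168.1.1", "aa:bb:cc:00:00:02"))  # True: cache no longer agrees
```

A shared MAC is a signal, not proof: a router that owns several addresses on one interface, or proxy ARP, produces the same picture legitimately. Treat the output as something to cross-check against the switch's port table, which is exactly what Dynamic ARP Inspection does for you on enterprise hardware.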
Defense: XDP & eBPF (The Speed of Light)
iptables is slow. It processes packets after the kernel allocates memory (sk_buff) for them.
If you are hit by a DDoS, the memory allocation overhead kills you before the firewall rules even run.
The Solution: XDP (eXpress Data Path). It runs eBPF code inside the Network Driver, before the Operating System sees the packet.
- iptables: ~1 Million packets/sec.
- XDP: ~20 Million packets/sec (Line rate).
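The two numbers a defender actually needs from this section and from the amplification section above are "how much traffic can a reflector turn my way" and "how many packets per second will my filter have to drop". The following is an added example, not code from the lesson: it assumes decimal gigabits (1 Gbps = 1e9 bit/s), ignores Ethernet preamble and inter-frame gap (so packet rates are upper bounds), and uses the rough iptables and XDP ceilings quoted above as the only thresholds.

```python
# Added example (not from the lesson): defender-side arithmetic for reflected volume
# and per-packet load. Assumes 1 Gbps = 1e9 bit/s and ignores Ethernet preamble/IFG.

IPTABLES_PPS = 1_000_000     # rough ceiling quoted in the lesson
XDP_PPS = 20_000_000         # rough ceiling quoted in the lesson


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    if request_bytes <= 0 or response_bytes < 0:
        raise ValueError("sizes must be positive")
    return response_bytes / request_bytes


def reflected_gbps(attacker_gbps: float, request_bytes: int, response_bytes: int) -> float:
    """Traffic landing on the victim when the attacker's whole upload goes through the reflector."""
    return attacker_gbps * amplification_factor(request_bytes, response_bytes)


def attacker_gbps_to_saturate(link_gbps: float, request_bytes: int, response_bytes: int) -> float:
    """Upload an attacker needs so that the reflected traffic alone fills the victim's link."""
    return link_gbps / amplification_factor(request_bytes, response_bytes)


def packets_per_second(link_gbps: float, packet_bytes: int) -> float:
    """Upper bound on packet rate for a link saturated with packets of one size."""
    if packet_bytes <= 0:
        raise ValueError("packet size must be positive")
    return link_gbps * 1e9 / (packet_bytes * 8)


def drop_path(link_gbps: float, packet_bytes: int) -> str:
    """Which filtering point, at the lesson's rough ceilings, can still keep up with the flood."""
    pps = packets_per_second(link_gbps, packet_bytes)
    if pps <= IPTABLES_PPS:
        return "iptables"
    if pps <= XDP_PPS:
        return "xdp"
    return "beyond-host"   # the intro's case: no software on the box can drop it in time


if __name__ == "__main__":
    # Lesson figures: 64-byte query, 3000-byte answer, 1 Gbps attacker, 10 Gbps victim NIC.
    print(amplification_factor(64, 3000))             # 46.875
    print(reflected_gbps(1.0, 64, 3000))               # 46.875
    print(attacker_gbps_to_saturate(10.0, 64, 3000))   # ~0.213 (about 213 Mbps of upload)
    # Worst case for a packet filter: minimum-size 64-byte packets.
    print(packets_per_second(10.0, 64), drop_path(10.0, 64))    # 19531250.0 xdp
    print(packets_per_second(1.0, 1500), drop_path(1.0, 1500))  # 83333.33... iptables
    print(packets_per_second(100.0, 64), drop_path(100.0, 64))  # 195312500.0 beyond-host
```

Size your filter for the smallest packet the link can carry, not the average: a 10 Gbps link full of 64-byte packets is nearly 20 million packets per second, which is past what iptables can absorb and right at the XDP figure, and the 100 Gbps row is the intro's point that no on-host software helps once the wire itself is saturated.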
Code: The SYN Flood
A TCP connection requires state (memory). If I send 1 million SYN packets but never send the ACK, your server allocates 1 million buffers waiting for me. RAM fills up. Kernel panics.
The Defense: SYN Cookies.
# Check if SYN Cookies are enabled (Linux)
sysctl net.ipv4.tcp_syncookies
# Physics:
# Server doesn't allocate memory.
# It encodes the connection state INTO the Sequence Number of the SYN-ACK.
# If the Client ACKs with (Seq+1), the server recalculates the hash to verify validity.
# Stateless Validation.
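The stateless validation described in the comments above, worked through as an added example that is not code from the lesson or from the Linux kernel: the server derives the SYN-ACK sequence number from a keyed hash over the 4-tuple plus a coarse time counter, squeezes the client's MSS choice into the low bits, and on the final ACK recomputes the value instead of looking anything up. The secret, the MSS table, the 2-bit MSS encoding and the "accept the current or previous counter slot" rule are simplifications chosen for the demo, not the kernel's exact layout.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo secret; a real kernel generates and rotates its own.
SECRET = b"demo-syncookie-secret-not-for-production"
MSS_TABLE = (536, 1220, 1440, 1460)   # 2-bit index -> MSS the client advertised (rounded down)
MASK32 = 0xFFFFFFFF


def _mac(secret: bytes, src_ip: str, dst_ip: str, sport: int, dport: int, counter: int) -> int:
    """Keyed hash over the 4-tuple plus a coarse time counter. Nothing here is per-connection state."""
    msg = struct.pack(">4s4sHHI", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), sport, dport, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_cookie(src_ip: str, dst_ip: str, sport: int, dport: int, counter: int, mss_index: int) -> int:
    """Sequence number for the SYN-ACK: upper 30 bits from the MAC, low 2 bits carry the MSS index."""
    return (_mac(SECRET, src_ip, dst_ip, sport, dport, counter) & ~0x3 & MASK32) | (mss_index & 0x3)


def check_cookie(src_ip: str, dst_ip: str, sport: int, dport: int, ack_number: int, counter: int, max_age: int = 1):
    """On the final ACK: recompute the cookie for the current (and one previous) counter slot.
    Returns the negotiated MSS if the ACK is genuine, None if it is forged or stale."""
    cookie = (ack_number - 1) & MASK32          # client must ACK our ISN + 1
    mss_index = cookie & 0x3                     # the only "state" we stored, inside the ISN itself
    for age in range(max_age + 1):
        if make_cookie(src_ip, dst_ip, sport, dport, counter - age, mss_index) == cookie:
            return MSS_TABLE[mss_index]
    return None


if __name__ == "__main__":
    client_ip, client_port = "203.0.113.5", 40000     # constructed addresses
    server_ip, server_port = "198.51.100.10", 443
    t = 1000                                          # current counter slot
    isn = make_cookie(client_ip, server_ip, client_port, server_port, t, mss_index=3)
    # A real client saw the SYN-ACK and answers with ISN + 1: validated with zero stored state.
    print(check_cookie(client_ip, server_ip, client_port, server_port, isn + 1, t))      # 1460
    # A flood packet that never saw the SYN-ACK carries a number that does not recompute.
    print(check_cookie(client_ip, server_ip, client_port, server_port, 12345, t))        # None
    # A genuine ACK that arrives after the counter has moved on several slots is also dropped.
    print(check_cookie(client_ip, server_ip, client_port, server_port, isn + 1, t + 5))  # None
```

The trade-off is visible in the code: everything the server would normally keep in the half-open queue must fit in 32 bits, so TCP options that do not fit (the kernel keeps a small MSS table for exactly this reason) are lost for cookie-validated connections, which is why Linux only falls back to cookies once the SYN backlog is full.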
Practice Exercises
Exercise 1: Amplification Calculation (Beginner)
Scenario: NTP Monlist command returns 4KB. Request is 200 bytes. Task: Calculate the Amplification Factor. If you control a botnet of 1000 IoT toasters each with 10Mbps upload, what is the total attack size?
Exercise 2: Firewall Performance (Intermediate)
Scenario: A 10Gbps link. Average packet size 500 bytes.
Task: How many Packets Per Second (PPS) must your CPU process? Can iptables handle it?
Exercise 3: ARP Poisoning (Advanced)
Task: Use arp -a to see your local ARP table.
Concept: If two entries had the same MAC address for different IPs, what does that imply?
Knowledge Check
- Why can’t you spoof a Source IP in a TCP connection?
- What is the difference between a Reflector attack and a Direct attack?
- Why is XDP faster than iptables?
- What does a Switch use to route packets?
- How do SYN Cookies prevent RAM exhaustion?
Answers
- Handshake. You need to receive the SYN-ACK to complete the connection. If you spoof the source, the SYN-ACK goes to the victim, not you.
- Hiding. Reflector hides the attacker’s IP and amplifies bandwidth. Direct attack exposes the attacker.
- Execution point. XDP runs in the driver (NIC), avoiding sk_buff allocation and context switching.
- MAC Addresses. (Layer 2).
- Statelessness. The server stores no state until the final ACK arrives.
Summary
- UDP: The weapon of choice for DDoS (Spoofing + Amplification).
- ARP: The Achilles heel of local networks.
- eBPF: The firewall of the future.