Network Security: The Physics of Attack
How to drop 100Gbps of traffic without crashing. Understanding DDoS physics, ARP Spoofing, and Kernel-level filtering.
🎯 What You'll Learn
- Calculate the Amplification Factor of a DNS Reflector Attack
- Deconstruct an ARP Spoofing attack (Layer 2)
- Compare iptables (Netfilter) vs XDP (eBPF) packet dropping
- Architect a DMZ using VLANs and Subnets
- Analyze a SYN Flood at the TCP/IP stack level
Introduction
Most “Network Security” tutorials teach you to install a firewall. Real network security starts with the physical budget: a link carries a fixed number of bits per second and a CPU core can touch a fixed number of packets per second. If 100Gbps of traffic hits your 10Gbps network card, no firewall software can save you; the link is saturated before any rule runs, and traffic above link capacity can only be absorbed upstream (provider scrubbing, anycast, or blackholing the target prefix). Everything below that ceiling is a packets-per-second problem, and that is where the kernel work in this lesson happens.
In this lesson, we stop configuring UFW and start analyzing the physics of attack vectors.
DDoS Amplification
How does an attacker with 1Gbps of upstream bandwidth deliver roughly 46Gbps to a target? Reflection plus amplification.
They don’t send traffic to the victim directly. They trick third parties (open DNS resolvers, in this case) into sending it.
The Reflector Attack:
- Attacker sends a UDP DNS query to an open resolver.
- Source IP: spoofed to the victim’s address.
- Payload (~64 bytes): a query chosen for a large answer, classically “ANY google.com” with an EDNS0 option advertising a 4096-byte receive buffer so the resolver will not truncate.
- The resolver answers the address in the source field, i.e. the victim.
- Payload (~3000 bytes): the full record set.
64 bytes in, 3000 bytes out is an amplification factor of about 47x, so 1Gbps of spoofed queries becomes roughly 46Gbps of replies at the victim, sourced from thousands of resolvers the victim has no reason to block. UDP has no handshake, so nothing on the path verifies the source address; the only control that stops the spoofing is ingress filtering at the attacker’s own provider (BCP 38), which many networks still don’t deploy. On the reflector side, refusing ANY over UDP (answering with the TC bit set so the client must retry over TCP) and Response Rate Limiting (RRL) shrink the factor.
Layer 2: ARP Spoofing (The Local Assassin)
Switches forward frames by MAC address, not IP. ARP maps IP to MAC: a host broadcasts “Who has 192.168.1.1?” and the owner answers “192.168.1.1 is at AA:BB:CC:…”. ARP has no authentication; any host can answer, and most stacks accept replies they never asked for.
The Attack: The attacker sends ARP replies claiming “192.168.1.1 is at <attacker’s MAC>”, unsolicited (gratuitous) and repeated every few seconds so the lie outlives cache timeouts. The victims’ ARP caches update. The switch itself keeps no ARP table, only a MAC-to-port table, so it simply delivers frames addressed to the attacker’s MAC to the attacker’s port. Every frame the victims send to the gateway now arrives at the attacker’s NIC; with IP forwarding enabled the attacker relays it onward and can read, modify, or drop packets at will. Poisoning the gateway’s cache for the victim’s IP as well captures the return direction.
Defense: Static ARP entries on critical hosts, or Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against the DHCP-snooping binding table (or static ACLs) and drops replies whose IP-to-MAC pair doesn’t match. Monitoring (arpwatch or equivalent) catches what neither prevents: a gateway IP that suddenly changes MAC.
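One way to catch the attack on the wire is the check arpwatch performs: remember every IP-to-MAC binding seen in ARP replies and alert when one changes or when one MAC starts answering for several IPs. The following is an added example, not part of the lesson or of arpwatch, with the ARP replies constructed in code rather than captured from an interface; all addresses are made up (192.168.1.0/24 and locally administered MACs). It also covers the question Exercise 3 below asks: one MAC behind several IPs is either a legitimate multi-homed host or someone answering for addresses that are not theirs, and only the change history tells you which.

```c
/* Added example, not the lesson's own code: a passive ARP watchdog that learns
 * IP-to-MAC bindings from ARP replies and flags the two poisoning signatures,
 * an IP that changes MAC and a MAC that claims several IPs. arpwatch does the
 * same job on a real interface; here the replies are constructed in
 * replay_poisoning(). All addresses are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BINDINGS 64
enum arp_event {
    ARP_TABLE_FULL = -1,
    ARP_NEW = 0,            /* first time we hear about this IP */
    ARP_SAME = 1,           /* consistent with what we already know */
    ARP_IP_REBOUND = 2,     /* IP moved to a different MAC: the poisoning signature when IP is the gateway */
    ARP_MAC_DUPLICATE = 3   /* a MAC already bound to another IP now claims this one too
                               (attacker impersonating gateway and victim at once, or a
                               legitimate multi-IP host: verify before acting) */
};

struct binding { uint32_t ip; uint8_t mac[6]; };
struct arp_watch { struct binding b[MAX_BINDINGS]; int n; };

/* Feed one ARP reply ("ip is at mac") and classify it. The new binding is
 * recorded even when it is suspicious, so a flip-flop between the real
 * gateway and the attacker shows up as a stream of ARP_IP_REBOUND events. */
int arp_observe(struct arp_watch *w, uint32_t ip, const uint8_t mac[6])
{
    struct binding *known = NULL;
    int mac_elsewhere = 0;
    for (int i = 0; i < w->n; i++) {
        if (w->b[i].ip == ip) known = &w->b[i];
        else if (memcmp(w->b[i].mac, mac, 6) == 0) mac_elsewhere = 1;
    }
    if (known) {
        if (memcmp(known->mac, mac, 6) == 0) return ARP_SAME;
        memcpy(known->mac, mac, 6);
        return ARP_IP_REBOUND;
    }
    if (w->n == MAX_BINDINGS) return ARP_TABLE_FULL;
    w->b[w->n].ip = ip;
    memcpy(w->b[w->n].mac, mac, 6);
    w->n++;
    return mac_elsewhere ? ARP_MAC_DUPLICATE : ARP_NEW;
}

/* Replays a constructed capture of an attack on 192.168.1.0/24 and returns the
 * number of alerts (ARP_IP_REBOUND or ARP_MAC_DUPLICATE) it raised. */
int replay_poisoning(void)
{
    static const uint8_t gw_mac[6]  = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    static const uint8_t vic_mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x50 };
    static const uint8_t atk_mac[6] = { 0x02, 0xDE, 0xAD, 0xBE, 0xEF, 0x99 };
    static const struct { const char *note; uint32_t ip; const uint8_t *mac; } replies[] = {
        { "gateway answers a normal request",        0xC0A80101u, gw_mac  },  /* 192.168.1.1  */
        { "victim answers a normal request",         0xC0A80132u, vic_mac },  /* 192.168.1.50 */
        { "gateway refreshes its own entry",         0xC0A80101u, gw_mac  },
        { "attacker: gateway is at MY mac",          0xC0A80101u, atk_mac },  /* poisons the victim's cache */
        { "attacker: victim is at MY mac",           0xC0A80132u, atk_mac },  /* poisons the gateway's cache */
        { "attacker: another host is at MY mac too", 0xC0A8014Du, atk_mac },  /* 192.168.1.77 */
    };
    static const char *names[] = { "NEW", "SAME", "IP_REBOUND", "MAC_DUPLICATE" };
    struct arp_watch w = { .n = 0 };
    int alerts = 0;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        int ev = arp_observe(&w, replies[i].ip, replies[i].mac);
        if (ev >= ARP_IP_REBOUND) alerts++;
        printf("%-42s -> %s\n", replies[i].note, ev < 0 ? "TABLE_FULL" : names[ev]);
    }
    return alerts;
}

int main(void) { return replay_poisoning() == 3 ? 0 : 1; }
```

The replay raises three alerts: two rebinds (gateway and victim both jump to the attacker’s MAC) and one duplicate (the same MAC then claims a third address). In production the same logic sits behind a packet capture on a mirror port, and the gateway’s entry is the one to page on.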
Defense: XDP & eBPF
iptables rules run in Netfilter hooks, which a packet reaches only after the driver has pulled it off the NIC ring and the kernel has allocated a socket buffer (sk_buff) for it.
During a DDoS that per-packet allocation, plus the stack work before the first hook, is what kills you; by the time a rule drops the packet most of the cost has already been paid.
XDP (eXpress Data Path) runs a verified eBPF program in the driver’s receive path, on the raw DMA buffer, before any sk_buff exists (native mode) or, on NICs that support it, on the NIC itself (offload). Returning XDP_DROP there costs a few dozen nanoseconds and no allocation. Caveat: generic XDP, the fallback for drivers without native support, runs after sk_buff allocation and loses most of the advantage.
Rough comparison:
- iptables: ~1 million packets/sec per core for a simple drop (varies widely with rule count)
- XDP native: ~20+ million packets/sec per core for a drop, more than the 14.88 million packets/sec a 10GbE link carries at the 64-byte minimum frame size
These numbers vary significantly by hardware, kernel version, and packet size. The key point is that XDP runs much earlier in the stack, so the attacker’s packets are discarded before they cost you anything.
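To make the early-drop point concrete, here is an XDP-style filter for the reflection scenario above, written as an added example (not the lesson’s own code). It assumes a policy that is ours to pick: sources on a blocklist are dropped, and the host never legitimately receives UDP datagrams from source port 53 with more than 512 bytes of payload, nor UDP tail fragments; the addresses, the blocklist entry and the test packets are constructed. The header structs, verdict values and byte-order helpers are defined inline so the file compiles as plain C and runs against the constructed packets; a real XDP program uses <linux/bpf.h>, bpf_ntohs() and a SEC("xdp") entry point taking struct xdp_md, and is compiled with clang -O2 -target bpf, but the body of xdp_filter() is the same shape. What it shows: every header pointer is compared against data_end before it is dereferenced (the BPF verifier rejects the program otherwise), a drop decision costs a few comparisons and no allocation, and a 3000-byte reflected answer is recognised from the declared UDP length in its first fragment.

```c
/* Added example, not the lesson's own code: an XDP-style early-drop filter.
 * Policy assumed here (ours, tune for your host): blocklisted sources are
 * dropped, and this host never legitimately receives a UDP datagram from
 * source port 53 with more than 512 bytes of payload, nor UDP tail fragments.
 * Header structs and verdict values are defined inline so the file builds as
 * plain C; in a real XDP program the same xdp_filter() body sits behind
 * SEC("xdp"), uses <linux/bpf.h> and bpf_ntohs(), and is built with
 * clang -O2 -target bpf. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XDP_DROP 1                 /* same values as <linux/bpf.h> */
#define XDP_PASS 2
#define ETH_P_IP 0x0800
#define IPPROTO_UDP 17
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define NTOHS(x) __builtin_bswap16(x)
#define NTOHL(x) __builtin_bswap32(x)
#else
#define NTOHS(x) (x)
#define NTOHL(x) (x)
#endif
#define HTONS(x) NTOHS(x)
#define HTONL(x) NTOHL(x)
/* The bounds check the BPF verifier demands before every header dereference. */
#define PAST_END(p, end) ((const char *)((p) + 1) > (const char *)(end))

struct ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct udphdr { uint16_t source, dest, len, check; } __attribute__((packed));

/* Stand-in for a BPF_MAP_TYPE_HASH blocklist that userspace would populate. */
static const uint32_t blocklist[] = { 0xC6336401u /* 198.51.100.1, constructed */ };

static int blocklisted(uint32_t saddr_host)
{
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (blocklist[i] == saddr_host) return 1;
    return 0;
}

/* data/data_end are the packet bounds the driver hands to XDP. Nothing here
 * allocates, and the packet never reaches the stack if we return XDP_DROP. */
int xdp_filter(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if (PAST_END(eth, data_end)) return XDP_PASS;            /* runt frame: let the stack count it */
    if (NTOHS(eth->h_proto) != ETH_P_IP) return XDP_PASS;   /* ARP, IPv6, VLAN-tagged: not ours */

    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if (PAST_END(ip, data_end)) return XDP_PASS;
    if (blocklisted(NTOHL(ip->saddr))) return XDP_DROP;      /* rule 1, cheapest check first */
    if (ip->protocol != IPPROTO_UDP) return XDP_PASS;
    if ((ip->ihl_version & 0x0f) != 5) return XDP_PASS;      /* IP options: rare, punt to the stack */
    /* rule 2: a tail fragment carries no UDP header; a 3000-byte reflected
     * answer arrives as 2-3 of them, so under our policy they go. */
    if ((NTOHS(ip->frag_off) & 0x1FFF) != 0) return XDP_DROP;

    struct udphdr *udp = (struct udphdr *)(ip + 1);
    if (PAST_END(udp, data_end)) return XDP_PASS;
    /* rule 3: udp->len is the declared datagram length (8-byte header included),
     * so the FIRST fragment of a big answer is caught even though it carries
     * only the ~1.4 KB that fit in one MTU. */
    if (NTOHS(udp->source) == 53 && NTOHS(udp->len) > 8 + 512) return XDP_DROP;
    return XDP_PASS;
}

/* Constructed Ethernet/IPv4/UDP packet for testing; returns bytes written.
 * udp_payload_len is the DECLARED payload length; at most 1400 bytes of it are
 * placed in the buffer, as a 1500-byte MTU would force. */
size_t build_udp_packet(uint8_t *buf, uint32_t saddr, uint16_t sport, uint16_t dport,
                        uint16_t udp_payload_len, uint16_t frag_off)
{
    size_t carried = udp_payload_len > 1400 ? 1400 : udp_payload_len;
    struct ethhdr *eth = (struct ethhdr *)buf;
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    struct udphdr *udp = (struct udphdr *)(ip + 1);
    memset(buf, 0, sizeof *eth + sizeof *ip + sizeof *udp + carried);
    eth->h_proto = HTONS(ETH_P_IP);
    ip->ihl_version = 0x45; ip->ttl = 64; ip->protocol = IPPROTO_UDP;
    ip->frag_off = HTONS(frag_off);
    ip->saddr = HTONL(saddr);
    ip->daddr = HTONL(0xC0000264u);                          /* 192.0.2.100, the victim */
    ip->tot_len = HTONS((uint16_t)(sizeof *ip + sizeof *udp + carried));
    udp->source = HTONS(sport); udp->dest = HTONS(dport);
    udp->len = HTONS((uint16_t)(sizeof *udp + udp_payload_len));
    return sizeof *eth + sizeof *ip + sizeof *udp + carried;
}

/* Build one packet and run it through the filter. */
int verdict_for(uint32_t saddr, uint16_t sport, uint16_t udp_payload_len, uint16_t frag_off)
{
    static uint8_t buf[2048];
    size_t len = build_udp_packet(buf, saddr, sport, 33333, udp_payload_len, frag_off);
    return xdp_filter(buf, buf + len);
}

int main(void)
{
    const uint32_t resolver = 0xC0000235u;                    /* 192.0.2.53, constructed */
    printf("120-byte DNS answer : %d (2=PASS)\n", verdict_for(resolver, 53, 120, 0));
    printf("3000-byte DNS answer: %d (1=DROP)\n", verdict_for(resolver, 53, 3000, 0));
    printf("tail fragment       : %d (1=DROP)\n", verdict_for(resolver, 0, 0, 185));
    printf("blocklisted source  : %d (1=DROP)\n", verdict_for(0xC6336401u, 443, 100, 0));
    return 0;
}
```

Tune the policy before using it: a host whose stub resolver accepts large EDNS0 answers over UDP would lose them to rule 3, and a dropped UDP reply does not trigger TCP fallback, the client simply times out. The ordering also matters in the real thing: the blocklist map lookup is the cheapest test and should come before any parsing that is not needed to perform it.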
The SYN Flood
A TCP connection requires state. For every SYN the server normally allocates a request_sock (the half-open connection), queues it in the listener’s SYN backlog and retransmits the SYN-ACK while it waits for the client’s ACK. An attacker who sends a million SYNs from spoofed sources and never ACKs fills that backlog, bounded by net.ipv4.tcp_max_syn_backlog, and the memory behind it; once it is full, new SYNs are dropped and legitimate clients cannot connect, long before RAM itself is exhausted.
The Defense: SYN Cookies.
# Check if SYN Cookies are enabled (Linux)
sysctl net.ipv4.tcp_syncookies
# 0 = off; 1 = send cookies only once the SYN backlog overflows (the usual default); 2 = always
# The backlog itself: sysctl net.ipv4.tcp_max_syn_backlog
# How it works:
# The server allocates no request state for the SYN.
# It encodes the connection state (a keyed hash of the 4-tuple, a coarse timestamp and the client's MSS) INTO the Sequence Number of the SYN-ACK.
# When the client's ACK arrives, its ack number is that ISN + 1, so the server recomputes the hash from the ACK's own headers and compares.
# Stateless validation: a socket is created only for an ACK that carries a valid cookie.
# Cost: TCP options other than MSS (window scaling, SACK) are lost unless the client sent timestamps, which Linux uses to carry them.
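The mechanism in those comments, carried through as an added example that is not the kernel’s code: a miniature SYN cookie generator and checker. The bit layout, MSS table and secret are ours, and the keyed hash is a toy mixer rather than the SipHash Linux uses; the 4-tuple and minute counter in main() are constructed. What it shows is the stateless round trip: the SYN produces an ISN and nothing else, and the final ACK is accepted only if ack - 1 recomputes under the server’s secret, for this 4-tuple, within the age window.

```c
/* Added example, not the kernel's code: SYN cookies in miniature. The layout
 * and hash are simplified (Linux uses SipHash with two rotating secrets and a
 * slightly different bit split), but the mechanism is the one described above:
 * the server's initial sequence number IS the half-open connection state. */
#include <stdint.h>
#include <stdio.h>

/* Cookie layout used here:
 *   bits 31..27  t     5-bit counter ticking once a minute (how old the cookie is)
 *   bits 26..24  mss   index into mss_table: the one SYN option we must remember
 *   bits 23..0   mac   keyed hash over (saddr, daddr, sport, dport, t)        */
static const uint16_t mss_table[8] = { 536, 1220, 1300, 1440, 1460, 4312, 8960, 9000 };
static const uint64_t secret = 0x5eedbeefcafef00dULL;  /* constructed; the kernel draws its own at random */

/* Toy keyed mix (a splitmix64 finalizer over secret ^ inputs). NOT cryptographic;
 * a real implementation must use SipHash or equivalent, or an attacker who can
 * observe a few cookies forges the rest. */
static uint32_t cookie_mac(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport, uint32_t t)
{
    uint64_t x = secret ^ ((uint64_t)saddr << 32 | daddr);
    x ^= (uint64_t)sport << 48 | (uint64_t)dport << 32 | t;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return (uint32_t)(x & 0xFFFFFF);
}

static int mss_index(uint16_t client_mss)   /* largest table entry not above what the client offered */
{
    int best = 0;
    for (int i = 0; i < 8; i++) if (mss_table[i] <= client_mss) best = i;
    return best;
}

/* On SYN: compute the ISN for the SYN-ACK. Nothing is allocated or queued. */
uint32_t syncookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                        uint16_t client_mss, uint32_t minute)
{
    uint32_t t = minute & 0x1F;
    return t << 27 | (uint32_t)mss_index(client_mss) << 24 | cookie_mac(saddr, daddr, sport, dport, t);
}

/* On the final ACK: ack_seq - 1 is the ISN we claim to have sent. Returns the
 * MSS to use for the new socket, or 0 if the cookie is forged, comes from
 * another 4-tuple, or is older than one counter tick. Only then is a socket built. */
uint16_t syncookie_check(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                         uint32_t ack_seq, uint32_t minute)
{
    uint32_t isn = ack_seq - 1;
    uint32_t t = isn >> 27;
    uint32_t age = (minute - t) & 0x1F;                  /* the counter wraps every 32 minutes */
    if (age > 1) return 0;                               /* stale, or t claims to be from the future */
    if ((isn & 0xFFFFFF) != cookie_mac(saddr, daddr, sport, dport, t)) return 0;
    return mss_table[(isn >> 24) & 7];
}

int main(void)
{
    /* constructed 4-tuple: client 192.0.2.10:40000 -> server 198.51.100.20:443 */
    const uint32_t c = 0xC000020Au, s = 0xC6336414u;
    const uint16_t cp = 40000, sp = 443;
    uint32_t isn = syncookie_make(c, s, cp, sp, 1460, 10);     /* SYN arrives in minute 10 */
    printf("SYN-ACK isn=0x%08x (t=%u mss_idx=%u)\n", isn, isn >> 27, (isn >> 24) & 7);
    printf("honest ACK, same minute : mss=%u\n", syncookie_check(c, s, cp, sp, isn + 1, 10));
    printf("honest ACK, 1 min later : mss=%u\n", syncookie_check(c, s, cp, sp, isn + 1, 11));
    printf("ACK replayed 3 min later: mss=%u\n", syncookie_check(c, s, cp, sp, isn + 1, 13));
    printf("blind ACK, guessed isn  : mss=%u\n", syncookie_check(c, s, cp, sp, isn + 7, 10));
    printf("ACK from another port   : mss=%u\n", syncookie_check(c, s, cp + 1, sp, isn + 1, 10));
    return 0;
}
```

The age window is why cookies are stateless but not free: a cookie older than one tick is refused, and an ACK from another port or with a guessed ISN fails the hash, so the attacker’s spoofed SYNs cost the server nothing beyond the SYN-ACKs it sends back to the spoofed addresses.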
Practice Exercises
Exercise 1: Amplification Calculation (Beginner)
Scenario: NTP Monlist command returns 4KB. Request is 200 bytes. Task: Calculate the Amplification Factor. If you control a botnet of 1000 IoT devices each with 10Mbps upload, what is the total attack size against the victim?
Exercise 2: Firewall Performance (Intermediate)
Scenario: A 10Gbps link. Average packet size 500 bytes.
Task: How many Packets Per Second (PPS) must your CPU process? Can iptables handle it reliably?
Exercise 3: ARP Poisoning (Advanced)
Task: Use arp -a (or ip neigh on Linux) to see your local ARP table.
Concept: If two entries had the same MAC address for different IPs, what does that imply about the network?
Knowledge Check
- Why can’t an attacker complete a TCP handshake from a spoofed Source IP?
- What is the difference between a Reflector attack and a Direct attack?
- Why is XDP faster than iptables?
- What does a Switch use to forward frames?
- How do SYN Cookies prevent RAM exhaustion?
Answers
- Handshake. The SYN itself can be spoofed (that is exactly what a SYN flood does), but the SYN-ACK, and with it the server’s initial sequence number, goes to the spoofed address, not to the attacker, who therefore cannot send a valid final ACK unless the ISN is predictable.
- Hiding. Reflector hides the attacker’s IP and amplifies bandwidth. Direct attack exposes the attacker.
- Execution point. XDP runs in the driver’s receive path (or on the NIC with offload), before the sk_buff is allocated and before the packet enters the generic stack where the Netfilter hooks live; a drop there costs a few comparisons.
- MAC Addresses (Layer 2), looked up in its MAC-address table. The switch never consults IP, which is why poisoning ARP, the IP-to-MAC mapping on the hosts, redirects traffic without touching the switch.
- Statelessness. The server stores no state until the final ACK arrives.
Summary
- UDP: The weapon of choice for DDoS (spoofing + amplification).
- ARP: The weak point of local networks.
- eBPF/XDP: The fast path for packet filtering.