4.3.31Computer Networks

Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

2,413 words11 min readdifficulty · medium

1. Denial-of-Service & DDoS

WHY it works: every server has a finite resource RR (e.g. number of half-open TCP connections). If attacker requests cost the server more than they cost the attacker, the attacker wins by asymmetry.

Recall Countermeasures for (D)DoS
  • SYN cookies: server encodes connection state into the initial sequence number instead of allocating memory → no state until the ACK proves the client is real. Removes the asymmetry.
  • Rate limiting / traffic shaping, ingress filtering (BCP 38) to drop spoofed source IPs at the edge.
  • Scrubbing centers / CDNs / Anycast absorb and disperse volumetric floods.
  • CAPTCHAs / proof-of-work raise cac_a so AA drops.

2. Man-in-the-Middle (MITM)

Recall MITM countermeasures
  • TLS with certificates: server proves identity via a CA-signed certificate; the public key is bound to the domain name. Pin certs for extra safety.
  • HSTS forces HTTPS so attacker can't strip it to HTTP.
  • Mutual authentication, DNSSEC, dynamic ARP inspection on switches.
  • General rule: encrypt + authenticate. Encryption alone (no identity check) still allows MITM.

3. Replay Attacks

Figure — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

4. Comparison table (80/20 core)

Attack Broken assumption Core fix
DDoS Server resources are enough Rate limit / no state till verified (SYN cookies, scrubbing)
MITM I'm talking to the real party Authentication (TLS certs, signed DH)
Replay A valid msg is valid once Freshness (nonce, timestamp, challenge)

Recall Feynman: explain it to a 12-year-old

Imagine a shop (the server). DDoS is a flash mob crowding the door so real customers can't get in — you fix it by checking a quick ticket before letting anyone block the doorway. Man-in-the-middle is a sneaky messenger who carries notes between you and your friend, secretly reading and changing them — you beat him by sealing notes with a stamp only your friend can verify. Replay is someone who photocopies your "give me a cookie" note and hands it in again tomorrow — you stop it by writing today's secret password on each note so old copies don't work.


Flashcards

What asymmetry makes (D)DoS effective?
The attacker's cost per packet cac_a is far less than the server's forced cost csc_s, so amplification A=cs/ca1A=c_s/c_a \gg 1.
In a SYN flood, what resource is exhausted and how?
The half-open connection backlog: spoofed SYNs make the server reserve and hold slots until timeout TT; with rate λ\lambda, held slots λT\approx \lambda T.
State the SYN-flood collapse condition and its derivation.
λB/T\lambda \ge B/T, from Little's Law L=λTL=\lambda T exceeding backlog size BB.
How do SYN cookies defeat SYN floods?
The server encodes connection state into the initial sequence number instead of allocating memory, so no state is kept until a valid ACK proves the client is real.
Why does DNS amplification use spoofed source IPs?
So the large reply (reflection) is sent to the victim, and the visible source is an innocent resolver, not the attacker.
Why is plain Diffie–Hellman vulnerable to MITM?
It provides a shared secret but no identity proof; Eve runs two DH exchanges and shares a key with each party. Fix: sign/authenticate the DH public values.
What single property does MITM exploit and what fixes it?
Missing authentication; fixed by certificates/signatures (TLS) binding identity to keys.
Why doesn't encryption alone stop a replay attack?
The attacker resends the genuine ciphertext without reading it; you need freshness (nonce/timestamp/sequence number), not just secrecy.
What is the role of a nonce vs a timestamp in replay defense?
Nonce: a once-only value tracked in a "seen" set so repeats are rejected; timestamp: accept only if within window Δ\Delta so old captures expire.
Why must a nonce be combined with a MAC?
Otherwise the attacker could simply change the nonce; the MAC t=MACK(mn)t=\text{MAC}_K(m\|n) ties freshness to integrity.
Map each attack to its broken assumption.
DDoS: enough resources; MITM: talking to the real party; Replay: a valid message is valid only once.
How does challenge–response prevent replay?
Server issues a fresh random rr; client returns MACK(r)\text{MAC}_K(r); an old response won't verify against the new challenge.

Connections

  • Transport Layer — TCP three-way handshake (SYN flood target)
  • Diffie–Hellman key exchange and TLS handshake (MITM defense)
  • Message Authentication Codes (MAC) & HMAC (replay + integrity)
  • Public Key Infrastructure & Certificates (authentication)
  • Little's Law (queueing math used in SYN-flood capacity)
  • Firewalls, NAT & Ingress Filtering (BCP 38) (anti-spoofing)

Concept Map

resource assumption broken

identity assumption broken

one-time assumption broken

works via

maximized by

maximized by

spoofs source IP fills backlog

reflection amplifies traffic

countered by

countered by

countered by

Network: trust over untrusted medium

DDoS

Man-in-the-Middle

Replay attack

Asymmetry A = cs/ca

SYN flood

DNS amplification

Authentication

Freshness

Rate/resource limits

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Network security me teen classic attacks samajhna 80/20 hai. DDoS me attacker ek hi server par hazaaron compromised machines (botnet) se traffic bhejta hai taaki uske resources khatam ho jaayein aur real users ko service na mile. Iska core idea asymmetry hai: attacker ko ek chhota SYN packet bhejna sasta padta hai, lekin server ko us half-open connection ka memory slot timeout TT tak hold karna mehnga. Little's Law se held slots λT\approx \lambda T, aur jab ye backlog BB se bada ho jaaye (λB/T\lambda \ge B/T) to server choke ho jaata hai. Fix: SYN cookies — server state allocate hi nahi karta jab tak valid ACK na aaye, plus rate limiting aur scrubbing.

Man-in-the-Middle me ek attacker beech me baith ke dono parties ke messages relay aur change karta hai, jabki dono soch rahe hote hain ki wo seedha baat kar rahe hain. Plain Diffie–Hellman isliye fail hota hai kyunki wo secret to bana deta hai par identity verify nahi karta — Eve do alag DH chala leti hai. Iska ilaaj hai authentication: TLS certificates ya signed keys, taaki tum confirm kar sako ki saamne wala asli server hi hai.

Replay attack sabse tricky hai: attacker tumhara genuine encrypted message bina padhe capture karta hai aur baad me dobara bhej deta hai (jaise "₹1000 transfer karo" do baar chal jaaye). Yahaan encryption kaam nahi aata kyunki message valid hi hai — problem freshness ki hai. Solution: har message me ek nonce (ek baar use hone wala number) ya timestamp lagao, aur usko MAC se bind karo. Server purana nonce dekh ke reject kar deta hai. Yaad rakho: DDoS → rate-limit, MITM → authentication, Replay → freshness. Yehi pura chapter ka nichod hai.

Go deeper — visual, from zero

Test yourself — Computer Networks