WHY it works: every server has a finite resource R (e.g. number of half-open TCP connections). If attacker requests cost the server more than they cost the attacker, the attacker wins by asymmetry.
Recall Countermeasures for (D)DoS
SYN cookies: server encodes connection state into the initial sequence number instead of allocating memory → no state until the ACK proves the client is real. Removes the asymmetry.
Rate limiting / traffic shaping, ingress filtering (BCP 38) to drop spoofed source IPs at the edge.
Rate limit / no state till verified (SYN cookies, scrubbing)
MITM
I'm talking to the real party
Authentication (TLS certs, signed DH)
Replay
A valid msg is valid once
Freshness (nonce, timestamp, challenge)
Recall Feynman: explain it to a 12-year-old
Imagine a shop (the server). DDoS is a flash mob crowding the door so real customers can't get in — you fix it by checking a quick ticket before letting anyone block the doorway. Man-in-the-middle is a sneaky messenger who carries notes between you and your friend, secretly reading and changing them — you beat him by sealing notes with a stamp only your friend can verify. Replay is someone who photocopies your "give me a cookie" note and hands it in again tomorrow — you stop it by writing today's secret password on each note so old copies don't work.
The attacker's cost per packet ca is far less than the server's forced cost cs, so amplification A=cs/ca≫1.
In a SYN flood, what resource is exhausted and how?
The half-open connection backlog: spoofed SYNs make the server reserve and hold slots until timeout T; with rate λ, held slots ≈λT.
State the SYN-flood collapse condition and its derivation.
λ≥B/T, from Little's Law L=λT exceeding backlog size B.
How do SYN cookies defeat SYN floods?
The server encodes connection state into the initial sequence number instead of allocating memory, so no state is kept until a valid ACK proves the client is real.
Why does DNS amplification use spoofed source IPs?
So the large reply (reflection) is sent to the victim, and the visible source is an innocent resolver, not the attacker.
Why is plain Diffie–Hellman vulnerable to MITM?
It provides a shared secret but no identity proof; Eve runs two DH exchanges and shares a key with each party. Fix: sign/authenticate the DH public values.
What single property does MITM exploit and what fixes it?
Missing authentication; fixed by certificates/signatures (TLS) binding identity to keys.
Why doesn't encryption alone stop a replay attack?
The attacker resends the genuine ciphertext without reading it; you need freshness (nonce/timestamp/sequence number), not just secrecy.
What is the role of a nonce vs a timestamp in replay defense?
Nonce: a once-only value tracked in a "seen" set so repeats are rejected; timestamp: accept only if within window Δ so old captures expire.
Why must a nonce be combined with a MAC?
Otherwise the attacker could simply change the nonce; the MAC t=MACK(m∥n) ties freshness to integrity.
Map each attack to its broken assumption.
DDoS: enough resources; MITM: talking to the real party; Replay: a valid message is valid only once.
How does challenge–response prevent replay?
Server issues a fresh random r; client returns MACK(r); an old response won't verify against the new challenge.
Network security me teen classic attacks samajhna 80/20 hai. DDoS me attacker ek hi server par hazaaron compromised machines (botnet) se traffic bhejta hai taaki uske resources khatam ho jaayein aur real users ko service na mile. Iska core idea asymmetry hai: attacker ko ek chhota SYN packet bhejna sasta padta hai, lekin server ko us half-open connection ka memory slot timeout T tak hold karna mehnga. Little's Law se held slots ≈λT, aur jab ye backlog B se bada ho jaaye (λ≥B/T) to server choke ho jaata hai. Fix: SYN cookies — server state allocate hi nahi karta jab tak valid ACK na aaye, plus rate limiting aur scrubbing.
Man-in-the-Middle me ek attacker beech me baith ke dono parties ke messages relay aur change karta hai, jabki dono soch rahe hote hain ki wo seedha baat kar rahe hain. Plain Diffie–Hellman isliye fail hota hai kyunki wo secret to bana deta hai par identity verify nahi karta — Eve do alag DH chala leti hai. Iska ilaaj hai authentication: TLS certificates ya signed keys, taaki tum confirm kar sako ki saamne wala asli server hi hai.
Replay attack sabse tricky hai: attacker tumhara genuine encrypted message bina padhe capture karta hai aur baad me dobara bhej deta hai (jaise "₹1000 transfer karo" do baar chal jaaye). Yahaan encryption kaam nahi aata kyunki message valid hi hai — problem freshness ki hai. Solution: har message me ek nonce (ek baar use hone wala number) ya timestamp lagao, aur usko MAC se bind karo. Server purana nonce dekh ke reject kar deta hai. Yaad rakho: DDoS → rate-limit, MITM → authentication, Replay → freshness. Yehi pura chapter ka nichod hai.