Exercises — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures
Symbols you will meet, in plain words first:
- — a finite resource the server has (memory slots, CPU cycles, bandwidth). Think of a car park with a fixed number of spaces. For a SYN flood the specific is the backlog of half-open connections, measured by below.
- — backlog size: how many half-finished TCP connections the server can remember at once (parking spaces reserved for cars still driving in). This is the concrete used in every SYN-flood exercise here.
- — timeout: how long a reserved slot is held before the server gives up and frees it.
- (lambda) — arrival rate: how many attack packets arrive per second.
- — time-in-system: how long one item stays inside the system before it leaves (for a SYN flood, this is exactly the hold time ). We name it separately only because the general Little's Law is written with ; here .
- — average number of slots occupied at any instant.
- — cost of one attack packet to the attacker vs to the server. Pick one metric per problem and keep it consistent: for amplification/reflection the metric is bytes on the wire (bandwidth); for state-exhaustion (SYN flood) the metric is memory held × time. Never mix the two in a single .
- — amplification factor (how much bigger the server's pain is than the attacker's effort), in whichever single metric the problem uses.
Level 1 — Recognition
L1.1 — Name the attack
For each scenario, name the attack (DDoS / MITM / Replay) and the broken assumption.
- (a) An attacker records your encrypted "pay ₹1000" message and sends the exact same bytes to the bank an hour later.
- (b) 40,000 hijacked home routers all request a webpage at the same second, and the site falls over.
- (c) On café Wi-Fi, someone forges ARP replies so your traffic flows through their laptop before reaching the router.
Recall Solution
- (a) Replay. Broken assumption: a valid message is valid only once. Note the attacker never decrypts anything — genuine bytes, faked freshness.
- (b) DDoS (distributed). Broken assumption: the server has enough resources for everyone. "Many machines" = distributed.
- (c) MITM (via ARP spoofing). Broken assumption: I'm talking directly to the real party.
L1.2 — Match the fix
Match each fix to the attack it primarily defeats: SYN cookies · CA-signed certificate · nonce in the message.
Recall Solution
- SYN cookies → DDoS (specifically SYN floods: don't allocate state until the client proves it's real).
- CA-signed certificate → MITM (authentication: bind the public key to the domain name).
- Nonce → Replay (freshness: a repeated nonce is rejected).
Level 2 — Application
L2.1 — SYN-flood threshold
A server holds each half-open connection for s and its backlog is slots (this is the concrete finite resource for this attack). Using (Little's Law) and the collapse condition , find the minimum attack rate (SYNs/sec) that fills the queue.
Recall Solution
WHAT: we want the smallest that makes occupied slots reach the ceiling . WHY Little's Law: Little's Law says the average number of items inside a system is , where is the arrival rate and is the time each item spends inside (both defined in the symbol list above). Here an "item" is a half-open connection, its arrival rate is the SYN rate , and its time-inside is exactly the hold time, so . Substituting gives . It answers "how many things are in the system on average" from just rate × time-inside — no simulation needed. So a trickle of ~18 spoofed SYNs per second already jams a naive server. That tiny number is exactly why SYN floods are dangerous — the attacker barely sweats.
L2.2 — Amplification factor
A DNS query is bytes; the reply is bytes. Here the metric for is bytes on the wire (bandwidth), not memory. (a) Compute . (b) If the attacker can push Mbit/s of queries, how much reflected traffic hits the victim?
Recall Solution
(a) (a pure bandwidth ratio — same unit top and bottom). (b) Reflected bandwidth . WHY it matters: the victim sees the attacker's output, and the source IPs are innocent resolvers — you can't just blocklist the attacker.
L2.3 — Timestamp freshness window
A server accepts a message with timestamp only if with s. A message stamped at s arrives at the server at s. Accept or reject? What if it arrives at s?
Recall Solution
- At : → accept.
- At : → reject (message is "too old", the capture has expired). WHY exists: it's the trade-off dial — small blocks replays faster but breaks under clock skew/network delay; large tolerates lag but leaves a longer replay window.
Level 3 — Analysis
L3.1 — Where does the SYN-flood formula stop applying?
The formula assumes every arriving SYN is held for the full timeout . Name three real mechanisms that break this assumption and say which direction each moves and why.
Recall Solution
- SYN cookies: the server holds no state, so effectively (no queue to fill) → . Direction: rises without bound. The formula no longer applies; the flood can't exhaust memory it never used.
- Adaptive/short timeout (SYN-RECV recycling): the server drops the oldest half-open entries early, so effective shrinks. Since , a smaller raises — the attacker must send faster to keep the queue full, because each slot frees sooner.
- Rate limiting (per source): treat it as an effective ceiling. If the limiter admits at most SYNs per source, then a single source must satisfy to collapse the queue — which it usually can't. Direction: the per-source is unchanged, but the rate any one source can actually deliver is capped below it, so a lone attacker can no longer reach . To still hit in aggregate the attacker needs at least distinct sources — and spoofing/botnets supply exactly those many IPs, defeating naive per-IP limits. This is the loophole figure s01 highlights (green floor = the SYN-cookie fix that removes entirely).
Read figure s01 below: the dashed gray line is the unbounded model ; the solid blue line is reality, rising with until it slams into the red ceiling and collapses. The orange marker sits at /s — the exact rate where the blue line first touches the ceiling. The green floor shows what SYN cookies do: with no state to hold, the occupancy line never leaves zero, so there is no ceiling to hit at any .

L3.2 — Why plain Diffie–Hellman falls to MITM
Alice and Bob run Diffie–Hellman (DH) to agree a secret over a public wire. Eve sits in the middle. Explain, step by step, why no eavesdropper reading the wire protects them, and what single property is missing.
Recall Solution
Notation used below (defined before use):
- A shared secret is the single number two parties end up both knowing after a DH run; nobody who only reads the wire can compute it.
- The double-arrow is read as: " and have completed a DH exchange and now jointly hold the secret ." It is a relationship label, not an equation — the arrow points both ways because a shared secret is symmetric (both sides hold the same ).
WHAT DH gives: each side sends a public value over the wire (Alice's and Bob's DH public values), and from the other side's public value plus its own private number it computes the shared secret. An eavesdropper who only reads the public values cannot derive that secret. So secrecy against a passive listener is real. WHY it still fails: Eve is active, not passive. She intercepts each public value and substitutes her own, running two separate DH exchanges. Below, and are the two resulting shared secrets (not the public values): is the secret Alice and Eve end up computing together, and is the secret Bob and Eve compute together. Alice thinks is shared with Bob; Bob thinks is shared with Alice — but both secrets are actually held by Eve. Eve decrypts each message with the key for that side and re-encrypts with the other, relaying invisibly. Missing property: authentication. DH never asks "is this public value really from Bob?" The cure is to sign the DH public values (a certificate binds the key to an identity) — exactly what TLS handshake does using Public Key Infrastructure & Certificates.
Read figure s02 below: the two orange double-arrows are the two separate secrets (Alice⟷Eve) and (Bob⟷Eve) that Eve actually holds; the dashed gray arrow underneath is the single direct channel Alice and Bob believe they have. The visual gap between the orange reality and the gray belief is the missing authentication.

L3.3 — Nonce vs timestamp: pick the failure mode
A payment API must stop replays. (a) With a nonce + "seen" set, what resource grows without bound, and what happens if it's cleared? (b) With a timestamp window , what silent assumption about the two clocks can an attacker exploit?
Recall Solution
(a) The "seen" set of used nonces grows forever (memory). If you clear it to save memory, a previously-used nonce becomes acceptable again → the old replay works. Pure nonce = perfect within one session but unbounded state. (b) Timestamps assume the client and server clocks agree (within ). If an attacker can push the server's clock (e.g. spoof NTP) or if is generous, a captured message stays "fresh" long enough to replay. Timestamps bound memory (no set) but trade it for a clock-trust assumption. Best practice: combine them — a short timestamp window plus a nonce set that only needs to remember nonces seen inside the current , keeping memory bounded.
Level 4 — Synthesis
L4.1 — Design a replay-proof, integrity-checked message
You must design a single message format so the server accepts each request at most once and rejects any tampering. You have a shared key and a MAC function. Write the message and the exact server-side accept rule, and justify each field.
Recall Solution
Message: where
- = the actual request ("transfer ₹1000 to Bob"),
- = a fresh nonce (never reused),
- = a tag over both the request and the nonce.
Server accept rule — all three must hold:
- recomputed → proves integrity + authenticity (only a holder of could make it; untampered).
- → proves freshness (not a replay).
- On accept, insert into SeenSet.
WHY the MAC covers too: if the tag were only over , Eve could swap in a new , keep the old valid tag on ... but the tag wouldn't match anymore — good. Conversely if we MAC'd alone, she could keep and change . Binding both under one tag ties freshness to integrity. This uses Message Authentication Codes (MAC) & HMAC.
L4.2 — Turn L4.1 into a challenge–response (no client-side nonce)
Redesign so the server supplies the freshness value, removing the client's "seen set" burden. Give the exact 3-step message format and accept rule, and make sure the request is integrity-protected (not optional).
Recall Solution
Challenge–response (request bound in, mandatory):
- Server → Client: a fresh random challenge . Why: is unpredictable, so a stored old response is useless; and the server owns freshness, so no unbounded client set is needed — is naturally single-use per session.
- Client → Server: the pair . Why: the tag covers both the fresh challenge and the request , so the client proves it knows right now, for this , and cannot be tampered without breaking the tag. (Binding is required, not optional — otherwise an attacker who saw a valid could attach any request to it.)
- Server: recompute using the it just issued; accept iff it matches and is still outstanding, then discard . Next session issues a new → yesterday's reply cannot verify.
Trade-off vs L4.1: costs one extra round-trip, but the server needs to remember only the currently outstanding challenges, not every nonce ever seen.
Level 5 — Mastery
L5.1 — Full attack-chain defense
An online bank is hit by three problems at once: (1) SYN floods from spoofed IPs, (2) café-Wi-Fi users getting MITM'd, (3) captured "transfer" requests being replayed. Assign one primary countermeasure to each and state the broken assumption each restores.
Recall Solution
| Problem | Primary fix | Restored assumption |
|---|---|---|
| (1) SYN flood | SYN cookies + [[Firewalls, NAT & Ingress Filtering (BCP 38) | ingress filtering]] |
| (2) MITM on Wi-Fi | TLS with CA-signed certificate (+ HSTS) | you're talking to the real bank (authentication) |
| (3) Replay of transfers | nonce + MAC (or challenge–response) | a valid message is valid once (freshness) |
| Each fix maps to exactly one of the three pillars from the parent note: rate/resource limits, authentication, freshness. |
L5.2 — Prove a mitigation actually removes the asymmetry
Recall . A SYN flood without cookies has = one 60-byte SYN and = a memory slot held for s → huge . Explain, in terms of , why SYN cookies neutralize the attack, and why a proof-of-work / CAPTCHA neutralizes an application-layer flood.
Recall Solution
Keep one metric in mind: effort per request. is the ratio of the server's effort to the attacker's effort for one request; the attacker wins only when . SYN cookies drive ≈ by lowering : the server encodes the connection state inside the initial sequence number it sends back, storing nothing. So a spoofed SYN now costs the server one cheap SYN-ACK computation and no held memory — collapses from "30 s of RAM" to "one hash." With now about as small as , we get : the attacker no longer gains leverage; to hurt the server it must spend as much as the server does, which for a botnet is no longer a bargain. Proof-of-work / CAPTCHA drive by raising : they force the client to burn CPU (solve a hash puzzle, PoW) or human time (read a CAPTCHA) before the server does its expensive work. Now balloons — say the puzzle costs the attacker as much as serving the request costs the server — so . A single attacker can no longer cheaply generate millions of costly requests, because each one now costs them real CPU or a human. The unifying idea: the attack lives entirely on . There are exactly two levers to force — shrink (cookies: don't do expensive work for unverified clients) or grow (PoW/CAPTCHA: make the client pay up front). Both destroy the asymmetry that made the flood profitable.
L5.3 — Numeric: does the fix hold under 10× attack?
Before cookies: , s, so collapse at /s (L2.1). The attacker now sends SYN/s (over 10× threshold). (a) By what factor is the pre-fix server over its limit? (b) After SYN cookies, the "held slots" model no longer applies — argue in one line why /s is now a non-event.
Recall Solution
(a) Over-limit factor . The pre-fix queue is swamped almost twelve-fold — total collapse for real users. (b) With cookies there is no backlog queue to fill: state lives in the sequence number, freed automatically because it's never stored. SYN-ACK computations/sec is trivial CPU; there is no resource being exhausted, so the collapse condition has no to reference. The attack's leverage () is gone.
Recall One-line self-test (cover the answers)
Broken assumption of DDoS ::: server has enough resources for everyone. Broken assumption of MITM ::: I'm talking to the real party (authentication missing). Broken assumption of replay ::: a valid message is valid only once (freshness missing). SYN-flood collapse condition ::: . What SYN cookies change in ::: they slash (no held state) so . What proof-of-work changes in ::: it grows so . Why plain DH is MITM-vulnerable ::: it gives secrecy but not authentication of the public values. Two fields a MAC must cover to stop replay ::: the message and the nonce , together.