4.3.31 · D1Computer Networks

Foundations — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

2,067 words9 min readBack to topic

Before you can read the parent note Network security — DDoS, MITM, replay & countermeasures, you must be able to read its symbols on sight. This page builds each one from nothing, in an order where every idea rests only on the ones above it.


0. The stage: two friends and a wire

Picture a plain drawing. On the left, a person we call Alice. On the right, Bob. Between them a single line — the network wire. Sitting on that wire, able to see and touch everything crossing it, is Eve, the attacker.

Figure — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

Every attack in the parent note is just Eve doing one of the things her position allows. We need symbols to describe what she does and how we stop her — that is the rest of this page.


1. A packet and the SYN handshake vocabulary

The parent note throws around SYN, SYN-ACK, ACK, "half-open", "backlog". Here is where those come from.

The from-line matters enormously: nothing on the basic network checks that the from-line is true. Writing a false from-line is called spoofing — the single trick behind SYN floods and reflection.

Figure — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

Why the topic needs this: after step 2 the server has already written down who this half-finished connection is with, so it can recognise the ACK when it comes. That written-down note is called a half-open connection, and the shelf it sits on is the backlog queue. The whole SYN-flood attack is Eve filling that shelf with greetings she never finishes.


2. Rate, count, and Little's Law (, , )

The SYN-flood formula reads . Three Greek/Latin letters — let's earn them.

Figure — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

3. Cost, amplification, and the factor


4. Keys, secrets, and the two lock styles

MITM and replay both hinge on keys. Here is the minimum vocabulary.


5. MAC, nonce, timestamp — the freshness toolkit

Why the topic needs all this: a replay attack resends a genuine, valid message. Encryption can't stop it — the copy still decrypts fine. Only a one-time ingredient ( or ) makes yesterday's copy fail today. The MAC glues that ingredient to the message so Eve can't just swap in a fresh herself: .


6. Certificates and challenge–response


7. How it all feeds the topic

Alice Bob Eve on a wire

Packet with spoofable source

TCP handshake SYN SYN-ACK ACK

Backlog B and timeout T

Little's Law L equals lambda W

Cost c_a and c_s

Amplification A

DDoS section

Key K

Diffie Hellman

MITM section

Certificate and CA

MAC of m

Nonce n and timestamp T_s

Replay section


Equipment checklist

Read each cue, answer aloud, then reveal.

What does a spoofed source address let an attacker do?
Send packets that appear to come from someone else, so replies (or blame) go to a victim and the real sender is hidden.
State the TCP handshake in three words.
SYN, SYN-ACK, ACK.
In , what are , , ?
= SYN arrival rate, = backlog slots, = slot timeout.
Little's Law in one equation.
(items inside = arrival rate × time each stays).
What does the amplification factor measure?
Server cost burned per unit of attacker effort; means a small attacker beats a big victim.
What does mean?
Concatenation — the bytes of followed by the bytes of .
What does prove?
That the message came from someone holding key and was not altered.
Why can't encryption alone stop a replay?
A copied valid ciphertext still decrypts correctly; you need a one-time nonce or timestamp for freshness.
What does a nonce guarantee, and how is it enforced?
That a message is used only once; the receiver keeps a "seen" set and rejects any repeated .
What does accept?
Messages whose timestamp is within seconds of now, in either direction.
What gap in plain Diffie–Hellman does a certificate fill?
Authentication — it binds a public key to an identity, so you know who you agreed the secret with.