4.3.31 · D1 · Coding › Computer Networks › Network security — DDoS, man-in-the-middle, replay attacks,
Network security ka matlab hai un messages ko protect karna jo do trusting parties ke beech ek aise wire par travel karte hain jise koi stranger touch kar sakta hai . Is page par jo kuch bhi hai woh sirf teen sawaalon ka jawab dene ke liye tools hain: kisne bheja? (authentication), kya yeh naya hai? (freshness), aur kya main fake kaam mein duba diya ja raha hoon? (resource limits).
Parent note Network security — DDoS, MITM, replay & countermeasures padhne se pehle, tumhe uske symbols ek nazar mein padhne aane chahiye. Yeh page har ek symbol ko scratch se build karta hai, ek aisi order mein jahan har idea sirf upar wale ideas par tika ho.
Ek simple drawing socho. Left side par ek insaan — uska naam Alice hai. Right side par Bob hai. Dono ke beech mein ek line — yeh network wire hai. Us wire par baitha hua , har cheez dekhne aur chhoone ke saath, hai Eve — attacker.
Alice / Bob — do honest parties jo baat karna chahte hain. Picture mein, dono ends par khade do log.
Eve — attacker jo wire par messages ko read, copy, delete, ya inject kar sakti hai. Line par baitha dikhayi jaati hai, kyunki woh literally medium ke middle mein hai.
Message m — wire par cross karne wala koi bhi data chunk (ek login, ek bank transfer, ek SYN packet). Arrow par ek chhota sa envelope bana kar dikhaate hain.
Parent note mein jo bhi attack hai woh sirf Eve ka usi kaam karna hai jo uski position allow karti hai. Humein symbols chahiye jo yeh describe karein ki woh kya karti hai aur hum use kaise rokte hain — yeh hi is page ka baaki hissa hai.
Parent note SYN, SYN-ACK, ACK, "half-open", "backlog" baar baar use karta hai. Yeh wahan se aate hain.
Packet ek chhota labelled data ka envelope hai. Uske label par hamesha ek source address hota hai ("main kahan se claim karta hoon") aur ek destination address ("main kahan ja raha hoon"). Bas — ek envelope jisme from-line aur to-line hai.
From-line bahut important hai: basic network par koi bhi check nahi karta ki from-line sach hai. Jhoothi from-line likhna spoofing kehlata hai — SYN floods aur reflection ke peeche yahi ek trick hai.
Definition TCP three-way handshake
Do computers TCP par data exchange karne se pehle ek teen-step greeting karte hain:
Client → Server: SYN ("mujhe baat karni hai", SYN = synchronize ).
Server → Client: SYN-ACK ("suna tumhe, aur mujhe bhi baat karni hai").
Client → Server: ACK ("badhiya, ab hum connected hain"; ACK = acknowledge ).
Poori detail yahan hai: Transport Layer — TCP three-way handshake .
Topic ko yeh kyun chahiye: step 2 ke baad server ne likh liya hai ki yeh half-finished connection kiske saath hai, taaki woh ACK aane par pehchaan sake. Yeh likh-rakha note half-open connection kehlata hai, aur jis shelf par yeh rakhta hai woh hai backlog queue . Poora SYN-flood attack yahi hai ki Eve us shelf ko aise greetings se bhara de jo woh kabhi khatam nahi karti.
B aur timeout T
B — server ki shelf par half-open connections ke liye slots ki sankhya . Ek fixed, limited number (jaise 128).
T — kitni der (T seconds) server ek slot ko ==missing ACK ka intezaar karte hue rakhta hai==.
B pigeonholes socho; har naya greeting ek slot leta hai; T seconds baad unfinished wala bahar phek diya jaata hai.
SYN-flood formula hai λ ≥ B / T . Teen Greek/Latin letters — inhe ek ek samjhein.
λ
λ (Greek "lambda") ek rate hai: kitni cheezein per second hoti hain. Attacker har second 5000 SYNs bhej raha hai matlab λ = 5000 s − 1 . Ek tap socho: λ yeh hai ki boondein kitni tezi se girti hain.
L aur wait W
L — abhi system ke andar baithe items ki average sankhya (currently held slots).
W — har item kitni der tak andar rehta hai ka average (yahan W = T , ek hold-time).
c a , c s
c a — attacker ko ek attack packet ki kitni cost aati hai (effort, bytes, memory).
c s — wahi packet server ko kitna kharch karwa deta hai .
Ek see-saw socho: attacker ka chhota weight ek taraf, server ka bada forced weight doosri taraf.
≫ aur ∥
≫ ka matlab sirf "bahut zyada greater than" hai — koi naya operation nahi, ek feeling hai.
∥ (double bar) matlab concatenation : do data pieces ko end se end se jodhna. m ∥ n matlab "pehle m ke bytes, phir n ke bytes." Socho do paper strips ko tape se jodhna.
MITM aur replay dono keys par depend karte hain. Yeh minimum vocabulary hai.
Definition Shared secret / key
K
Key K ek aisa number hai jo sirf dono honest parties jaante hain, Eve nahi . Socho ek identical physical key jo sirf Alice aur Bob ke paas hai. Isse woh messages lock (encrypt) kar sakte hain aur authorship prove kar sakte hain (MAC).
Definition Diffie–Hellman shared key
K 1 , K 2
Diffie–Hellman key exchange ek aisi recipe hai jisse do anjaan log ek public room mein chillate hue bhi ek shared secret par agree kar sakte hain — sunne wala eavesdropper sab kuch sunke bhi use compute nahi kar sakta. Parent note likhta hai
Alice K 1 Eve K 2 Bob ,
matlab "Alice aur Eve secret K 1 share karte hain; Eve aur Bob secret K 2 share karte hain." Double arrow ka matlab hai "yeh key share karo". YEH KYUN MATTER KARTA HAI: DH secrecy deta hai lekin yeh nahi batata ki tumne kiske saath agree kiya — toh Eve beech mein baith ke do agreements chala sakti hai. Yahi gap poore MITM section ka aadhar hai.
Definition MAC aur notation
MAC K ( m )
Message Authentication Code ek chhota ==tag hai jo message m aur key K se compute hota hai==. Likha jaata hai MAC K ( m ) , padho "key K ke under, message m ka MAC." Jiske paas K hai woh ise recalculate kar ke check kar sakta hai; jiske paas K nahi woh ise forge nahi kar sakta. Socho ek wax seal jo sirf tumhari ring stamp kar sakti hai. Poori detail: Message Authentication Codes (MAC) & HMAC .
Yeh ek saath do sawaalon ka jawab deta hai: kya yeh sach mein K rakhne wale ne bheja? aur kya isme koi badlaav hua? — kyunki m ka ek bit bhi badlne se tag badal jaata hai.
n aur timestamp T s
Nonce n — ek baar use hone wala number ("n umber used once "). Har fresh message naya n le ke aata hai; receiver ek "dekha hua" list rakhta hai aur koi bhi pehle dekha hua n reject kar deta hai. Socho ek raffle ticket: har ek sirf ek baar valid.
Timestamp T s — message banane ka clock time . Tabhi accept karo jab yeh recent ho, yaani window Δ ke andar.
Δ aur condition ∣ T now − T s ∣ ≤ Δ
Δ (Greek "delta") ek tolerance hai — hum message ko kitna stale hone denge. Bars ∣ ⋅ ∣ ka matlab absolute value hai: gap ka size , sign ignore karke, toh future ya past ka message dono hi distance se judge hote hain. Socho ek sliding time-window; sirf andar ke messages andar aane dete hain.
Topic ko yeh sab kyun chahiye: ek replay attack ek genuine, valid message dobara bhejta hai. Encryption ise rok nahi sakta — copy abhi bhi theek se decrypt hogi. Sirf ek one-time ingredient (n ya T s ) kal ki copy ko aaj fail karata hai. MAC us ingredient ko message se glue karta hai taaki Eve khud naya n swap na kar sake: t = MAC K ( m ∥ n ) .
Definition Certificate & CA
Certificate ek signed statement hai "yeh public key is naam se belong karti hai" jo ek trusted Certificate Authority (CA) issue karta hai. Socho ek passport: ek trusted office vouches karta hai ki photo (key) us insaan (domain) se match karti hai. Yahi unauthenticated DH ko safe TLS handshake banata hai; trust chain hai Public Key Infrastructure & Certificates .
r aur response
Challenge r ek fresh random number hai jo verifier bhejta hai ("prove karo tum abhi zinda ho"). Response MAC K ( r ) prove karta hai ki responder K jaanta hai abhi, is r ke liye . Agली baar naya r koi bhi stored purana jawab useless bana deta hai — yahan se bhi freshness, doosri direction se.
Packet with spoofable source
TCP handshake SYN SYN-ACK ACK
Little's Law L equals lambda W
Nonce n and timestamp T_s
Har cue padho, aawaaz mein jawab do, phir reveal karo.
Spoofed source address se attacker kya kar sakta hai?Aisi packets bhej sakta hai jo kisi aur ki taraf se aati lagin, taaki replies (ya blame) ek victim ko jayein aur asli bhejna wala chhupa rahe.
TCP handshake teen shabdon mein batao. SYN, SYN-ACK, ACK.
λ ≥ B / T mein λ , B , T kya hain?λ = SYN arrival rate, B = backlog slots, T = slot timeout.
Little's Law ek equation mein. L = λW (andar items = arrival rate × har ek kitni der rehta hai).
Amplification factor A = c s / c a kya measure karta hai? Attacker ki ek unit effort par server ka kitna cost jalta hai; A ≫ 1 matlab ek chhhota attacker bade victim ko haara sakta hai.
m ∥ n ka matlab kya hai?Concatenation — pehle m ke bytes phir n ke bytes.
MAC K ( m ) kya prove karta hai?Ki message key K rakhne wale ne bheja aur isme badlaav nahi hua.
Encryption akele replay kyun nahi rok sakti? Ek copied valid ciphertext abhi bhi sahi se decrypt hogi; freshness ke liye ek one-time nonce ya timestamp chahiye.
Nonce n kya guarantee karta hai, aur ise enforce kaise kiya jaata hai? Ki message sirf ek baar use ho; receiver ek "dekha hua" set rakhta hai aur koi bhi repeated n reject kar deta hai.
∣ T now − T s ∣ ≤ Δ kya accept karta hai?Aisi messages jinka timestamp abhi se Δ seconds ke andar ho, kisi bhi direction mein.
Plain Diffie–Hellman mein jo gap hai usse certificate kaise fill karta hai? Authentication — yeh ek public key ko ek identity se bind karta hai, taaki tum jaano kiske saath tumne secret agree kiya.