YEH KAAM KYUN KARTA HAI: har server ke paas ek finite resource R hoti hai (jaise ki half-open TCP connections ki sankhya). Agar attacker ke requests server ko attacker se zyada kharcha karaate hain, toh attacker asymmetry se jeet jaata hai.
Recall (D)DoS ke liye Countermeasures
SYN cookies: server connection state ko memory allocate karne ki jagah initial sequence number mein encode karta hai → koi state nahi jab tak ACK client ka real hona prove na kare. Asymmetry remove hoti hai.
Rate limiting / traffic shaping, ingress filtering (BCP 38) edge pe spoofed source IPs drop karne ke liye.
TLS with certificates: server apni identity ek CA-signed certificate ke zariye prove karta hai; public key domain name se bound hoti hai. Extra safety ke liye certs pin karo.
HSTS HTTPS force karta hai taaki attacker use HTTP mein strip na kar sake.
Rate limit / verify hone tak koi state nahi (SYN cookies, scrubbing)
MITM
Mein real party se baat kar raha hoon
Authentication (TLS certs, signed DH)
Replay
Ek valid msg ek baar valid hota hai
Freshness (nonce, timestamp, challenge)
Recall Feynman: ek 12-saal ke bachche ko explain karo
Ek dukaan (server) imagine karo. DDoS ek flash mob jaisa hai jo darwaaze par bheed laga deta hai taaki real customers andar na aa sakein — tum isse fix karte ho ek quick ticket check karke pehle kisi ko darwaaza block karne dene se. Man-in-the-middle ek cheater messenger jaisa hai jo tumhare aur tumhare dost ke beech notes le jaata hai, unhe secretly padh aur badal raha hota hai — tum use ek aisi seal se harate ho jo sirf tumhara dost verify kar sakta hai. Replay koi hai jo tumhara "mujhe ek cookie do" wala note photocopy karke kal phir se de deta hai — tum use rok dete ho har note pe aaj ka secret password likhke taaki purani copies kaam na aayein.
λ≥B/T, Little's Law L=λT se jo backlog size B se exceed kare.
SYN cookies SYN floods ko kaise defeat karte hain?
Server connection state ko memory allocate karne ki jagah initial sequence number mein encode karta hai, toh koi state nahi rakhi jaati jab tak ek valid ACK client ka real hona prove na kare.
DNS amplification spoofed source IPs kyun use karta hai?
Taaki bada reply (reflection) victim ke paas jaaye, aur visible source ek innocent resolver ho, attacker nahi.
Plain Diffie–Hellman MITM ke liye vulnerable kyun hai?
Yeh ek shared secret provide karta hai lekin koi identity proof nahi; Eve do DH exchanges run karti hai aur har party ke saath ek key share karti hai. Fix: DH public values sign/authenticate karo.
MITM ek hi kaun si property exploit karta hai aur kya fix karta hai?
Missing authentication; certificates/signatures (TLS) se fix hota hai jo identity ko keys se bind karta hai.
Replay defense mein nonce aur timestamp ka role kya hai?
Nonce: ek once-only value jo ek "seen" set mein track hoti hai taaki repeats reject ho; timestamp: sirf tab accept karo agar window Δ ke andar ho taaki purane captures expire ho jaayein.
Nonce ko MAC ke saath combine kyun karna chahiye?
Warna attacker sirf nonce change kar leta; MAC t=MACK(m∥n) freshness ko integrity se tie karta hai.
Har attack ko uski toodi gayi assumption se map karo.
DDoS: enough resources; MITM: real party se baat ho rahi hai; Replay: ek valid message sirf ek baar valid hota hai.
Challenge–response replay ko kaise prevent karta hai?
Server ek fresh random r issue karta hai; client MACK(r) return karta hai; ek purana response naye challenge ke against verify nahi karega.