4.3.31 · D5Computer Networks

Question bank — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures

1,346 words6 min readBack to topic

True or false — justify

Encryption alone is enough to stop a replay attack.
False. A replayed ciphertext is a genuine message, so it decrypts and verifies perfectly; you need freshness (nonce/timestamp/sequence number), which secrecy does not provide. See Message Authentication Codes (MAC) & HMAC.
Plain Diffie–Hellman key exchange gives you a secure, private channel.
False. It gives a shared secret no eavesdropper can read (secrecy) but proves nobody's identity (no authentication), so an active attacker runs two exchanges and sits in the middle.
A DDoS attack always requires the attacker to send more total bytes than the victim can receive.
False. Amplification/reflection attacks make the server or reflector spend far more than the attacker (), so a small attacker can flood a large victim.
Doubling the SYN backlog size makes a SYN flood twice as hard.
False. The collapse condition is ; the attacker simply doubles the SYN rate and the queue fills again. The real fix is allocating no state (SYN cookies).
A MAC on every message stops replay attacks by itself.
False. A MAC proves integrity and authenticity, but a captured message's MAC is still valid on resend — you must also bind a nonce or timestamp into the MACed data.
SYN cookies remove the resource asymmetry of a SYN flood.
True. The server encodes connection state inside the sequence number instead of reserving memory, so no state is held until the client's ACK proves it is real, killing the cheap-attack/expensive-defense gap.
TLS defeats replay attacks even though raw encryption does not.
True. TLS adds internal sequence numbers to every record, so a replayed record is out of order and rejected — freshness is built in, unlike bare encryption.
Ingress filtering (BCP 38) can stop all DDoS attacks.
False. BCP 38 blocks spoofed source IPs at the network edge, which cripples reflection attacks, but a botnet using real IPs still floods you legitimately-looking.
An attacker who can't decrypt your traffic can still perform a replay attack.
True. Replay never touches the plaintext; the attacker copies the valid ciphertext and re-sends it, letting the receiver do the same action twice.

Spot the error

"To stop a DDoS, just block the attacker's single IP address."
A DDoS uses thousands of botnet/spoofed IPs and reflectors; per-IP blocking cannot scale, and blocking reflectors punishes innocent servers.
"ARP spoofing works because switches forward traffic to the wrong port."
The error: it works because hosts cache ARP replies without verification (IP→MAC), so a forged reply redirects traffic at the host, not because the switch misroutes.
"A challenge–response login is safe because the password is encrypted."
Encryption isn't the point — safety comes from the fresh random challenge : an old captured response won't verify against a new , so replay fails even without encryption.
"HSTS encrypts your traffic so a man-in-the-middle can't read it."
HSTS does not encrypt anything; it forces the browser to use HTTPS, preventing an attacker from stripping the connection down to plain HTTP.
"Since the DNS query is only 60 bytes, DNS amplification is a weak attack."
The 60-byte query is the attacker's cost; the ~3000-byte reply hits the victim, so amplification makes it strong precisely because the sent packet is tiny.
"MITM is defeated by encrypting the channel."
Encryption without identity verification still lets an attacker run two encrypted channels (one with each party); you must authenticate the keys via certificates or signatures.
"Using Little's Law requires knowing the exact arrival pattern of SYNs."
Little's Law holds for the long-run average regardless of the arrival pattern; you only need average rate and average hold time .

Why questions

Why does spoofing the source IP make a SYN flood work?
The spoofed owner never sends the final ACK, so the connection stays half-open and the server holds the slot until timeout — that held state is the exhausted resource.
Why does the attacker in a reflection attack spoof the victim's IP, not their own?
So the resolver's large reply is sent to the victim (reflection), hiding the attacker and pointing amplified traffic at the target.
Why does authenticating the DH public values (with a signature) stop MITM?
A signed public value proves it came from the real party; the attacker cannot forge that signature, so they can't substitute their own key into the middle.
Why do we bind the nonce inside the MAC rather than sending it alongside?
If the nonce were outside the MAC, the attacker could change it freely; MACing ties freshness to integrity so a tampered nonce fails verification. See Transport Layer — TCP three-way handshake for where sequence numbers play this role.
Why does raising (via CAPTCHA / proof-of-work) help against DDoS?
The amplification factor is ; making each attack request expensive drives down so one attacker can no longer overwhelm the server.
Why is "encrypt and authenticate" the general rule against MITM?
Encryption alone hides content but not identity; only authentication guarantees the other end is who they claim, closing the relay attack.

Edge cases

If a nonce is chosen randomly but the "seen" set is cleared every hour, is replay fully prevented?
No — a message captured and replayed within the same window before clearing still has an unseen nonce; you need either a persistent set or a timestamp window tighter than reuse.
What happens to timestamp-based freshness if the two clocks drift far apart?
Legitimate messages may fall outside and be wrongly rejected, or must be widened, which enlarges the replay window — clock sync is a real dependency.
In a SYN flood, what is the behaviour exactly at ?
The queue is exactly full on average; any additional legitimate SYN finds no slot, so service degradation begins precisely at this boundary, not strictly above it.
If timeout (instant slot release), does the SYN flood still work?
No — from , as the required attack rate , so the attacker cannot fill the queue; fast timeouts are a genuine mitigation.
Can a replay attack succeed against a stateless server that keeps no "seen" set at all?
Yes, easily — with no memory of past nonces, every replayed message looks new; statelessness must be paired with timestamps or signed sequence numbers to stay safe.
Is a botnet using only legitimate, non-spoofed IPs stopped by SYN cookies?
SYN cookies stop the state-exhaustion half-open trick, but a large enough botnet completing real handshakes can still exhaust bandwidth or CPU — cookies are not a cure for volumetric DDoS.

Recall One-line summary of the three fixes

DDoS → don't allocate state / limit resources; MITM → authenticate identities; Replay → enforce freshness. Every trap above is a case where someone reached for the wrong one of these three.