4.3.31 · D5 · HinglishComputer Networks

Question bankNetwork security — DDoS, man-in-the-middle, replay attacks, countermeasures

1,545 words7 min read↑ Read in English

4.3.31 · D5 · Coding › Computer Networks › Network security — DDoS, man-in-the-middle, replay attacks,


True or false — justify

Encryption akela replay attack rokne ke liye kaafi hai.
False. Ek replayed ciphertext ek genuine message hota hai, isliye wo perfectly decrypt aur verify ho jaata hai; tumhe freshness chahiye (nonce/timestamp/sequence number), jo secrecy provide nahi karti. Dekho Message Authentication Codes (MAC) & HMAC.
Plain Diffie–Hellman key exchange tumhe ek secure, private channel deta hai.
False. Ye ek aisa shared secret deta hai jo koi eavesdropper nahi padh sakta (secrecy), lekin kisi ki bhi identity prove nahi karta (no authentication), isliye ek active attacker do exchanges run kar ke beech mein baith sakta hai.
Ek DDoS attack ke liye hamesha attacker ko victim se zyada total bytes bhejna padta hai.
False. Amplification/reflection attacks mein server ya reflector attacker se bahut zyada spend karta hai (), isliye ek chota attacker ek bade victim ko flood kar sakta hai.
SYN backlog size ko double karne se SYN flood do guna mushkil ho jaata hai.
False. Collapse condition hai ; attacker simply SYN rate double kar deta hai aur queue phir bhar jaati hai. Asli fix hai no state allocate karna (SYN cookies).
Har message par MAC replay attacks ko akele rok deta hai.
False. MAC integrity aur authenticity prove karta hai, lekin ek captured message ka MAC resend par bhi valid rehta hai — tumhe MACed data mein ek nonce ya timestamp bhi bind karna hoga.
SYN cookies ek SYN flood ki resource asymmetry ko khatam kar dete hain.
True. Server connection state ko sequence number ke andar encode karta hai memory reserve karne ki jagah, isliye client ka ACK prove hone tak koi state hold nahi hoti — iska matlab cheap-attack/expensive-defense gap khatam ho jaata hai.
TLS replay attacks ko defeat karta hai jabki raw encryption nahi karta.
True. TLS har record mein internal sequence numbers add karta hai, isliye ek replayed record out of order hota hai aur reject ho jaata hai — bare encryption ke unlike, freshness built-in hai.
Ingress filtering (BCP 38) saare DDoS attacks rok sakti hai.
False. BCP 38 network edge par spoofed source IPs block karta hai, jo reflection attacks ko kamzor karta hai, lekin real IPs use karne wala botnet abhi bhi legitimately-looking flood kar sakta hai.
Ek attacker jo tumhara traffic decrypt nahi kar sakta, phir bhi replay attack kar sakta hai.
True. Replay plaintext ko kabhi nahi chhoota; attacker valid ciphertext copy karta hai aur re-send karta hai, receiver ko same action do baar karne deta hai.

Spot the error

"DDoS rokne ke liye, bas attacker ki single IP address block kar do."
Ek DDoS hazaaron botnet/spoofed IPs aur reflectors use karta hai; per-IP blocking scale nahi ho sakti, aur reflectors block karna innocent servers ko punish karta hai.
"ARP spoofing kaam karta hai kyunki switches traffic ko galat port par forward karte hain."
Error ye hai: ye kaam karta hai kyunki hosts ARP replies ko bina verification ke cache karte hain (IP→MAC), isliye ek forged reply traffic ko host level par redirect karta hai, switch ke galat route karne ki wajah se nahi.
"Ek challenge–response login safe hai kyunki password encrypted hai."
Encryption point nahi hai — safety fresh random challenge se aati hai: ek purana captured response ek naye ke against verify nahi hoga, isliye encryption ke bina bhi replay fail hoti hai.
"HSTS tumhara traffic encrypt karta hai isliye man-in-the-middle use nahi padh sakta."
HSTS kuch bhi encrypt nahi karta; ye browser ko HTTPS use karne par force karta hai, attacker ko connection ko plain HTTP par strip karne se rokta hai.
"Kyunki DNS query sirf 60 bytes hai, DNS amplification ek weak attack hai."
60-byte query attacker ki cost hai; ~3000-byte reply victim ko hit karti hai, isliye amplification ise strong banata hai precisely kyunki bheja gaya packet chota hai.
"MITM channel ko encrypt karke defeat hota hai."
Identity verification ke bina encryption abhi bhi attacker ko do encrypted channels run karne deta hai (ek har party ke saath); tumhe certificates ya signatures ke zariye keys ko authenticate karna hoga.
"Little's Law use karne ke liye SYNs ke exact arrival pattern ka pata hona zaroori hai."
Little's Law arrival pattern se independent long-run average ke liye hold karta hai; tumhe sirf average rate aur average hold time chahiye.

Why questions

Source IP spoof karna SYN flood ko kyon kaam karne deta hai?
Spoofed owner kabhi final ACK nahi bhejta, isliye connection half-open rehta hai aur server timeout tak slot hold karta hai — wo held state hi exhausted resource hai.
Reflection attack mein attacker victim ka IP spoof kyun karta hai, apna kyun nahi?
Taaki resolver ka bada reply victim ko bheja jaaye (reflection), attacker chhupta rahe aur amplified traffic target par point ho.
DH public values ko authenticate karna (signature ke saath) MITM kyun rok deta hai?
Ek signed public value prove karta hai ki wo real party se aaya; attacker wo signature forge nahi kar sakta, isliye wo apni khud ki key beech mein substitute nahi kar sakta.
Nonce ko MAC ke andar bind karna MAC ke saath bhejna kyun zaroori hai?
Agar nonce MAC ke bahar hota, attacker use freely change kar sakta; ko MACing karna freshness ko integrity se tie karta hai isliye ek tampered nonce verification fail kar deta hai. Dekho Transport Layer — TCP three-way handshake jahan sequence numbers ye role play karte hain.
badhana (CAPTCHA / proof-of-work ke zariye) DDoS ke against kyun help karta hai?
Amplification factor hai ; har attack request ko expensive banana ko neeche drive karta hai isliye ek attacker akele server ko overwhelm nahi kar sakta.
"encrypt aur authenticate" MITM ke against general rule kyun hai?
Encryption akele content chhupaata hai lekin identity nahi; sirf authentication guarantee deta hai ki doosra end wohi hai jo claim karta hai, relay attack close karta hai.

Edge cases

Agar ek nonce randomly choose kiya gaya lekin "seen" set har ghante clear ho jaata hai, toh kya replay fully prevent hota hai?
Nahi — ek message jo capture karke same window mein clearing se pehle replay kiya gaya, abhi bhi unseen nonce hai; tumhe ya toh ek persistent set chahiye ya ek timestamp window jo reuse se tighter ho.
Agar do clocks bahut door drift ho jayein toh timestamp-based freshness ka kya hoga?
Legitimate messages ke bahar fall ho sakte hain aur galti se reject ho sakte hain, ya ko wide karna padega, jo replay window ko bada karta hai — clock sync ek real dependency hai.
SYN flood mein, exactly par kya behaviour hota hai?
Queue average par exactly full hoti hai; koi bhi additional legitimate SYN koi slot nahi paata, isliye service degradation precisely is boundary par shuru hoti hai, strictly iske upar nahi.
Agar timeout ho (instant slot release), kya SYN flood tab bhi kaam karega?
Nahi — se, jaise required attack rate hoti hai, isliye attacker queue nahi bhar sakta; fast timeouts ek genuine mitigation hain.
Kya ek stateless server jo koi "seen" set maintain nahi karta, ke against replay attack succeed kar sakta hai?
Haan, aasaani se — past nonces ki koi memory nahi hone se, har replayed message naya lagta hai; statelessness ko safe rehne ke liye timestamps ya signed sequence numbers ke saath pair karna zaroori hai.
Kya sirf legitimate, non-spoofed IPs use karne wala botnet SYN cookies se ruk jaata hai?
SYN cookies state-exhaustion half-open trick ko rokti hain, lekin real handshakes complete karne wala ek bada botnet abhi bhi bandwidth ya CPU exhaust kar sakta hai — cookies volumetric DDoS ka ilaaj nahi hain.

Recall Teen fixes ka one-line summary

DDoS → state allocate mat karo / resources limit karo; MITM → identities authenticate karo; Replay → freshness enforce karo. Upar har ek trap ek aisa case hai jahan kisine in teeno mein se galat wala choose kiya.