4.3.31 · D2 · HinglishComputer Networks

Visual walkthroughNetwork security — DDoS, man-in-the-middle, replay attacks, countermeasures

2,523 words11 min read↑ Read in English

4.3.31 · D2 · Coding › Computer Networks › Network security — DDoS, man-in-the-middle, replay attacks,

Yeh 4.3.31 Network security — DDoS, man-in-the-middle, replay attacks, countermeasures ka visual companion hai. Yeh TCP three-way handshake aur Little's Law pe rely karta hai.


Step 1 — Honest handshake, taaki hum jaanein "normal" kaisa dikhta hai

KYA HAI. Do computers jo TCP pe baat karna chahte hain, koi bhi real data flow hone se pehle ek choti teen-message ki greeting karte hain: SYNSYN-ACKACK.

KYUN. Hume pehle normal case draw karna hai, kyunki attack kuch nahi balki yahi greeting hai jo jaanbujhkar adhoori chhodi gayi hai. Trap tab tak nahi dikhaai deta jab tak darwaza sahi kaam karta nahi dekha.

PICTURE. Neeche, time neeche ki taraf chalta hai. Client (left) kehta hai "main baat karna chahta hoon" (SYN). Server (right) jawab deta hai "theek hai, aur main bhi baat karna chahta hoon" (SYN-ACK) — aur usi pal use likh lena padhta hai ki yeh adhi-adhoori connection kiske liye hai, taaki baad mein pata chale ki final message kiske baare mein hai. Client ACK se complete karta hai. Connection tab hi real hai jab ACK aa jaaye.


Step 2 — Notebook finite hai: backlog queue se miliye

KYA HAI. Woh "notebook" jahan server har adhi-adhoori handshake store karta hai, usmein fixed number of lines hoti hain. Hum us number ko (backlog) kehte hain.

KYUN. Har real resource finite hota hai. Agar notebook infinite hoti toh koi attack nahi hota. Limit ko naam dena hi ek vague darr ko ek number mein badal deta hai jise hum challenge kar sakte hain.

PICTURE. Backlog ko slots ki ek rack ki tarah draw kiya gaya hai. Ek half-open connection ek slot tab se occupy karta hai jab server SYN-ACK bhejta hai, jab tak ya toh connection complete ho jaaye (ACK aa jaaye) ya give up ho jaaye.


Step 3 — Slot instantly free nahi hota: timeout se miliye

KYA HAI. Agar final ACK kabhi nahi aata, toh server slot ko hamesha ke liye hold nahi karta. Woh time wait karta hai, phir give up karke slot free karta hai.

KYUN. Hume jaanna hai ki ek buri connection slot mein kitni der baithe rehti hai, kyunki lamba time hold kiya gaya slot ek briefly hold kiye gaye slot se kaafi zyada damaging hota hai. us "squat" ki length hai.

PICTURE. Ek slot ki zindagi: SYN-ACK pe fill hoti hai, phir length ka countdown. Agar ACK aa jaaye, toh pehle hi khaali ho jaata hai (green). Agar ACK kabhi na aaye — attacker ka poora plan yahi hai — toh poore tak full rehta hai (amber) aur tabhi khaali hota hai.


Step 4 — Attack: source spoof karo taaki ACK kabhi na aa sake

KYA HAI. Attacker SYN packets bhejta hai jo fake (spoofed) return address carry karte hain. Woh inhe us rate se bhejta hai jise hum kehte hain — Greek letter "lambda," bas "kitne SYNs per second" ka naam.

KYUN spoof? Ek saath do fayde. (1) Server ka SYN-ACK fake address pe chala jaata hai, jo kabhi finishing ACK nahi bhejta — isliye slot poore tak squat karna guaranteed hai. (2) Attacker ko uske source IP se trace nahi kiya ja sakta. Yahi attack ka poora engine hai.

PICTURE. Attacker SYNs ki ek stream fire karta hai, har ek pe alag innocent-dikhne waala fake source lagaaya gaya hai. Har ek SYN-ACK ko void mein force karta hai aur ek slot pin karta hai.


Step 5 — Squatters count karna: Little's Law arithmetic karta hai

KYA HAI. Hum woh average number of slots jaane chahte hain jo attack chalne ke dauran kisi bhi instant pe occupied hain. Isse kehte hain. Hum dikhayenge .

KYUN yeh tool — kyun Little's Law aur sirf "andaza" kyun nahi? Hamare paas cheezein aane ki rate hai (, slots per second create hote hain) aur har cheez ke rukne ka time (, seconds per slot). "Average mein kitne andar hain?" — yeh exactly woh sawaal hai jo Little's Law answer karta hai, kisi bhi system ke liye, randomness ke baare mein koi assumption ki zaroorat nahi. Yeh sahi tool hai kyunki yeh (rate × stay-time) ko (population) mein convert karta hai — precisely hamare do known quantities ko hamare ek unknown mein.

PICTURE. Ek bathtub socho. Paani litres/sec se andar aata hai aur har litre seconds ruk ke drain ho jaata hai. Steady water level hai. Slots litres hain; tub level hai.


Step 6 — Collapse condition: jab tub overflow karta hai

KYA HAI. Server real users ke liye tab mar jaata hai jab demanded occupancy physical capacity tak pahunch jaati hai: . substitute karne se headline result milta hai.

KYUN. kitne slots attack chahta hai occupy karna; kitne exist karte hain. Existing se zyada chahna matlab rack full hai — naye genuine SYNs bounce karte hain. set karke solve karna humein woh exact attack rate batata hai jo server ko "theek" se "down" pe flip karta hai.

  • — isse padho "available slots, us time mein spread out jinhe har ek hold karta hai" = woh SYN rate jo server bas sustain kar sakta hai.
  • Koi bhi is line pe ya iske upar backlog saturate kar deta hai.

PICTURE. axis mein ek phase line: ke neeche server survive karta hai (cyan zone), pe ya uske upar denied hai (amber zone). Boundary derived threshold hai.


Step 7 — Edge cases: kya formula ab bhi sensibly bolta hai?

KYA HAI. Ek formula tab hi trustworthy hota hai jab woh apni extremes pe theek behave kare. Hum teen degenerate dials check karte hain.

KYUN. Contract yeh hai: reader kabhi aise scenario se na mile jise hum skip kar gaye. Isliye hum , , aur push karte hain aur dekhte hain ki kya predict karta hai.

Dial pushed ban jaata hai Meaning
(slot instantly free) Koi bhi finite attack rate nahi jeet sakti — slots utni hi tezi se khaali ho jaate hain jitni tezi se bharte hain. Yeh SYN-cookie idea disguise mein hai.
(infinite notebook) Endless rack fill nahi ho sakti — lekin real memory finite hai, isliye yeh ek fantasy hai.
(attacker idle) hamesha Koi attack nahi, server safe. Sanity check pass.

PICTURE. ke ke against do survival curves: ordinary case ek falling curve hai (chhota thoda help karta hai), lekin ko ki taraf drive karo aur safe zone poore chart ko fill karne ke liye balloon ho jaata hai.


Step 8 — Cure: SYN cookies notebook delete kar dete hain ( real bana)

KYA HAI. Half-open connection ko ek slot mein likhne ki jagah, server zaruri state ko us initial sequence number mein encode kar deta hai jo woh SYN-ACK ke andar rakhta hai, phir koi memory nahi rakhta. Jab (aur agar) ek real ACK wapas aata hai, woh ACK us number ko echo karta hai; server ise decode karta hai aur connection turant rebuild kar leta hai.

KYUN yeh attack ko khatam karta hai. Koi slot allocate nahi hone ke saath, fill karne ke liye kuch nahi hai. Formula mein, server zero state hold karta hai, isliye effectively unbounded hai aur attacker ke point of view se — Step 7 ke dono edge cases jo bhejte the. Asymmetry collapse ho jaata hai: ek spoofed SYN ab server ko essentially kuch nahi costa.

PICTURE. Left: old server filling rack ke saath (mar jaata hai). Right: cookie server empty rack ke saath — state packet ke andar hi ride karti hai, server ki memory mein nahi; sirf ek genuine returning ACK ise reconstruct karta hai.


Ek-picture summary

Poori kahani ek frame mein: SYNs rate se pour hote hain, har ek time ke liye ek slot pin karta hai (Little's Law → occupancy ), slots ki rack exactly pe overflow hoti hai (amber cliff), aur SYN-cookie branch state ko packet mein reroute kar deta hai taaki rack khaali rahe aur cliff gayab ho jaaye.

Recall Feynman retelling — aise bolo jaise kisi dost ko explain kar rahe ho

Ek polite computer teen quick nods se chat shuru karta hai: "hi" (SYN), "hi back" (SYN-ACK), "great" (ACK). Mushkil yeh hai ki server har uss chat ke liye ek choti sticky note rakhta hai jise finish karne ka wait kar raha hai, aur uske paas itne hi sticky notes ke liye jagah hai — woh hai . Ek note seconds ke baad phenk diya jaata hai agar "great" kabhi nahi aata. Ek attacker fake return addresses ke saath tons of "hi"s bhejta hai, isliye "great" kabhi nahi aata — har note poore seconds squat karta hai. Woh "hi"s rate se bhejta hai. Little's Law (fill-rate times stay-time equals kitne around baithe hain) kehta hai ki notes hamesha use mein hain, aur jab yeh tak pahunch jaata hai toh pad full ho jaata hai aur honest users ko "sorry, no room" milta hai. Solve karo aur magic line hai — aur kyunki hasne layak chhota ho sakta hai (jaise 32 per second), bada pad kharidna tumhe nahi bachata; attacker bas tezi se likhta hai. Asli trick sticky notes rakhna hi band kar dena hai: server note ko reply number ke andar hi bake kar deta hai (ek SYN cookie) aur kuch yaad nahi rakhta. Ab fill karne ke liye koi pad nahi hai, cliff infinity pe chali jaati hai, aur flood khaali hawa ke khilaf push karta hai.

Recall Quick self-test

Little's Law hume yahan kya quantity deta hai, aur kaun se do inputs se? ::: Average number of occupied slots , arrival rate aur hold-time se. Exact collapse condition likho aur batao har symbol kya hai. ::: ; = attacker SYN rate, = backlog size, = slot timeout. Ek bada backlog SYN flood kyun fix nahi karta? ::: Threshold sirf linearly badhta hai; attacker bas badhaa deta hai rakhne ke liye. Edge-case table mein, kaun si limit ko infinity pe bhejti hai aur practice mein achievable hai? ::: (slot instant free karo) — SYN cookies se realise hota hai, jo koi state nahi rakhte. Cookie ko keyed hash (ek MAC-like function) kyun use karna chahiye? ::: Taaki attacker valid returning ACK forge na kar sake; sirf server encoded sequence number produce/verify kar sakta hai.