Worked examples — Network security — DDoS, man-in-the-middle, replay attacks, countermeasures
4.3.31 · D3· Coding › Computer Networks › Network security — DDoS, man-in-the-middle, replay attacks,
Parent dekho: (Hinglish version).
The scenario matrix
Har row ek case class hai — ek alag tarah ki situation jo is topic ki maths tumhare saamne rakh sakti hai. Neeche har example us cell ke saath tagged hai jise wo cover karta hai.
| # | Case class | Kya ise alag banata hai | Worked in |
|---|---|---|---|
| C1 | DDoS below threshold | — server survive karta hai | Ex 1 |
| C2 | DDoS at/above threshold | — service collapse ho jaati hai | Ex 2 |
| C3 | Amplification factor | ratio , reflection maths | Ex 3 |
| C4 | Degenerate input | (instant timeout) ya | Ex 4 |
| C5 | Limiting behaviour | kya hota hai jab ya | Ex 4 |
| C6 | Replay caught | nonce already "seen" set mein hai | Ex 5 |
| C7 | Replay slips through | timestamp window bahut wide hai | Ex 6 |
| C8 | MITM key mix-up | do DH keys , auth se detect karo | Ex 7 |
| C9 | Real-world word problem | CDN sizing / proof-of-work ka cost | Ex 8 |
| C10 | Exam-style twist | combined defence, "which fix and why" | Ex 9 |
Shuru karne se pehle, ek symbol jo hum har jagah reuse karte hain:
Ex 1 — DDoS below threshold (Cell C1)
-
Steady-state occupancy compute karo Little's Law use karke. Ye step kyun? Little's Law (Little's Law) kehta hai ki kisi system mein baithe items ki average number arrival-rate time-in-system ke barabar hoti hai. Yahan items = half-open connections. Hum ise isliye use karte hain kyunki hume care hai ki average mein kitne slots occupied hain, kisi ek connection ke baare mein nahi.
-
Capacity se compare karo . Ye step kyun? Parent se collapse condition hai . Equivalently . Kyunki hai, queue kabhi fill nahi hoti — ek real user ke liye hamesha ek free slot hota hai.
Ex 2 — DDoS at/above threshold (Cell C2)

-
Would-be occupancy nikalo slots. Ye step kyun? Ye kitne slots flood hold karna chahta hai — ye se zyada ho sakta hai.
-
Use par cap lagao. Real occupancy . Ye step kyun? Tum physically se zyada slots hold nahi kar sakte. Figure mein red line ko ceiling se takraate dekho.
-
Rejection fraction. Ek baar full hone ke baad, ek slot sirf /s ki rate se free hota hai, lekin demand (attacker + legit) bahut zyada tezi se aati hai. Attacker SYNs ka fraction jo jagah paata hai ; baki, aur practically saare legit users jo full queue par aate hain, drop ho jaate hain. Legit rejection . Ye step kyun? Hum "queue full" ko ek number mein convert karte hain: server sirf new connections per second admit kar sakta hai, isliye koi bhi excess arrival rate lost ho jaati hai.
Ex 3 — Amplification factor (Cell C3)
-
Amplification factor jahan = bytes jo victim receive karta hai, = bytes jo attacker bhejta hai. Ye step kyun? Reflection attacks mein resolver outbound cost pay karta hai. measure karta hai ki reflected reply trigger se kitni badi hai —
ANYchoose karne ka yehi point hai. -
Attacker ki apni outbound rate. queries/s bytes bytes/s MB/s. Ye step kyun? Hume attacker ka cost chahiye taki phir se multiply kar sakein.
-
Victim-bound flood. MB/s Mbps. Ye step kyun? Har attacker byte victim bytes ban jaata hai. MB/s ko Mbps mein convert karne ke liye se multiply karo (bandwidth bits mein quote hoti hai).
Ex 4 — Degenerate & limiting inputs (Cells C4, C5)
-
(a) — instant timeout (yeh essentially SYN cookies hai). . Ye step kyun? Agar koi bhi state kabhi hold nahi hoti (instantly free / kabhi allocate nahi hoti), toh koi flood accumulate nahi ho sakta. Occupancy chahe kuch bhi ho rehti hai. Immune. Yehi wajah hai ki SYN cookies kaam karte hain — woh ko effectively tak push kar dete hain.
-
(b) — infinite queue. , finite ke liye finite. Ye step kyun? Tum "kabhi reject nahi karte" — lekin memory bhi ek resource hai, isliye slots of RAM phir bhi consume hoti hai. Parent ki "bigger " mistake yahan rehti hai: tumne ek full-queue failure ko out-of-memory failure se trade kar diya.
-
(c) . ; queue instantly saturate hoti hai aur pinned rehti hai. Ye step kyun? Limit dikhata hai ki worst case se bounded hai — occupancy ceiling se zyada nahi ja sakti — lekin har legit user reject ho jaata hai. Doomed jab tak chota na ho.
-
(d) . Kisi bhi ke liye , isliye ; queue kisi bhi attack rate par kaafi time dene par fill ho jaati hai. Ye step kyun? Ek server jo half-open connections ko kabhi timeout nahi karta woh even ek trickle se defeat ho jaata hai. Isliye timeout exist karta hai.
Ex 5 — Replay caught by a nonce (Cell C6)
-
Server seen-set check karta hai. → reject, MAC recompute karne se pehle bhi. Ye step kyun? Freshness pehla gate hai. Ek replayed nonce by definition fresh nahi hoti; tag kaise form hota hai dekhne ke liye Message Authentication Codes (MAC) & HMAC dekho.
-
Eve try karti hai (ek value jo abhi tak nahi dekhi gayi), purana rakhti hai. Ye step kyun? Woh freshness check par attack kar rahi hai ek "naya" nonce supply karke.
-
MAC verification fail hoti hai. Server recompute karta hai aur Eve ke se compare karta hai, jo tha. Kyunki toh inputs differ karte hain, isliye tags differ karte hain (siwa negligible probability ke ek -bit MAC ke liye). Reject. Ye step kyun? MAC ko ke saath secret key ke under bind karta hai. Eve bina ke ke liye tag forge nahi kar sakti. Isliye nonce MAC ke andar hoti hai, uske beside nahi.
Ex 6 — Replay slips through a loose window (Cell C7)
-
Pehla replay s par. → accepted (replay succeed karta hai!). Ye step kyun? Window ke andar, sirf timestamp ek fresh message aur replay mein distinguish nahi kar sakta — ye sirf age check karta hai, uniqueness nahi.
-
Doosra replay s par. → rejected (bahut purana). Ye step kyun? Window hi ek maatra defence hai; ek baar message se age ho jaata hai toh expire ho jaata hai.
-
Fix. Window ke andar ek seen-set (nonce) add karo, ya chota karo. Nonce ke saath, s wala replay bhi pakda jaata, jaise Ex 5 mein. Ye step kyun? Ye parent ka core lesson hai: ek timestamp attack window bound karta hai lekin ek nonce ise close karta hai. Wide = wide replay window.
Ex 7 — MITM key mix-up in Diffie–Hellman (Cell C8)

-
Public values. , , Eve's . Ye step kyun? DH open mein exchange karta hai; secret exponent private rehta hai. Eve apna dono sides ke liye substitute karti hai — yehi hai man-in-the-middle.
-
Alice ki key (woh sochti hai Bob ke saath share kar rahi hai, actually Eve ke saath hai): . Compute: , , . Toh . Ye step kyun? Alice jo value receive ki (Eve's ) use apne secret se raise karti hai — standard DH combine.
-
Bob ki key (Eve ke saath): . , , . Toh . Ye step kyun? Same combine, Bob ka secret. Note karo : Eve har side ke saath ek key hold karti hai, exactly parent ki picture.
-
Fix — authentication. Agar Alice ne apna sign kiya hota (via Public Key Infrastructure & Certificates / TLS handshake), Eve ko se replace nahi kar sakti thi bina signature tode. Mismatch secrecy ke liye invisible hai lekin authenticity ke liye fatal hai. Ye step kyun? DH ek shared secret deta hai lekin kabhi prove nahi karta ki kiska secret hai. Public value sign karna identity ko key se bind karta hai.
Ex 8 — Real-world word problem: proof-of-work as a defence (Cell C9)
-
Har token ka work. leading zero bits dhundhne ke liye average mein hashes chahiye. Ye step kyun? Har hash output uniform hai, isliye leading zeros ki chance hai; succeed hone ke liye expected trials hai. Ye attacker ka naya hai — humne ise deliberately badhaaya.
-
Hashes needed per second. hashes/s. Ye step kyun? tokens/s har ek hashes cost karta hai.
-
Cores required. cores. Ye step kyun? Total hash demand ko ek core ke throughput se divide karo; round up karo (tum ek core ka fraction rent nahi kar sakte).
-
par effect. PoW se pehle attacker ek cheap packet pay karta tha ( chota, bada). Ab se jump kar gaya, isliye ya neeche collapse ho jaata hai — woh asymmetry jo DDoS ko worthwhile banati thi chali gayi. Ye step kyun? Yaad karo : badhana par direct lever hai, exactly parent ka "CAPTCHA / proof-of-work" countermeasure.
Ex 9 — Exam-style twist: which single fix, and why? (Cell C10)
-
DDoS screen karo. ? Haan — , toh ye collapse kar dega. Ye step kyun? Pehle threshold test apply karo, kyunki agar server already down hai toh kuch bhi matter nahi karta.
-
Lekin dobara padho: flood hypothetical spoofed SYNs hai — immediate, guaranteed exploits hain constant MAC (trivially replayable, Cell C6/C7) aur plain HTTP (MITM + credential theft, Cell C8). SYN cookies sirf (iii) fix karta hai. Ye step kyun? Exploitability se ranking karo: ek constant auth tag ek guaranteed replay hai jo koi bhi attacker aaj perform kar sakta hai; DDoS ke liye botnet chahiye.
-
[B] TLS with certificates choose karo — ye server ko authenticate karta hai (HTTP par MITM kill karta hai) aur traffic wrap karta hai taki credential sniff na ho sake. Lekin TLS akela application layer par constant MAC fix nahi karta. Ye step kyun? TLS sabse wide hole close karta hai (eavesdrop + MITM + downgrade via HSTS). Ye yahan highest-value single control hai.
-
Kya exposed rehta hai: constant MAC (nonce chahiye — [C]) aur SYN flood (chahiye [A]). Ek control teen independent broken assumptions cover nahi kar sakta — yehi parent ke comparison table ka poora point hai. Ye step kyun? Har attack ek alag assumption todi hai (freshness / identity / resources), isliye koi single fix complete nahi hai.
Recall Self-test
Ek server ka s hai. Kis SYN rate se neeche ye safe hai? ::: SYN/s. Ek -byte query se -byte reply milti hai. kya hai? ::: . Timestamp window s, message stamped , replayed at . Accept hua? ::: Haan — (yehi replay hole hai). SYN flood defend karne ke liye badhana — achha idea? ::: Nahi; attacker bas badhata hai kyunki phir bhi hold karta hai. SYN cookies use karo ().