11.3 DoS Attacks Flashcards
Denial of Service
Attempts to exhaust resources such as:
Network bandwidth
TCP connections
Server resources
Defenses to DoS
- Ingress Filtering
- uRPF checks
- SYN Cookies (TCP)
Ingress filtering
Foolproof; works at the edges
but doesn't work in the core
Look at this thing: does it direct to this thing? No? Drop it.
uRPF
If we see a packet with a particular source IP address on an incoming interface that is different from the one where we would send the packet in the reverse direction, drop the packet.
Benefits/downfalls of uRPF
Benefits: automatic
Downfall: requires symmetric routing
SYN cookies: the problem they solve
The TCP handshake process is SYN -> SYN-ACK -> ACK -> ACK.
After the SYN is sent, the recipient allocates buffer space regardless of what happens with the SYN-ACK.
SYN cookies
No buffers are allocated after the server receives the SYN.
The server picks an initial sequence number that's a function of srcIP, srcPort, dstIP, dstPort, and rand.
An honest sender can reply with the same sequence number, which the server can check.
Then allocate buffer space.
Inferring denial-of-service activity using backscatter
When an attacker spoofs an IP address, the victim's replies to that initial TCP SYN will go to the location of the spoofed source IP address.
Backscatter calculations
If we monitor n IP addresses
and see m attack packets,
we expect to see (n/2^32)*m of the total backscatter packets, and hence of the total attack rate.
Compute total rate from backscatter
Invert the fraction:
m = x*(2^32/n)
where x is the observed attack rate
and n is the number of monitored addresses; for a /8 telescope, n = 2^24.