How might modern websites defend against DDoS attacks?
A common solution is an insurance scheme, such as the one provided by Cloudflare. The high-level idea is that many websites sign up for Cloudflare’s DoS protection service. If Cloudflare has enough customers, it should be able to acquire a huge amount of bandwidth to withstand DDoS attacks.
When no one is under attack, Cloudflare simply forwards all traffic to the correct websites. However, if a website is suffering a DDoS attack, Cloudflare can use its huge bandwidth to drop the bogus traffic and forward only the cleaned-up traffic to the actual website. This way, every website signed up for Cloudflare can withstand a much larger DDoS attack than its own bandwidth alone could absorb.
Amplification
In the DNS amplification attack, what packets are sent across the network? For each packet, what are the source and destination fields set to?
The attacker sends a DNS query, with source set to the victim’s IP address and destination set to the patsy DNS server’s IP address.
The patsy DNS server sends a DNS response, with source set to the patsy DNS server’s IP address and destination set to the victim’s IP address.
TCP SYN Flooding
When using SYN cookies, after a legitimate client sends the ACK packet, how does the server know:
1) the client sequence number x,
2) the server sequence number y, and
3) any extra state that would have been stored after a SYN?
1) The client’s sequence number x is included in the ACK packet.
2) The server sequence number y is included in the ACK packet.
3) Any extra state is encoded in server sequence number y (an example scheme could be y = state + HMAC(key, state), where the key is only known to the server). The server can retrieve the state from the ACK packet and verify that it has not been tampered with.
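As an added illustration of the y = state + HMAC(key, state) scheme described above (this is constructed example code, not from the course notes or any real TCP stack; the 32-bit layout, the 6-bit timestamp counter, the 2-bit MSS index, the demo key and the 4-tuple values are all assumptions), the server encodes its state into the SYN-ACK sequence number and recovers and verifies it from the final ACK without having stored anything:

```python
import hmac
import hashlib

# Assumption: a secret known only to the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"

# Assumption: 32-bit ISN layout, a simplified y = state || HMAC(key, state):
#   top 8 bits  = state (6-bit coarse timestamp counter, 2-bit MSS table index)
#   low 24 bits = truncated HMAC over the state, the connection 4-tuple and x
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(key, four_tuple, client_seq, state):
    """24-bit truncated HMAC binding the state to this particular connection."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_seq}|{state}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def make_syn_cookie(four_tuple, client_seq, mss_index, t_counter, key=SERVER_KEY):
    """Server ISN y sent in the SYN-ACK; no per-connection state is stored."""
    state = ((t_counter & 0x3F) << 2) | (mss_index & 0x3)
    return (state << 24) | _mac24(key, four_tuple, client_seq, state)


def check_ack(four_tuple, ack_seq, ack_num, now_counter, key=SERVER_KEY, max_age=1):
    """On the final ACK, recover the state from y = ack_num - 1 and verify it.
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    x = (ack_seq - 1) & 0xFFFFFFFF  # client ISN: the ACK carries seq = x + 1
    y = (ack_num - 1) & 0xFFFFFFFF  # server ISN: the ACK carries ack = y + 1
    state = y >> 24
    expected = _mac24(key, four_tuple, x, state).to_bytes(3, "big")
    got = (y & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None  # state was tampered with, or the ACK was never preceded by our SYN-ACK
    t_counter = state >> 2
    if ((now_counter - t_counter) & 0x3F) > max_age:
        return None  # cookie too old: limits replay of a captured ACK
    return MSS_TABLE[state & 0x3]
```

A server using this scheme answers every SYN with a SYN-ACK and only allocates connection state after `check_ack` succeeds, so a flood of SYNs with spoofed sources costs it no memory.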
Application-Layer DoS
Algorithmic Complexity Attacks
How are algorithmic complexity attacks related to amplification attacks?
In both attacks, the attacker can use very few resources to force the victim to consume a lot of resources.
DoS Conclusion
Intro to Firewalls
Selecting an Access Control Policy
What factors might influence choosing between a default-allow policy and a default-deny policy?
The cost of an attack. For example, if our system has very sensitive data, we might prefer using a default-deny policy.
Stateless Packet Filter
(True/False) Stateless packet filters can't deny all inbound TLS connections, because TLS connections have confidentiality.
False. Remember that TLS is built on top of TCP, so it requires the inbound connection to send a SYN-ACK packet. This will be blocked by the stateless packet filter.
Stateful Packet Filter Rules
Write a stateful firewall rule that would allow all TLS traffic from an external host 161.20.2.0 into your network 16.120.20.0/24.
allow tcp 161.20.2.0:* -> 16.120.20.0/24:*
Optionally, you could add /ext and /int here, although it’s not required because we specified both hosts already.
Designing a Stateful Filter
Stateful Filter Challenges
Remember that in the TCP lecture, we said that TCP guarantees that packets will be reconstructed in the correct order. What part of the TCP protocol is the attacker exploiting here to prevent this?
The attacker is sending multiple packets with the same sequence number, which causes confusion between the firewall and the receiver. Both need to reconstruct the message, but they don’t know which packet to use.
Application-Level Firewalls
What might be a disadvantage of application-level firewalls?
Remembering every single connection at the firewall takes more resources compared to the other firewalls we’ve seen.