Lecture 22: Denial-of-Service (DoS) Attacks and Firewalls

Intro to DoS




Application-Level DoS





Network-Level DoS



How might modern websites defend against DDoS attacks?




Amplification


In the DNS amplification attack, what packets are sent across the network? For each packet, what are the source and destination fields set to?




TCP SYN Flooding



When using SYN cookies, after a legitimate client sends the ACK packet, how does the server know: 1) the client sequence number x, 2) the server sequence number y, and 3) any extra state that would have been stored after a SYN?




Application-Layer DoS




Algorithmic Complexity Attacks


How are algorithmic complexity attacks related to amplification attacks?




DoS Conclusion




Intro to Firewalls




Selecting an Access Control Policy


What factors might influence choosing between a default-allow policy and a default-deny policy?




Stateless Packet Filter


(True/False) Stateless packet filters can't deny all inbound TLS connections, because TLS connections have confidentiality.




Stateful Packet Filter Rules


Write a stateful firewall rule that would allow all TLS traffic from an external host 161.20.2.0 into your network 16.120.20.0/24.




Designing a Stateful Filter




Stateful Filter Challenges


Remember that in the TCP lecture, we said that TCP guarantees that packets will be reconstructed in the correct order. What part of the TCP protocol is the attacker exploiting here to prevent this?




Application-Level Firewalls


What might be a disadvantage of application-level firewalls?




VPNs




Why Have Firewalls Been Successful?




Attacks on Firewalls




Firewalls Conclusion