How might modern websites defend against DDoS attacks?
A common solution is an insurance-style scheme, such as the one provided by Cloudflare. Many websites sign up for Cloudflare's DoS protection service and route their traffic through it. Because only a few customers are under attack at any given time, Cloudflare can pool the fees from all of them to buy far more bandwidth than any single site could afford, enough to absorb large DDoS attacks.
When no one is under attack, Cloudflare simply forwards all traffic to the correct websites. When a website is under DDoS attack, Cloudflare absorbs the flood with its large bandwidth, filters out the bogus traffic, and forwards only the cleaned-up traffic to the actual website. This way, every website signed up for Cloudflare can withstand DDoS attacks much larger than its own bandwidth could absorb.
In the DNS amplification attack, what packets are sent across the network? For each packet, what are the source and destination fields set to?
The attacker sends a small DNS query, with source set to the victim's IP address (spoofed) and destination set to the patsy DNS server's IP address. DNS runs over UDP, so nothing verifies the source address before the server answers.
The patsy DNS server sends a DNS response, with source set to the patsy DNS server's IP address and destination set to the victim's IP address. The response is much larger than the query, so the attacker's bandwidth is amplified against the victim.
TCP SYN Flooding
When using SYN cookies, after a legitimate client sends the ACK packet, how does the server know:
1) the client sequence number x,
2) the server sequence number y, and
3) any extra state that would have been stored after a SYN?
1) The ACK packet's sequence number field is x + 1, so the server recovers x by subtracting 1.
2) The ACK packet's acknowledgment number field is y + 1, so the server recovers y by subtracting 1.
3) Any extra state is encoded in the server sequence number y itself rather than stored. An example scheme is y = state || HMAC(key, state), where || denotes concatenation (truncated to fit the 32-bit field) and the key is known only to the server. When the ACK arrives, the server extracts the state bits from y, recomputes the HMAC, and accepts the connection only if it matches, so the state cannot be tampered with. In practice the HMAC also covers the client's and server's addresses and ports and a coarse timestamp, so a cookie issued to one client cannot be replayed for another and expires after a short time.
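The following is an added example, not part of the original discussion, of the SYN-cookie scheme described above: y packs a 5-bit time slot, a 3-bit index for the client's MSS (the "extra state") and a 24-bit truncated HMAC, and the server reconstructs x, y and the state from the final ACK without having stored anything. The server key, the MSS table, the slot length and the addresses in the demo are all constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real server draws it randomly
# and rotates it. It never leaves the server.
SERVER_KEY = b"constructed-secret-key-for-the-example"

# The "extra state" a server would otherwise keep after a SYN: here the MSS the
# client advertised, squeezed into a 3-bit table index because y has only 32 bits.
MSS_TABLE = (536, 1220, 1440, 1460)   # constructed table for the example
SLOT_SECONDS = 64                     # time-slot granularity for cookie expiry
MAX_AGE_SLOTS = 2                     # accept cookies at most this many slots old


def _mss_index(mss):
    """Largest MSS_TABLE entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def _mac24(key, src_ip, src_port, dst_ip, dst_port, t, x, state):
    """24-bit truncated HMAC over the state AND the connection identity, so a
    cookie cannot be replayed for another client or another x."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}|{x}|{state}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(key, src_ip, src_port, dst_ip, dst_port, x, mss, now):
    """Server side, on SYN: compute y instead of allocating a half-open entry.
    Layout of y (32 bits): 5-bit time slot | 3-bit MSS index | 24-bit MAC."""
    t = (now // SLOT_SECONDS) & 0x1F
    state = _mss_index(mss)
    mac = _mac24(key, src_ip, src_port, dst_ip, dst_port, t, x, state)
    return ((t << 27) | (state << 24) | mac) & 0xFFFFFFFF


def check_syn_cookie(key, src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now):
    """Server side, on the final ACK: the ACK carries seq = x + 1 and
    ack = y + 1 (mod 2**32). Recover x, y and the state, or return None."""
    x = (ack_seq - 1) & 0xFFFFFFFF
    y = (ack_num - 1) & 0xFFFFFFFF
    t = y >> 27
    state = (y >> 24) & 0x7
    mac = y & 0xFFFFFF
    cur = (now // SLOT_SECONDS) & 0x1F
    if (cur - t) % 32 > MAX_AGE_SLOTS:
        return None                        # stale cookie (or forged slot)
    expected = _mac24(key, src_ip, src_port, dst_ip, dst_port, t, x, state)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                        # tampered or forged cookie
    return {"x": x, "y": y, "mss": MSS_TABLE[state]}


def handshake_demo():
    """Full exchange with constructed addresses: SYN(x) -> SYN-ACK(y) -> ACK."""
    client, server = ("203.0.113.7", 40000), ("198.51.100.1", 443)
    x, mss, now = 0x12345678, 1460, 1_000_000
    # SYN arrives: server replies with SYN-ACK carrying y and stores nothing.
    y = make_syn_cookie(SERVER_KEY, *client, *server, x, mss, now)
    # Legitimate client ACKs with seq = x + 1, ack = y + 1 a few seconds later.
    ok = check_syn_cookie(SERVER_KEY, *client, *server, x + 1, y + 1, now + 3)
    # The same ACK replayed from a different source address is rejected.
    spoofed = check_syn_cookie(SERVER_KEY, "192.0.2.9", 40000, *server, x + 1, y + 1, now + 3)
    # Same client, but the cookie is presented long after it was issued.
    stale = check_syn_cookie(SERVER_KEY, *client, *server, x + 1, y + 1, now + 10 * SLOT_SECONDS)
    return ok, spoofed, stale


if __name__ == "__main__":
    print(handshake_demo())
```

Because the MAC binds the four-tuple and x, an attacker who learns one valid y cannot reuse it to open connections from spoofed addresses, and the time slot bounds how long a harvested cookie stays valid; the cost is that any state not squeezed into the 8 spare bits is simply lost, which is why real implementations only encode the MSS.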
Algorithmic Complexity Attacks
How are algorithmic complexity attacks related to amplification attacks?
In both attacks the attacker exploits an asymmetry: very few resources on the attacker's side force the victim to consume far more (bandwidth in an amplification attack; CPU or memory in an algorithmic complexity attack, for example by feeding a hash table inputs that all collide so that its O(1) operations degrade to O(n)).
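An added example, not from the original discussion, of the asymmetry above in the hash-table case: the attacker generates colliding keys in linear time against a predictable hash, the victim's inserts degrade to quadratic work, and the same inputs cost almost nothing once the table uses a keyed hash with a secret the attacker cannot learn. The byte-sum hash, the table and the key generator are all constructed for the example; the keyed hash uses the standard library's keyed blake2b.

```python
import hashlib
import os


def weak_hash(key):
    """Unkeyed, attacker-predictable hash (sum of bytes). It stands in for any
    public hash function whose collisions an attacker can compute offline."""
    return sum(key)


def make_keyed_hash(secret):
    """Keyed hash: collisions cannot be precomputed without the per-process
    secret. Keyed blake2b from the standard library is used here."""
    def h(key):
        return int.from_bytes(hashlib.blake2b(key, key=secret, digest_size=8).digest(), "big")
    return h


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    i.e. the work the victim performs per insert."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def colliding_keys(n):
    """Attacker side: n distinct 4-byte keys with identical byte sum (510),
    generated in O(n) knowing only the victim's hash function."""
    keys = []
    for i in range(256):
        for j in range(256):
            if len(keys) == n:
                return keys
            keys.append(bytes([i, 255 - i, j, 255 - j]))
    return keys


def measure(n=1000):
    """Comparisons needed to insert n attacker-chosen keys into a table using
    the predictable hash versus a keyed hash with a fresh random secret."""
    keys = colliding_keys(n)
    weak = ChainedTable(weak_hash)
    keyed = ChainedTable(make_keyed_hash(os.urandom(16)))
    for k in keys:
        weak.insert(k, None)
        keyed.insert(k, None)
    return weak.comparisons, keyed.comparisons


if __name__ == "__main__":
    weak_work, keyed_work = measure()
    print(f"predictable hash: {weak_work} comparisons, keyed hash: {keyed_work}")
```

With n keys all landing in one bucket the victim performs n(n-1)/2 comparisons, while the attacker spent O(n) to build the request; the keyed table spreads the same keys over its buckets and does roughly n^2/(2 * buckets) comparisons, which is why languages and servers switched their string hashes to keyed functions such as SipHash.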