Lecture 22: Denial-of-Service (Dos) Attacks and Firewalls
Intro to DoS
How might modern websites defend against DDoS attacks?
In the DNS amplification attack, what packets are sent across the network? For each packet, what are the source and destination fields set to?
TCP SYN Flooding
When using SYN cookies, after a legitimate client sends the ACK packet, how does the server know: 1) the client sequence number x, 2) the server sequence number y, and 3) any extra state that would have been stored after a SYN?
Algorithmic Complexity Attacks
How are algorithmic complexity attacks related to amplification attacks?
Intro to Firewalls
Selecting an Access Control Policy
What factors might influence choosing between a default-allow policy and a default-deny policy?
Stateless Packet Filter
(True/False) Stateless packet filters can't deny all inbound TLS connections, because TLS connections have confidentiality.
Stateful Packet Filter Rules
Write a stateful firewall rule that would allow all TLS traffic from an external host
126.96.36.199 into your network
Designing a Stateful Filter
Stateful Filter Challenges
Remember that in the TCP lecture, we said that TCP guarantees that packets will be reconstructed in the correct order. What part of the TCP protocol is the attacker exploiting here to prevent this?
What might be a disadvantage of application-level firewalls?
Why Have Firewalls Been Successful?
Attacks on Firewalls