
## TCP 3-Way Handshake Review

So as a quick quiz, what are some of the advantages of TCP SYN cookies? Is it that they can be applied to filter traffic in the network core? Is it that they can prevent the server from exhausting state by setting up socket buffers after receiving a TCP SYN? Or is it that they can defend against UDP flooding attacks?

TCP SYN cookies can prevent a server from exhausting state after receiving the initial TCP SYN packet.

## Inferring Denial of Service using Backscatter

Let's talk about how to infer denial of service activity using a technique called backscatter. The idea behind backscatter is that when an attacker spoofs a source IP address, say in a TCP SYN flood attack, the victim's replies to that initial TCP SYN will go to the location of the spoofed source IP address. These replies to forged attack messages are called "backscatter". Now, the interesting thing about backscatter is that we can set up a portion of the network where we monitor this backscatter traffic, coming back as SYN-ACK replies to forged source IP addresses. If we assume that the attacker picks these source IP addresses uniformly at random, then the amount of traffic that we see as backscatter represents exactly a fraction that's proportional to the size of the overall attack. So for example, if we monitor N IP addresses and we see M attack packets, then we expect to see N over two to the 32 of the total backscatter packets, and hence of the total attack rate. If we want to compute the total attack rate, we simply invert this fraction. So for example, in this case, if our telescope were a slash eight, or two to the 24th IP addresses, we would simply multiply our observed attack rate x by two to the 32 divided by two to the 24, or 255.
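The estimate described above, applied to telescope traffic, as an added example that is not part of the original lecture. The packet records, the addresses and the function name are constructed for illustration; it assumes uniformly random spoofed sources and one SYN-ACK reply per spoofed SYN.

```python
import ipaddress
from collections import Counter

IPV4_SPACE = 2 ** 32

# Constructed sample: (src_ip, dst_ip, tcp_flags) seen by a telescope on
# 10.0.0.0/8 during a 2-second window. 203.0.113.5 is a made-up victim.
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.4.17.9", "SA"),
    ("203.0.113.5", "10.200.3.1", "SA"),
    ("203.0.113.5", "10.77.0.42", "SA"),
    ("203.0.113.5", "10.9.9.9", "SA"),
    ("203.0.113.5", "10.31.8.250", "SA"),
    ("203.0.113.5", "10.150.66.3", "SA"),
    ("198.51.100.7", "10.1.2.3", "S"),     # a bare SYN, not a reply: ignored
    ("203.0.113.5", "192.0.2.10", "SA"),   # outside the telescope: ignored
]


def estimate_attack_rates(packets, telescope_cidr, window_seconds):
    """Return {victim_ip: (observed_pps, estimated_total_pps)}.

    A SYN-ACK addressed to a telescope address is counted as backscatter;
    its source is the victim answering a spoofed SYN. Assumption: spoofed
    sources are uniform over the IPv4 space, so the telescope sees a
    fraction N / 2^32 of the replies and we scale by the inverse.
    """
    telescope = ipaddress.ip_network(telescope_cidr)
    scale = IPV4_SPACE / telescope.num_addresses
    seen = Counter()
    for src, dst, flags in packets:
        if flags != "SA":
            continue
        if ipaddress.ip_address(dst) not in telescope:
            continue
        seen[src] += 1
    rates = {}
    for victim, count in seen.items():
        observed = count / window_seconds
        rates[victim] = (observed, observed * scale)
    return rates


if __name__ == "__main__":
    result = estimate_attack_rates(SAMPLE_PACKETS, "10.0.0.0/8", 2)
    for victim, (obs, est) in result.items():
        print(f"{victim}: observed {obs:.1f} pps, estimated {est:.0f} pps")
```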

## Backscatter Quiz

As a quick quiz, let's suppose that our telescope is monitoring two to the 16th IP addresses. And let's suppose that in that telescope, we see a