1 00:00:00,840 --> 00:00:02,040 SYN flood attack.
2 00:00:03,830 --> 00:00:05,420 Now, what is a SYN flood attack?
3 00:00:06,520 --> 00:00:13,120 It is a type of denial of service attack which aims to make a server unavailable to legitimate traffic
4 00:00:13,330 --> 00:00:20,830 by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets,
5 00:00:21,100 --> 00:00:27,970 the attacker is able to overwhelm all available ports on a targeted server machine, causing the
6 00:00:27,970 --> 00:00:33,830 targeted device to respond to legitimate traffic sluggishly or not at all.
7 00:00:34,000 --> 00:00:35,740 So it uses the TCP protocol.
8 00:00:38,060 --> 00:00:40,520 So how does a SYN flood attack work?
9 00:00:42,220 --> 00:00:48,460 SYN flood attacks work by exploiting the handshake process of a TCP connection. Under normal conditions,
10 00:00:48,650 --> 00:00:53,310 a TCP connection exhibits three distinct processes in order to make a connection.
11 00:00:54,890 --> 00:01:00,500 First, the client sends a SYN packet to the server in order to initialize the connection, then the
12 00:01:00,500 --> 00:01:06,500 server responds to that initial packet with a SYN-ACK packet in order to acknowledge the communication.
13 00:01:06,830 --> 00:01:13,310 Finally, the client returns an ACK, or acknowledgment, packet to acknowledge the receipt of the packet
14 00:01:13,310 --> 00:01:14,060 from the server.
15 00:01:14,300 --> 00:01:20,960 After completing this sequence of packet sending and receiving, the TCP connection is open and able
16 00:01:20,960 --> 00:01:22,190 to send and receive data.
17 00:01:22,700 --> 00:01:27,090 So here you can see that here is the server and here is the client, for example.
18 00:01:27,320 --> 00:01:29,770 So the other one here is the client, actually.
19 00:01:29,810 --> 00:01:33,980 So you can see that the client will send, this is SYN, to the server.
20 00:01:34,220 --> 00:01:40,550 The server will respond with SYN-ACK, which means synchronization, as you can see, SYN, synchronization,
21 00:01:40,550 --> 00:01:41,960 and ACK, acknowledgement.
22 00:01:42,290 --> 00:01:45,480 So it sends SYN-ACK, and the client will respond with ACK.
23 00:01:45,860 --> 00:01:46,280 All right.
24 00:01:48,090 --> 00:01:54,030 Now, to create a denial of service, an attacker exploits the fact that after an initial SYN packet
25 00:01:54,030 --> 00:02:00,030 has been received, the server will respond back with one or more SYN-ACK packets and wait for the final
26 00:02:00,030 --> 00:02:01,140 step in the handshake.
27 00:02:01,740 --> 00:02:08,550 So here you can see this is the target, and here is the bot, and the attacker will control the bot.
28 00:02:08,730 --> 00:02:16,350 So you can see that it will spoof a SYN packet to this target, or to this innocent machine or device.
29 00:02:16,560 --> 00:02:21,670 And this will start sending SYN-ACK, SYN-ACK, to that server.
30 00:02:21,690 --> 00:02:30,060 OK, so we have the server here, and we don't need to directly go to it by sending SYN-ACK or our SYN.
31 00:02:30,090 --> 00:02:31,620 Actually, we will not do that.
32 00:02:31,820 --> 00:02:33,600 We will spoof a SYN packet.
33 00:02:34,590 --> 00:02:39,810 And we will assume that the source IP it is coming from, it is coming from the server, but actually it is coming
34 00:02:39,810 --> 00:02:40,410 from the bot.
35 00:02:40,740 --> 00:02:47,390 So the target here, or the innocent target, will think that, yeah, I will go with SYN-ACK to this server,
36 00:02:47,400 --> 00:02:54,180 OK, which will let this server, or this machine, respond to different people or different machines
37 00:02:54,390 --> 00:02:58,610 which actually didn't initialize a connection in the first place.
38 00:02:59,310 --> 00:03:04,410 So the attacker sends a high volume of SYN packets to the targeted server, often with spoofed IP
39 00:03:04,410 --> 00:03:08,490 addresses. Spoofed, which means that the source IP address has been changed.
40 00:03:09,530 --> 00:03:14,810 The server then responds to each one of the connection requests and leaves an open port, ready to
41 00:03:14,810 --> 00:03:20,960 receive the response. While the server waits for the final ACK packet, which never arrives, the attacker
42 00:03:20,960 --> 00:03:22,910 continues to send more SYN packets.
43 00:03:24,960 --> 00:03:31,340 So the arrival of each new SYN causes the server to temporarily maintain a new open port
44 00:03:31,360 --> 00:03:37,230 connection for a certain length of time, and once all the available ports have been utilized, the
45 00:03:37,230 --> 00:03:40,320 server is unable to function normally.
46 00:03:41,500 --> 00:03:46,140 So how is a SYN flood attack mitigated? So, to protect ourselves from such attacks.
47 00:03:46,520 --> 00:03:48,700 This is a dangerous attack, by the way, as you saw.
48 00:03:49,800 --> 00:03:56,820 So the first thing: increasing the backlog queue. Now, each operating system on a target device has a certain
49 00:03:56,820 --> 00:03:59,790 number of open connections that it will allow.
50 00:03:59,970 --> 00:04:06,870 One response to high volumes of SYN packets is to increase the maximum number of possible half-open connections
51 00:04:07,200 --> 00:04:08,900 that the operating system will allow.
52 00:04:09,480 --> 00:04:16,100 Now, in order to successfully increase the maximum backlog, the system must reserve additional memory
53 00:04:16,140 --> 00:04:19,220 resources to deal with all the new requests.
54 00:04:20,280 --> 00:04:25,890 And if the system doesn't have enough memory to be able to handle the increased backlog queue size,
55 00:04:26,100 --> 00:04:28,670 system performance will be negatively impacted.
56 00:04:28,860 --> 00:04:31,870 But that still may be better than denial of service.
57 00:04:32,010 --> 00:04:32,580 Of course.
58 00:04:33,770 --> 00:04:38,380 Now, recycling the oldest half-open TCP connection, this is another method.
59 00:04:40,330 --> 00:04:46,560 So another mitigating strategy involves overwriting the oldest half-open connection once the backlog
60 00:04:46,600 --> 00:04:53,560 has been filled. This strategy requires that the legitimate connections can be fully established in less
61 00:04:53,560 --> 00:04:57,550 time than the backlog can be filled with malicious SYN
62 00:04:57,550 --> 00:05:04,030 packets. This particular defense fails when the attack volume is increased or if the backlog size is
63 00:05:04,030 --> 00:05:07,090 too small to be practical. SYN cookies.
64 00:05:08,030 --> 00:05:09,680 Now we have the SYN cookies.
65 00:05:10,820 --> 00:05:16,430 This strategy involves the creation of a cookie by the server. In order to avoid the risk of dropping
66 00:05:16,430 --> 00:05:21,530 connections when the backlog has been filled, the server responds to each connection request with
67 00:05:21,530 --> 00:05:28,400 a SYN-ACK packet, but then drops the SYN request from the backlog, removing the request from memory
68 00:05:28,430 --> 00:05:31,880 and leaving the port open and ready to make a new connection.
69 00:05:32,570 --> 00:05:39,110 If the connection is a legitimate request, and a final ACK packet is sent from the machine back
70 00:05:39,110 --> 00:05:43,510 to the server, the server will then reconstruct, with some limitation,
71 00:05:43,520 --> 00:05:46,520 by the way, the SYN backlog queue entry.
72 00:05:48,630 --> 00:05:55,710 And while this mitigation effort does lose some information about the TCP connection, it is better than
73 00:05:55,710 --> 00:06:00,520 allowing denial of service to occur to legitimate users as a result of the attack.
74 00:06:01,050 --> 00:06:08,520 So we have the client and the server, so the server will receive the SYN, and the server responds
75 00:06:08,520 --> 00:06:09,200 with SYN-ACK.
76 00:06:09,420 --> 00:06:13,820 Now, it will drop that, as you can see, it will drop it from the backlog.
77 00:06:14,130 --> 00:06:16,970 So you can see that it will drop the SYN request from the backlog.
78 00:06:17,130 --> 00:06:20,220 But that said, by the way, it responds with SYN-ACK.
79 00:06:20,550 --> 00:06:27,420 So if it receives ACK, I mean the server, if it receives, as you can see, a final ACK, so the server
80 00:06:27,420 --> 00:06:29,420 will reconstruct that connection.
81 00:06:29,610 --> 00:06:33,600 But, by the way, with some limitation, which actually you can read more about.
82 00:06:34,610 --> 00:06:35,750 Which is the SYN cookies.