In this lecture, I will be talking about the remaining TCP flag combinations and the XMAS (Christmas tree) attack. So far we have covered the SYN flood, one of the most efficient and popular DDoS attack methods against the TCP protocol, in the previous lecture. As you can guess, in this lecture we will cover the remaining flags, namely the urgent (URG) flag, the push (PSH) flag and the reset (RST) flag, as well as the two remaining flags related to the congestion window in TCP (ECE and CWR). Now, when it comes to volumetric attacks, as an attack vector a SYN flood is exactly the same as, say, a URG flood or a RST flood. The logic is exactly the same: the attacker just sends an overload of packets, either in a spoofed way, by using other hosts, or all by himself.
Therefore, in this lecture I'm not going to talk about all the flags one by one and explain the logic, because the logic is exactly the same when it comes to volumetric attacks. What is interesting, and what we are going to cover in this lecture, is their combinations. In fact, the XMAS attack is nothing but an attack vector where all TCP flags are set. It's called the Christmas (XMAS) attack because, since every flag is lit up, it looks like a Christmas tree. In Wireshark, this is more or less how it looks.
And the detection method is exactly the same as in the case of ACK floods: you just need to set a filter in Wireshark for the appropriate flag. In other words, instead of filtering for the ACK bit, we filter for, let's say, the reset bit or the urgent bit. So the logic for detection is exactly the same as well, and detection is pretty much the same. And for volumetric attacks the implementation is the same. Then the question is, why are they hard to handle? The answer is actually right here: there are so many combinations, including illegal ones.
And when I say illegal, what I mean is that the combination is against the rules of TCP. Let me show a simplified version of the list of illegal combinations. For example, if you see a packet where the SYN bit and the FIN bit are set together, this is illegal, and you can be almost sure that this is an attacker. The same goes for RST in combination with SYN, and the same goes for packets carrying only FIN.
And the same goes for NULL packets, in other words packets with no flags set at all. So you might ask: well, if this is pretty much the whole list, can we just filter all the packets which include, say, SYN and FIN? The answer is that you can, but it's not that easy. Let me show you, for example, an example ACL for Cisco routers. As you can see here, we have this access control entry which catches SYN and RST set together.
But at the same time, we have other rules, for example RST, SYN and FIN. See, here FIN is added, so the second rule will not catch the other combination. I mean, by applying only the second access control entry on Cisco devices, you will not be able to catch the other types of packets, like the third or the fourth. So depending on the attacks your systems are receiving, you need to define all the combinations and apply those rules as ACLs to your systems one by one. And this combination issue is exactly what makes this kind of flag attack tricky.
For example, you might have an access control entry like the first one here for XMAS attacks, but if the attacker understands that you have such a rule in place, he can just remove, let's say, the push bit from his crafted packets, and then the packet will actually pass through this ACL, because there won't be a push bit. And another thing that makes it even more challenging: right now we are talking only about illegal traffic. What if the attacker is attacking with legitimate combinations? In other words, let's say the attacker connects legitimately at the beginning, but then starts the attack with PSH+ACK. PSH+ACK is a legitimate combination. So in those cases ACLs will not work, and it will be even more challenging for you to resolve the issue.
However, at least for illegal combinations, applying such ACLs will protect you. And you can of course think of more of them; you don't have to be restricted to those listed here.
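As an added example (not code from the lecture), the Python script below applies a rule table of illegal flag combinations to raw TCP headers and renders each rule as the equivalent Wireshark display filter. The rule list is my reading of the lecture's simplified list (SYN+FIN, SYN+RST, FIN without ACK, NULL, and XMAS as the six classic flags FIN/SYN/RST/PSH/ACK/URG); the sample headers are constructed inside the script. It also demonstrates the two points made above: an XMAS packet with the PSH bit removed no longer matches the exact XMAS rule but is still caught by the SYN+FIN and SYN+RST rules, while a PSH+ACK packet matches nothing because it is a legal combination.

```python
"""Classify TCP flag combinations from raw TCP headers (added example)."""
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793, RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# Wireshark display-filter field name for each flag.
WIRESHARK_FIELD = {"FIN": "tcp.flags.fin", "SYN": "tcp.flags.syn",
                   "RST": "tcp.flags.reset", "PSH": "tcp.flags.push",
                   "ACK": "tcp.flags.ack", "URG": "tcp.flags.urg",
                   "ECE": "tcp.flags.ecn", "CWR": "tcp.flags.cwr"}
CLASSIC_SIX = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

# Rule table: (name, flags that must be set, flags that must be clear).
# This is my reading of the lecture's simplified list, not an exhaustive one;
# extend it with further combinations as needed.
RULES = [
    ("SYN+FIN", ("SYN", "FIN"), ()),
    ("SYN+RST", ("SYN", "RST"), ()),
    ("FIN without ACK", ("FIN",), ("ACK",)),
    ("NULL", (), CLASSIC_SIX),
    ("XMAS", CLASSIC_SIX, ()),
]


def make_tcp_header(flags, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (no options) carrying the given flags."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    offset_and_flags = (5 << 12) | flag_byte  # data offset 5 words = 20-byte header
    # src port, dst port, seq, ack, offset+flags, window, checksum, urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 65535, 0, 0)


def parse_flags(tcp_header):
    """Return the set of flag names that are set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    word = struct.unpack("!H", tcp_header[12:14])[0]
    return {name for name, bit in FLAG_BITS.items() if word & bit}


def classify(flags):
    """Return the names of every rule the flag set violates (empty list = legal)."""
    hits = []
    for name, must_set, must_clear in RULES:
        if all(f in flags for f in must_set) and not any(f in flags for f in must_clear):
            hits.append(name)
    return hits


def wireshark_filter(rule_name):
    """Render one rule as the equivalent Wireshark display filter string."""
    for name, must_set, must_clear in RULES:
        if name == rule_name:
            terms = [f"{WIRESHARK_FIELD[f]} == 1" for f in must_set]
            terms += [f"{WIRESHARK_FIELD[f]} == 0" for f in must_clear]
            return " && ".join(terms)
    raise KeyError(rule_name)


def scan(headers):
    """Classify raw headers; returns [(sorted flag names, matched rule names), ...]."""
    results = []
    for header in headers:
        flags = parse_flags(header)
        results.append((sorted(flags), classify(flags)))
    return results


if __name__ == "__main__":
    # Constructed sample traffic: a full XMAS packet, the same packet with PSH
    # removed, a NULL packet, a lone FIN, and a legitimate PSH+ACK data segment.
    samples = [
        make_tcp_header(CLASSIC_SIX),
        make_tcp_header(("FIN", "SYN", "RST", "ACK", "URG")),
        make_tcp_header(()),
        make_tcp_header(("FIN",)),
        make_tcp_header(("PSH", "ACK")),
    ]
    for flags, hits in scan(samples):
        print(f"{'+'.join(flags) or 'NULL':<24} -> {hits or 'legal combination'}")
    print("Wireshark filter for SYN+FIN:", wireshark_filter("SYN+FIN"))
```

The rules match on subsets of flags rather than on the exact XMAS pattern, which is the defensive lesson of the PSH-bit example: a packet that drops one bit from the full set still violates a narrower rule. The PSH+ACK sample, as the lecture says, is not distinguishable by flags alone and needs rate or connection-state based detection instead.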