So this is yet another example why you will do source NATting, and I will not go through this in detail, and this is the one that I just will explain, not the full syntax. It should not appear to you that every packet, we have to do all this work, go through all the rules. So usually what happens is that connections are now given state and packets are marked, that if a packet is marked once, that means it is a part of an established connection, so it will, entire, all packets belonging to the same connection will get passed through, okay. This is called forward and so on. So again I know it won't make much sense to dwell and explain it in detail, but you should understand that also here are some small homeworks and puzzles: how do you enable HTTP port, how do you enable SSH packets. So this is all needed as exercises, and here is an example for allowing HTTP packets: new connection request to port number 80, you accept. This is in the forwarding table; this is one rule. Well, I spent some time, this one says that in the forwarding table you accept connections to this port number 389, but use a limit: do not accept connections unless it is within this rate. What is that rate? Here it says 10 per second. Again, do not worry about the exact syntax, do not worry about how to actually do it; what I am trying to illustrate is there is a feature where we can tell the firewall rate limit. What is rate limit? Do not allow too many connections. If mail server is getting too many connections from the same IP address, it is most likely it is spam, so slow it down, allow
only two connections per minute, three connections per minute, and if it is a genuine mail server they will wait and they will try after two, three, and your server will not get denial of service attack, it will not get choked. So this is another feature to limit DoS attack, okay.

So again, I know we rushed through this iptables part, but the goal was not to teach you iptables in full; the goal was to tell you what it does. And recapping: it can allow services from outside the world to your campus in a selected, controlled way; it can allow certain type of connections from your internal network; and it can defeat a lot of attacks that outsiders are trying to do on your network, because at the first point itself they will be, it is like having a good security guard and having very few gates in your campus and making sure that ID cards are used and checks are done; then for the bad guy to get in is very hard. But it still has, it does not do a lot of, you know, if your web server or mail server is faulty, if your web page has SQL injection, or it does not do redundancy failure protection, if a particular route is down how do you come through another route, and so on, there are many. Still, it is still a good starting point, and setting up a good firewall, configuring it properly, and more important, I did not show you specific syntax, iptables can also send logs. Logs means what? Information about what it is doing. So just think, do not, do not believe me just like that. iptables is a layer three software at the IP layer. How many packets will it be seeing? What is the speed of Ethernet? Gigabit. And if you are downloading a movie, then you are downloading how many packets, are coming, huge number of packets per second, in the millions, and for each packet you have to write a log. What will be the size of the log file? If you write, you know, five words or six words in the log file, I got this packet, I got that packet, I got this IP, I got that IP, some information you have to write, right? The size of the file will be so
huge I mean IP tables trying to create logs should not be something that you take for granted so what do you think and this is the unfortunate that I do not have a slide on that but it is something that I am flagging for you to make sure you understand that selective logging that IP tables 99% of the packets it will not log you can put a rule that says if this happens if from a bad IP or if from a particular range of IPs a connection is initiated write a log you can choose what rule to write and you can choose under what conditions to write and you can choose what part of the information to write so if you do this properly then the IP table logs is manageable and more important it separates the wheat from the chaff this is the phrase that lot of security people use wheat from the chaff we have more of almost the more I think in India maybe we should say rice from the chaff you have seen right a winnowing mill when the rice is fold the grains fall down and the husk gets blown away so in IP tables if you put the logging rules properly then only interesting incidents which can have a security implication will get logged and the normal incidents will not be using up your cpu or disk page or bandwidth to write log so this is important so this is one part of today's lecture that how to do access control both ways from outside to inside inside to outside and what to use for that IP table so in any course on security which you teach firewalls will form an important part of the course and IP tables is the best I can suggest for you to make sure that your students do enough experiments understand and do well so now in the last half an hour of the lecture this morning we will now go beyond IP table let us say our firewall has been set up properly what else do we do at the application level what are the problems and how do we ensure that we minimize its impact so let us take incoming email so the best way to protect your organization from mail is to set up a few servers under 
your control which will receive all incoming mail for your organization. Even if you have many sub-domains, do not allow every department to have its own mail server: each of them will face the same problem of configuring, each of them will face the same problem of preventing virus, preventing worms, preventing spam. What you would like, you would like one main security guard; one means two, three servers acting in load balancing mode, and once they filter then you can give it to the department server inside. Because trying to set up a single mail server for all departments is again not a good idea, so the right policy, the right balance, is to do internal mail servers under the control of the department for all mails within your campus, but when they have to exchange mails with the outside world, they get routed through a mail relay for incoming and mail host, or that's what we call it, for all outgoing. So this server which is accepting mail on behalf of all the domains, sub-domains of IIT Bombay has to be properly configured and should not act as relays. It should accept only for IIT Bombay; should not accept mail from Japan for US and relay the mail. Why we should not do that? We can accept from Japan for IIT Bombay, but not from Japan for Gmail, Japan for Yahoo mail; we should not do that, because then we will be used to route bad mails through us, and Yahoo and Gmail will trust an IIT Bombay server. This is the thing that you should, I am going to spend a little bit of time on SPF, sender protection filter, that some domains are trusted, and if you are used, you, if your domain can be used by spammers or hackers or others to send mail for them, then you are what is called open relay. So this DNS stuff will check all that also.

Yes, one more piece of information which, in case you are not aware, you should again learn and study and maybe teach it also. I am sure most of you know how to configure mail clients, and they always ask you what is your name, what is your email ID. So all of you, or many of you, could
set up your email client, whichever client you are using, to tell that your name is Sivakumar and to tell that your email ID is siva at iitb.ac.in, and then when you send out mails the from line will say from siva@iitb.ac.in, and you may be sitting in Kolkata and sending out this mail. So some receiver in the US, when he gets the mail, the from line will say siva@iitb.ac.in and you are writing mails as though it is coming from me. Is it possible today? So does that mean that receivers of mail should be very, very careful? Now every receiver of mail obviously should be very, very careful, but if for your organization you can protect, that this misuse can be reduced, not eliminated, by what is called Sender Policy Framework. IIT Bombay has told the rest of the world that if you want to be extra careful, if any mail comes, claims to come, from a user whose domain name ends in iitb.ac.in, please accept only if they come from these three IP addresses. This is called Sender Policy Framework: that our domain name server tells the rest of the world that we have only three IP addresses from which we allow mails for users who use our domain in their from line. So if the receiver is careful, then when he sees the from line as iitb.ac.in, he will check in our domain server: is the, is the mail coming from an IP which has been authorized by IITB to send mail for users within that domain? I hope I conveyed what is the role of this; of course you should read more in a little more leisurely way. Sender, this then says that many other domains, almost all the reasonable domains, use it now, will not accept mail if you try to send mail as the from line as iitb.ac.in; they will not accept the mail, they will say this is a bogus address, you are sending from an IP address which is not authorized by IIT Bombay, mail rejected. So that gives protection to our users that your IP cannot, your name cannot be misused easily. People inside IIT can still do it: a student can try to send a mail as though it is from me, but hopefully that
is much easier to control because you have some administrative control over the users in your campus. We will see that. So all I am trying to show is that when you set up different services, you have iptables for the firewall; similarly for mail, similarly for Squid, there are many security related configurations that you should be aware of. So that is one part of the lecture. Some part of this we will do in the lab; we will give you examples to illustrate what you can do, but the learning has to happen well beyond. We have just 10 percent, like the glacier; you have probably only seen less than 10 percent of what is the scope of work in this, in this area of configuring, for, it is called hardening: hardening your services, making sure that you do not leave holes. There are best practices, guidelines and so on, and I tried to give you a glimpse.

But there is an even more interesting part. So again we are now going to make a big jump. We are going to assume that our firewall is beautifully configured, our application services, everything is set up perfectly, we have followed all the guidelines, we have understood all the latest developments. So can we now go home and sleep in peace? And this lecture is going to tell you, no, that it is not enough to just do the good things. Why? Because despite our knowledge of the system, unfortunately, is not 100 percent. When we use a mail server or when you use a firewall, we do not know if there are any other vulnerabilities. All the known attacks, all the known vulnerabilities have been told to us; we have been learning about it, we have fixed it, but something new comes. For instance in the SSL, you might have heard there's a Heartbleed attack; it detected about two or three months back. Till then everybody thought that if you use SSL you are getting a lot of security, but once this attack was discovered more problems came, and detecting such attacks is not something that every user can do. There are organizations which are doing that; there are advertisements sent out,
there are alerts sent out, and so on. But what every user and every organization should do is this one: it should monitor that if something unexpected happened, is everything happening correctly, is anything unexpected happening? If something unexpected is happening, you must be ready for it, and that's what this quotation, I hope some of you had, had the time to read this, that when your house is on fire, when your house is burning, then you don't think how should I dig the well. So if all your servers are, you know, crashing, something is going wrong, mails are not coming, that is not the time you start reading, you know, what went wrong, where it went wrong, why it went wrong. So you should do that well in advance. Security cannot be an afterthought, so if you do it at the design time, security should be by design, and by design one of the principles, and this is very important, that's what is called security assurance: you must watch, you must understand, is something good happening, is something bad happening. The earlier you get alerted, the more chance you have of preventing that. So this again I won't read out in detail; this is just telling you that essentially you must have full knowledge of what is happening in the network, and all the value of knowledge we know as teachers, we know and so on, so forth, and even IIT Bombay's motto is Gyanam Paramam Dhyeyam, knowledge is the supreme goal. So let us see what do you mean by knowledge about your infrastructure.

So here is the question you should ask yourself: that assume you are the system administrator of your college network, set up all your services and all the things that we were talking about. Should you not be able to answer, if your director calls you and asks, how much traffic is going in, how much traffic is going out, at what time maximum traffic is going, and within the users who is sending more data, what type of applications are consuming more data? If you say I don't know, then you are not a good sysad. Nothing to do with attacks; it is a matter of
usage monitoring. How many emails came to IIT Bombay yesterday or last one week? This is very much harder to answer, and it's not important to simply answer how many emails came; you must know who are the top 10 senders, from who is it coming, from Gmail, is it coming from Yahoo, is it coming from US? Should we know all this? Why should we know all this? We should know all this because of the following reason. I can give you a case example, that suppose you have been doing this information gathering somehow; somehow is not so difficult, and that's part of your lab, it's called log analysis: knowing where such information is logged, how to extract it, analyze it and generate reports. And suppose by doing this you know that normally on Saturdays and Sundays we get 1000 mail, on weekdays we get 2000 mail; this is the average that has been happening for the last two months. Now yesterday happened to be a weekday and we got 45000 mail. Nothing happened, no server broke, no bandwidth choke, nothing went wrong. But if you see this, that for the last three months it has been 2000, 3000 mail, yesterday was 45000, are you going to keep quiet? So if you are going to keep quiet saying no security, no attack, no user has complained, then this entire lecture is a waste. Because what you should do is proactively try to understand any, this is called an anomaly, an anomaly in usage. It could be a sign of something very bad. Yesterday you could have handled that 45000 mail, your server would not have crashed, but tomorrow it may go up to one lakh, 10 lakh; your server will crash, all your users will lose mail. So you have to find out why this is coming. Is it legitimate mail? Is it some attack? Is it the starting point, is somebody testing the waters, are they trying to see if my server is doing, and then will they scale up the attack tomorrow? How do you do all this? Is anyone attacking academic office from the hostel? Our students are not above board, and grades are stored in servers inside IIT Bombay. It is not only people in China and
Pakistan will attack us; students may want to change their grade. They may not succeed, but very fact that they are making attempts, what is the meaning of making attempt? If some hostel IP is trying to connect repeatedly to the web application or the server which is storing the grades, should you not know? If they may not have broken it, there may be no SQL injection, there may no attack, nothing might have succeeded, but should you not know that last night from hostel 6 for 3 hours somebody was constantly trying to scan, look at the ports, was trying to log in? Or should you say that is ok, nothing as bad has gone wrong, if somebody complains then I will go and see? So that is the difference between security assurance and reactive panic firefighting. So we do not want to do firefighting.

So that is the goal of the last 5, 10 minutes of my talk: that where is all this information, how to find out, and more important, by the very nature of the network and application, this information is not available in one place. You have to correlate information from traffic, which is available in the router interfaces, how many packets, so log, application log, so iptables security log, in different places of your network, different servers, different locations, and all this information has to be collated and understood holistically, analyzed. These are buzzwords, but I am sure you know what I mean: that you cannot look at only one, you cannot have what is called blinkered vision, I am in charge of mail server, I look only at mail. No, you need that integrated view, and therefore to do that I am going to tell you, show you something, first very quickly, that in IIT Bombay we do have graphs like this. Most of you may already have seen graphs on, you may have graphs for your organization also, called MRTG, Multi Router Traffic Grapher or something like that, which tells you the bandwidths used, how much bandwidth issues. I will explain a little bit about that by showing a more detailed diagram. So this is data which is old, not yesterday's
data, but it is giving you the full picture: that around 4 in the morning the traffic starts reducing. The green is the amount of traffic coming into our campus from outside on one of the WAN links; there are three WAN links, but all three WAN links are showing a similar pattern. Why at 4 am, you know, traffic is reducing? Finally people are sleeping, okay. So at 8 am they start waking up, different people of course at different time, but the trend is the same day after day after day, and then around noon and 2 o'clock it peaks, then again at 8 o'clock after dinner it peaks, midnight is another peak, then around, slowly declines, 4 o'clock, then, and you can see this trend. If you map it historically like this one is showing, you will see this trend every day; sometimes you will observe weekends are different. So these are trends which are just seen by looking at the shape. Now if your director is shown this graph he will be reasonably happy that okay, this is what I want, this is expected behavior. But what you will not be happy is, there is another line hidden somewhere in the bottom, which may be here as a blue line. What is that blue line? How much data is going out of your network, okay. That is not having much of a pattern; it is having, but in fact there is not, there is not even much traffic even if you scale it, and this is something that if you are, you are not in charge of course, if very few people want information from you, if no information is going out, the only information going out is mail, then you have to think why. Why are not people coming to my website? This is another type of analysis; this is not at the security level but at the utility level, okay. So we will see that also later. Your director may ask you questions like that: who is visiting my website, why are they not downloading my pages, why are my faculty pages are not seen, who is seeing it, how many times they saw, which person's page they saw most. He may want it for making some other decision, promotion, this, that. So but who will give him that
information? This is sad. It is not that you have to set policies, but you have to be able to produce this information. So that is what this is not going to produce; that this is only telling you the overall, overall data going out, overall data coming in. So that is the very first level, and even here you can put filters; you can write scripts which will alert you: if it exceeds this much, alert me; if it falls below this much, alert me. This is up to you to decide what you want, but the tools exist, which you will see in the lab on Friday, where you can configure the tool to keep watching this data. Because a human being watching and reacting is definitely not the way; a software should be running and watching the output data, input data, and you should write scripts or triggers: if this happens, tell me. Tell me means what? Email or SMS, or depending on the priority, depending on the alert. That is what this part of the lecture is about: monitor, react, intimate, react, escalate.

So in the interest of time let us move on. This is showing you the monthly graph, hourly graph, hourly graph; hourly graph is good data, more, more people are using the link and so on, so forth, and output is always much less than input. Then Nagios is another tool which monitors; again I will not explain in detail, but probably you will do a similar tool in your, in your lab. Inside my campus, are all the servers up, are all the services running properly, am I able to connect, and so on, and a red light means something is wrong, and it will tell you when it went wrong, why it went wrong, and so on. This is something that you will be doing in the lab on Friday.

I am, not deliberately, I have put logs from long back, ten years back, privacy concerns and this and that and so on, but here is a type of information which you should be able to generate easily. If you do it, it will have value. It simply says for each date in January, one, two, three, four, how many mails came in: 34,000 mails, 33,000 mails; weekends are slightly less. I do not know who is an expert, but
my guess is January 4 and 5 were weekends, can be 11 and 12 were weekends; number of mails coming in on weekends, everybody is taking time off and so on, outgoing also is reducing on those days, 6, 5, so my guess is those are Saturday, Sunday. And there is a hyperlink which is telling the top 25: what is the total incoming size of mails, what is the total outgoing size of mails, who are the top 25 senders and receivers. And this is why I took the old data, that a table like this will actually tell you which user is sending out, who is receiving maximum number of mails, who is receiving. You have to have a policy who can see this information: director yes, head of the department no, like that. So that is a different issue, but first you must know what tools are available and what they can do; then those who are in charge of the information will make the information policy, who can see, who cannot see and so on. But as a sysad you must be able to generate this on a regular basis.

Here is another important part. Again I am sure you cannot read this in, in the slide on the screen, but later on when you download it, this is telling the server, what was the memory usage, what was the CPU usage, how many page faults on the server receiving the mail. There are many OS related performance statistics; those statistics also should be monitored. Why? This space may run out, /tmp may become full, many other problems may happen on the service. So that is something you can again monitor. So that is a scanner status: how many viruses came, how many did I find, how many did I quarantine, which network it came from. Just because you are doing your job properly is not enough; you must also understand, are there more coming, less coming, and triggers for that. Then this is the web proxy usage. This one is giving you a sample of how many people visited your websites, the 10 dot, because you are doing this filtering, CSE website, EE website, how many people came, where they came from, okay. And that will also, again I do not look at
the table in great detail. It will only tell you, maybe I will show you in the next slide the country domains. Yeah, this one, this one is saying that which people from which country and from where, which domain, visited your website: from US educational domains, from commercial domain, dot com, dot edu. Why would you want to know this, okay? So suppose from Malaysia one day you find that people never visit, but that day a lot of people visited; then you would want to know why, and they visited only chemical engineering department. This could then be an information that is flagged and told to the department head: this is happening. So they may then say yes, it is because we have a conference next week and a lot of people registering for that conference. So we need to understand what is happening and why, and to do that you need to do what is called log analysis.

So the last important technical point that I want to convey, or a name of a tool or a software that I want you to note down, is what is called rsyslog. I already told you that interesting information about what is happening to the network and application is being generated in many places. Now if you do not consolidate that information, it is much harder; if the, if you have to log into this server to read that, if you have to log into that server to read that. That is what rsyslog is: is a centralized logging, that all these logs are not only written locally, they are also, at the time they are generated, with suitable filters, sent to this centralized server. So this centralized log service main job, and you will be learning a little bit more about this tomorrow in the lecture and in the lab on Friday, it is called security, SIEM, Security Information and Event Management. So a lot of information could keep coming to this server from various places, and then we can generate alert, identify trends, and use open source tools to generate useful reports, and that is the part of the lab that is coming up on Friday. So rsyslog can tell who should receive,
it did not receive logs from everybody; it can allow sender UDP logs to come from 10.5 kerala, TCP logs to come from 10.99. It can tell which IP can send what logs to me, and then it can filter. Similarly on the machine sending the log, you can, need not send all the log lines to the centralized server; you can, you can put your own format, year, month and so on, so forth, and then you can say if it is TCP denied, send it to this server; if it is some other message, send it to this server or this port. So that differently it can be logged; it need not be all logged in the same place. There is all this, like I said, wheat from the chaff: messages which are very normal, keep it in some other place, which is a very particular, so that it is easier to analyze. So just again giving you an example that our centralized log server has different directories: three or four for different mail servers, mail incoming, mail outgoing, IMAP; three or four for web proxies, this a reverse proxy, this is Squid; then some for the IMAP itself, some for LDAP, the directory server. All these logs, of which date, and this is the last slide with information, 2014 May, you can see this is the log size, gigabytes, 53 gigabytes or 500 gigabytes or so per day, compressed, is stored, but it is available, and it is a legal requirement also. How to mine these logs, what is the information in this log, what is the useful content in this log, that is tomorrow and in your lab. Tomorrow's lecture will be about the lab; it will not be the lab itself, but tomorrow morning 9:30 to 11, me and some of the two or three MTS will come and explain to you the tools that you are going to use, and these tools will allow you to do this: collect logs from various places, watch the logs, set triggers, generate alerts, and allow you to understand what is happening in your network. So this was today's lecture, was simply to give you the background, and the two parts: iptables is an important part, you may not do much about that in the lab, but the second important part, log analysis,
monitoring, alerts and preventing security incidents, is going to be a focus of what you do hands-on in the lab. So with that I will stop. The rest, of course, I encourage you to ask questions tomorrow, now that you have assimilated a little bit of what I said and you have the slides with you; you can also take your time to raise the questions and send it online or offline, then in tomorrow's lecture I'll address some of the questions, and then in the lab.

Okay, RRD is a term used by that MRTG. It is a database that it maintains, round robin database or something. It's a cumulative, incremental data, only of what changed from last time that is written, and it is a terminology used by this particular tool MRTG. I don't know the exact expansion, but something to do with the round robin data or something like that, which, which comes in, in an incremental form; the log file is archived for the graph to be plotted. You saw the daily usage, monthly usage, weekly usage, so that, that database size does not become too big; they have some techniques for storing that data.

Hello, good morning sir. My question is that what is the spoof attacks and SYN attacks, how this attack can be blocked?

So I will respond to that SYN attack; the other one maybe later. The TCP is connection oriented protocol, so most applications, for instance let us say you want to send mail, you have to first open a connection on port 25, and TCP has something called a three-way handshake: that if I want to send you mail, I have to first send a packet saying I want to open a connection to you on port 25. This is called a SYN packet, and the receiving machine can decide to accept or not. If it accepts, it will say yes, please start sending data, which is real data, but you start from this sequence number; some handshake is done, and the third, to complete the connection establishment, the initiator has to send the third packet saying yes, I got your permission, I will start and you use this sequence number. So this is three way: I send you a request
saying I want, you say yes, and I say okay, let's do. After that the real data which the application wants for SMTP or whatever goes on. Now a SYN attack is: an attacker simply says I want to start a connection, the other guy says yes, go ahead; now this fellow doesn't complete the connection, he just leaves it like that. Why does he leave it like that? Because the other server now has in his kernel allotted some space in the table saying that this guy is going to connect, I have sent him this sequence number, he's waiting for that handshake to complete, and he has used, let us say, 25 bytes of memory. If I do it once there is no problem, because then after some time it will time out; he'll say this fellow is not replying and he'll throw away the packet. What if I do it thousands of times? Each, this is called a half open connection; each half open connection uses up some resource on the server. So if I keep doing this, I start the connection but don't complete, start the connection, keep doing this at the high rate, and your firewall is not doing this rate limiting, then pretty soon your server will not be able to respond to real calls. So I will give you a real analogy and then stop that. Let's say you have a helpline in your college for answering real queries for students, how to pay fees or how to do the application, and you have three lines, people are sitting there. Now if I keep calling those three numbers and saying I want some junk, have you heard this song, have you heard that song, then the speaker is going to hang up saying you are not a real student. But if I keep doing this, what happens when real students are trying to call? The line will be engaged, and these three people will be so angry they will not give him a good reply also, even if he gets through. That's what is called denial of service attack. So SYN attack is something that iptables can help you to limit, limit the rate, and also do not allow this to accumulate.

Hello, morning sir. Good morning, go ahead. Morning sir, my name is Shoyab and I have
a question like, can we use image processing, you are talking about firewalls first, so can we use image processing techniques to filter certain image patterns, that, yeah, and give like more effective to, like, parental controlling thing? Because there are so many sites that abuse you side.

So the spirit of your question, so let me answer this in two steps. The first one is doing it at the network level, IP packet level, is hard. But if you have a proxy server, and then there are many tools available, Squid only normally they drop bad content only based on IP address and URL having some name or keyword, okay. But content based filtering, what you are talking about, many tools implement that. Any image, they will scan for how much of the, 50 percent, is looks like skin; they will say this is a bad photograph and they will not allow it. How do they know it looks like skin? That is your image processing, clothes and skin. If you are seeing my face now on your screen, this part is, they will know, skin, this part is skin, they will know this is cloth, okay, and right now the percentage hopefully is at least 50-50, so they will not think of this as an obscene picture. But if there is a picture where the image processing program says 90 percent is with skin, then the program will drop it. Such things are specialized content based filtering, it is called, and image processing is indeed used for allowing web browsing and not blocking site fully, only blocking bad thing. Now, but of course it is a very slow process; that server needs to be very fast, needs to run many applications, and therefore it is a resource consuming activity. So I hope that answers part of your question and you can look up more on this.

Good morning sir. Good morning sir. There is one question, that you have, as told earlier, that about how much traffic is in, out, yes, who is a larger sender and receiver of emails, yes, is there any software or simulator by which we can install in our lab and find out that what is happening on the network?

Yes, of course, that
is the goal of your Friday's lab I am very glad you asked that question and it is not simulator it is oh you want to say how to do an experiment okay let me answer two parts first is synthetic data versus live data that is part of your question and you use the word simulation for that that you want to give experiments to students or is it that you want to understand really what is happening the real world real data sir it is for real data for real data the tools that what you are going to do the real data will be in your servers if you have a server receiving mail it will have in the war log mail log it will start adding information the tools that are used to analyze that you will be doing in the lab on Friday the mail log analysis tools but if you want to give students homeworks and experiments you can generate fake data or if you want to what is called mask the privacy reasons the real data you do not want to give the student you do not want to know who received mail from whom and so on the real names then you can do what is called anonymizing you can write scripts that will blank out or replace with dummy names and dummy IDs or dummy values the real log life and you can have tools that generate such patterns so that students can be this is actually may be an interesting question that many of these certification programs on security and so on many of them are of course not trustworthy but the ones that are good they give students scenarios like this they give a sample synthetic log file and say you find out three top problems that happen they give two gb log files and they know you should know which tools to use that is what is part of the training and using those tools you must analyze the logs and find out three or four bad things so if you pass that then you get the certification now to the extent that you want to do it in your course and your lab we will give you guidelines hands on later on but in friday we will be giving you sample data which you can use 
and from which you can see how the tool works what it can do what type of information reports it can generate last point yeah one point and then yeah see there is a difference between static analysis analyzing data three months back versus real-time analysis that also you must understand that analyzing old data and giving the report tomorrow is easy that can be done there are many tools you can write your own but analyzing data as it comes in i told you know our syslog is receiving data so on the fly every five minutes every six minutes analyzing and telling this is when going wrong that is going wrong is much harder and that will be the goal of friday's lab yes go ahead one participant has one more question last good morning sir yeah sorry you have explained how to prevent d i mean doors denial of services attack by limiting the number of traffic incoming traffic into the firewalls but how to prevent d doors and how to prevent d doors and what the role of zombies how to avoid how to prevent this kind of situation so this is actually uh beyond uh short two minute answer because this is one of the most interesting research topics d doors attacks are the biggest threat and even the top post not that i alone don't know this code doesn't know okay how doesn't know okay IBM doesn't know and the researchers are applying their mind to have effective techniques to prevent this the reason that d doors is hard to prevent is because you do not know in advance what are all the ip's in which these bad things can happen and how to know that you know you know one single ip makes a lot of connection different ip's share part of the load okay and therefore so best of my knowledge there is no simple answer for your question it is something that can become an interesting research project to figure out that a d doors is happening distributed denial before it actually becomes dangerous so i will leave it at that and maybe tomorrow give you some pointers to see more useful material 
about this thank you sir okay so we'll stop the first lecture today
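The SYN-flood argument made in the lecture (every half-open connection holds a server-side slot until it times out, and a per-source rate limit such as the 10-per-second iptables limit slows the attacker down) as an added simulation, not code from the lecture or its lab. The backlog size, timeout, rates and IP addresses are constructed values, and the token bucket is an assumed model of the iptables limit match, not its real implementation.

```python
from collections import deque

class HalfOpenTable:
    """Server backlog: each unanswered SYN holds a slot until it times out."""
    def __init__(self, capacity, timeout_ms):
        self.capacity, self.timeout_ms = capacity, timeout_ms
        self.pending = deque()          # expiry times, in arrival order

    def has_room(self, now_ms):
        while self.pending and self.pending[0] <= now_ms:
            self.pending.popleft()      # timed-out half-open entries are freed
        return len(self.pending) < self.capacity

    def add_half_open(self, now_ms):
        """Record a SYN whose handshake is never completed."""
        if not self.has_room(now_ms):
            return False
        self.pending.append(now_ms + self.timeout_ms)
        return True

class PerSourceRateLimiter:
    """Per-source token bucket (assumed model of iptables --limit/--limit-burst)."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.cap = rate_per_s, burst * 1000   # integer millitokens
        self.buckets = {}               # src -> (millitokens, last_ms)

    def allow(self, now_ms, src):
        tokens, last = self.buckets.get(src, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[src] = (tokens - 1000, now_ms)
            return True
        self.buckets[src] = (tokens, now_ms)
        return False

def simulate(attack_rate, seconds, limiter=None, capacity=128, timeout_ms=30_000):
    """Constructed scenario: one attacker (10.0.0.66) floods SYNs and never
    completes the handshake; a legitimate client (10.0.0.7) tries once per
    second. Returns (client_successes, client_attempts, half_open_accepted)."""
    table = HalfOpenTable(capacity, timeout_ms)
    ok = tried = flooded = 0
    for now_ms in range(0, seconds * 1000, 1000 // attack_rate):
        if limiter is None or limiter.allow(now_ms, "10.0.0.66"):
            flooded += table.add_half_open(now_ms)
        if now_ms % 1000 == 0:          # client completes its handshake at once
            tried += 1
            if (limiter is None or limiter.allow(now_ms, "10.0.0.7")) and table.has_room(now_ms):
                ok += 1
    return ok, tried, flooded
```

Without a limit, `simulate(100, 10)` lets the client through only twice in ten seconds because 100 SYN/s fills the 128-slot backlog in just over a second; with `PerSourceRateLimiter(10, 10)` all ten client attempts succeed. Running the limited case for 20 seconds shows the caveat: at 10 SYN/s against a 30 s timeout the backlog still fills at about 12 s, so rate limiting buys time rather than removing the attack.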