You understand what the internet is and know the protocols. Now let's trace exactly how data gets from point A to point B. Understanding this journey is crucial for securityβattackers exploit every step along the way.
When you send data over the internet, it doesn't travel as one piece. It's broken into packets, each taking its own route to the destination.
Think of a packet like a letter in an envelope within another envelope:
βββββββββββββββββββββββββββββββββββββββ
β Frame Header (Ethernet) β β Layer 2
βββββββββββββββββββββββββββββββββββββββ€
β IP Header (Source/Dest IP) β β Layer 3
βββββββββββββββββββββββββββββββββββββββ€
β TCP/UDP Header (Ports, Sequence) β β Layer 4
βββββββββββββββββββββββββββββββββββββββ€
β Application Data (HTTP, DNS, etc) β β Layer 7
βββββββββββββββββββββββββββββββββββββββ€
β Frame Trailer (Checksum) β β Layer 2
βββββββββββββββββββββββββββββββββββββββ
Each layer adds its own header with information needed for that layer.
Step 1 - Application Layer: You type "example.com" in browser - Browser creates HTTP GET request
Step 2 - Transport Layer: TCP adds header - Source port: 54321 (random) - Destination port: 443 (HTTPS) - Sequence numbers - Flags (SYN, ACK, etc.)
Step 3 - Network Layer: IP adds header - Source IP: Your IP (e.g., 192.168.1.100) - Destination IP: example.com's IP (93.184.216.34) - TTL: 64 hops - Protocol: TCP
Step 4 - Data Link Layer: Ethernet adds header and trailer - Source MAC: Your computer's MAC - Destination MAC: Gateway's MAC (next hop) - Frame check sequence
Now the packet is ready to travel!
Your computer knows it needs to send packet to 93.184.216.34.
Checks routing table:
ip route show
# Output:
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 scope link
Translation: "For anything not on local network (192.168.1.x), send to gateway at 192.168.1.1"
Computer needs gateway's MAC address.
ARP Request (broadcast):
Ethernet: ff:ff:ff:ff:ff:ff (broadcast)
ARP: Who has 192.168.1.1? Tell 192.168.1.100
Gateway responds:
ARP: 192.168.1.1 is at aa:bb:cc:dd:ee:ff
Computer caches this in ARP table:
arp -a
# 192.168.1.1 (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
Packet sent with: - Destination MAC: Gateway (aa:bb:cc:dd:ee:ff) - Destination IP: example.com (93.184.216.34)
Important distinction: - MAC address changes at each hop (Layer 2) - IP address stays same throughout journey (Layer 3)
Gateway (your router) forwards to ISP: 1. Receives packet from your computer 2. Performs NAT (Network Address Translation) - Replaces your private IP (192.168.1.100) - With public IP assigned by ISP (e.g., 203.0.113.45) - Tracks this in NAT table to forward responses back 3. Forwards packet to ISP's network
Why NAT? - IPv4 address exhaustion - Private IPs can't be routed on internet - Allows many devices to share one public IP - Adds layer of security (hiding internal network)
Packet travels through multiple routers:
Each router: 1. Receives packet 2. Examines destination IP (93.184.216.34) 3. Consults routing table 4. Forwards to next hop 5. Decrements TTL by 1
TTL (Time To Live): - Prevents packets from looping forever - Starts at 64 (typical) - Each router decrements by 1 - If TTL reaches 0, packet dropped - Router sends ICMP "Time Exceeded" back to source
Routing decisions based on: - Shortest path (fewest hops) - Fastest path (lowest latency) - Available bandwidth - Cost (some routes more expensive) - Current network conditions
IXPs are where networks meet: - Physical locations - ISPs, content providers, and networks interconnect - Exchange traffic directly (peering) - Reduce latency and cost
Major IXPs: - DE-CIX (Frankfurt) - AMS-IX (Amsterdam) - LINX (London) - Various locations worldwide
Peering agreements: - Settlement-free: Exchange traffic at no cost - Paid peering: One party pays the other - Transit: Pay a larger network to reach rest of internet
Packet arrives at example.com's network: 1. Enters through border router 2. Firewall examines packet - Source IP allowed? - Destination port 443 allowed? - Packet looks legitimate? 3. IDS/IPS monitors for threats 4. Load balancer distributes traffic - Multiple web servers behind load balancer - Balancer picks one based on algorithm (round-robin, least connections)
Packet reaches web server: 1. Network interface receives packet 2. De-encapsulation process (reverse of encapsulation) - Remove Ethernet header - Remove IP header - Remove TCP header - Extract HTTP request 3. Web server processes request 4. Generates HTTP response 5. Sends back to source (your computer)
Response takes reverse path: 1. Web server sends to its gateway 2. Through destination's network 3. Through internet backbone 4. Through IXPs 5. To your ISP 6. To your gateway 7. Gateway performs reverse NAT - Looks up original internal IP (192.168.1.100) - Replaces destination IP 8. Forwards to your computer
Asymmetric routing: - Outbound and inbound paths may differ - Internet routing is dynamic - Different paths can have different characteristics
Common causes: - Network congestion (buffers full) - Transmission errors (noise, interference) - Routing loops (rare, but possible) - TTL expiration - Firewall drops - Router failures
TCP ensures delivery:
Sequence numbers:
Client sends:
Seq: 1000, Data: "GET / HTTP/1.1" (15 bytes)
Server acknowledges:
Ack: 1015 (expecting byte 1015 next)
Retransmission: If no ACK received within timeout: 1. TCP assumes packet lost 2. Retransmits same data 3. Exponential backoff (wait longer each retry)
Flow control: - Window size in TCP header - Receiver tells sender how much buffer space available - Prevents sender from overwhelming receiver
Congestion control: - Sender detects network congestion (packet loss) - Slows transmission rate - Gradually increases if packets successfully delivered
UDP doesn't care: - No acknowledgments - No retransmissions - Application handles reliability if needed
DNS example: - Send query via UDP - If no response, application resends - Simple and fast
RTT: Time for packet to destination and back
Measured by ping:
ping example.com
# 64 bytes from example.com: icmp_seq=1 ttl=56 time=15.2 ms
Factors affecting RTT: - Physical distance (speed of light limit) - Number of hops (each router adds delay) - Network congestion - Processing at each hop
Typical RTTs: - Local network: <1 ms - Same city: 1-10 ms - Same country: 10-50 ms - Different continents: 100-300 ms - Satellite: 500-700 ms
Bandwidth: How much data can be sent (highway width) Latency: How fast data travels (speed limit)
Analogy: - Bandwidth = pipe diameter - Latency = water pressure
You need both: - High bandwidth, high latency: Large pipes, slow water (satellite) - Low bandwidth, low latency: Small pipes, fast water (local network)
Traceroute shows the path:
traceroute example.com
1 192.168.1.1 (192.168.1.1) 1.234 ms
2 10.0.0.1 (10.0.0.1) 5.678 ms
3 isp-router.net (203.0.113.1) 10.123 ms
4 backbone.net (198.51.100.1) 15.456 ms
5 ix-router.net (198.51.100.2) 20.789 ms
6 dest-network.com (93.184.216.34) 25.012 ms
Each line shows: - Hop number - Router hostname/IP - Round-trip time
Security note: Traceroute reveals network topology - Attackers use it for reconnaissance - Some networks block ICMP to prevent this
Example: - User in Tokyo visits website hosted in New York - RTT: ~200 ms - Every resource (HTML, CSS, JS, images) requires round trips - Page load: slow
CDN caching: 1. Content replicated to edge servers worldwide 2. User's request routed to nearest edge server 3. Edge server returns cached content 4. Much lower latency
How it works:
# Without CDN
User (Tokyo) β New York server (200 ms RTT)
# With CDN
User (Tokyo) β Tokyo edge server (5 ms RTT)
Major CDNs: - Cloudflare - Akamai - Amazon CloudFront - Fastly - Google Cloud CDN
CDN benefits: - Reduced latency - Reduced origin server load - DDoS protection - Geographic availability
Security implications: - CDN sees all your traffic - Trust model changes - SSL/TLS termination at CDN - Additional attack surface
Not all traffic is equal: - Video call: needs low latency - File download: needs high bandwidth - Web browsing: needs both - Email: neither critical
QoS mechanisms:
Traffic classification:
VoIP packets β High priority queue
Streaming video β Medium priority queue
File transfer β Low priority queue
Implementation: - Routers examine packets - Classify by port, protocol, or application - Queue accordingly - Process high-priority first
DSCP (Differentiated Services Code Point): - Field in IP header - Marks packet priority - Routers respect marking
One sender, one receiver:
Client β Server
One sender, all receivers on network:
Sender β Everyone on 192.168.1.0/24
Example: ARP requests Address: 255.255.255.255 Problem: Doesn't scale, creates noise
One sender, multiple interested receivers:
Video stream β Subscribers only
Example: Live video streaming Addresses: 224.0.0.0 to 239.255.255.255 Protocol: IGMP (Internet Group Management Protocol)
Efficiency: - Send once, received by many - Saves bandwidth - Used for streaming, conferencing
Any device on network segment can capture packets: - Promiscuous mode - See all unencrypted traffic - Passwords, cookies, data
Protection: Encryption (HTTPS, VPN)
Attacker intercepts traffic: 1. ARP spoofing (become gateway) 2. Route traffic through attacker 3. Forward to real destination 4. Victim and server unaware
Protection: - ARP inspection - HTTPS (attacker can't decrypt) - Certificate pinning
Attacker announces false routes: - BGP (Border Gateway Protocol) controls internet routing - Malicious announcements redirect traffic - Traffic flows through attacker - Hard to detect
Examples: - 2008: Pakistan Telecom hijacked YouTube - 2018: Amazon Route 53 DNS hijacked - Ongoing nation-state attacks
Protection: - RPKI (Resource Public Key Infrastructure) - Monitoring BGP announcements - Redundant paths
Attacker amplifies traffic: 1. Sends small requests with spoofed source (victim's IP) 2. Servers send large responses to victim 3. Victim overwhelmed
Protocols vulnerable: - DNS (50x amplification) - NTP (200x amplification) - SSDP (30x amplification) - Memcached (10,000x+ amplification)
Protection: - Rate limiting - Source validation - Filtering spoofed packets - DDoS mitigation services
# Capture packets
sudo tcpdump -i eth0 -w capture.pcap
# Visit a website
curl http://example.com
# Stop capture (Ctrl+C)
# Analyze with Wireshark
wireshark capture.pcap
Observe: - DNS query and response - TCP three-way handshake - HTTP request and response - TCP teardown
# Ping local gateway
ping 192.168.1.1
# Ping Google DNS
ping 8.8.8.8
# Ping international server
ping example.com
# Compare RTTs
traceroute example.com
# Count hops
# Identify ISP transitions
# Note latency increases
# Install iftop
sudo apt install iftop
# Monitor bandwidth usage
sudo iftop -i eth0
Data travels as packets: - Broken into small pieces - Each routed independently - Reassembled at destination
Each layer adds headers: - Encapsulation going out - De-encapsulation coming in
Internet routing is dynamic: - Multiple paths possible - Routers make decisions hop-by-hop - BGP controls large-scale routing
Security at every hop: - Local network (ARP spoofing) - Transit (packet sniffing) - Routing (BGP hijacking) - Destination (DDoS)
Performance factors: - Physical distance - Number of hops - Network congestion - CDNs and caching
Understanding this journey helps you: - Diagnose network issues - Identify attack points - Design secure systems - Optimize performance
Every cybersecurity professional needs to understand how data flowsβit's the foundation for everything else we do.