Traces how the initial TTL, TCP window size, MSS, and the order of TCP options in a single SYN packet identify the sending operating system, and why that identity is set by the kernel rather than the browser.
How p0f reads a single SYN packet to name the operating system behind it, traced from Michal Zalewski's 2000 release through the v3 rewrite, the signature grammar, and why TTL, window size, and option order still leak OS identity in 2026.
Traces how the order of TCP options in a SYN packet, the window-scale shift count, the SACK-permitted flag, NOP padding, and the timestamp clock identify an operating system, and how per-connection randomization changed what the timestamp leaks.
How tunnels and VPNs shift MTU and MSS, why a non-standard MSS in a SYN packet betrays an encapsulated path, and how path-MTU discovery behavior turns a packet-size value into a signal.
Traces what a CDN really does on a request: how anycast and BGP pick a point of presence, how the edge/shield/origin cache tiers fit together, how cache keys decide what is a hit, and where TLS terminates.
Traces how the same IP prefix advertised from hundreds of locations lets BGP route every user to a nearby instance, how DNS roots and CDNs use it, how failover works, and where TCP state breaks the model.
Traces a single DNS lookup from the stub resolver in your OS through the recursive resolver, root, TLD and authoritative servers, then explains caching, TTLs, negative answers, and the record types that make it work.
Traces how DoT (RFC 7858) and DoH (RFC 8484) encrypt the stub-to-resolver hop, what privacy they actually buy, why DoH inside the browser collided with enterprise filtering and parental controls, and where the deployment debate landed by 2026.
Traces how BGP carries reachability between autonomous systems: prefixes, AS_PATH, eBGP versus iBGP, the route-selection algorithm, and why convergence after a failure can take seconds to minutes.
Traces how the internet's routing protocol came to trust whatever it is told, the incidents that exploited that trust from 1997 to today, and the RPKI, ROV, and MANRS work trying to close the gap.
Traces two targeted BGP hijacks that stole cryptocurrency: the 2018 Amazon Route 53 attack on MyEtherWallet and the 2022 KlaySwap incident, and how a short hijack plus a fraudulent certificate intercepts HTTPS traffic.
Traces what happens when a CDN or load balancer terminates TLS at the edge: which certificate the client validates, what fingerprint the origin actually sees, how traffic is re-encrypted to origin, and who you are trusting with the cleartext.
A reference on the core load-balancing algorithms: round-robin and weighted variants, least-connections, least-response-time, power-of-two-choices, and IP/consistent hashing, with the math and production tradeoffs of each.
Traces the three proxy roles defined in RFC 9110 — forward proxy, gateway (reverse proxy), and intercepting proxy — and places CDNs, API gateways, and corporate SSL-inspection boxes inside that taxonomy by the direction of trust.
A reference on application-layer DDoS: why HTTP floods are measured in requests per second, how they diverge from L3/L4 volumetric attacks, why they are cheap to mount and hard to filter, and what actually stops them.
Traces how large networks soak up terabit floods: anycast catchment that splits attack load across hundreds of sites, scrubbing-center diversion via BGP, RTBH and flowspec, and the capacity headroom that makes it pay.
Traces the SYN flood from the 1996 Panix attack and the Phrack code that armed it, through the half-open backlog mechanism it exhausts, to SYN cookies and the modern variants that still rank near the top of Layer 3/4 attack vectors.
How spoofed-source UDP queries turn open DNS resolvers into reflectors, why a 64-byte question returns a 3,000-byte answer, what happened to Spamhaus in 2013, and why BCP 38 and RRL still matter in 2026.
Traces the February 2018 memcached reflection attack that hit GitHub at 1.35 Tbps: UDP port 11211, the 51,000x amplification claim, Akamai's ten-minute mitigation, and why disabling UDP fixed it.
Traces distributed denial of service from the 1996 Panix SYN flood and the 1999 Trinoo tools through Mafiaboy, Spamhaus, Mirai, HTTP/2 Rapid Reset, and the 31.4 Tbps records of 2025.
Traces DNS from the ARPANET's single HOSTS.TXT file through Mockapetris's 1983 design (RFC 882/883, then 1034/1035), BIND, DNSSEC, the 2008 Kaminsky cache-poisoning crisis, and the move to encrypted DoT and DoH.
How BGP went from a 1989 lunch sketch to the protocol every network on Earth depends on: EGP's replacement, BGP-4 and CIDR, the routing table's relentless growth, and the security retrofits that came decades too late.
Traces the proxy from CERN httpd's 1994 caching gateway through corporate forward proxies, web anonymizers, the open-proxy spam era, Tor, and today's residential and mobile proxy economy built on consumer devices.
Tracing Tor from the 1995 Naval Research Lab onion-routing prototype through the 2002 release, the 2006 nonprofit, the v3 onion-service rewrite, and the Tor Browser's uniform-fingerprint defense against tracking.