Skip to content
Breachfolio
Hero illustration for: How networks actually work (without the OSI poster).
LEVEL 1 CYBERSECURITY

How networks actually work (without the OSI poster).

IP, TCP, DNS, TLS — traced through a single curl request. What each layer adds, and which ones an attacker can lie at.

11 min read Breachfolio Research

The standard introduction to networking is a layered cake — seven of them, in the OSI model — followed by a poster on the wall and a quiz. We will skip the poster. The most useful way to learn what is going on is to trace a single curl request and stop to explain everything that happens to it.

The request

This is what you type:

$ curl -v https://example.com/

From the moment you press Enter to the moment you see HTML, the bytes pass through five conversations. Each one adds something, and at each one an attacker can do something hostile.

1. DNS — turning a name into an address

Your computer does not know what example.com is. It asks a resolver (often your router; the router often asks your ISP). The resolver, in turn, asks one of the root servers, then the .com server, then example.com's own server. The answer is an IP address, typically 4 bytes for IPv4 or 16 bytes for IPv6.

$ dig +short example.com
93.184.216.34

What an attacker can do here: if they sit between you and the resolver, they can lie and send you to their server instead. This is "DNS spoofing". DNS-over-HTTPS (DoH) and DNSSEC exist to make this harder.

2. TCP — opening a reliable pipe

Now your computer has an IP. It opens a TCP connection to port 443 on that IP. TCP is the layer that turns the lossy, out-of-order chaos of the internet into something that feels like a phone line: bytes arrive, in order, exactly once.

The handshake is three packets, often visualised as SYN, SYN-ACK, ACK.

  you → them  SYN     seq=x
them → you   SYN-ACK seq=y ack=x+1
  you → them  ACK     ack=y+1

Once that is done, both sides have a session and can stream bytes.

What an attacker can do here: the classic SYN flood is to send millions of SYNs and never reply, exhausting the server's connection table. On a LAN, ARP spoofing redirects the IP layer below so the TCP connection terminates on the wrong machine — a real "machine in the middle" attack.

3. TLS — making the pipe confidential

You used https://, so TCP alone is not enough. TLS now layers on top, doing three things in roughly one round-trip:

  1. Authentication: the server proves it is example.com by presenting a certificate signed by a CA your computer already trusts.
  2. Key exchange: the two sides agree on a shared symmetric key, using a public-key handshake (ECDHE). Your computer never sends the key directly — it derives it from a public exchange that an eavesdropper cannot reverse.
  3. Cipher selection: they pick a symmetric cipher (AES-GCM or ChaCha20-Poly1305) and start encrypting and authenticating each record.
Pin the cert chain

If you want to see this happen, run openssl s_client -connect example.com:443 -showcerts. The chain you see is the trust path your browser is validating before it sends a single byte of HTTP.

What an attacker can do here: mostly nothing — that is the point. But if they have tricked you at the DNS layer into resolving to their server, and they have somehow gotten a valid certificate for example.com (rare), they can read everything. This is why certificate transparency logs exist.

4. HTTP — the application speaks

Inside the encrypted pipe, your computer now sends an HTTP request. The whole thing is text:

GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.0
Accept: */*

The server replies with a status line, headers, a blank line, and the body. HTTP/2 and HTTP/3 frame this differently for performance but the semantics are the same.

What an attacker can do here: almost everything interesting in web security is at this layer. Header injection, smuggling, session fixation, CSRF, the entire OWASP Top 10 — they all live in the request and the response, not in TCP or TLS.

5. The reply, all the way back

The response goes back through TLS (encrypted and authenticated), through TCP (split into segments, acknowledged, reassembled), through IP (routed hop by hop), and is finally handed to curl, which prints it.

The mental model

If you keep one diagram in your head, make it this one:

LayerIdentifies whoWhat an attacker can lie at
HTTPBy URL / cookie / headerForge requests, steal tokens
TLSBy certificateAlmost nothing if certs are honest
TCPBy portExhaust state, hijack sessions
IPBy addressSpoof source, ARP-poison neighbours
DNSBy nameSend you to the wrong IP

Every attack you will ever read about lives in one of these rows. Once you can place a new attack on the table, you already know half of how to defend against it.