A complete technical deep-dive into how the internet actually works, from physical signals on a wire to encrypted HTTPS packets crossing continents. Firewalls, DNS, IP addressing, network adapters, security protocols, and everything in between.
When you type https://google.com and press Enter, roughly 47 distinct technical systems fire in sequence before a single pixel renders. Most developers interact with the internet every day but have never traced that full journey. This deep-dive maps it completely.
The internet is not one thing. It is a layered stack of protocols, hardware, and agreements , an emergent global system where no single entity owns or controls the whole. Understanding its architecture means understanding each layer independently, then seeing how they compose.
The OSI model decomposes networking into 7 abstraction layers. Each layer serves the one above it and is served by the one below. Separation of concerns at planetary scale.
Data is broken into discrete packets, each routed independently. Packets from one request may travel different physical paths and arrive out of order, TCP reassembles them.
No central authority routes traffic. BGP (Border Gateway Protocol) lets thousands of autonomous networks negotiate paths cooperatively, the internet's routing brain.
Security is not a single layer, it's woven through every level. TLS encrypts transport, firewalls filter at network/application layers, DNS has DNSSEC, and more.
Every device needs an address. IPv4 offers ~4.3 billion. IPv6 offers 340 undecillion. MAC addresses identify hardware. Ports identify services within a host.
Latency has a physical floor. Light travels 200,000 km/s through fiber. New York to London is ~70ms minimum round-trip, no optimization can beat physics.
The Open Systems Interconnection (OSI) model is the conceptual framework for how network communication is structured. Published in 1984 by ISO, it partitions the communication system into seven abstraction layers. Real implementations (TCP/IP) collapse some of these, but understanding OSI is essential for diagnosing, designing, and reasoning about networks.
Remember the mnemonic: All People Seem To Need Data Processing (Application → Physical, top-down) or Please Do Not Throw Sausage Pizza Away (bottom-up).
When data travels from your app to the network, each layer encapsulates the data from the layer above, wrapping it with its own header. On arrival, each layer de-encapsulates (strips its header) before passing the payload up. This is why a network engineer can capture and analyze traffic at any layer independently.
In practice, the internet runs on the TCP/IP model, which collapses OSI's 7 layers into 4:
| TCP/IP Layer | OSI Equivalent | Protocols | Function |
|---|---|---|---|
| Application | Layers 5, 6, 7 | HTTP, DNS, SMTP, SSH, TLS | All user-facing protocols, encoding, sessions |
| Transport | Layer 4 | TCP, UDP, QUIC | Port-based delivery, reliability, flow control |
| Internet | Layer 3 | IPv4, IPv6, ICMP, BGP | Logical addressing, routing between networks |
| Network Access | Layers 1, 2 | Ethernet, WiFi, ARP | Physical transmission, local link addressing |
Every device connected to the internet needs an address. The Internet Protocol (IP) defines how addresses are structured, assigned, and routed. Understanding IP addressing means understanding the difference between public and private, static and dynamic, IPv4 and IPv6, and how subnetting carves address space into manageable chunks.
IPv4 addresses are 32-bit integers expressed as four 8-bit octets separated by dots. Each octet ranges from 0–255.
Subnet mask /24 (255.255.255.0) → Network: 192.168.1.0 | Hosts: 192.168.1.1–254 | Broadcast: 192.168.1.255
| Range | Class | Purpose | Size |
|---|---|---|---|
| 10.0.0.0/8 | Class A Private | Large private networks (AWS VPCs, enterprise) | 16.7M addresses |
| 172.16.0.0/12 | Class B Private | Medium private networks | 1.05M addresses |
| 192.168.0.0/16 | Class C Private | Home/small office networks (your router) | 65,536 addresses |
| 127.0.0.0/8 | Loopback | Localhost, traffic never leaves the machine | 16.7M (all map to self) |
| 169.254.0.0/16 | Link-Local | APIPA, assigned when DHCP fails | 65,536 addresses |
| 0.0.0.0/0 | Default Route | "All traffic" catch-all in routing tables | Full IPv4 space |
CIDR (Classless Inter-Domain Routing) notation expresses a network as address/prefix_length.
The prefix length indicates how many bits are the network portion. The remaining bits are available for hosts.
# /prefix | hosts available | typical use /32 → 1 host (single IP, firewall rule, loopback) /31 → 2 hosts (point-to-point links) /30 → 2 usable (small p2p with network + broadcast) /29 → 6 usable (tiny subnet) /28 → 14 usable (very small network) /24 → 254 hosts (typical home/small office, 192.168.1.0/24) /16 → 65,534 hosts (large enterprise or VPC) /8 → 16.7M hosts (massive networks, entire Class A) # Formula: usable hosts = 2^(32-prefix) minus 2 # Subtract 2: network address + broadcast address
IPv4's ~4.3 billion addresses ran out (IANA exhausted its pool in 2011). IPv6 uses 128-bit addresses, expressed as 8 groups of 4 hex digits. The address space: 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses , enough to assign trillions to every atom on Earth.
# Full IPv6 2001:0db8:85a3:0000:0000:8a2e:0370:7334 # Leading zeros suppressed 2001:db8:85a3:0:0:8a2e:370:7334 # Consecutive zero groups compressed with :: 2001:db8:85a3::8a2e:370:7334 # Special addresses ::1 → Loopback (equivalent to 127.0.0.1) fe80::/10 → Link-local (auto-configured, not routable) fc00::/7 → Unique local (private, like 192.168.x.x) 2000::/3 → Global unicast (public internet)
Network Address Translation (NAT) is how billions of devices share a handful of public IPs. Your router has one public IP. Every device behind it gets a private IP. When you make a request, the router rewrites the source IP/port and maintains a translation table to route responses back. It's an elegant hack that extended IPv4's life by decades, at the cost of breaking true end-to-end connectivity.
The Domain Name System (DNS) translates human-readable names (google.com) into IP addresses (142.250.185.46). Without DNS, you'd memorize IPs. DNS is a globally distributed, hierarchically organized database, one of the internet's most critical and most attacked systems.
DNS handles over 1 trillion queries per day globally. The root servers alone (13 logical servers, actually hundreds of physical machines via anycast) answer billions of queries without a single central database.
When you type api.github.com, here's the exact resolution path, assuming nothing is cached:
| Record | Full Name | Purpose | Example |
|---|---|---|---|
| A | Address | Domain → IPv4 | github.com → 140.82.113.4 |
| AAAA | IPv6 Address | Domain → IPv6 | github.com → 2606:50c0::6814:71 |
| CNAME | Canonical Name | Alias for another domain | www.github.com → github.com |
| MX | Mail Exchange | Email routing | github.com → aspmx.l.google.com |
| TXT | Text | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:github.com |
| NS | Nameserver | Authoritative servers for zone | github.com → ns1.p16.dynect.net |
| PTR | Pointer | Reverse DNS: IP → domain | 140.82.113.4 → github.com |
| SOA | Start of Authority | Zone metadata, primary NS, serial | Primary NS, refresh intervals |
| SRV | Service | Locate specific services | _https._tcp.example.com |
| CAA | CA Authorization | Which CAs can issue certs for domain | 0 issue "letsencrypt.org" |
Standard DNS is completely unencrypted and unauthenticated. Anyone between you and your resolver can see (and forge) DNS queries. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS traffic. DNSSEC adds cryptographic signatures to DNS records, preventing spoofing, but not encrypting content.
HTTPS is HTTP running over TLS (Transport Layer Security). TLS provides three guarantees: confidentiality (nobody can read your data), integrity (nobody can tamper with it), and authentication (you're talking to who you think you are). Every HTTPS connection begins with a TLS handshake.
TLS 1.3 (2018) reduced the handshake from 2 round-trips to 1, cutting latency significantly. Here's the choreography:
Elliptic Curve Diffie-Hellman Ephemeral, both parties generate key pairs, exchange public keys, compute a shared secret without ever transmitting it. Forward secrecy: each session has unique keys. Past sessions can't be decrypted even if server's private key is later compromised.
X.509 certificates bind a public key to a domain name, signed by a trusted Certificate Authority (CA). Your browser trusts ~150 root CAs. The CA hierarchy: Root CA → Intermediate CA → End-Entity cert. Let's Encrypt issues free DV certs automatically via ACME protocol.
Once keys are exchanged, data is encrypted with AES-GCM or ChaCha20-Poly1305 (symmetric). Asymmetric crypto only for key exchange, it's too slow for bulk data. AES-256-GCM is authenticated encryption: confidentiality + integrity in one pass.
HMAC (Hash-based MAC) appended to every record. If a single bit changes in transit, MAC verification fails, connection drops. AES-GCM integrates authentication, making tampering cryptographically impossible without the session key.
A Network Interface Card (NIC) is the hardware that physically connects a device to a network. Every NIC has a MAC address, a 48-bit hardware identifier burned into the card at manufacture. Modern systems often have multiple NICs: ethernet, WiFi, virtual adapters for VMs/containers, loopback.
A MAC address is a 48-bit (6-byte) identifier, expressed as 6 hex pairs. The first 3 bytes are the OUI (Organizationally Unique Identifier), assigned to manufacturers. The last 3 bytes are device-specific.
# Example: AC:DE:48:00:11:22 AC:DE:48 → OUI, Apple Inc. (registered with IEEE) 00:11:22 → Device-specific serial number # Special bit flags in first octet: Bit 0 = 0 → Unicast (specific device) Bit 0 = 1 → Multicast (group of devices) Bit 1 = 0 → Globally Unique (burned-in address) Bit 1 = 1 → Locally Administered (random/virtual) # MAC randomization (modern WiFi): # iOS, Android, Linux now randomize MAC per-network # to prevent location tracking across APs
IP addresses (Layer 3) must be resolved to MAC addresses (Layer 2) for local delivery. ARP (Address Resolution Protocol) does this resolution on local networks.
ARP has no authentication. An attacker can broadcast fake ARP replies, poisoning the ARP cache of victims, redirecting their traffic through the attacker's machine (Man-in-the-Middle). Dynamic ARP Inspection (DAI) on managed switches mitigates this on enterprise networks.
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls operate at different OSI layers, with higher-layer firewalls offering more context, and more processing overhead.
| Generation | OSI Layer | Inspects | Strengths | Weaknesses |
|---|---|---|---|---|
| Packet Filter | Layer 3–4 | IP, port, protocol | Fast, simple, stateless | No connection context, spoofable |
| Stateful Inspection | Layer 3–4 | Connection state table | Tracks sessions, blocks spoofed responses | No application-layer visibility |
| Application Layer (L7) | Layer 7 | Payload, HTTP headers, DNS queries | Deep inspection, block specific apps | Slower, SSL inspection complexity |
| Next-Gen (NGFW) | All layers | Identity, threats, IPS, App-ID | Full visibility, threat prevention | Expensive, complex, latency |
| WAF (Web App) | Layer 7 (HTTP) | SQL injection, XSS, OWASP Top 10 | App-specific protection | HTTP/HTTPS only, bypass possible |
# View all rules iptables -L -n -v --line-numbers # Allow established/related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow SSH from specific IP only iptables -A INPUT -p tcp --dport 22 -s 10.0.0.5 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP # Allow HTTPS in iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Rate limit: prevent brute force iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT # Log and drop everything else iptables -A INPUT -j LOG --log-prefix "DROPPED: " iptables -A INPUT -j DROP # Modern systems: nftables replaces iptables
Modern firewalls maintain a connection state table. When a TCP connection is established (SYN → SYN-ACK → ACK), the firewall records it. Subsequent packets matching an established connection bypass rule evaluation, only new connections get full inspection. This enables "allow out, allow related back in" policies without explicitly permitting inbound on every ephemeral port.
The internet is a network of networks, tens of thousands of Autonomous Systems (ASes), each operated by ISPs, cloud providers, universities, and enterprises. BGP (Border Gateway Protocol) is the protocol that ties them together, the "routing protocol of the internet."
OSPF and IS-IS route traffic within an AS. They build a complete topology map and compute shortest paths. OSPF uses Dijkstra's algorithm. Scale: hundreds to thousands of routers.
BGP routes between ASes. It's a path-vector protocol, routers advertise which AS paths they can reach. Routing decisions consider AS path length, local preference, MED, community attributes, not just shortest path.
IXPs are physical locations where networks interconnect and exchange traffic directly (peering) instead of through transit providers. DE-CIX Frankfurt exchanges 12+ Tbps. Massive latency and cost savings.
The same IP address announced from multiple locations. BGP routes you to the nearest instance. Used by DNS root servers, CDNs (Cloudflare announces 1.1.1.1 from 285+ cities). Automatic failover and geographic load balancing.
# Destination Gateway Interface Metric default via 10.0.0.1 eth0 100 # 0.0.0.0/0, send unknown traffic to gateway 10.0.0.0/24 directly eth0 0 # local subnet, deliver directly 172.16.0.0/12 via 10.0.0.254 eth0 10 # route to another network via router 192.168.100.0/24 via 10.0.0.10 eth1 5 # specific /24 wins over broader routes # Longest prefix match wins: # Packet to 192.168.100.55 matches /24 (more specific) over default /0 # This is the fundamental routing rule.
BGP has no built-in authentication. Any AS can announce any prefix, intentionally or accidentally. BGP hijacks have redirected internet traffic through hostile nations. RPKI (Resource Public Key Infrastructure) adds cryptographic validation to route origins, gradually hardening BGP against prefix hijacking.
Every layer of the network stack is a potential attack surface. Understanding network security means knowing the attack patterns at each layer and the defenses that counter them.
Malicious AS announces legitimate IP prefixes, redirecting global traffic. 2008: Pakistan Telecom took YouTube offline for 2 hours by accident.
Injecting forged DNS responses into resolver caches. Redirects users to attacker-controlled IPs. Mitigated by DNSSEC, randomized ports (Kaminsky fix).
Abusing DNS/NTP/memcached to amplify bandwidth. Spoofed source IP targets victim. DNS amplification achieves 50x traffic multiplication. Mitigate with BCP38 (ingress filtering).
MITM forces negotiation to weak cipher suites or older TLS versions. Mitigated by HSTS (HTTP Strict Transport Security) and disabling TLS 1.0/1.1.
Poison ARP tables on local network to intercept traffic. Classic LAN attack. Mitigated by Dynamic ARP Inspection, 802.1X port auth, VPNs.
Attacker sends SYN packets with spoofed source IPs, exhausting server's half-open connection table. Mitigated by SYN cookies, rate limiting, DDoS scrubbing.
Attacker's DHCP server hands out malicious gateway/DNS configs to network clients. Mitigated by DHCP snooping on managed switches.
Discovery phase attack (nmap). Reveals open services for further exploitation. Mitigated by firewalls, IDS/IPS, minimal exposed surface area.
| Protocol | Layer | Purpose | Replaces |
|---|---|---|---|
| TLS 1.3 | L5-6 | Transport encryption, auth, integrity | SSL, TLS 1.0/1.1/1.2 |
| IPSec | L3 | IP-layer encryption tunnel (VPN) | Cleartext IP |
| WireGuard | L3 | Modern VPN, minimal codebase (~4000 lines) | OpenVPN, IPSec |
| DNSSEC | L7 | Cryptographic signatures on DNS records | Unsigned DNS |
| DoH/DoT | L7 | Encrypted DNS queries | Plaintext DNS (port 53) |
| 802.1X | L2 | Port-based network access control | Open switch ports |
| RPKI | Routing | Cryptographic BGP route origin validation | Unsigned BGP announcements |
| HSTS | L7 | Force HTTPS, prevent downgrade | Optional HTTPS redirect |
Let's trace a single HTTP request from start to finish, your browser requesting https://api.example.com/data. This is everything that happens, in order, from keystroke to response.
Each layer wraps the payload from above with its own header, this is encapsulation. Here's what a single HTTPS packet looks like at every layer:
| Port | Protocol | Service | Notes |
|---|---|---|---|
| 20/21 | TCP | FTP | File transfer (unencrypted, use SFTP instead) |
| 22 | TCP | SSH / SFTP / SCP | Encrypted shell access and file transfer |
| 25 | TCP | SMTP | Email submission (often blocked by ISPs) |
| 53 | TCP/UDP | DNS | UDP for queries, TCP for zone transfers |
| 80 | TCP | HTTP | Unencrypted web, should redirect to 443 |
| 123 | UDP | NTP | Network time sync (used in amplification attacks) |
| 143 / 993 | TCP | IMAP / IMAPS | Email retrieval (plain / SSL) |
| 443 | TCP | HTTPS | Encrypted web, TLS 1.3 |
| 465 / 587 | TCP | SMTPS / Submission | Encrypted email sending |
| 853 | TCP | DNS over TLS | Encrypted DNS queries |
| 3306 | TCP | MySQL | Should NEVER be publicly exposed |
| 5432 | TCP | PostgreSQL | Same, internal use only |
| 6443 | TCP | Kubernetes API | K8s control plane |
| 51820 | UDP | WireGuard VPN | Modern VPN protocol |
The internet's resilience comes from its design philosophy: no single point of control, no single point of failure. Packets route around damage. DNS distributes across thousands of servers. BGP self-heals. But this same decentralization makes security hard, there's no central authority to enforce rules. Every layer's security must be independently justified, layered, and maintained. Defense in depth is not a strategy; it's a necessity.