Listen to this Post
Introduction:
Before a firewall blocks a packet or a SIEM correlates an alert, data must travel across wires, radios, and fiber. Understanding how devices discover each other, negotiate delivery, and encrypt traffic is the difference between spotting an intrusion and drowning in logs. This article transforms abstract networking concepts into actionable commands, configuration checks, and troubleshooting workflows for blue teams, pentesters, and IT engineers.
Learning Objectives:
– Map real-world attacks (ARP spoofing, DNS tunneling, port scanning) to the OSI model layers they exploit.
– Use native Linux and Windows commands to diagnose IP conflicts, TCP handshake anomalies, and DHCP misconfigurations.
– Apply firewall rules and packet captures to enforce HTTPS, filter UDP floods, and lock down open sockets.
You Should Know
1. OSI Model in Action – Walk a Packet from Browser to Server
The OSI model isn’t a certification checkbox. Each layer corresponds to a specific attack surface. Let’s trace an HTTPS request from your terminal.
Step‑by‑step guide (Linux & Windows):
1. Application Layer (Layer 7) – Your browser generates an HTTP GET. Simulate it with `curl -v https://example.com`.
2. Presentation/ Session (Layers 5‑6) – TLS handshake occurs. Capture it with `tcpdump -i eth0 -1n -S tcp port 443 and host example.com`.
3. Transport Layer (Layer 4) – TCP segments. View active connections:
– Linux: `ss -tulpn`
– Windows: `netstat -an | findstr :443`
4. Network Layer (Layer 3) – IP packets. Check your route: `ip route` (Linux) or `route print` (Windows).
5. Data Link (Layer 2) – ARP resolves MAC addresses. Inspect ARP cache: `arp -a`.
6. Physical (Layer 1) – Interface stats: `ethtool eth0` (Linux) or `Get-1etAdapterStatistics` (PowerShell).
> Attack relevance: Rogue ARP replies (Layer 2) enable MiTM; malformed IP fragments (Layer 3) evade some firewalls.
2. TCP vs UDP – Reliable vs Fast (and How to Test Both)
TCP guarantees delivery via sequence numbers and ACKs; UDP sends without tracking. Attackers love UDP for amplification (DNS, NTP) and TCP for stealthy scans.
Step‑by‑step guide – Simulate and filter:
– Check TCP retransmissions (sign of network drops or active interference):
Linux: `netstat -s | grep retrans`
Windows: `netsh interface tcp show global`
– Send a UDP probe to a DNS server:
`dig @8.8.8.8 google.com +notcp` (forces UDP)
– Detect UDP traffic with tcpdump: `tcpdump -i eth0 udp`
– Block UDP flood using iptables (Linux):
`iptables -A INPUT -p udp –dport 53 -m limit –limit 10/s -j ACCEPT`
For Windows Defender Firewall:
`New-1etFirewallRule -DisplayName “Limit UDP DNS” -Direction Inbound -Protocol UDP -LocalPort 53 -Action Block`
Key takeaway: Port 53 (DNS) is often left open for UDP – source of infamous reflection attacks.
3. DNS Deep Dive – From Name to IP and How to Abuse It
DNS turns `google.com` into `142.250.190.46`. Attackers use DNS tunneling to exfiltrate data or C2 over port 53.
Step‑by‑step guide – Query, cache, and secure:
– Manual lookup (bypass local cache):
Linux: `dig +trace example.com`
Windows: `nslookup example.com 8.8.8.8`
– Flush DNS cache (troubleshoot stale records):
Linux: `sudo systemd-resolve –flush-caches` or `sudo resolvectl flush-caches`
Windows: `ipconfig /flushdns`
– Capture DNS tunnel attempt – filter for unusually long TXT records:
`tcpdump -i eth0 -vvv -s 0 port 53 | grep -i “txt\|length[0-9]”`
– Hardening: Restrict recursive queries to internal subnets only (in `/etc/bind/named.conf.options` on BIND9).
Real‑world use: Blue teams monitor for high‑volume DNS requests to rare domains – a sign of tunneling.
4. Ports and Sockets – Identifying Services and Communication Endpoints
A port (e.g., 22, 443) identifies a service; a socket is the unique combination `{src_IP:src_port, dst_IP:dst_port}`. Pentesters scan open ports; defenders lock down unneeded ones.
Step‑by‑step guide – Enumerate and harden sockets:
– List all listening ports with associated process:
Linux: `sudo ss -tulpn` or `lsof -i -P -1`
Windows: `netstat -ano | findstr LISTEN` then `tasklist /fi “PID eq
– Check socket states – especially `TIME_WAIT` (indicates closed connections lingering) and `SYN_RECV` (possible SYN flood).
– Close an open port via firewall (example: block port 445 SMB):
Linux: `sudo iptables -A INPUT -p tcp –dport 445 -j DROP`
Windows: `New-1etFirewallRule -DisplayName “Block SMB” -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block`
– Monitor socket creation in real‑time:
Linux: `bpftrace -e ‘tracepoint:syscalls:sys_enter_connect { printf(“connect to %s\n”, args->uservaddr); }’` (requires BCC tools)
> Pro tip: Ephemeral ports (32768–60999 on Linux) are where outbound connections originate – attackers pivot using these.
5. DHCP and Router/Switch Inspection – Misconfigurations That Break Security
DHCP assigns IPs automatically; an attacker can run a rogue DHCP server to become the default gateway. Routers connect networks; switches forward inside a network. Both have security knobs.
Step‑by‑step guide – Verify and lock down:
– Release and renew DHCP lease (test for rogue responses):
Linux: `sudo dhclient -r eth0 && sudo dhclient eth0`
Windows: `ipconfig /release && ipconfig /renew`
– Check default gateway after renew: `ip route show default` (Linux) or `route print -4` (Windows).
– Prevent rogue DHCP on Linux switch: Enable DHCP snooping (Cisco/Aruba) or use `arptables` to block unauthorized DHCP offers.
– View MAC address table on a switch (simulated from host’s ARP): `arp -1` – any duplicate IP with different MAC indicates possible ARP spoofing.
Hardening action: Set static ARP entries for critical hosts (gateway, DNS) using `arp -s
6. HTTP vs HTTPS – See the Plaintext Danger
HTTP transmits in cleartext; HTTPS wraps the same HTTP inside TLS. Never assume a website is safe just because it uses HTTPS – but without it, every cookie and credential is broadcast.
Step‑by‑step guide – Capture and compare:
– Capture HTTP traffic (example to `httpbin.org` on port 80):
`tcpdump -i eth0 -A port 80 | grep -i “cookie\|password”`
– Capture HTTPS – you’ll see only TLS handshake gibberish. To decrypt (own cert): set up `SSLKEYLOGFILE` in Firefox/Chrome, then Wireshark.
– Enforce HTTPS with iptables – redirect port 80 to 443 (poor man’s HSTS):
`iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 443`
– Windows equivalent using Netsh (port proxy):
`netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=443 connectaddress=target.com`
Alert: Tools like `sslstrip` downgrade HTTPS to HTTP if the user types `http://` – enforce HSTS headers on your web servers.
What Undercode Say
Key Takeaway 1
Networking isn’t a “basic” topic to check off – it’s the operating system of security. You cannot analyze a PCAP, configure a zero‑trust gateway, or debug a lateral movement attack without internalizing how DNS, TCP, and routing actually behave on the wire.
Key Takeaway 2
Memorizing terms (OSI, UDP vs TCP) is useless without practice. The moment you run `tcpdump` and see a SYN‑ACK, or use `ss` to discover a backdoor listening on port 4444, the abstract layers become visceral.
Analysis (10 lines):
The original post by Tolga YILDIZ correctly argues that firewalls and SIEMs are meaningless if you don’t understand the traffic they inspect. Too many SOC analysts jump into Splunk queries without knowing whether a packet is being routed or switched. This gap leads to missed intrusions – e.g., ignoring ARP spoofing because they only monitor IP‑layer logs. By connecting DNS (name resolution) → IP (device addressing) → Ports (services) → TCP/UDP (transport) → Routers (network boundaries), you build a mental model that exposes exactly where an attacker can inject malicious traffic. Practical commands like `dig +trace` or `ss -tulpn` transform theory into evidence. The most dangerous skill gap today is not advanced exploit development; it’s the inability to read a packet flow from a compromised host back to a C2 server. Remediation starts with daily CLI drills on every OSI layer.
Prediction
– -1 As networks adopt IPv6 more aggressively, misconfigured DHCPv6 and neighbor discovery (NDP) will become the new ARP spoofing. Analysts who only know IPv4 subnetting will struggle, leading to a rise in router‑adjacent attacks.
– -1 AI‑driven network monitoring tools will automate 80% of alert triage, but the remaining 20% – novel tunneling protocols or zero‑day port abuse – will require deep manual packet analysis. Teams that outsourced networking fundamentals to “auto‑remediation” will get breached.
– +1 The growing adoption of eBPF (Linux) and WinDivert (Windows) gives defenders the ability to filter, modify, and inspect packets at kernel speed. Analysts who master these tools (e.g., `bpftrace` for socket tracing) will outperform legacy SOCs by orders of magnitude.
– +1 Networking basics are finally being embedded into purple team exercises – e.g., forcing junior engineers to exfiltrate a file using only DNS TXT records. This hands‑on shift will produce a generation of security pros who don’t just know the OSI model but can break and fix each layer under pressure.
▶️ Related Video (68% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Iamtolgayildiz Networking](https://www.linkedin.com/posts/iamtolgayildiz_networking-cybersecurity-infosec-ugcPost-7469704674976313344-ghd0/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
