Networking & Protocols
OSI/TCP-IP basics, common protocols, and traffic analysis mindset.
NET-01
Explain the difference between TCP and UDP.
Answer: TCP is connection-oriented and reliable (acknowledgements, retransmission, ordering). UDP is connectionless and best-effort (lower overhead, no delivery guarantee).
Tip: Know common examples: HTTP/HTTPS use TCP; DNS commonly uses UDP (and sometimes TCP).
NET-02
What is the OSI model and why does it matter in a SOC?
Answer: A 7-layer model describing how data moves across networks. It helps you isolate issues and understand where an alert/event occurs (network, transport, application).
Tip: Be able to map common protocols to layers (IP=Layer3, TCP/UDP=Layer4, HTTP=Layer7).
NET-03
What is DNS and how is it abused by attackers?
Answer: DNS resolves domain names to IPs. Attackers abuse it for phishing domains, DNS tunneling (C2/exfil), and fast-flux infrastructure.
Tip: Look for anomalies: new domains, rare TLDs, high NXDOMAIN, long/random subdomains.
NET-04
What’s the difference between HTTP and HTTPS?
Answer: HTTPS is HTTP over TLS, providing encryption and integrity for data in transit. HTTP is plaintext and easier to intercept/modify.
Tip: In SOC work, you often rely on metadata (SNI, JA3/JA4, cert info) when payload is encrypted.
NET-05
What does a firewall do? Name a few types.
Answer: A firewall enforces traffic rules (allow/deny) based on IPs, ports, protocols, and sometimes application context. Types include packet filter, stateful, proxy, and next-gen.
Tip: Be ready to explain “stateful” vs “stateless” and how to read basic allow/deny logs.
NET-06
What is NAT and why is it relevant to investigations?
Answer: NAT translates private internal IPs to public IPs. It matters because multiple hosts can share one public IP, so you need NAT logs to identify the true source.
Tip: Always ask for NAT/egress mapping when an alert only shows a public IP.
NET-07
What is ARP and what is ARP spoofing?
Answer: ARP maps IP addresses to MAC addresses on a local network. ARP spoofing forges ARP replies to redirect traffic (MITM) or disrupt communications.
Tip: Indicators: frequent ARP replies, duplicate IP-to-MAC mappings, sudden gateway MAC change.
NET-08
What is a subnet/CIDR and why do we use it?
Answer: Subnetting divides networks into smaller ranges. CIDR (e.g., /24) describes how many bits are network vs host for routing and access control.
Tip: Know quick mental math for common masks (/24, /16, /20, /27).
NET-09
Explain a SYN flood at a high level.
Answer: An attacker sends many TCP SYN packets and doesn’t complete the handshake, exhausting server resources and filling the half-open connection table.
Tip: Know mitigations: SYN cookies, rate limiting, upstream DDoS protection.
NET-10
What is a proxy and how might it appear in logs?
Answer: A proxy relays traffic on behalf of clients (forward proxy) or in front of servers (reverse proxy). Logs often show the proxy's IP as the source, so you may need X-Forwarded-For or other client-IP fields to find the real client.
Tip: Always confirm whether an IP is the true client or a proxy/load balancer.