How the Internet Actually Works (And Where It's Vulnerable)

Every time you load a webpage, send a message, or stream a video, your data travels through an intricate system of cables, routers, and protocols that spans the entire globe. Understanding how this system works is the first step toward understanding where it can fail -- and where attackers can exploit it.

The Internet's Layered Architecture

The internet is built in layers, each one handling a different part of the communication process. Think of it like sending a letter: you write the message (application layer), put it in an envelope with an address (transport layer), the postal system routes it through sorting centers (network layer), and physical trucks carry it along roads (physical layer).

Here is a simplified breakdown of the key layers:

  • Physical Layer -- The actual hardware: fiber optic cables, copper wires, Wi-Fi radio signals, and satellite links that carry raw data as electrical or light signals.
  • Data Link Layer -- Manages communication between devices on the same local network using MAC addresses. Protocols like Ethernet and Wi-Fi operate here.
  • Network Layer -- Handles routing data across different networks using IP addresses. This is where the Internet Protocol (IP) lives.
  • Transport Layer -- Ensures data arrives reliably and in order. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) work at this level.
  • Application Layer -- The protocols you interact with directly: HTTP for web pages, SMTP for email, DNS for domain name lookups, and many more.

How Data Actually Travels

When you visit a website, your browser does not send one continuous stream of data. Instead, your request gets broken into small packets -- typically around 1,500 bytes each. Each packet is stamped with a source IP address, a destination IP address, and a sequence number so they can be reassembled at the other end.
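The fields described above can be read straight off the wire. The following is an added example, not part of the original article: it decodes a constructed IPv4 + TCP header (the addresses live in the IP header, the sequence number in the TCP header) and checks the IP header checksum, which is keyless and therefore detects corruption but says nothing about who sent the packet. The sample packet and its addresses are constructed for illustration.

```python
import socket
import struct

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Keyless: it catches corruption, not forgery."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and, when the payload is TCP, the TCP header."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "total_len": total_len, "proto": proto,
        # A valid header sums to zero when its own checksum field is included.
        "header_checksum_ok": checksum16(raw[:ihl]) == 0,
    }
    if proto == 6 and len(raw) >= ihl + 14:  # protocol 6 = TCP
        sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, syn=bool(flags & 0x02))
    return info

def sample_packet() -> bytes:
    """Constructed sample using RFC 5737 documentation addresses; never sent."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    tcp = struct.pack("!HHIIBBHHH", 51514, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr + tcp

if __name__ == "__main__":
    for field, value in parse_packet(sample_packet()).items():
        print(f"{field:>20}: {value}")
```
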

These packets do not all take the same route. Routers along the way make independent decisions about the best path for each packet based on current network conditions. Your packets might travel through a dozen or more routers, crossing undersea cables and multiple countries, before reaching their destination. This decentralized routing is what makes the internet resilient -- but it also means your data passes through infrastructure you do not control.

Your ISP (Internet Service Provider) is the first hop in this journey. It can see which IP addresses you connect to, when you connect, and how much data you transfer. Without encryption, it can see the content of your communications as well.

Key Protocols and Their Security Implications

The protocols that power the internet were designed decades ago, when the network was a small, trusted academic community. Security was not the primary concern. Here is where that matters:

  • IP (Internet Protocol) -- Has no built-in authentication. Anyone can forge (spoof) the source IP address on a packet, making it look like it came from somewhere else. This enables DDoS reflection attacks and makes tracing attackers difficult.
  • TCP (Transmission Control Protocol) -- Uses sequence numbers to track packets, but these numbers can sometimes be predicted. Sequence prediction attacks allow an attacker to inject data into an existing connection.
  • HTTP (Hypertext Transfer Protocol) -- Transmits everything in plaintext. Anyone on the network path can read your data, modify it, or inject content. This is why HTTPS (HTTP with TLS encryption) is essential.
  • DNS (Domain Name System) -- Translates domain names like example.com into IP addresses. Traditional DNS queries are unencrypted, meaning your ISP and anyone on the network can see every website you look up.
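To make the DNS point concrete, here is an added example (not from the original article) that decodes a traditional DNS query exactly as it appears on the wire. The query bytes are constructed for illustration; the name being looked up sits in the message as plain length-prefixed labels, which is what any device on the path can read.

```python
import struct

def parse_dns_query(msg: bytes) -> dict:
    """Decode the header and first question of a classic unencrypted DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:          # zero-length label ends the name
            break
        if length > 63:          # questions carry plain labels, not pointers
            raise ValueError("invalid label length in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

def sample_query() -> bytes:
    """Constructed sample: a recursive A-record (type 1) query for example.com."""
    header = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in (b"example", b"com")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    print(parse_dns_query(sample_query()))
```

Encrypted transports such as DNS over TLS or DNS over HTTPS wrap this same message so that on-path devices no longer see the name.
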

Where Attacks Happen at Each Layer

Each layer of the internet stack presents different opportunities for attackers:

Physical Layer Attacks

At the physical level, attackers can tap into cables or intercept wireless signals. Undersea cable tapping has been documented in nation-state surveillance programs. On a smaller scale, anyone within range of your Wi-Fi signal can attempt to capture your wireless traffic.

Network Layer Attacks

IP spoofing allows attackers to forge the source address of packets, enabling reflection and amplification DDoS attacks. BGP hijacking manipulates internet routing tables to redirect traffic through attacker-controlled networks -- this has been used to intercept cryptocurrency transactions and surveil communications.

Transport Layer Attacks

SYN flood attacks exploit the TCP handshake process by sending thousands of connection requests without completing them, overwhelming a server's resources. TCP reset attacks can forcibly terminate connections between two parties.
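From the defender's side, a SYN flood shows up as a pile of handshakes that were started but never completed. The following added example (not from the original article) counts stale half-open connections per target in a connection log; the log format, addresses, timeout and threshold are all assumptions chosen for illustration. It counts per destination rather than per source, because the source addresses in a flood are often forged.

```python
from collections import Counter

def half_open_by_target(lines, timeout=3.0):
    """Count SYNs per destination that were never followed by an ACK or RST."""
    pending, now = {}, 0.0
    for line in lines:
        if not line.strip():
            continue
        # Hypothetical log format: "<seconds> <src:port> > <dst:port> <flags>"
        ts, src, _arrow, dst, flags = line.split()
        now = float(ts)
        if flags == "S":
            pending.setdefault((src, dst), now)   # handshake started
        elif flags in ("A", "R"):
            pending.pop((src, dst), None)         # completed or torn down
    # Only handshakes older than the timeout count as stale half-open.
    return Counter(dst for (_src, dst), t0 in pending.items() if now - t0 >= timeout)

def flood_suspects(lines, threshold=100, timeout=3.0):
    """Destinations whose stale half-open count reaches the threshold."""
    counts = half_open_by_target(lines, timeout)
    return sorted(dst for dst, n in counts.items() if n >= threshold)

def sample_log():
    """Constructed log: client-to-server packets as seen inbound at the servers."""
    lines = []
    for i in range(150):      # many SYNs from distinct sources, none completed
        lines.append(f"{i * 0.01:.2f} 203.0.113.{i % 250 + 1}:{40000 + i} "
                     f"> 198.51.100.7:443 S")
    for i in range(5):        # ordinary clients finish the handshake
        client = f"192.0.2.{i + 1}:{50000 + i}"
        lines.append(f"{2.0 + i:.2f} {client} > 198.51.100.8:443 S")
        lines.append(f"{2.05 + i:.2f} {client} > 198.51.100.8:443 A")
    lines.append("10.00 192.0.2.9:50009 > 198.51.100.8:443 S")  # still in flight
    return lines

if __name__ == "__main__":
    print(half_open_by_target(sample_log()))
    print(flood_suspects(sample_log()))
```

On Linux servers, SYN cookies (the `net.ipv4.tcp_syncookies` setting) are the usual mitigation, since they let the server avoid holding state for each unanswered SYN.
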

Application Layer Attacks

This is where most attacks that affect everyday users occur. Cross-site scripting (XSS) injects malicious scripts into web pages. SQL injection manipulates database queries through web forms. Phishing exploits the gap between what a URL looks like and where it actually leads.

Why Understanding the Stack Matters

Security is not a single product or setting -- it is a practice that spans every layer. A VPN protects your data at the network layer but does nothing against a phishing email at the application layer. HTTPS encrypts your web traffic but cannot prevent DNS leaks that reveal which sites you visit. A firewall filters network connections but cannot stop malware you voluntarily download and run.

Effective security means understanding which layer each threat targets and applying the right defense at the right level. As you read through the rest of this series, you will see how specific attacks exploit specific layers -- and what you can do about each one.
