How networks actually work (without the OSI poster).
IP, TCP, DNS, TLS — traced through a single curl request. What each layer adds, and which ones an attacker can lie at.
The standard introduction to networking is a layered cake — seven of them, in the OSI model — followed by a poster on the wall and a quiz. We will skip the poster. The most useful way to learn what is going on is to trace a single curl request and stop to explain everything that happens to it.
The request
This is what you type:
$ curl -v https://example.com/
From the moment you press Enter to the moment you see HTML, the bytes pass through five conversations. Each one adds something, and at each one an attacker can do something hostile.
1. DNS — turning a name into an address
Your computer does not know what example.com is. It asks a resolver (often your router; the router often asks your ISP). The resolver, in turn, asks one of the root servers, then the .com server, then example.com's own server. The answer is an IP address, typically 4 bytes for IPv4 or 16 bytes for IPv6.
$ dig +short example.com
93.184.216.34
What an attacker can do here: if they sit between you and the resolver, they can lie and send you to their server instead. This is "DNS spoofing". DNS-over-HTTPS (DoH) and DNSSEC exist to make this harder.
2. TCP — opening a reliable pipe
Now your computer has an IP. It opens a TCP connection to port 443 on that IP. TCP is the layer that turns the lossy, out-of-order chaos of the internet into something that feels like a phone line: bytes arrive, in order, exactly once.
The handshake is three packets, often visualised as SYN, SYN-ACK, ACK.
you → them SYN seq=x
them → you SYN-ACK seq=y ack=x+1
you → them ACK ack=y+1
Once that is done, both sides have a session and can stream bytes.
What an attacker can do here: the classic SYN flood is to send millions of SYNs and never reply, exhausting the server's connection table. On a LAN, ARP spoofing redirects the IP layer below so the TCP connection terminates on the wrong machine — a real "machine in the middle" attack.
3. TLS — making the pipe confidential
You used https://, so TCP alone is not enough. TLS now layers on top, doing three things in roughly one round-trip:
- Authentication: the server proves it is example.com by presenting a certificate signed by a CA your computer already trusts.
- Key exchange: the two sides agree on a shared symmetric key, using a public-key handshake (ECDHE). Your computer never sends the key directly — it derives it from a public exchange that an eavesdropper cannot reverse.
- Cipher selection: they pick a symmetric cipher (AES-GCM or ChaCha20-Poly1305) and start encrypting and authenticating each record.
If you want to see this happen, run openssl s_client -connect example.com:443 -showcerts. The chain you see is the trust path your browser is validating before it sends a single byte of HTTP.
What an attacker can do here: mostly nothing — that is the point. But if they have tricked you at the DNS layer into resolving to their server, and they have somehow gotten a valid certificate for example.com (rare), they can read everything. This is why certificate transparency logs exist.
4. HTTP — the application speaks
Inside the encrypted pipe, your computer now sends an HTTP request. The whole thing is text:
GET / HTTP/1.1
Host: example.com
User-Agent: curl/8.0
Accept: */*
The server replies with a status line, headers, a blank line, and the body. HTTP/2 and HTTP/3 frame this differently for performance but the semantics are the same.
What an attacker can do here: almost everything interesting in web security is at this layer. Header injection, smuggling, session fixation, CSRF, the entire OWASP Top 10 — they all live in the request and the response, not in TCP or TLS.
5. The reply, all the way back
The response goes back through TLS (encrypted and authenticated), through TCP (split into segments, acknowledged, reassembled), through IP (routed hop by hop), and is finally handed to curl, which prints it.
The mental model
If you keep one diagram in your head, make it this one:
| Layer | Identifies who | What an attacker can lie at |
|---|---|---|
| HTTP | By URL / cookie / header | Forge requests, steal tokens |
| TLS | By certificate | Almost nothing if certs are honest |
| TCP | By port | Exhaust state, hijack sessions |
| IP | By address | Spoof source, ARP-poison neighbours |
| DNS | By name | Send you to the wrong IP |
Every attack you will ever read about lives in one of these rows. Once you can place a new attack on the table, you already know half of how to defend against it.