Computer Networking

81.

What is a 'Man-in-the-Middle' (MITM) attack?

Ans:

A Man-in-the-Middle (MITM) attack is a type of cyber attack where the attacker secretly positions themselves between two parties who believe they are communicating directly with each other.

The attacker can then intercept, read, modify, and relay all communications between the two victims. The victims remain unaware that their conversation is being controlled by a third party.

A common example is an attacker setting up a malicious Wi-Fi hotspot (an 'evil twin') in a public place like a coffee shop. When users connect to it, the attacker can intercept all their unencrypted traffic. HTTPS is the primary defense against MITM attacks, as it encrypts the data and authenticates the server, making it much harder for an attacker to successfully intercept and read the information.

82.

What is link aggregation (LACP)?

Ans:

Link Aggregation is a technique used to combine multiple physical network links between two devices (such as a switch and a server, or two switches) into a single logical link. This logical link is often called a port channel, EtherChannel, or bond.

LACP (Link Aggregation Control Protocol) is the standardized protocol that automates the configuration and management of these aggregated links.

The main benefits are:

  • Increased Bandwidth: The bandwidth of the logical link is the sum of the bandwidths of the individual physical links. For example, combining four 1 Gbps links creates a single 4 Gbps logical link.
  • High Availability/Redundancy: If one of the physical links in the group fails, traffic is automatically redirected over the remaining active links without any disruption.

83.

What is a jumbo frame?

Ans:

A jumbo frame is an Ethernet frame with a payload size greater than the standard 1500-byte Maximum Transmission Unit (MTU).

By allowing for a larger payload per frame (typically up to 9000 bytes), jumbo frames can increase network throughput and reduce CPU overhead. This is because fewer frames (and thus fewer headers) need to be processed to transfer the same amount of data.

However, for jumbo frames to work, every device in the data path (switches, routers, NICs) must be configured to support them. They are most commonly used in specialized high-performance networks, such as on the backend of a storage area network (SAN) or in high-performance computing clusters.

84.

What is the purpose of the Spanning Tree Protocol (STP)?

Ans:

The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet network. Its primary purpose is to prevent broadcast storms and MAC table instability caused by Layer 2 loops.

In order to provide redundancy, network administrators often create redundant links between switches. However, this creates loops. If a broadcast frame is sent on a network with a loop, it will circulate endlessly, amplifying itself and consuming all available bandwidth, causing the network to crash (a 'broadcast storm').

STP solves this by logically blocking redundant paths. It elects a 'root bridge' and then calculates the lowest-cost path from every other switch to the root bridge. Any other paths are put into a 'blocking' state. If the primary path fails, STP automatically unblocks the backup path to restore connectivity.
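A worked illustration of the root election and path blocking described above, added here as an example and not part of the original Q&A; the four-switch topology, bridge IDs and port costs are constructed, and the last function shows the backup path being unblocked after a link failure:

```python
import heapq

# Constructed topology (not from the page). Bridge ID = (priority, MAC); lowest wins.
BRIDGES = {
    "S1": (4096, "00:00:00:00:00:01"),   # priority lowered so S1 becomes root
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
    "S4": (32768, "00:00:00:00:00:04"),
}
# (link name, end A, end B, port cost); 4 = 1 Gbps, 19 = 100 Mbps (802.1D defaults)
LINKS = [
    ("S1-S2", "S1", "S2", 4),
    ("S1-S3", "S1", "S3", 4),
    ("S2-S3", "S2", "S3", 4),    # redundant: closes the loop S1-S2-S3
    ("S2-S4", "S2", "S4", 19),
    ("S3-S4", "S3", "S4", 4),    # redundant: closes the loop S2-S3-S4
]

def elect_root(bridges):
    """Root bridge: the bridge with the lowest (priority, MAC) bridge ID."""
    return min(bridges, key=bridges.__getitem__)

def compute_tree(bridges, links):
    """Return (root, forwarding links, blocked links). Each non-root bridge keeps
    one root port: the link with the lowest root path cost, ties broken by the
    lower upstream bridge ID. Root-port links form the tree; the rest block."""
    root = elect_root(bridges)
    adj = {b: [] for b in bridges}
    for name, a, b, cost in links:
        adj[a].append((b, cost, name))
        adj[b].append((a, cost, name))
    path_cost, root_port = {root: 0}, {}
    heap = [(0, root)]
    while heap:                          # Dijkstra outward from the root bridge
        c, u = heapq.heappop(heap)
        if c > path_cost[u]:
            continue                     # stale heap entry
        for v, w, name in adj[u]:
            nc, cur = c + w, path_cost.get(v, float("inf"))
            better_tie = nc == cur and bridges[u] < bridges[root_port[v][0]]
            if nc < cur or better_tie:
                path_cost[v], root_port[v] = nc, (u, name)
                heapq.heappush(heap, (nc, v))
    forwarding = {link for _, link in root_port.values()}
    blocked = {name for name, *_ in links} - forwarding
    return root, forwarding, blocked

def fail_link(links, name):
    """Topology after a link failure; recomputing the tree unblocks a backup path."""
    return [link for link in links if link[0] != name]
```

With all links up, S2-S3 and S2-S4 are blocked; once S1-S3 fails, S2-S3 is unblocked and S3 and S4 reach the root through S2.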

85.

What is split-horizon DNS?

Ans:

Split-horizon DNS (also known as split-view DNS) is a configuration in which a DNS server provides different responses to the same query depending on the source IP address of the query.

This is commonly used to separate DNS information for an internal network from DNS information for the external, public internet. For example:

  • When an internal employee queries for mail.company.com, the DNS server returns a private IP address (e.g., 10.1.1.50), directing the employee to the mail server on the internal LAN.
  • When an external user on the internet queries for the same domain, mail.company.com, the DNS server returns the public IP address (e.g., 203.0.113.100), directing them to the same server via its public interface.

This enhances security by hiding internal network structure from the outside world and provides more efficient routing for internal users.

86.

What is the difference between a load balancer and a reverse proxy?

Ans:

The terms are often used interchangeably, and their functionalities overlap significantly, but there's a subtle difference in their primary purpose.

  • A Load Balancer is primarily designed to distribute incoming network traffic across a group of backend servers (a server farm or pool). Its main goal is to improve performance, scalability, and high availability by ensuring that no single server becomes overwhelmed.
  • A Reverse Proxy is an intermediary server that sits in front of one or more web servers. It forwards client requests to those servers. While it can be used for load balancing, its purpose is broader and can also include:
    • SSL/TLS Termination: Offloading the encryption/decryption process from the web servers.
    • Caching: Storing and serving static content to reduce load on the backend.
    • Security: Acting as a single entry point to filter malicious requests.
    • URL Rewriting: Presenting a single, unified URL structure to the outside world, even if the backend is composed of many different applications.

In essence, all load balancers are a type of reverse proxy, but not all reverse proxies are used for load balancing.

87.

Explain the QUIC protocol.

Ans:

QUIC (Quick UDP Internet Connections) is a modern transport layer network protocol originally developed by Google. It is the underlying protocol for HTTP/3.

QUIC aims to fix some of the major shortcomings of TCP, especially for modern web traffic. It is built on top of UDP, not TCP.

Key Features and Advantages over TCP:

  • Reduced Connection Latency: It combines the transport handshake and the TLS handshake into a single initial exchange, reducing round trips and speeding up connection establishment.
  • Solves Head-of-Line Blocking: In TCP, if one packet is lost, all subsequent packets in the stream must wait for it to be retransmitted, even if they have arrived successfully. In QUIC, streams are independent. If one packet is lost, it only blocks its own stream, while other streams can continue to be processed.
  • Improved Congestion Control: It has more advanced, pluggable congestion control mechanisms.
  • Connection Migration: If a user switches networks (e.g., from Wi-Fi to cellular), their TCP connection breaks. QUIC uses a connection ID to maintain the connection, allowing for a seamless transition without interruption.

88.

What is the difference between Network Attached Storage (NAS) and a Storage Area Network (SAN)?

Ans:

Both are solutions for centralized network storage, but they use different technologies and protocols.

NAS (Network Attached Storage):

  • It is a single storage device that connects to the network and provides file-level storage services to other devices on the network.
  • It uses standard network protocols like NFS (for Linux/Unix) or SMB/CIFS (for Windows).
  • To the operating system, a NAS appears as a shared folder on the network.
  • It is generally easier to set up and less expensive. Good for home use and small businesses.

SAN (Storage Area Network):

  • It is a dedicated, high-performance network of storage devices that provides block-level storage access.
  • It uses specialized protocols like Fibre Channel or iSCSI.
  • To the operating system, a SAN appears as a local hard drive. The OS can format it with its own file system.
  • It offers much higher performance and is used in enterprise environments for mission-critical applications like database servers and virtualization clusters.

89.

What is an Autonomous System (AS) number?

Ans:

An Autonomous System (AS) is a collection of connected IP routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the internet.

An Autonomous System Number (ASN) is a globally unique number that identifies each AS. These numbers are assigned by the Internet Assigned Numbers Authority (IANA) and the Regional Internet Registries (RIRs).

ASNs are used by the Border Gateway Protocol (BGP) to route traffic between different networks on the internet. When you see a BGP path, it is listed as a sequence of AS numbers that the traffic must traverse to reach its destination.

90.

What is multicast snooping?

Ans:

Multicast snooping (specifically, IGMP snooping) is a feature on a Layer 2 switch that allows it to intelligently manage multicast traffic.

By default, a Layer 2 switch treats multicast traffic like broadcast traffic and floods it to all ports within a VLAN. This is inefficient and can consume unnecessary bandwidth, slowing down the network for hosts that have no interest in that multicast traffic.

With IGMP snooping enabled, the switch 'snoops' on the IGMP (Internet Group Management Protocol) messages exchanged between hosts and multicast routers. By listening to these messages, the switch learns which hosts on which ports have joined a particular multicast group. It then forwards multicast traffic only to those specific ports that have interested receivers, rather than flooding it to all ports.
