Networking & Protocols
Network security: multiple-choice review
Crux Multiple-choice synthesis across the network-security unit: attack vectors, amplification economics, rate-limiting tradeoffs, WAF tuning, mTLS identity, and RPKI/ROV.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitSix questions that cut across the whole unit. Each mirrors a call you make mid-incident — which layer is failing, which knob actually moves the attacker’s cost — not a definition to recite.
Goal
Confirm you can connect attack vector to defense layer: which tool stops which attack, why amplification and Rapid Reset bypass naive limits, and why some defenses (RPKI without ROV, HSTS without preload) are cosmetic on their own.
Quiz
Completed
An attacker rents a botnet pushing 1 Gbps directly, then pivots to memcached reflection at a 1,024x amplification factor with the same 1 Gbps of upstream. What changes, and why is it harder to stop?
Heads-up Amplification's whole point is that the third-party server's response bandwidth, not the attacker's, sets the volume. 1 Gbps of 1,024x reflection approaches 1 Tbps at the victim.
Heads-up Those are real DNS/NTP/memcached servers; blocklisting them breaks legitimate traffic. The fix is absorbing volume at an anycast edge and closing open services, not blocking reflectors.
Heads-up Amplification is an L3/L4 volumetric flood that saturates the pipe before any HTTP layer; a WAF inspects L7 content and never sees these packets in time.
Quiz
Completed
A public API uses a strict fixed-window limit of 100 req/min per IP. A scraper consistently pulls ~200 requests in a few seconds without ever being blocked. What is the mechanism, and which algorithm fixes it cheaply?
Heads-up Fixed window is O(1) — one counter per window. The defect is accuracy at the boundary, not memory.
Heads-up A sliding-window counter fixes the boundary burst at O(1) cost. Token bucket is a fine choice too, but it deliberately allows bursts up to capacity — it is not 'the only' fix.
Heads-up A sliding-window log is exact but O(n) per client — at thousands of req/sec it stores a timestamp per request and is impractical at scale. The counter gives near-exact accuracy at O(1).
Quiz
Completed
Black Friday is in three days. Your WAF at PL2 blocks ~70% of an ongoing L7 attack; raising it to PL4 reaches ~95% coverage but pushes legitimate-customer false positives to ~5%. What is the senior move?
Heads-up 5% blocked customers on Black Friday is direct revenue loss and churn. A false positive that blocks a buyer is worse here than letting bounded attack traffic through.
Heads-up Accepting the bypass means the degradation continues; you have solved nothing. You need another layer, not resignation.
Heads-up Stacking two high-false-positive WAFs compounds false positives rather than reducing them. Add a load-reactive layer, not a second content-matching layer.
Quiz
Completed
A platform team proposes locking down service-to-service traffic with network IP allowlists (only pods in subnet 10.2.0.0/16 may call payments). Why does a senior engineer push for mTLS instead?
Heads-up mTLS adds a handshake cost (tens of ms per new connection on older hardware); its value is cryptographic identity and encryption, not speed.
Heads-up NetworkPolicies express IP/label allowlists fine. The point is that network location is not identity — mTLS binds identity cryptographically.
Heads-up Encryption is not authorization; mTLS authenticates identity, and you still layer network policy as defense-in-depth. They solve different problems.
Quiz
Completed
Your prefixes all have valid RPKI ROAs published, yet a hijacked announcement from an unauthorized AS still pulls a chunk of your traffic away for an hour. How is that possible?
Heads-up Even a perfectly valid, current ROA cannot stop a hijack on networks that do not enforce ROV. ROA publication and ROV enforcement are two separate halves.
Heads-up This is a BGP/routing hijack, not DNS. DNSSEC protects DNS response integrity; it has no effect on route propagation.
Heads-up BGPsec adoption is minimal due to CPU/path-signing overhead — it is not universally deployed. The realistic defense today is ROA publication plus widespread ROV enforcement.
Quiz
Completed
You front everything with a CDN, rate limits, and a WAF. The attacker switches to GET requests with a unique ?x=random per request against your most expensive query; cache-hit rate collapses from 95% to 5% and the origin database melts. Which layer actually saves you?
Heads-up The premise is a distributed flood where no single IP exceeds the limit; tightening per-IP thresholds blocks real users before it touches the attack.
Heads-up Edge absorption stops Gbps-scale volume, but this is low-volume, cache-busting L7 traffic that looks legitimate and passes straight through to the origin.
Heads-up The cache-hit drop is the attacker appending unique query params to bypass the CDN cache, not DNS poisoning. DNSSEC is unrelated to HTTP cache behavior.
Recap
The through-line is one map: attack vector to defense layer. Amplification turns a small attacker into a volumetric flood you must absorb at an anycast edge, not blocklist. Rate-limiter choice is a tradeoff — fixed window leaks at the boundary, the sliding-window counter fixes it at O(1). WAF paranoia trades coverage for false positives, so you pair a moderate WAF with load-reactive adaptive concurrency rather than chasing perfect content matching. mTLS gives identity that IP allowlists cannot. And RPKI without ROV — like HSTS without preload — is only half a control. No single layer stops every vector; that is the entire premise of defense in depth.