10 classic interview questions that 99% of network engineers will encounter. Do you dare to challenge them?

1. Introduce the three-way handshake of TCP connection? Follow-up question: Why does TCP need to handshake three times?

Three-way handshake:

  • Step 1: A sends a SYN message to B to indicate that it wants to establish a connection.
  • Step 2: After B receives the data packet sent by A, it knows through SYN that this is a request to establish a connection, so it sends ACK confirmation. Due to TCP's full-duplex mode, B should also send a SYN message to A to indicate that it hopes to establish a connection with A.
  • Step 3: After A receives the SYN message sent by B, A sends an ACK to B to indicate that A has received B's SYN.

Follow-up question:

  • Ensure that both parties have the ability to receive and send messages
  • Prevent request timeouts from causing dirty connections

A message's lifetime in the network may exceed the TCP request timeout. If a connection could be established with only two handshakes, a connection request from A that was stranded in the network could reach B after A had already timed out and released the connection. B would think it is a new request from A to create a connection and would confirm it. A, however, knows that this request has timed out, so it discards B's confirmation, and only B unilaterally establishes the connection. B then keeps waiting for A to send data, so B's resources are wasted.

2. Introduce the four waves of TCP disconnection? Question: Why does TCP need to wave four times?

Four waves:

  • Step 1: A sends FIN and ACK messages to B to indicate that it wants to disconnect.
  • Step 2: After receiving the request sent by A, B will send ACK to confirm the disconnection.
  • Step 3: At this time, B is in a semi-connected state. B will send FIN and ACK requests to disconnect from A.
  • Step 4: A receives the disconnect request sent by B and sends ACK to confirm the disconnection.

Follow-up question:

  • Ensure that all data can be transferred
  • Four times to ensure that all connections are disconnected

3. Why is it three times when connecting and four times when waving?

Question 1:

(1) Suppose the connection were established with two handshakes: a message left in the network by A is delivered to B after a period of time, and B confirms the connection. B unilaterally establishes the connection, and A discards B's confirmation message. B keeps waiting for A to send data, which wastes B's resources.

Official explanation:

Twice: No, to prevent the invalid

(2) We know that after three attempts, the two parties have established a connection, and a fourth attempt is completely unnecessary

Question 2:

Ensure that all data can be transferred

After A sends FIN, B may be transmitting data to A, so it will not be closed immediately. When all data is transmitted, it will send ACK to confirm the disconnection.

4. What is the process of a TCP SYN attack? Follow-up question: How to defend against it?

Attack principle:

After B receives the SYN message, it adds a half-connection record to a queue and waits for the final handshake packet. If the handshake succeeds, the record is deleted from the queue. If B does not receive A's confirmation packet, it resends its SYN-ACK until the timeout expires, and then the record is deleted from the half-connection queue.

The number of half-connection records that the server's TCP protocol stack can store is limited, so under a SYN-type DoS attack the queue fills up quickly. The client forges a large number of non-existent source IP addresses in a short period of time and continuously sends SYN packets to the server. The server replies with confirmation packets and waits for the client's confirmation. Because the source addresses do not exist, the server keeps resending until it times out. These forged SYN packets occupy the half-connection queue for a long time, and normal SYN requests are discarded. The target system runs slowly, with severe network congestion or even system paralysis, and the server no longer accepts new network connections, so normal clients cannot access it.

Defense:

  • Increase the maximum number of half-connections in the SYN queue. The maximum number of connections in Linux is 256.
  • Reduce the timeout period for half-connections
  • Filter suspicious addresses
  • Use SYN cookies to defend against DoS attacks

A SYN cookie lets the server respond to a TCP SYN request with a cookie instead of stored state. In a normal TCP connection, when the server receives a SYN packet it returns a SYN-ACK packet and keeps a half-open connection entry while it waits for the final ACK packet. The server uses a data area to describe all pending connections, but the size of this area is limited, so an attacker can fill it up. With SYN cookies, when the server receives a SYN packet it still returns a SYN-ACK packet, but the sequence number of that packet is the cookie: it is calculated by hashing the source address and port number, the destination address and port number of the TCP connection, and a secret seed. The server then releases all state. If an ACK packet comes back from the client, the server recalculates the cookie to determine whether the ACK answers a SYN-ACK it sent earlier. If so, the server can enter the connected state directly and open the connection. In this way the server avoids holding half-open connections while it waits.
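The stateless check described above, as an added example that is not code from the original article or from any real TCP stack. The seed value, the 64-second time window mixed into the hash (so that old cookies expire) and the function names are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import hashlib
import hmac
import socket
import struct

SEED = b"constructed-demo-seed"  # constructed value; a real stack uses a random secret
WINDOW = 64                      # assumed cookie lifetime granularity, in seconds

def make_cookie(src, sport, dst, dport, now, seed=SEED):
    """Sequence number for the server's SYN-ACK; no per-connection state is stored."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHQ", sport, dport, int(now) // WINDOW))
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[:4], "big")

def ack_is_valid(src, sport, dst, dport, ack_no, now, seed=SEED):
    """Recompute the cookie from the final ACK alone; accept current or previous window."""
    cookie = (ack_no - 1) % 2**32            # the client acknowledges cookie + 1
    for t in (now, now - WINDOW):
        expected = make_cookie(src, sport, dst, dport, t, seed)
        if hmac.compare_digest(struct.pack("!I", cookie), struct.pack("!I", expected)):
            return True
    return False

def demo():
    client = ("192.0.2.10", 40000)           # constructed sample endpoints
    server = ("198.51.100.5", 443)
    t0 = 1_000_000
    cookie = make_cookie(*client, *server, t0)
    ack = (cookie + 1) % 2**32               # what a genuine client sends back
    return {
        "genuine": ack_is_valid(*client, *server, ack, t0 + 5),
        "guessed": ack_is_valid(*client, *server, (ack + 1) % 2**32, t0 + 5),
        "other_source": ack_is_valid("192.0.2.99", 40000, *server, ack, t0 + 5),
        "expired": ack_is_valid(*client, *server, ack, t0 + 10 * WINDOW),
    }

if __name__ == "__main__":
    print(demo())
```

A spoofed source never sees the SYN-ACK, so it cannot return a matching acknowledgment number, and the server has spent no queue entry on it.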

5. What is a sliding window? Follow-up question: Why does a sliding window appear?

Sliding Window:

The window tells the sender how much data it may send, and it reflects the size of the receiver's buffer. The window refers to how much data is sent in one batch.

Why does a sliding window appear?

In the acknowledge-and-respond strategy, every data segment that is sent requires an ACK, and the next segment is sent only after that ACK is received. Requiring confirmation every time leads to poor performance. The sliding window mechanism sends multiple segments at a time to improve transmission performance.

6. How does TCP implement flow control and congestion control through the sliding window protocol?

By setting the size of the sliding window and using ACK to inform the sender of the size of its own buffer, the sender can send at an appropriate speed to achieve flow control;

The sender determines the window value based on the network congestion situation. When the sender actually determines the send window, it should take the minimum value of the "notification window" and the "congestion window".

7. Describe the difference between TCP and UDP?

UDP:

  • Connectionless, that is, no connection needs to be established before sending data
  • Reliable delivery is not guaranteed and congestion control is not used
  • Supports one-to-one, one-to-many, many-to-one, and many-to-many interactive communications
  • The header is only 8 bytes

TCP:

  • Connection-oriented transport layer protocol
  • Provide reliable delivery capabilities
  • Only supports one-to-one communication
  • Supports full-duplex communication (allows data to be transmitted in both directions simultaneously)
  • The minimum header is 20 bytes

Question: How to achieve good transmission with UDP?

Introducing sequence numbers ensures the order of data, the confirmation mechanism ensures that data reaches the other end, and the retransmission mechanism ensures that data discarded due to timeout is sent again.

8. What are the timers in TCP?

  • Retransmission timer
  • Persist timer
  • Keep-alive timer
  • Time Wait Timer

9. What is CDN and how does it work?

Q1: CDN is a content distribution network

Question 2: CDN adds a cache layer between the user and the server, which is achieved by taking over DNS and directing the user's request to the cache server to obtain the data of the source server.

10. What is DNS? What is the DNS resolution process?

Q1: DNS is the Domain Name System, a distributed database on the Internet that maps domain names and IP addresses to each other.

Question 2:

  • The browser checks the cache to see if there is a resolved IP address corresponding to this domain name. If there is, the resolution process will end.
  • Check whether the local hosts file has this URL mapping relationship
  • If there is no domain name mapping in hosts, search the local DNS resolver cache, and return it directly if it is available.
  • Through the preferred DNS server (local domain name server), the IP address corresponding to the domain name is queried and returned in a recursive or iterative manner. (top-level domain, second-level domain, third-level domain)
