Cyber Security Basics
📂 Foundation
· 6 of 15
64 min read
Privatising & Scaling — A Cybersecurity Perspective
A deep walkthrough of how the Internet scaled from 4 ARPANET hosts to 5.4 billion users — through RFC 1918, NAT, CIDR, and IPv6 — and the cybersecurity architecture (Zero Trust, defence-in-depth, anycast scrubbing) that holds it together. Includes the June 2024 Cloudflare BGP hijack, July 2024 CrowdStrike outage, XZ Utils backdoor, and the 31.4 Tbps Aisuru DDoS.
Section 01
The Internet by the Numbers — Why Scale Is the Real Story
Before we can talk about how the Internet was privatized and scaled, we have to grasp the
scale itself. Every number below represents compounding attack surface.
When you defend the modern Internet, you defend something that did not exist 30 years ago
and that grows faster than any defensive team can keep up with.
👥
Internet Users
5.4 Billion
Roughly two-thirds of humanity is online. Each one is a potential phishing target, a potential identity-theft victim, and a potential entry point into a corporate network.
📈
Global Cyber Economy
$8.4 Trillion
Roughly 8% of global GDP. Every dollar of digital commerce is also a dollar of attack incentive — criminals follow the money.
🔌
Connected Devices by 2028
33 Billion
From smart fridges to industrial sensors. Most ship with default passwords and no patch lifecycle — IoT is the largest under-defended population in cybersecurity.
🚨
Annual Cybercrime Cost
$10.5 Trillion
Larger than the GDP of every country except the US and China. The economics of cybercrime now rival entire national economies.
📐
The Compounding Effect
Privatising and scaling the Internet means scaling its risks just as fast.
Every connected device, every cloud workload, every user account is a
potential attack vector. The numbers above are not separate — they
multiply each other.
Section 02
What Is Internet Privatisation?
📖 Working Definition
The Quiet Handover of an Entire Civilisation's Plumbing
Internet Privatisation is the transfer of control over Internet
infrastructure, services, and governance from public or governmental entities
to private corporations and commercial actors.
This handover happened gradually between roughly 1989 and 2016. It covered:
✅ Backbone networks and Internet Exchange Points (IXPs)
✅ DNS root servers
✅ IP address allocation (via the five RIRs)
✅ Submarine cables
✅ CDN and cloud infrastructure
🏭
Infrastructure Control
the physical layer
Private ISPs, hyperscalers, and CDN providers now own more than
90% of the global Internet backbone. Tata Communications,
NTT, AT&T, Deutsche Telekom and a few others carry most international traffic.
⚖️
Governance Shift
the policy layer
ICANN, IANA, and the five Regional Internet Registries (ARIN, RIPE NCC, APNIC,
LACNIC, AFRINIC) transitioned away from direct US government oversight in 2016
to a multi-stakeholder model involving private firms, governments, and civil society.
☁️
Service Commercialisation
the application layer
Cloud and SaaS layers have created walled gardens, concentrating
data flows into a handful of hyperscalers — AWS, Azure, Google Cloud, Alibaba.
A single outage at any one now disrupts thousands of dependent services.
Section 03
The Three-Layer Architecture of the Modern Internet
Privatisation didn't just change ownership — it created concentration risk at
each of the three layers that make up the Internet. Knowing the layers helps
you reason about where defences belong and where breaches actually happen.
🌐 L1 → L2 → L3 — The Three Layers and Their Chokepoints
Concentration at every layer means one outage at AWS, one BGP misconfiguration at a Tier-1, one cable cut, can cascade globally.
Annual Traffic Growth
+26% YoY
Compounding faster than most defensive budgets.
Data Centres Worldwide
8,000+
Concentrated in roughly 20 countries, run by a few dozen private operators.
Submarine Cable Systems
574
Carry over 95% of international traffic. Many privately owned and accident-prone.
BGP Prefixes (v4 + v6)
~1.2 Million
The "global routing table." A single bad announcement among these can break the Internet.
Section 04
The Scaling Problem — From 4 Hosts to 5 Billion Users
📖 A Forecasting Mistake of Historic Proportions
"4.3 Billion Addresses Should Be Enough"
When the Internet Protocol version 4 (IPv4) was finalised in 1981 in
RFC 791, its 32-bit address field could hold
approximately 4.3 billion unique addresses. The protocol's
designers genuinely believed this was enough — for context, the world had
fewer than 500 computers networked together at the time.
They were spectacularly wrong. Mobile phones, IoT sensors, cloud workloads,
smart TVs, cars, fitness trackers, and routers all consume IP addresses.
By 3 February 2011, the central IANA pool of unallocated
IPv4 addresses was officially exhausted. The five Regional Internet
Registries (RIRs) handed out their final allocations between 2011 (APNIC) and
2019 (RIPE NCC), and AFRINIC ran out in 2024.
📅 The IPv4 Exhaustion Timeline
1981
IPv4 finalised in RFC 791 — 32 bits, 4.3 billion addresses, "more than we'll ever need."
1993
CIDR introduced (RFC 1519) to slow consumption by escaping the rigid Class A/B/C system.
1996
RFC 1918 carves out private address ranges, enabling massive reuse via NAT.
IANA exhausts its central IPv4 pool. No more new /8 blocks for the RIRs.
2025
Over 30 billion connected devices share the same ~4.3 billion IPv4 addresses — through NAT, CGNAT, and gradual IPv6 adoption.
📐
Three Solutions, One Problem
Three engineering tricks bought the Internet time to keep growing on top of
the IPv4 ceiling: RFC 1918 (private addresses),
NAT (address translation), and CIDR (classless prefixes).
The long-term fix — IPv6 — is still being adopted today, four decades
after the problem became visible. The next sections explain each of these in turn.
Section 05
IPv4 Addressing — The Foundation
An IPv4 address is just 32 bits, conventionally written as four 8-bit
octets separated by dots. Each octet ranges from 0 to 255.
🔗 The Anatomy of an IPv4 Address
The Original Classful Allocation (1981–1993)
Before CIDR, IPv4 was allocated in five rigid classes based on the leading bits
of the address. The system was wasteful — a Class B network gave you 65,534 hosts
even if you only needed 300 — but it was simple.
Class
Leading Bits
Range
Networks
Hosts per Network
A
0
1.0.0.0 – 126.255.255.255
128
~16.7 million
B
10
128.0.0.0 – 191.255.255.255
16,384
65,534
C
110
192.0.0.0 – 223.255.255.255
~2 million
254
D
1110
224.0.0.0 – 239.255.255.255
Multicast (one-to-many group delivery)
E
1111
240.0.0.0 – 255.255.255.255
Reserved for experimental use
Section 06
RFC 1918 — The Genius Hack That Bought the Internet 30 Years
💡 The Insight
"Most Hosts Don't Need to Be Globally Reachable"
In February 1996, the IETF published RFC 1918,
"Address Allocation for Private Internets." The insight was elegant:
most computers on most networks never need to be reached directly from the
Internet. A printer in an accounting department, a development server, a
home laptop — these only need to talk to a few specific destinations, and they
do so via a gateway.
So why not reserve a few address ranges that everyone can use locally,
so long as those addresses never appear on the global Internet? That is exactly
what RFC 1918 did. Three blocks were carved out of the IPv4 space, and a router
rule was added: never route these ranges between networks.
🏣
10.0.0.0/8
Class A range
16,777,214 usable hosts. Used by large enterprises, ISPs,
and cloud providers internally. AWS VPCs, Azure VNets, and Google Cloud
VPCs all use this range by default.
🏢
172.16.0.0/12
Class B range
1,048,574 usable hosts (172.16.0.0 to 172.31.255.255).
Common for medium organisations and Docker's default bridge networks.
🏡
192.168.0.0/16
Class C range
65,534 usable hosts. The famous "home router" range —
192.168.1.1 is the default admin address of most consumer routers worldwide.
💡
Why This Was a Stroke of Genius
Private IPs are unique only within their local network. Two completely
different organisations can each use 10.0.0.1 simultaneously — because those
addresses are filtered at Internet gateways and never appear in the global
routing table. The Internet, in effect, supports orders of magnitude more
hosts than its address space allows — by letting most of them hide inside
private bubbles. The price of that bubble is the next concept: NAT.
Section 07
Network Address Translation (NAT)
NAT is the device that sits at the boundary between a private network and the
public Internet, translating private addresses into one (or a few) public
addresses. Without NAT, RFC 1918 would be useless — private addresses would
never reach the outside world.
🔌 How NAT Sits Between Two Worlds
The Packet Flow — Step by Step
When an internal host sends a packet outbound, the NAT router rewrites the source
address (and almost always the source port too). It records the mapping in a
translation table. Reply packets coming back are translated back using
the same table.
Inside Local (Private)
Inside Global (Public)
Outside (Destination)
Protocol
192.168.1.10 : 5023
203.0.113.45 : 40001
142.250.190.78 : 443
TCP
192.168.1.20 : 5023
203.0.113.45 : 40002
151.101.1.140 : 443
TCP
192.168.1.30 : 8080
203.0.113.45 : 40003
8.8.8.8 : 53
UDP
192.168.1.10 : 5024
203.0.113.45 : 40004
20.205.243.166 : 443
TCP
📥 The Three-Step NAT Lifecycle
Step 1
An outbound packet leaves an internal host with a private source IP and port (e.g. 192.168.1.10:5023). The destination is a public server.
Step 2
The NAT router rewrites the source to its public IP and a unique port (e.g. 203.0.113.45:40001) and logs the mapping in its translation table.
Step 3
The reply packet arrives at the NAT's public IP and port. The router looks up the mapping in its table and forwards the packet back to the original internal host.
Section 08
Types of NAT — Static, Dynamic, and PAT
Not all NAT is the same. Three flavours exist, each with its own use case.
➡️
Static NAT (1:1)
How: One private address is permanently mapped to one public address.
Where: Servers that must be reachable from the Internet — public web servers, mail relays, VPN endpoints. The mapping never changes, so the public address is stable.
predictable, but no address savings
🔄
Dynamic NAT (N:M)
How: A pool of public addresses is shared. Each session is given any free public IP from the pool.
Where: Organisations with more internal hosts than public IPs, but where one-to-one isolation per session is required.
flexible, but pool can exhaust
🌏
PAT / NAPT (N:1)
How: Many private hosts share one public address. Each session is identified by a unique port number on the public side.
Where: Nearly every home router on Earth. Powers Carrier-Grade NAT (CGNAT) at ISPs serving entire neighbourhoods through a single public IP.
the world's most-deployed NAT
💡
PAT Is What Made the Modern Internet Possible
A small office with one $30 router and one public IP can host fifty laptops,
thirty phones, ten IoT devices, and three printers — all simultaneously
browsing the Internet — because PAT multiplexes them through 65,000+ available
ports. Without PAT, every device would need its own public IP and the
Internet would have collapsed under address exhaustion two decades ago.
Section 09
NAT — Benefits, Limitations, and Security Reality
✅ What NAT Gives You
Benefit
Why It Matters
Address conservation
Lets millions of orgs reuse 10.0.0.0/8
Topology hiding
Internal IPs invisible to outside scanners
Implicit inbound deny
Without a mapping, packets are dropped
ISP independence
Renumber internally without touching every host
Single monitoring point
All traffic flows through one chokepoint
Defence-in-depth bonus
One more layer attackers must traverse
❌ What NAT Costs You
Limitation
What Breaks
End-to-end principle
Internet's original design assumption violated
Peer-to-peer apps
VoIP, gaming, video calls need workarounds
STUN/TURN/ICE needed
NAT traversal protocols add complexity
Inbound services need port forwarding
Manual configuration per service
IPsec AH breaks
Authentication Header includes IP in checksum
Stateful single point of failure
Router reboot = all sessions dropped
The Security Implications of NAT
⚠️
The Most Important Sentence About NAT
"NAT is not security. NAT is address translation that happens to have a
side effect resembling security."
✅
Inbound Default-Deny
side-effect security
Without an explicit mapping, unsolicited inbound packets are dropped. This
is a useful first line of defence for casual reconnaissance attempts, but
it does nothing against attacks that ride on outbound-initiated connections.
👁️
Topology Hiding
harder reconnaissance
External attackers see only the public IP. The internal structure — how many
hosts exist, what subnets, which servers — is invisible. This raises the cost
of reconnaissance but does not stop a determined adversary.
⚠️
False Sense of Security
the deadly mistake
NAT inspects no content, blocks no malware, stops no outbound command-and-control
traffic, and does not detect tunnels. Every modern attack against home and
small office networks happens through a NAT — phishing, ransomware,
botnet C2 — without ever touching the inbound side.
🔎
Forensics & Attribution
the post-incident problem
Carrier-Grade NAT can put 10,000 subscribers behind a single public IP.
When law enforcement requests "who used this IP at 2:14 PM on Tuesday?",
without translation logs the answer is "ten thousand people."
Logging NAT mappings is essential for incident response.
Section 10
CIDR — Classless Inter-Domain Routing
🎯 The Reform That Saved IPv4
From Rigid Classes to Variable-Length Prefixes (1993)
Introduced in RFC 1519 in September 1993, CIDR (Classless
Inter-Domain Routing) abolished the rigid Class A/B/C system. Instead of
being stuck with networks of exactly 16.7 million, 65,534, or 254 hosts,
network operators could now allocate any power-of-two sized block.
The notation is simple: network address / prefix length in bits.
For example, 192.168.1.0/24 means "the network that starts at
192.168.1.0, with the first 24 bits as the network portion and the remaining
8 bits available for hosts" — giving 256 addresses (254 usable).
CIDR also enabled route aggregation: instead of carrying
millions of tiny routes in the global BGP table, ISPs could announce one
big prefix covering many smaller customer networks. Without CIDR, the global
routing table would have collapsed by the mid-1990s.
Prefix
Subnet Mask
Addresses
Typical Use
/8
255.0.0.0
16,777,216
Large ISP, private 10.0.0.0/8
/16
255.255.0.0
65,536
Enterprise campus or large datacenter
/24
255.255.255.0
256
Office floor or VLAN
/27
255.255.255.224
32
Small subnet
/30
255.255.255.252
4
Point-to-point router link
/32
255.255.255.255
1
Host route or loopback
Section 11
CIDR Subnetting in Practice — Building Trust Zones
Subnetting is not just an addressing exercise — it is a security
exercise. Each subnet becomes a separately-firewalled segment, allowing
you to enforce different policies for servers, workstations, IoT, and DMZ traffic.
🏘️ Splitting a /24 Into Four Security Zones
🛡️
Subnetting as Defence Architecture
If ransomware lands on a workstation in 192.168.1.64/26, it should not be
able to scan or touch the servers in 192.168.1.0/26 directly. The boundary
between subnets — enforced by ACLs, VLANs, or east-west firewalls — is what
contains the blast radius when (not if) a host gets compromised.
This is the foundation of network micro-segmentation.
Section 12
IPv6 — The 128-Bit Long-Term Solution
🚀 The Real Fix
128 Bits, ~3.4 × 1038 Addresses, Built for the Next Century
Finalised in RFC 2460 (December 1998) and updated by RFC 8200,
IPv6 is the long-term answer to IPv4 exhaustion. It uses
128 bits per address — four times longer than IPv4 — written
as eight groups of 16-bit hexadecimal values separated by colons.
An example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The math is staggering. IPv6 provides approximately
340 undecillion addresses — about
7.9 × 1028 per person on Earth, or roughly
one address per atom of carbon in your body. We will not run out again.
Address Length
128 bits
Four times the IPv4 address length, written in eight 16-bit hex groups.
Total Addresses
3.4 × 1038
Approximately 340 undecillion addresses. Effectively unlimited at human scale.
Per Person on Earth
~7.9 × 1028
Each human being could have more IPv6 addresses than there are grains of sand on Earth.
🔒
Built-in IPsec
security by design
Encryption and authentication (ESP and AH) were specified as mandatory in
the original IPv6 spec, though RFC 6434 later softened this to "recommended."
Either way, IPsec support is universal in IPv6 stacks.
⚙️
SLAAC Auto-Config
no DHCP needed
Stateless Address Auto-Configuration lets hosts generate their own unique
addresses from the network prefix and their MAC. Plug a device in, it gets
online — no DHCP server required.
📁
Simpler Header
faster routing
IPv6 uses a fixed 40-byte header (versus IPv4's variable 20–60 bytes), with
optional extensions chained on. Routers can forward packets faster because
they know exactly where each field lives.
🔥
No NAT Required
end-to-end restored
With trillions of addresses, every device can have its own globally-unique
IP. The original end-to-end principle of the Internet — every host can talk
directly to every other host — is restored.
Section 13
IPv4 vs IPv6 — Side by Side
Property
IPv4
IPv6
Address length
32 bits
128 bits
Total addresses
~4.3 billion
~3.4 × 1038
Notation
Dotted decimal (192.168.1.1)
Colon hex (2001:db8::1)
Header size
20–60 bytes (variable)
40 bytes (fixed)
Address configuration
Manual or DHCP
SLAAC, DHCPv6, or manual
NAT
Required for scale
Not required — end-to-end
IPsec support
Optional
Universal (originally mandatory)
Broadcast
Yes
Replaced by multicast
Fragmentation
Routers and hosts
Only end hosts
Security posture
Bolted on after the fact
Designed in from day one
Section 14
IPv6 Transition Mechanisms — Living in Two Worlds
The world cannot flip from IPv4 to IPv6 overnight. As of 2025, roughly 45-50% of
Google traffic arrives over IPv6 — meaningful, but far from total. Three
coexistence strategies bridge the two protocols.
📚
Dual-Stack
How: Every host runs both IPv4 and IPv6 stacks simultaneously
and picks whichever protocol the destination supports. The "happy eyeballs"
algorithm (RFC 8305) races both stacks and uses whichever connects first.
Trade-off: Simple, no translation overhead — but every device
still needs a public IPv4 address.
cleanest, but address-hungry
🔎
Tunneling
How: IPv6 packets are encapsulated inside IPv4 packets
(technologies: 6in4, 6to4, Teredo) to traverse IPv4-only network segments.
Trade-off: Reuses the existing IPv4 backbone, but adds
encapsulation overhead and makes troubleshooting harder.
transitional, complex
🔄
Translation (NAT64)
How: A gateway translates between IPv6-only clients and
IPv4-only servers in real time. The mobile carrier T-Mobile US has run
IPv6-only with NAT64 for years.
Trade-off: Lets IPv6-only networks reach IPv4 content,
but is stateful and breaks end-to-end IPsec.
pragmatic, stateful
Section 15
Security in the IPv6 Era — New Powers, New Pitfalls
IPv6 brings genuine security improvements — and a whole new attack surface that
most enterprises are not yet equipped to defend.
🔒
Mandatory IPsec Support
encryption first-class
Encapsulating Security Payload (ESP) and Authentication Header (AH) are
first-class citizens in every IPv6 stack. Properly configured, this enables
authenticated and encrypted end-to-end communication without bolt-on layers.
🔭
Reconnaissance Changes
brute scanning impossible
A single IPv6 /64 subnet contains 18 quintillion addresses. Brute-force IP
scanning is statistically futile. But attackers shift to DNS enumeration,
multicast probing, and exploiting predictable SLAAC patterns instead.
⚠️
New Attack Surface
ICMPv6 & Neighbor Discovery
ICMPv6 is essential for Neighbor Discovery Protocol (NDP) — blindly blocking
it breaks the network. Rogue Router Advertisements (RA) and DHCPv6 attacks
need RA Guard and DHCPv6 Guard on every
switch port.
🚫
No Implicit Firewall
every host is reachable
Without NAT, every device is potentially globally reachable. The casual
"NAT hides me" assumption disappears. Stateful firewalls, host hardening,
and zero-trust access become mandatory, not optional.
Section 16
The Cybersecurity Threat Landscape of the Privatised Internet
Privatisation and scaling have created six recurring threat patterns — each
amplified by the concentration of infrastructure in a few private hands.
🧹
Supply Chain Attacks
Private vendors inject vulnerabilities into trusted update channels.
SolarWinds (2020) compromised 18,000+ organisations through
a single Orion software update. The XZ Utils backdoor (March 2024)
almost compromised every Linux distribution before it was caught by a Microsoft
engineer noticing a 500ms delay.
trust is the attack surface
🔗
BGP Hijacking
Malicious or accidental route announcements redirect global traffic.
Cloudflare 1.1.1.1 (27 June 2024): a Brazilian ISP
(AS267613) announced a /32 hijack of Cloudflare's resolver — DNS broke
for users across 300 networks in 70 countries.
Rostelecom (April 2020): 8,800+ prefixes for Google,
Facebook, Amazon, Akamai rerouted through Russia for two hours.
the Internet's weakest layer
☁️
Hyperscaler Breaches
Concentration in AWS, Azure, and GCP turns single outages into global
events. The CrowdStrike-Microsoft outage on 19 July 2024
grounded airlines worldwide, knocked hospitals offline, and disrupted
payments in dozens of countries — one bad update, eight million Windows
machines blue-screened simultaneously.
single point of mass failure
⚡
DDoS at Scale
Botnets leverage the IoT explosion. October 2024: Cloudflare
publicly mitigated a 3.8 Tbps DDoS attack. Records keep
breaking: August 2025 — 11.5 Tbps; December 2025 —
31.4 Tbps from the Aisuru botnet. Private CDNs are now the only
practical defence at this scale.
tens of Tbps now routine
👁️
Mass Surveillance
Privatised infrastructure enables commercial and state surveillance at
unprecedented scale. Metadata — who talked to whom, when, from where — is
collected by ISPs, ad networks, and SaaS platforms. Snowden's 2013
disclosures revealed how routinely this happens behind the scenes.
privacy as economic side-effect
💰
Ransomware Ecosystem
Ransomware-as-a-Service (RaaS) groups exploit poorly secured private
infrastructure. Average ransom demand in 2024: $1.5M+.
Change Healthcare paid roughly $22M and was extorted a second time.
Colonial Pipeline paid $4.4M after a single legacy VPN account was breached.
criminal economy at $10B+/year
📰
Newspaper References
Cloudflare's official blog (blog.cloudflare.com) and BleepingComputer covered
the 1.1.1.1 hijack in detail in July 2024. Dark Reading and The Register have
maintained running coverage of major BGP incidents since the AS7007 leak of
1997. The CrowdStrike-Microsoft July 2024 outage was front-page news at
Reuters, Financial Times, BBC, and Wall Street Journal. The XZ Utils
backdoor (CVE-2024-3094) was covered by Wired, Ars Technica, and the New
York Times in early April 2024.
Section 17
VPNs and Modern Private Networking
🔐 Building Private Networks On Top of Hostile Transit
The Public Internet Is Just the Wire — Privacy Comes From Cryptography
A Virtual Private Network (VPN) extends a private network
across the public Internet by tunnelling encrypted traffic between endpoints.
From a cybersecurity standpoint, it provides three things that the Internet
itself does not: confidentiality (no one in between can read
the traffic), integrity (no one can tamper with it
undetected), and authentication (you know who you are
talking to).
In the privatised Internet — where your packets traverse dozens of carriers
you have never met — VPNs are not optional luxuries. They are the basic
sanitary layer of modern network engineering.
🛡️ The VPN Technology Landscape
IPsec
Internet Protocol Security — the workhorse of site-to-site VPNs, mandatory in IPv6. Operates at Layer 3 with ESP and AH headers. Used by every enterprise router.
WireGuard
Modern, minimal, fast — a 2018 design using modern cryptography (Curve25519, ChaCha20, Poly1305). Roughly 4,000 lines of code vs IPsec's 400,000+. Now standard in the Linux kernel.
OpenVPN
TLS-based, widely deployed — runs over TCP or UDP, traverses NAT and firewalls easily. Popular for remote-access scenarios where IPsec is too rigid.
SSL/TLS VPN
Clientless remote access — a user opens a browser, authenticates, and gets web-based access to internal applications without installing a VPN client.
ZTNA
Zero Trust Network Access overlays — the modern replacement for traditional VPNs. Cloudflare Access, Tailscale, Zscaler ZPA, and similar services authenticate every request rather than granting blanket network access.
Section 18
Zero Trust Architecture for a Private Internet
⚠️
The Core Principle
"Never trust, always verify."
Every request is authenticated and authorised, regardless of whether it
originates inside or outside the corporate network. The network perimeter
is dead.
Zero Trust was popularised by Google's BeyondCorp initiative
(post-2009 Aurora attack) and formalised by NIST in SP 800-207 (2020).
It operates across five pillars — every one must be in place for the architecture
to actually deliver on its promise.
🎯 The Five Pillars of Zero Trust
Section 19
Network Resilience at Internet Scale
When adversaries can muster terabit-scale firepower (as the 31.4 Tbps Aisuru
attack of December 2025 demonstrated), no single firewall or server can
survive. Resilience at Internet scale relies on four interlocking techniques.
🌐
Anycast Routing
distribute by geography
The same IP address is announced from many Points of Presence (POPs)
worldwide. Traffic is automatically routed to the nearest POP.
A DDoS attack from Asia hits Asian POPs only; European users keep working.
Cloudflare, Google Public DNS, and Akamai all use anycast.
🧹
Cloud Scrubbing
absorb the flood
On-demand filtering through providers like Cloudflare, Akamai Prolexic,
and AWS Shield Advanced. Aggregate global capacity is now over
100 Tbps — enough to absorb the largest known attacks
and forward only clean traffic to the customer's origin.
🚫
BGP Blackholing
sacrifice the IP, save the network
Remote-Triggered Black Hole (RTBH) signals null routes for IPs under
attack — telling the entire Internet to drop traffic to that specific
address. The targeted service goes offline, but the rest of the network
stays up. A last-resort technique for catastrophic floods.
🛡️
WAF + Rate Limiting
block at Layer 7
Web Application Firewalls inspect HTTP requests and block application-layer
floods (slow-loris, HTTP/2 rapid reset, brute-force login) while letting
legitimate traffic through. Rate limiting throttles per-IP and per-token
request rates before they reach the application.
💡
Resilience = Diversity
Resilience is fundamentally a function of diversity —
in routes, providers, geographies, and architectural assumptions. If your
entire defence depends on one provider, one route, one data centre, one
protocol — you do not have resilience. You have a single point of failure
with extra steps.
Section 20
Defence-in-Depth Architecture
No single boundary is sufficient. Modern defence is layered — six layers, each
catching what the previous one missed.
L1
Perimeter
Border firewall, DDoS scrubbing service, public DNS hardening (DNSSEC), reverse-proxy WAF, intrusion prevention. The outermost ring.
Encryption at rest and in transit, DLP, tokenisation, hardware security modules (HSMs), key management (KMS), backup integrity.
L6
Identity
MFA, SSO, least privilege, just-in-time (JIT) access, Privileged Access Management (PAM), behavioural biometrics. The innermost — and most often broken.
Section 21
Data Sovereignty & Privacy
The privatised Internet creates jurisdictional puzzles. A user in India types a
message in WhatsApp, which is stored on Meta servers in Texas, encrypted using
keys generated in California, served by Cloudflare POPs in Mumbai, and
potentially subject to US, EU, and Indian law all at once. Whose rules
apply? Four big challenges and the policy responses to them:
Data localisation laws (GDPR, India's DPDP Act 2023)
Mandatory data minimisation & anonymisation
Federated learning & on-device inference
End-to-end encryption mandates (and political backlash)
📑
The Modern Reality
The GDPR (EU, 2018), India's Digital Personal Data Protection Act,
2023, Brazil's LGPD, California's CCPA/CPRA, and dozens of similar
laws now force private companies to treat user data as a regulated asset.
Together they have re-introduced government oversight to a domain that
privatisation had largely escaped.
Section 22
Policy, Governance & Recommendations
Regulatory Frameworks Shaping the Modern Internet
🇪🇺
EU NIS2 Directive
in force since Oct 2024
Cybersecurity baseline for 18 "essential" and "important" sectors across the
EU. Mandatory incident reporting, board accountability, and fines up to 2% of
global turnover for non-compliance.
⚖️
GDPR / DPDP Act
cross-border data flow
The EU GDPR (2018) and India's DPDP Act (2023) restrict how personal data
flows across borders and require privacy-by-design — building privacy
protections into systems from the start, not as an afterthought.
📚
NIST CSF 2.0
the global standard
Six functions: Govern, Identify, Protect, Detect, Respond, Recover.
Adopted by tens of thousands of organisations worldwide as the de-facto
cybersecurity playbook. Released February 2024.
🔗
IETF RFCs (TCP, TLS, QUIC)
the technical layer
RFC 9293 (TCP modernisation), the TLS 1.3 mandate, and QUIC adoption (HTTP/3)
are slowly retrofitting the Internet's lowest layers with modern security
defaults — without breaking backward compatibility.
🌐
ITU Cybersecurity
global coordination
The UN's International Telecommunication Union coordinates Critical
Information Infrastructure Protection (CIIP) and incident response across
its 193 member states.
🏆
DORA (EU finance)
in force since Jan 2025
Digital Operational Resilience Act — sector-specific cyber rules for every
bank, insurer, and payment provider serving the EU. Mandates third-party
ICT risk management and threat-led penetration testing.
Four Strategic Recommendations
🎯 What Should Actually Be Done
01
Mandate BGP Security (RPKI). Require Tier-1 ISPs to deploy
RPKI Route Origin Validation. As of 2024 approximately half of global
prefixes have ROAs — half the Internet is still vulnerable to hijacks
like the June 2024 Cloudflare incident.
02
Multi-Cloud Architecture. Critical workloads should
not depend on a single hyperscaler. Distribute across at least
three providers so an AWS outage, an Azure outage, or a
CrowdStrike-style misconfiguration cannot take down the entire service.
03
Cyber Resilience Testing. Mandate Threat-Led Penetration
Testing (TLPT) for critical Internet infrastructure. The EU's TIBER-EU
framework and DORA make this requirement for finance; other sectors
should follow.
04
Internet Exchange Points (IXPs). Promote neutral IXP
expansion in underserved regions to reduce concentration at private
chokepoints. Local peering means local resilience.
Section 23
The Architect's Checklist — Six Technical Best Practices
✅ What Every Network and Security Engineer Should Do
01
Plan your address space hierarchically. Use CIDR allocation that leaves room for growth, separates environments (prod/staging/dev), and aligns subnets with roles (servers, workstations, IoT, DMZ). Document it. Re-IPing later is painful.
02
Treat NAT as plumbing, not security. Layer stateful firewalls, IDS/IPS, and segmentation behind it. Never rely on translation alone to keep attackers out — they will come through outbound channels.
03
Adopt IPv6 deliberately. Dual-stack new services from day one. Enable RA Guard and DHCPv6 Guard on every switch port. Audit ACLs and firewall rules for IPv6 parity — most breaches into IPv6 networks happen because IPv4-only ACLs left v6 open.
04
Encrypt by default. Use IPsec or WireGuard for site-to-site links, TLS 1.3 for application traffic, and zero-trust access (Cloudflare Access, Tailscale, Zscaler) for users. There is no transit network in 2025 that should be trusted unencrypted.
05
Log translations and flows. Retain NAT mappings and NetFlow/IPFIX records for at least the regulatory minimum (often 6–12 months). They are essential for incident response and law-enforcement attribution.
06
Segment to contain blast radius. Micro-segment by application role, not just by physical location. Assume breach. Design every segment so that a compromise inside it cannot reach into another segment without explicit authorisation.
Section 24
Key Takeaways — Six Ideas to Carry Home
🎯 The Distilled Lessons
01
Privatisation Scaled the Internet. RFC 1918, NAT, and CIDR
turned a 4.3-billion-address ceiling into the network of billions we have
today. Without those three engineering tricks, the Internet would have
stalled in the late 1990s.
02
Concentration Creates Risk. Private control of backbones,
DNS, and clouds means resilience requires deliberate decentralisation.
A single AWS region, a single CDN, a single CrowdStrike update can take down
the world's airlines simultaneously.
03
IPv6 is the Long-Term Answer. End-to-end addressing,
universally available IPsec, and a clean slate for the next generation of
services. The transition has taken 25 years and is still incomplete — but
it is inevitable.
04
Security by Design, Not Bolt-On. Every scaling decision
must embed security at the architecture level — not as an afterthought.
The cybersecurity industry exists largely to retrofit security onto
systems that did not have it from the start.
05
Zero Trust is the New Default. In a privatised Internet,
traditional network trust boundaries are meaningless. Verify every
request, every time. The firewall is no longer "the edge of the network"
— it is the boundary around every individual identity.
06
Policy and Technology Must Align. Effective governance
requires regulators, operators, and security professionals to move
together. Technical excellence without policy creates Wild West; policy
without technical understanding creates compliance theatre. Both are
failure modes.
🎯
You Are Now Equipped to Architect the Modern Internet
Privatisation built the Internet you use. Scaling kept it alive. Cybersecurity
keeps it usable. Anyone who understands all three — the addressing, the
translation, the routing, the threats, and the governance — has the full
picture that most defenders only see in fragments. That picture is the
foundation of being a network and security architect for the next decade.