Master Network Fundamentals: From TCP/IP Layers to SYN Flood Defense

Hi everyone, I'm Xiao Lin. After the National Day holiday most companies pause recruitment, and the autumn hiring peak resumes with campus job fairs and on‑site interviews.

Kingsoft Office (WPS) will start scheduling interviews after the holiday, typically completing them within 2‑3 weeks and moving to salary negotiations in October, offering salaries around 18k‑22k for development positions.

Kingsoft has R&D centers in Beijing, Zhuhai, and Wuhan, so candidates in second‑tier cities can also expect offers around 20k. The company’s work rhythm is 9‑6‑5, making it a comfortable environment.

The development roles at Kingsoft focus on C++, backend, and frontend development, with a strong emphasis on fundamentals.

Kingsoft Software (Backend Development Interview)

1. Explain the TCP/IP four‑layer model and the OSI seven‑layer model

The OSI model defines seven layers—Application, Presentation, Session, Transport, Network, Data Link, and Physical—to ensure interoperability among diverse network devices.

Application layer provides a uniform interface for applications.

Presentation layer converts data into a format understandable by other systems.

Session layer manages communication sessions.

Transport layer handles end‑to‑end data transfer.

Network layer manages routing, forwarding, and fragmentation.

Data Link layer frames data and performs error detection and MAC addressing.

Physical layer transmits data frames over the physical medium.

In practice, the simpler four‑layer TCP/IP model—Application, Transport, Network, and Link—is commonly used and implemented by Linux.

2. What is the full process of accessing a website?

Parse the URL and validate the protocol and host.

Check caches (browser, hosts file, router, ISP DNS) for a stored IP.

If not cached, perform DNS resolution to obtain the IP address.

Obtain the MAC address via ARP (or via the gateway if on a different subnet).

Establish a TCP connection with a three‑way handshake.

If using HTTPS, complete the TLS four‑handshake.

Send the HTTP request.

The server processes the request and returns a response.

3. Describe the TCP three‑way handshake

The client sends a SYN packet, the server replies with SYN‑ACK, and the client finalizes with ACK. The third handshake can carry data, while the first two cannot.

4. Why is a four‑step termination needed?

Both sides must ensure all pending data is transmitted before closing. The client sends FIN, the server acknowledges with ACK, then the server sends its own FIN, and the client acknowledges, entering TIME_WAIT before fully closing.

5. When does the server actively close a connection?

HTTP short‑connection (no Keep‑Alive).

HTTP Keep‑Alive timeout.

HTTP Keep‑Alive request limit reached.

For short connections, the client or server can close after each request. In Keep‑Alive, the server may close after a timeout or when the request count exceeds a configured limit (e.g., keepalive_requests in Nginx).

6. What is a SYN flood attack and how to mitigate it?

A SYN flood exhausts the server’s half‑open connection queue, preventing legitimate connections.

Increase netdev_max_backlog.

Enlarge the TCP SYN backlog ( net.ipv4.tcp_max_syn_backlog, net.core.somaxconn, listen() backlog).

Enable tcp_syncookies.

Reduce SYN‑ACK retransmission attempts ( tcp_synack_retries).

Increase net.core.netdev_max_backlog = 10000

Increase net.ipv4.tcp_max_syn_backlog , net.core.somaxconn , and the listen() backlog.

Enable syncookies: echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Reduce SYN‑ACK retries: echo 2 > /proc/sys/net/ipv4/tcp_synack_retries

7. Redis Bloom filter basics

A Bloom filter uses a bitmap initialized to zero and multiple hash functions. Adding an element sets bits at positions derived from the hashes; checking membership verifies that all those bits are set.

False positives are possible, but false negatives never occur.

8. How does Redis ensure data consistency?

Read operations use a cache‑aside pattern: if the cache misses, load from the database. Write operations update the database first, then delete the cache entry.

Because caching sacrifices strong consistency (CAP theorem), eventual consistency techniques such as retrying cache deletions via a message queue or subscribing to MySQL binlog (e.g., using Canal) are employed.

Message‑queue retry mechanism for cache deletion.

Subscribe to binlog and delete cache accordingly.

9. Network I/O models

Blocking I/O: the thread waits until the operation completes.

Non‑blocking I/O: the call returns immediately; the program polls or uses select/poll/epoll.

I/O multiplexing: select, poll, epoll allow a single thread to monitor many descriptors.

Signal‑driven I/O: the OS sends a signal when I/O completes.

Asynchronous I/O: the kernel performs the operation and notifies the application upon completion.

10. How does epoll work?

epoll maintains a red‑black tree of watched file descriptors in the kernel and an event list for ready descriptors. Adding sockets via epoll_ctl updates the tree; epoll_wait returns only ready events, avoiding repeated scans of all descriptors.

int s = socket(AF_INET, SOCK_STREAM, 0);
bind(s, ...);
listen(s, ...);
int epfd = epoll_create(...);
epoll_ctl(epfd, ...);
while (1) {
    int n = epoll_wait(...);
    // handle ready sockets
}

11. Why does InnoDB use B+ trees instead of B trees?

Non‑leaf nodes store only keys, allowing more entries per node and shallower trees.

Redundant leaf pointers simplify insert/delete operations.

Leaf nodes are linked, enabling efficient range queries.

12. What is the CAP theorem?

In a distributed system, Consistency, Availability, and Partition tolerance cannot all be achieved simultaneously; a system must trade off two of them.

13. Algorithm example: Find the number that appears only once

// Example code placeholder for the algorithm