A history of encrypting the TLS server name, from the 2018 ESNI experiment and why it failed to the ECH design that encrypts the whole inner ClientHello with HPKE, finished as RFC 9849 in 2026.
Traces the three proxy roles defined in RFC 9110 — forward proxy, gateway (reverse proxy), and intercepting proxy — and places CDNs, API gateways, and corporate SSL-inspection boxes inside that taxonomy by the direction of trust.
Traces how proxies append to the X-Forwarded-For and Forwarded chains, why the client-facing end is trivially spoofable, how trusted-proxy and rightmost-IP resolution actually works, and the security bugs that follow from getting it wrong.
A reference on application-layer DDoS: why HTTP floods are measured in requests per second, how they diverge from L3/L4 volumetric attacks, why they are cheap to mount and hard to filter, and what actually stops them.
Traces how a request-then-RST_STREAM loop in HTTP/2 sidestepped the concurrency limit that was supposed to bound per-connection work, set DDoS records at 398 and 201 million requests per second, and forced a round of server patches.
Traces the algorithms behind server-side rate limiting as an abuse defense: fixed and sliding windows, the log-versus-counter tradeoff, token and leaky buckets, GCRA, and how Redis enforces them across a fleet.
Traces how large networks soak up terabit floods: anycast catchment that splits attack load across hundreds of sites, scrubbing-center diversion via BGP, RTBH and flowspec, and the capacity headroom that makes it pay.
Traces the SYN flood from the 1996 Panix attack and the Phrack code that armed it, through the half-open backlog mechanism it exhausts, to SYN cookies and the modern variants that still rank near the top of Layer 3/4 attack vectors.
Traces the low-bandwidth slow attacks: Slowloris, slow POST (RUDY), and slow read, how each pins a worker thread on thread-per-connection servers, why event-driven servers shrug them off, and what actually times them out.
How spoofed-source UDP queries turn open DNS resolvers into reflectors, why a 64-byte question returns a 3,000-byte answer, what happened to Spamhaus in 2013, and why BCP 38 and RRL still matter in 2026.
A primary-source history of Mirai: the 62-credential telnet worm of 2016, the record 623 Gbps hit on Krebs and the terabit OVH flood, the Dyn outage, the HackForums source leak, and the three students behind it.
Traces the February 2018 memcached reflection attack that hit GitHub at 1.35 Tbps: UDP port 11211, the 51,000x amplification claim, Akamai's ten-minute mitigation, and why disabling UDP fixed it.
Traces how credential stuffing works at the concept level: password reuse as the root cause, combo lists built from breach dumps, the one-to-three-percent success rate offset by scale, and why it is a different attack from brute force.
Traces how account-takeover detection scores a login: credential-stuffing velocity, device-fingerprint continuity, impossible-travel and geovelocity, the false-positive problem, and where risk-based step-up auth fits in.
Traces the tooling and economics that turn a breach dump into validated accounts: combo lists and stealer logs, OpenBullet-style configs, residential proxy networks, CAPTCHA-solver farms, and the division of labor underneath.
Traces how stolen and generated card numbers get validated at scale: the BIN-enumeration pattern, the micro-authorization probe, the bot infrastructure behind it, and the merchant- and network-side signals that catch it.
Traces how scalper and Grinch bots monitor stock, race the add-to-cart and checkout, and hoard inventory, what the BOTS Act actually covers, and how queues, raffles, and bot management push back.
Traces how invalid traffic gets monetized in programmatic advertising, from the Methbot and 3ve botnets to domain spoofing, and how the IVT-detection industry and ads.txt try to catch it.
Traces how mass fake-account creation works: SMS-verification farms built on infected phones, disposable email, the phone-number economy, and the defenses that fight back: velocity, device fingerprint, proof-of-work, and phone reputation.
Traces gift-card balance-checking bots like GiftGhostBot and loyalty-point theft: the enumeration and account-takeover patterns behind them, why the endpoints are soft targets, and why the whole category stays under-reported.
How a device fingerprint plus proxy, velocity, and history signals turns into a fraud risk score, traced through Sift, SEON, and Fingerprint Pro, and where it diverges from bot detection.
How to read obfuscated anti-bot JavaScript without running it blind: beautify, scope and string-array recovery, Babel AST transforms, runtime hooking, and where the workflow hits a wall against bytecode VMs.
Traces how VM-based JavaScript obfuscation works: a custom opcode set and dispatcher loop replace readable code with bytecode, why this is the strongest JS obfuscation, and how devirtualization recovers the logic.
A reference on the JavaScript primitives obfuscators lean on most: dynamic eval and Function construction, the with statement for scope confusion, and string-array rotation, plus how AST deobfuscators take them apart.