
CloudFlare "Interview Questions"

by Marek Majkowski.

For quite some time we've been grilling our candidates about the dirty corners of the TCP/IP stack. Every engineer here must prove his/her comprehensive understanding of the full network stack. For example: what are the differences in checksumming algorithms between IPv4 and IPv6 stacks?

I'm joking of course, but in the spirit of the old TCP/IP pub game I want to share some of the amusing TCP/IP quirks I've bumped into over the last few months while working on CloudFlare's automatic attack mitigation systems.

CC BY-SA 2.0 image by Daan Berg

Don't worry if you don't know the correct answer: you may always come up with a funny one!

Some of the questions are fairly obvious, some don't have a direct answer and are supposed to provoke a longer discussion. The goal is to encourage our readers to review the dusty RFCs, get interested in the inner workings of the network stack and generally spread the knowledge about the protocols we rely on so much.

Don't forget to add a comment below if you want to share a response!

You think you know all about TCP/IP? Let's find out.


  1. What is the lowest TCP port number?

  2. The TCP frame has an URG pointer field, when is it used?

  3. Can the RST packet have a payload?

  4. When is the "flow" field in IPv6 used?

  5. What does the IP_FREEBIND socket option do?

Forgotten Quirks

  1. What does the PSH flag actually do?

  2. The TCP timestamp is implicated in SYN cookies. How?

  3. Can a "UDP" packet have a checksum field set to zero?

  4. How does TCP simultaneous open work? Does it actually work?

Fragmentation and Congestion

  1. What is a stupid window syndrome?

  2. What are the CWR and ECE flags in the TCP header?

  3. What is the IP ID field and what does it have to do with DF bit? Why do some packets have a non-zero IP ID and a DF set?

Fresh Ideas

  1. Can a SYN packet have a payload? (hint: new RFC proposals)

  2. Can a SYN+ACK packet have a payload?


  1. ICMP packet-too-big messages are returned by routers and contain a part of the original packet in the payload. What is the minimal length of this payload that is accepted by Linux?

  2. When an ICMP packet-too-big message is returned by an intermediate router it will have the source IP of that router. In practice though, we often see that the source IP of the ICMP message is identical to the destination IP of the original packet. Why could that happen?

Linux Configuration

  1. Linux has a "tcp_no_metrics_save" sysctl setting. What does it save and for how long?

  2. Linux uses two queues to handle incoming TCP connections: the SYN queue and the accept queue. What is the length of the SYN queue?

  3. What happens if the SYN queue grows too large and overflows?

Touching the router

  1. What are BGP bogons, and why are they less of a problem now?

  2. TCP has an extension which adds MD5 checksums to packets. When is it useful?

And finally:

  1. What are the differences in checksumming algorithms in IPv4 and IPv6?

At CloudFlare we touch low-level things like that every day. Is this something that interests you? Consider applying!
