IC Study Guide

DNS Record Types Contact list with routing rules

Core understanding: DNS isn't just "name → IP." It stores different record types that control where traffic goes and how services are discovered.

What it is: A distributed directory with multiple record types, each serving a different routing purpose.

Key records:

• A → domain → IPv4 (most common)
• AAAA → domain → IPv6
• CNAME → alias (domain points to another domain)
• MX → mail routing
• TXT → verification / policies (SPF, DKIM)
• NS → which DNS servers are authoritative

Problem in incident: Wrong IP in A record · broken CNAME chain · missing or incorrect records

Effect (what you see): Users routed to wrong server · partial outages · some services work, others fail

Technical effect: DNS resolves — but to the wrong destination

What it means: Misconfiguration, not outage — traffic is flowing, but incorrectly

Analogy: Contact list with wrong phone numbers or forwarding rules

Incident signals:

• Traffic hitting wrong servers
• Sudden shift in traffic patterns
• "It works for some domains but not others"

IC questions: "What record changed?" / "Are we resolving to the expected IP?" / "Is there a CNAME chain involved?"

Pattern: Traffic going somewhere wrong → think DNS misconfiguration

TTL & Propagation Old maps still in circulation

Core understanding: DNS changes are not instant — TTL (Time To Live) controls how long old answers stay cached by resolvers across the internet.

What it does: TTL determines how long a resolver caches a DNS answer before it re-queries the authoritative server.

Problem in incident: Old records still cached · some users see new config, others see old

Effect (what you see): "Works for me but not others" · gradual recovery · region-dependent behaviour

Technical effect: Different resolvers return different answers — inconsistent global state

What it means: Not a failure — the change is still propagating. Expected behaviour after a DNS update.

Analogy: Old maps still being used while new maps are being distributed

Incident signals:

• Mixed behaviour across regions or users
• Gradual improvement over time after a DNS change
• "Some users fixed, others still broken"

IC questions: "What is the TTL?" / "When was the change made?" / "Are caches cleared?"

Pattern: Inconsistent behaviour after a DNS change → think TTL propagation delay

TCP vs UDP Registered mail vs postcards

Core understanding: TCP and UDP are two transport protocols — reliable vs fast. Knowing which one your traffic uses changes how you diagnose failures.

TCP (Transmission Control Protocol): Reliable, ordered, connection-based · used by HTTP/S, MySQL · retries automatically · guaranteed delivery

UDP (User Datagram Protocol): Fast, no guarantees, connectionless · used by DNS, streaming, VoIP · sends and forgets — no retry built in

Problem in incident:

• TCP: congestion, connection limits, slow under load
• UDP: silent drops, hard-to-detect failures, no error trail

Effect (what you see): TCP issues → timeouts, slow apps · UDP issues → intermittent failures, missing responses

What it means: TCP problems = congestion or capacity · UDP problems = loss or instability

Analogy: TCP = registered mail (guaranteed delivery) · UDP = postcards (fast but may get lost)

Incident signals:

• TCP: high latency, connection timeouts
• UDP: missing responses, intermittent failures, no error logs

IC questions: "Is this TCP or UDP traffic?" / "Do we see retries or silent drops?" / "Is reliability or speed more critical?"

Pattern: Silent failures with no error logs → think UDP packet loss

TCP Handshake & Connection Lifecycle Knocking on a door that won't answer

Core understanding: Before any data flows, TCP must establish a connection via a 3-step handshake. If this fails, no requests can be processed at all.

The handshake: SYN → SYN-ACK → ACK

Problem in incident: Handshake fails or is delayed · SYN queue fills up · server cannot accept new connections

Effect (what you see): Connection timeouts · users can't connect · errors appear before any request is sent

Technical effect: Entry point is saturated — the problem is at the door, not inside the application

What it means: Often load-related or an attack — not an application bug

Analogy: Knocking on a door but no one answers — the house is overwhelmed before anyone can get inside

Incident signals:

• SYN backlog warnings
• High connection attempt counts
• Timeouts before any request data is exchanged

IC questions: "Are connections failing before requests?" / "Is the SYN queue full?" / "Is this a traffic spike or an attack?"

Pattern: Fails before any request is processed → think TCP handshake saturation

Retransmissions & Congestion Traffic jam where cars keep re-entering

Core understanding: When TCP packets are lost, they are automatically retransmitted. Under high load, this creates a congestion feedback loop — more retransmits = more traffic = worse congestion.

What it does: TCP guarantees delivery by resending lost packets — but each resend adds to overall traffic load.

Problem in incident: High retransmission rate · congestion builds · performance degrades progressively under sustained load

Effect (what you see): Slow responses · latency climbing · throughput dropping under load

Technical effect: More traffic → more loss → more retransmits → worse performance (self-reinforcing loop)

What it means: Network degradation spiral — not a full outage, but worsening performance under load

Analogy: Traffic jam where cars keep re-entering — clearing gets harder the more vehicles try to pass

Incident signals:

• Retransmission rate climbing
• Latency increasing over time
• Throughput dropping under load

IC questions: "Are retransmissions increasing?" / "Is packet loss present?" / "Where is the congested link?"

Pattern: Progressive slowdown under load + rising retries → think TCP congestion loop

IDCS Global Authentication Failure Highway entrance closed

Core understanding: IDCS is a centralised cloud identity provider. It acts as the first gate users must pass through before reaching any system. If it becomes unavailable, users cannot authenticate anywhere — even though the underlying apps may still be healthy.

What it is: A shared login authority used across multiple systems.

What it does: Authenticates users and issues access tokens.

Problem in incident: IDCS outage or service disruption.

Effect (what you see):

• All apps inaccessible after login attempt
• 401/403 spike across every service simultaneously

Technical effect: No tokens issued — authentication cannot begin.

IC interpretation: Central dependency failure — the authentication hub is down.

Analogy: Highway entrance closed — all routes blocked even though the roads beyond are clear.

Incident signals: Login failures across all apps at once · drop in successful auth metrics.

IC questions: "Are all apps affected?" / "Is IDCS reachable?" / "When did auth success rate drop?"

Pattern recognition: All apps fail login simultaneously → suspect IDCS.

Token Expiry / Validation Issues Expired train ticket during journey

Core understanding: After login, users don't continuously re-authenticate — they use tokens as proof of identity. These tokens have rules like expiration time and validation checks. If those rules are misconfigured or systems disagree on time, valid users can suddenly appear invalid.

What it does: Maintains authenticated sessions across systems.

Problem in incident: Expired or misvalidated tokens.

Effect (what you see):

• Random mid-session logouts
• Intermittent 401 errors for users already logged in

Technical effect: Token rejected by applications.

IC interpretation: Misconfiguration or time sync issue — not an outage.

Analogy: Expired train ticket during the journey — you bought it, you're on the train, but the gate says it's invalid.

Incident signals: Token validation errors in logs · session drops without user action.

IC questions: "Are tokens expiring earlier than expected?" / "Is system time consistent across services?"

Pattern recognition: Random auth failures for already-logged-in users → token issue.

Federation / SSO Misconfiguration Two border checkpoints refusing each other

Core understanding: Federation allows one identity system to trust another (e.g., corporate login into cloud apps). This relies on precise configuration and certificates. If that trust breaks, users get stuck in login flows or cannot authenticate at all.

What it does: Enables login via external identity providers.

Problem in incident: Broken trust configuration or certificate mismatch.

Effect (what you see):

• Redirect loops — browser bounces between app and login page
• Login fails after being redirected to SSO

Technical effect: Authentication handshake fails between identity providers.

IC interpretation: Integration misconfiguration — the two systems no longer agree on trust.

Analogy: Two border checkpoints refusing to accept each other's stamps.

Incident signals: Repeated redirect errors · SSO-specific error codes · only SSO users affected.

IC questions: "Are only SSO users affected (local accounts still work)?" / "Any cert or config changes recently?"

Pattern recognition: Redirect loop → SSO / federation issue.

LDAP Latency (IDM) Traffic jam at ID checkpoint

Core understanding: LDAP is the directory service that stores user identities in IDM environments. During login, systems query LDAP to verify users. If LDAP is slow, every authentication request slows down — even if nothing is technically broken.

What it does: Provides user data for authentication queries.

Problem in incident: Slow directory responses.

Effect (what you see):

• Login takes much longer than normal (15–20s instead of 1–2s)
• Occasional timeouts for some users

Technical effect: Queued or delayed auth requests — high LDAP response times.

IC interpretation: Performance bottleneck — slowness, not failure.

Analogy: Traffic jam at the ID checkpoint — everyone gets through eventually, but very slowly.

Incident signals: High auth latency · complaints about slow login, not login failure.

IC questions: "Is login slow or actually failing?" / "What are LDAP query response times?" / "Any load increase recently?"

Pattern recognition: Login eventually works but is very slow → LDAP latency.

User Provisioning / Sync Issues Different checkpoints, different passenger lists

Core understanding: Users and permissions are synchronised across systems. If this process fails, different systems may have different views of who a user is or what they can access — creating inconsistent, hard-to-diagnose failures.

What it does: Keeps user identities and roles consistent across all systems.

Problem in incident: Sync delays or failures.

Effect (what you see):

• Some users fail while others succeed
• Permissions missing or incorrect for affected users

Technical effect: Data inconsistency across systems.

IC interpretation: State mismatch — not an outage, but a divergence between systems.

Analogy: Different checkpoints using different passenger lists.

Incident signals: Only specific users or groups affected · new users, recently changed roles, or recently onboarded teams impacted.

IC questions: "Who exactly is affected?" / "Any recent provisioning changes or new user onboarding?"

Pattern recognition: Partial user failures (not everyone) → sync or provisioning issue.

MFA Failure Second checkpoint blocked

Core understanding: MFA adds a second verification step after password authentication. This step often depends on external systems (SMS providers, authenticator apps). If it fails, users are authenticated on password but cannot complete login.

What it does: Provides additional identity verification beyond password.

Problem in incident: MFA system or provider failure.

Effect (what you see):

• Users stuck after entering their password
• MFA prompts that never arrive or fail to validate

Technical effect: Second authentication step cannot complete.

IC interpretation: Partial authentication failure — first step worked, second step blocked.

Analogy: Getting through the first checkpoint but being blocked at the second.

Incident signals: MFA error messages in logs · push notifications or SMS not arriving.

IC questions: "Where exactly does login stop — before or after MFA prompt?" / "Is this an external MFA provider?"

Pattern recognition: Login stalls after password entry → MFA failure.

OAuth / OIDC Misconfiguration Wrong key for one door

Core understanding: Applications must be correctly configured to trust IDCS tokens. This includes client IDs, secrets, and redirect URLs. A small mismatch can break authentication for a single app while others work fine.

What it does: Connects individual applications to the identity provider.

Problem in incident: Incorrect client configuration in one app.

Effect (what you see):

• One specific app fails login
• All other apps still work fine

Technical effect: Token rejected by the misconfigured application.

IC interpretation: App-specific misconfiguration — scope is narrow, not a platform issue.

Analogy: Wrong key for one door — master key still works on all others.

Incident signals: Single app impacted · OAuth error codes (invalid_client, redirect_uri_mismatch).

IC questions: "Is this only one app or multiple?" / "Any config deployment to this app recently?"

Pattern recognition: One app broken while others work → OAuth / OIDC misconfiguration.

Certificate Expiry Expired passport

Core understanding: Certificates establish trust between systems in authentication flows. They have expiration dates. When they expire, systems stop trusting each other — causing sudden, complete failures with no degraded middle period.

What it does: Secures and validates identity communication between systems.

Problem in incident: Expired certificate.

Effect (what you see):

• Sudden, complete login failure — was working, now completely broken
• SSO stops working

Technical effect: Trust validation fails — systems refuse to communicate.

IC interpretation: Preventable config failure — a known expiry date was missed.

Analogy: Expired passport — valid until midnight on the expiry date, then refused everywhere instantly.

Incident signals: Certificate error messages in logs · sudden complete outage with no deployment.

IC questions: "Did any certificate expire recently?" / "Was there a cert change or renewal attempt?"

Pattern recognition: Sudden auth break with no deployment → check certificate expiry first.

Rate Limiting / Throttling Road closed due to too much traffic

Core understanding: Identity systems protect themselves by limiting how many requests they accept per time window. During traffic spikes, legitimate users can be blocked if limits are hit — even when the identity system itself is completely healthy.

What it does: Prevents overload or abuse by capping request rates.

Problem in incident: Too many requests trigger the limit.

Effect (what you see):

• Login failures during peak usage times
• 429 (Too Many Requests) responses

Technical effect: Requests rejected or delayed by the rate limiter.

IC interpretation: Capacity or protection issue — the limit may be correct or may need tuning.

Analogy: Road closed due to too much traffic — the road is fine, volume exceeded what's allowed.

Incident signals: Traffic spike correlates exactly with login failure onset · 429 errors in logs.

IC questions: "Is there a traffic spike right now?" / "Are 429 errors visible?" / "What are the configured rate limit thresholds?"

Pattern recognition: Peak usage + login failures + 429 errors → throttling.

Identity Dependency Failure Checkpoint staff can't access records

Core understanding: Identity systems rely on underlying services like databases, network, and storage. If those fail, identity services degrade or stop working — even if the identity system's own processes are healthy.

What it does: Depends on backend infrastructure to function.

Problem in incident: Database, network, or storage failure beneath IDCS.

Effect (what you see):

• Slow or failed login
• Auth errors combined with infrastructure alerts

Technical effect: Backend dependency unavailable — IDCS cannot complete auth lookups.

IC interpretation: Downstream dependency issue — the visible failure is auth, but the root cause is infrastructure.

Analogy: Checkpoint staff can't access the records database — they're present but unable to do their job.

Incident signals: Infra alerts fire alongside auth failures · auth latency spike coincides with DB / network alerts.

IC questions: "Are there DB or network alerts at the same time?" / "Is this auth-only or a wider infrastructure issue?"

Pattern recognition: Auth failures + infra alerts simultaneously → dependency failure.

Framing the Incident (Impact First) Side street vs motorway

Core understanding: Framing means quickly defining what is broken and how bad it is. Without it, teams focus on the wrong things or move too slowly.

What it does: Aligns everyone on what matters most and how urgent the situation is.

Problem in incident: Engineers jump into debugging without confirming impact. Low-priority issues get equal attention as critical ones. No urgency → slow decisions.

Effect (what you see): People asking different questions, no shared sense of severity, delayed mitigation.

What it means (IC interpretation): This is a priority alignment problem. The system isn't just failing — the response is unfocused.

Analogy: An accident happens but no one knows if it's on a side street or a major motorway. If it's the motorway (checkout), you need immediate response and all resources focused.

Incident signals: "Is this actually impacting users?" / "How bad is this?" / "Are we sure this is critical?" / Multiple threads of investigation.

IC questions: "What is the user impact right now?" / "Which functionality is affected?" / "Is this revenue-critical (checkout/login)?" / "How many users are impacted?" / "When did this start?"

Then state clearly: "Checkout is failing → high priority → focus on mitigation."

Ownership Assignment Uncontrolled junction

Core understanding: Every critical task needs a clearly named person or team responsible. Without this, work is assumed, duplicated, or not done at all.

What it does: Ensures work happens without delay and everyone knows who is doing what.

Problem in incident: Tasks are suggested but not assigned. People assume "someone else is doing it." Gaps or duplication in work.

Effect (what you see): "I thought that was already happening." Silence after actions are suggested. Same task done twice or not at all.

What it means (IC interpretation): This is a responsibility gap. The system is slow because no one owns execution.

Analogy: Traffic lights exist but no one is assigned to operate them. Cars hesitate, collide, or stop moving entirely.

Incident signals: "Who is doing that?" / "Is that being worked on?" / Long pauses after instructions.

IC questions: "Who owns the app right now?" / "Who is handling DB investigation?" / "Who is managing infra/network?"

Then assign clearly: "App team → initiate rollback now. DBA → investigate queries. Network → prepare to drain nodes."

Timeline Tracking Sequence before the crash

Core understanding: Timeline tracking means keeping a clear sequence of events during the incident. This helps connect cause and effect quickly.

What it does: Identifies what changed before the failure. Prevents confusion during the incident.

Problem in incident: Events get mixed up. Teams argue about what happened first. Root cause becomes harder to identify.

Effect (what you see): "Wait, did that happen before or after the deploy?" Repeated questions. Confusion about sequence.

Technical effect: Slower diagnosis. Missed correlations (e.g., deploy → failure).

What it means (IC interpretation): This is a visibility problem over time. You can't solve what you can't sequence.

Analogy: Trying to understand a crash without knowing which car entered the junction first or when the collision happened.

Incident signals: Confusion about timing / "When did that happen?" repeated / Misaligned understanding across teams.

IC questions: "When did alerts start?" / "When was the last deploy?" / "When did user impact begin?"

Then state: "09:05 deploy → 09:12 alerts → likely related."

Parallel Work (Avoid Serial Investigation) Multi-lane road

Core understanding: Parallel work means multiple teams investigate different areas at the same time. Serial work (one after another) slows everything down.

What it does: Speeds up diagnosis and mitigation simultaneously.

Problem in incident: Teams wait for each other. Only one path investigated at a time. Bottlenecks form.

Effect (what you see): "Let's wait for DB before doing anything." Idle teams. Slow progress.

What it means (IC interpretation): This is a throughput problem. Not enough work happening simultaneously.

Analogy: Only opening one lane when multiple lanes are available — traffic builds up unnecessarily.

Incident signals: Teams waiting / Sequential updates / Slow momentum.

IC questions: "What can each team investigate right now?" / "Are we blocked or just waiting?" / "Can we run these in parallel?"

Then assign: App → deploy/rollback. DBA → queries. Network → traffic. All simultaneously.

Decisive Action (Mitigation First) Clear the road before the inquest

Core understanding: Incident command requires making fast, reasonable decisions to reduce impact — even without full information.

What it does: Stops user impact quickly. Buys time for deeper investigation.

Problem in incident: Over-analysis. Fear of making the wrong decision. Delayed action.

Effect (what you see): Endless discussion. No clear plan. Metrics not improving.

What it means (IC interpretation): This is a decision paralysis problem. The system isn't recovering because no action is taken.

Analogy: Seeing a blocked road but debating the causes instead of clearing it first.

Incident signals: "We're still investigating…" with no action taken / No improvement in metrics / Repeated theories.

IC questions: "What is the fastest way to reduce impact?" / "Can we roll back?" / "What is the safest immediate mitigation?"

Then decide: "We are rolling back — execute now."

Structured Communication (Who / What / Priority) Clear junction signs

Core understanding: Communication must be clear, direct, and structured so actions happen immediately.

What it does: Removes ambiguity. Speeds up execution.

Problem in incident: Vague instructions. Long explanations. Misunderstandings.

Effect (what you see): "Sorry, what was I doing?" Delayed responses. Confusion.

What it means (IC interpretation): This is a clarity problem. Work slows because instructions are unclear.

Analogy: Giving unclear directions at a busy junction — cars hesitate or go the wrong way.

Incident signals: Repeated clarifications / Tasks misunderstood / Slow execution after instruction.

Structure: Every instruction = Who is doing this + What exactly + Priority (now / next).

Example: "App team → roll back all nodes → priority now." (not "let's look into rollback")