The Open Systems Interconnection (OSI) model is a conceptual framework developed by the International Standards Organization (ISO). It has been in use for over 40 years, and is cited in every computer network book. It is also a favorite resource for just about every cybersecurity exam. The OSI model is represented in seven layers that help us understand how communications between computer systems occur. This is beneficial in troubleshooting network-related issues, since it exclusively separates protocols, services, and interfaces of each layer, and for manufacturers to maintain compatibility with other brands when defining technologies.

Through the progression of technology, threat actors have found many complex methods to compromise networks. With an understanding of the functions of each OSI layer and their vulnerabilities, many network attacks could be prevented.

1 – Physical Layer

This layer is responsible for the transmission and reception of raw bit streams (the binary 1 and 0) over physical mediums such as cables, wires, and wireless signals. It can establish, maintain, and deactivate the physical connection. It synchronizes the data bits and defines the data transmission rate and the data transmission modes, such as full-duplex and half-duplex modes. The devices that are used in the physical layer are cables such as Ethernet, coaxial, fiber-optic, and other connectors.

Denial of Service (DoS) attacks are targeted at the physical layer, as this is the hardware, the tangible layer of the system. DoS attacks halt all network functions. A DoS attack can be accomplished by physically cutting or unplugging network cables. Physical layer vulnerabilities can be mitigated with physical security measures, such as access control, video surveillance, tamper-proof electromagnetic interference shields, and the use of redundant links.

2 – Data Link Layer

This layer works with information flows that are encapsulated in “frames”. This layer detects and corrects errors in data, ensuring reliable transmission between network devices over a physical link. It is responsible for sequential and consistent data exchange, error control, and flow control. Cyclic Redundancy Check (CRC) monitors against lost frames, which can then be retransmitted. Devices such as bridges, switches, and Network Interface Controllers (NICs) and protocols such as Address Resolution Protocol (ARP), Point-to-Point Protocol (PPP) Spanning Tree Protocol (STP), Link Aggregation Control Protocol (LACP) belong to this layer.

Data link layer attacks originate from the internal LAN (Local Area Network), some of these attacks are:

• ARP spoofing – ARP spoofing is a Man in The Middle (MiTM) attack, where the threat actor pretends to be both sides of a network communication channel; sniffing packets to steal data and alter communications, perform session hijacking, and Distributed Denial of Service (DDoS) attacks. To prevent this attack, enable private VLANS, static ARP, and install Intrusion Detection Systems (IDS).
• MAC flooding attack – This attack is carried on the network switch. The threat actor overflows the Media Access Control (MAC) address table of the switch with fake MAC addresses, which replaces valid addresses. This forces the switch to behave like a network hub, that is, when a valid user attempts to access the web, they create a broadcast “flood” throughout the network. The data intended for the authentic user will now be received by the attacker instead. This attack can be mitigated by enabling port security and authentication with an Authentication, Authorization, and Accounting (AAA) server.
• Spanning Tree attack – The Spanning Tree Protocol (STP) removes potential loops between redundant switches from causing an endless broadcast traffic storm. The threat actor alters the operation by adding a new STP device to become the root bridge, and the traffic will then transmit across the attacker`s switch. Enabling Bridge Protocol Data Unit (BPDU) guard on switches will prevent this attack.

3 – Network Layer

The network layer operates on “packets”, routing them across devices and networks. It manages logical device identification and addressing, and performs routing by choosing the shortest, and most logically efficient path to forward the packets. Routers and switches are the most common devices associated with this layer. The protocols that function at this layer include Internet Protocol (IP), Internet Control Message Protocol (ICMP), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF).

Attacks in the network layer are performed over the internet, such as DDoS attacks, where a router is targeted and overwhelmed with illegitimate requests, subsequently rendering it unable to accept genuine requests. Packet filtering controls, and security mechanisms such as Virtual Private Networks (VPNs), IPsec, and firewalls are common methods to limit the chance of network layer attacks.

4 – Transport Layer

This layer establishes a point-to-point connection between the source and the destination, ensuring that the data is transmitted in the correct order. It also performs flow control, error control, data reassembly, and segmentation. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are examples of transport layer protocols.

Attacks in this layer are often conducted through vulnerable open ports identified by port scanning.

• SYN flood attack – is a type of DDoS attack that exploits the TCP three-way handshake. The attacker sends multiple synchronization (SYN) packets to every port of a server. The server acknowledges by sending a Synchronize-Acknowledge (SYN-ACK) message for each SYN packet. If the malicious client doesn’t send the final ACK packet as expected, it creates “half-open” sessions on the server. As the server’s ability to process requests becomes depleted, new requests and services to legitimate clients will be denied. If the SYN flood continues, the server will malfunction or crash. SYN flood attacks can be mitigated by allocating micro-blocks, as few as 16 bytes for a SYN request, and maintaining SYN cookies and RST cookies.
• Smurf attack – named after a popular toy figure from the 1980s that appeared to be everywhere, the Smurf attack is also a type of a DDoS attack. This attack is carried out by generating fake ICMP Echo request (PING) packets to an IP broadcast network using the targeted server`s IP address as the source IP address. With so many ICMP responses, seeming to come from everywhere, the target server becomes overwhelmed and is bought down. Inspection of incoming, traffic and blocking illegal ICMP responses will limit the chances of a Smurf attack.

5 – Session Layer

This layer is responsible for establishing, maintaining, and terminating sessions between a local and remote device. It`s responsible for synchronization and recovery, it adds checkpoints during the transmission of data. If there are any During any instance transmission errors, the transmission will resume from the last good checkpoint.

Common attacks in this layer include: 

• Session hijacking – A threat actor takes over a web session by compromising the session token to gain access to personal information and passwords. Strong passwords with multifactor authentication, VPNs, and keeping software up to date are a few mitigations against session hijacking attacks.
• MiTM attack – During this attack, the threat actor is positioned between a two parties’ data transmission session to eavesdrop and relay messages. Open, unsecured Wi-Fi connections are the most popular vector for this type of attack. Other communication technologies, such as Secure Shell (SSH) will limit these types of attacks

6 – Presentation Layer

This layer is responsible for translating data from a sender-dependent format to a common format that is understood by the application layer. For example, the translation of different character sets, such as ASCII to EBCDIC. Most importantly from a cybersecurity perspective, this layer handles the encryption and decryption of data. Data compression for network transmission is also managed at the Presentation layer. Secure Sockets Layer (SSL) hijacking, also known as session hijacking attacks occur in the presentation layer. Encryption technologies ensures the confidentiality and integrity of data during transmission.

7 – Application Layer

This layer provides services for the end user, such as mail services, directory services, file transfer, access, and management (FTAM). File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), and email protocols (SMTP, POP3, IMAP) are some examples of application layer protocols.

Application layer attacks are the hardest to defend against because many vulnerabilities are encountered here since it`s the layer that is most exposed to the outer world. Employing application monitoring technologies to detect layer 7 and zero-day attacks, and updating the applications regularly are best practices to secure the application layer.

The most common cyberattacks occur at this layer, including viruses, worms, Trojan horses, phishing attacks, DDoS attacks, HTTP floods, SQL injections, cross-site scripting, and many more.

Conclusion

The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. In its complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kind of attacks and vulnerabilities available on each layer and implement proper defense strategies to protect a network.

About the Author:

Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.