Relating the OSI model to cybersecurity


Written by Kevin Perez

12/30/2022

As a follow-up to our recent article introducing the Open System Interconnection (OSI) model, we will be going into detail on looking at the model through a cybersecurity lens. Understanding what protocols are targeted in network communication will allow you to best implement security to protect from these attacks. In this article, we will discuss how the OSI model can be used to understand both cyberattacks and the cybersecurity measures that can be used to protect from these attacks.

Cyberattacks that target each layer

In our last article, we discussed the processes that occur in the different layers of the OSI model. Now we can start to look at how hackers attack vulnerabilities at each layer. The diagram above includes some of the most common attack vectors that hackers use. These attacks generally target protocols and vulnerabilities found on these specific layers, but just as the OSI model had some overlap between layers, so will these attacks. Even so, it is helpful to be able to quickly identify threats that are occurring in relation to the layer they are on.

Going down from layer 7 to layer 1, we will talk about common attack vectors found in each layer. The most common type of attack discussed will be variants of Distributed Denial of Service (DDoS) attacks. In a DDoS attack, a hacker overwhelms a network or server with so much traffic that no legitimate users can get in.

Application layer attack HTTP flood

This is a type of volumetric DDoS attack that exploits weaknesses in layer 7 by opening connections and initiating process and transaction requests. By doing this, application DDoS attacks are able to consume disk space and available memory. These attacks are efficient: they require less total bandwidth than the other two methods described earlier to achieve a similarly disruptive effect. These attacks are also particularly hard to distinguish from genuine traffic, and therefore are harder to detect.

An example of a DDoS attack that targets HTTP is the Slowloris attack. The Slowloris attack works by keeping a web server’s connections open for as long as possible. It uses HTTP GET requests to occupy all available HTTP connections on the web server. The server waits for an entire HTTP header to be received before releasing the open connection. Normally, a server will time out if a request takes too long, but during a Slowloris attack, partial request headers are sent to the target to keep the request open. The Slowloris attack is successful once all available server threads are occupied.

Presentation/Session layer attack – SSL hijacking

This attack is also known as session hijacking or cookie hijacking. In this attack, hackers gain unauthorized access to the session key, and then are able to exploit a session that the user assumes is a safe connection. The user will go to an HTTPS domain that appears to be valid, but in reality it has been compromised, and the user is actually on a proxy site. These are a form of phishing attack and can be used to infect a system with malware, launch a ransomware attack, or steal credentials.

Transport Layer attack – SYN flood

SYN flood is another type of DDoS attack. A SYN flood attack exploits a layer 3 and 4 protocol. A SYN flood exploits the three-way handshake process of a TCP (Transmission Control Protocol) connection. The normal process of a TCP connection involves: a client initiating a connection by sending a SYN (synchronize) packet to the server, the server responding to this packet with a SYN/ACK (synchronize-acknowledge) packet, and then the client returning the ACK (acknowledge) packet. Once this process is complete, the TCP connection is able to send and receive data. The exploit comes from a hacker continually sending SYN packets to the server, but never sending the ACK packet back to the server to complete the TCP handshake. For the DDoS attack to be successful, the SYN attack needs to be larger than the available backlog in the target’s operating system.
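To make the backlog point concrete, here is an added toy model (not code from the article or from PeerWise) of a listening socket whose half-open queue is bounded by the OS backlog. It shows a flood of SYNs that never receive their ACK locking out a legitimate client, and how the same server with SYN cookies enabled (a simplified HMAC-based version, assumed here) stays reachable because it stores nothing at SYN time.

```python
import hashlib
import hmac
import random

class TcpListener:
    """Toy model of a listening socket. The half-open (SYN-received) queue is
    bounded by `backlog`, standing in for the OS backlog mentioned above."""

    def __init__(self, backlog, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (src_ip, src_port) -> server ISN awaiting its ACK
        self.dropped_syns = 0
        self.secret = b"constructed-demo-secret"  # per-host secret for SYN cookies

    def _cookie(self, src):
        # Simplified SYN cookie: the server ISN is an HMAC of the peer tuple, so the
        # server can verify the final ACK later without storing state at SYN time.
        mac = hmac.new(self.secret, repr(src).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src):
        """Step 1: SYN arrives. Returns the ISN sent in the SYN/ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src)                 # stateless: nothing is queued
        if len(self.half_open) >= self.backlog:      # queue full: the SYN is dropped
            self.dropped_syns += 1
            return None
        self.half_open[src] = random.getrandbits(32)
        return self.half_open[src]

    def on_ack(self, src, ack_num):
        """Step 3: the final ACK must acknowledge ISN + 1 to establish the connection."""
        expected = self._cookie(src) if self.syn_cookies else self.half_open.get(src)
        if expected is None or ack_num != (expected + 1) & 0xFFFFFFFF:
            return False
        self.half_open.pop(src, None)                # slot freed, connection established
        return True

def run_flood(backlog, syn_cookies, attack_syns=1000):
    """Flood the listener with SYNs that never get their ACK, then try a real handshake."""
    server = TcpListener(backlog, syn_cookies)
    for i in range(attack_syns):                     # constructed spoofed sources
        server.on_syn((f"198.51.100.{i % 250}", 10000 + i))
    client = ("192.0.2.10", 40000)                   # legitimate client
    isn = server.on_syn(client)
    ok = isn is not None and server.on_ack(client, (isn + 1) & 0xFFFFFFFF)
    return ok, len(server.half_open), server.dropped_syns
```

With `backlog=128` and no cookies, 1000 unanswered SYNs fill the queue and the legitimate client's SYN is dropped; with cookies the queue stays empty and the handshake completes.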

Network Layer attack – ICMP flood (ping) attack

To perform this attack a hacker will overwhelm their target with ICMP echo requests (also known as pings). Outside of a malicious context, ICMP echo requests and subsequent echo-reply messages are used to diagnose the health and connectivity of a device and to test the connection between the sender and the device. A specific computer or router can be targeted for these attacks. A system can only receive and reply to a certain number of ICMP echo requests before it gets overwhelmed.

Data Link Layer attack – MAC flooding

This attack is executed by flooding network switches with fake MAC addresses. A network switch forwards data packets to and from devices connected within a network. In the data link layer, the network switches forward data based on the destination MAC address. A hacker can flood the network switch with a high volume of frames containing fake source MAC addresses. This overwhelms the MAC address table’s capacity, and in order to deal with this the switch removes old (real) MAC addresses and replaces them with new (fake) addresses. As the legitimate MAC addresses are forced out of the MAC address table, large amounts of incoming frames are flooded out on all ports. Traffic meant for other users is therefore sent to every port, which gives the hacker access to the ingoing and outgoing traffic of those users.
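The following added simulation (not code from the article) models a learning switch with a bounded MAC table to show the mechanism above: once fabricated source addresses evict the real entries, a frame between two legitimate hosts is flooded out of every port, including the attacker's. The `max_macs_per_port` parameter is an assumed, simplified model of the port-security limit switches offer as a mitigation, in a "restrict" mode that drops frames from addresses beyond the limit.

```python
class Switch:
    """Toy learning switch. The MAC table is bounded by `table_size`, standing in
    for a real switch's CAM table; `max_macs_per_port` models port security."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port   # None = port security off
        self.mac_table = {}       # mac -> port; insertion order doubles as age
        self.violations = []      # (port, mac) pairs blocked by port security
        self.flooded = 0          # frames sent out of every port

    def _learn(self, src_mac, in_port):
        on_port = sum(1 for p in self.mac_table.values() if p == in_port)
        if src_mac in self.mac_table:
            self.mac_table.pop(src_mac)              # refresh: re-insert as newest
        elif self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
            self.violations.append((in_port, src_mac))  # port security "restrict" mode
            return False
        elif len(self.mac_table) >= self.table_size:
            oldest = next(iter(self.mac_table))      # table full: evict the oldest entry,
            del self.mac_table[oldest]               # which may be a legitimate host
        self.mac_table[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress ports for one frame (empty list if port security drops it)."""
        if not self._learn(src_mac, in_port):
            return []
        out = self.mac_table.get(dst_mac)
        if out is None:                              # unknown destination: flood it
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [out]

def mac_flood_demo(port_security=None):
    """Two real hosts, then an attacker spraying fabricated source MACs from p3."""
    sw = Switch(ports=["p1", "p2", "p3"], table_size=64, max_macs_per_port=port_security)
    alice, bob = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed addresses
    sw.forward(alice, bob, "p1")
    sw.forward(bob, alice, "p2")
    for i in range(500):                              # constructed flood from p3
        sw.forward(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "ff:ff:ff:ff:ff:ff", "p3")
    # Bob sends to Alice again: unicast to p1 if the table still knows her,
    # otherwise flooded to every other port, including the attacker's p3.
    return sw.forward(bob, alice, "p2"), len(sw.violations)
```

Without port security the last frame goes out on p1 and p3; with a limit of two addresses per port it goes only to p1 and the remaining 498 fabricated addresses are recorded as violations.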

Physical Layer attack – malicious insiders

Malicious insiders are a larger risk than many businesses would like to believe. IT sabotage involves accessing systems and intentionally sabotaging them. The sabotage can either be deleting critical data or uploading harmful material into these systems. IT employees are often the most dangerous when it comes to malicious insiders, as they most often have access to critical systems. System administrators and programmers in the IT sector are most likely to perpetrate IT sabotage. While other malicious activity generally has a financial motivation, this kind is generally perpetrated by a disgruntled employee, in particular one who has recently been terminated or otherwise subjected to conditions they deem unfair.

Security measures to protect each layer of the OSI model

Vulnerabilities and exploits are what make cyberattacks possible. Protocols on each layer of the OSI model are open to exploits, and as hackers’ sophistication increases, new exploits may be found. Luckily, security experts are just as aware of these exploits as hackers. There are security measures that can be taken to protect against the threats discussed in the last section. 

DDoS attacks

There are several PeerWise articles that directly address the threats discussed, and offer possible solutions to these threats. Since DDoS attacks came up several times as possible attack vectors on these layer protocols, they are what we will address first. All of these tips and more are discussed in our article on DDoS defense.

One of the tools available to help protect against DDoS attacks is a firewall. Often more effective than a regular firewall are Web Application Firewalls (WAF). However, while these can act as a level of protection, they should not be considered your only line of defense. Firewalls can help to protect against certain DDoS attack vectors, such as SYN and UDP floods, up to a point. TCP floods, however, can quickly knock out most firewalls by exploiting a vulnerability in “stateful” devices.

It is important to have a defense-in-depth approach in place, which means having layered security so that if one measure fails there are other measures in place. Bolstering your defenses through network hardening, setting up perimeter security, and considering purchasing a DDoS cloud protection service are all options to better protect against DDoS attacks.

Endpoint security

Several attack vectors used by hackers can be prevented with strong endpoint security. Endpoints are any device that connects to the internet through your network. This includes laptops, desktops, smartphones, tablets, printers, routers, and other IoT devices. Our article on endpoint security solutions lists vendor tools that are available to help improve endpoint security. These include antimalware software, encryption services, and application controls. Each of these plays a role in protecting against attacks on layers within the OSI model, particularly layers 4, 5, and 7.

Malicious insiders

Our article on malicious insiders helps shed light on the fact that malicious insiders are likely more prevalent than many companies would like to believe. A 2022 report by the Ponemon Institute reports that 26% of all insider incidents involved criminal and malicious insiders. In total, this means that about 17% of all data breaches involve malicious insiders.

There are two ways to protect against malicious insiders. The first way is to bolster both physical and network security so that if any insider does want to sabotage systems, they will have a more difficult time. This includes putting locks on rooms in the office that employees do not need access to. This also involves following secure off-boarding procedures and making sure that all logins that a terminated employee had access to are changed. 

The other method is to prevent malicious insiders in the first place. HR plays a leading role in this. It is important to do background checks on employees. It is also important to check employee morale. A good work culture that respects employees can go a long way.
