Deep Dive Into the OSI Model

The OSI model is a conceptual model created to standardize communication functions within a TCP/IP network. The acronym stands for Open Systems Interconnection model. It’s a linear model for remembering all the parts that go into one node sending a packet and another node receiving it. After learning it, you find yourself thinking your way through it whenever you are trying to solve a networking issue.

The model consists of seven different layers, which encompass all of the steps from the time you send a packet from your web browser to the time the packet hits whatever server you’re querying. We are going to explain each layer and try to deep dive into some of the concepts surrounding it. We are also going to go over some vulnerabilities that each layer presents. Each layer has a name and a number associated with it. For example, the Physical Layer is referred to as Layer 1, so moving forward we will be using the name of a layer and its number interchangeably.

Let’s start with our first layer, the Physical Layer, which is also considered the bottom layer, and then work our way up.

Physical Layer (Layer 1):

Our Physical Layer consists of the data encoding patterns brought forth by our hardware. This is the layer in which physical media are connected to make our packets go back and forth. It also includes the large set of standards covering pin alignment and count, electrical current and light modulation. This includes the physical pieces we use, such as our data cables and Ethernet cards. A couple of the protocols associated with Layer 1 technology are RJ-45, the connectors on the ends of Ethernet cords, and the Ethernet standard created by the IEEE, also known as IEEE 802.3. For an idea of other devices, we also have LAN hubs and LAN repeaters, which take advantage of those protocols alone, since they don’t perform any routing (or thinking, for that matter).

One of the attacks often associated with this layer is traffic sniffing. As anyone with security experience will tell you, anyone with physical access to your box or your network media can infiltrate your network. All someone needs to do is hook up a physical go-between on your media and they can remotely sniff your traffic, or save it to come back to later. It only costs $10. The other thing is the danger to the network media itself: whether maliciously or accidentally, if there is physical access there is danger to the network.

Data Link Layer (Layer 2):

Our Data Link Layer takes all of the electrical signals coming from the bottom layer and encodes them into bits, which turn into bytes and so on. It encompasses the transport protocol and handles errors from the Physical Layer. It also performs flow control and frame synchronization. We explore this layer by dividing it into two sublayers, the MAC Layer and the LLC Layer.

Logical Link Control (LLC) Layer: The LLC Layer is the upper sublayer and is in charge of error correction and frame syncing.

Media Access Control (MAC) Layer: The MAC Layer is the lower sublayer, which controls the node and how it is granted access and permissions to the network assets.

Some of the protocols in this layer include IEEE 802.3 and HDLC. This layer also includes LAN switches, wireless access points, and cable and DSL modems.

Quick Note:

There are also different models studied for different standards, such as the IP model and the TCP/IP model. There is not much difference in the layers themselves, as they all act the same; however, there are some differences in how they are arranged. For example, the TCP/IP model actually combines the first two layers into one layer. I find it’s far easier to remember the steps in the OSI model and recall them when referencing the IP or TCP/IP models.

One of the fun attacks from this layer is flooding the MAC table. The technique is pretty simple: you flood the MAC table with bogus information, forcing legitimate information to leak to the network. MAC tables are maintained in the switch so that the switch knows which box is on which port and directs traffic accordingly, as opposed to a hub, which blasts information out to each port. The attack implementation can vary, but the best-case scenario for the attacker is to fill the switch’s memory with Ethernet frames, forcing legitimate information to be blasted out to each port on the switch.
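From the defender’s side, a MAC flood looks like one switch port suddenly sourcing a burst of never-before-seen addresses. The following is an added example, not code from the original post: it replays a constructed list of (timestamp, port, source MAC) learning events and flags any port that learns more distinct new MACs within a sliding window than a port-security style limit allows. The port names, MACs and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of switch MAC-learning events: (timestamp_sec, port, src_mac).
# In practice these would come from the switch's MAC-table logs or a SPAN port.
SAMPLE_FRAMES = [
    (0.0, "Gi1/0/1", "00:11:22:33:44:01"),
    (0.1, "Gi1/0/2", "00:11:22:33:44:02"),
    (0.2, "Gi1/0/1", "00:11:22:33:44:01"),   # repeat of a known MAC, not suspicious
] + [
    # port Gi1/0/7 sources 300 unique, never-seen MACs within a third of a second
    (1.0 + i * 0.001, "Gi1/0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    for i in range(300)
]

def new_macs_per_port(frames, window_sec, max_new_macs):
    """Return {port: peak count} for every port that learns more than
    max_new_macs distinct new source MACs inside any window_sec-long window.

    A normal access port learns a handful of MACs and then stays stable; a
    flood shows up as a burst of unique addresses on one port. The same
    limit is what a switch's port-security max-MAC setting enforces in hardware.
    """
    seen = defaultdict(set)          # port -> every MAC learned on it so far
    first_seen = defaultdict(list)   # port -> timestamps of first sightings
    flagged = {}
    for ts, port, mac in sorted(frames):
        if mac in seen[port]:
            continue                  # already known on this port, no new learning
        seen[port].add(mac)
        times = first_seen[port]
        times.append(ts)
        # discard first sightings that have slid out of the window
        while times and ts - times[0] > window_sec:
            times.pop(0)
        if len(times) > max_new_macs:
            flagged[port] = max(flagged.get(port, 0), len(times))
    return flagged

if __name__ == "__main__":
    print(new_macs_per_port(SAMPLE_FRAMES, window_sec=1.0, max_new_macs=50))
```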

Network Layer (Layer 3):

The Network Layer is our next step up, handling the switching and routing of our packets. This routing creates logical paths, also referred to as virtual circuits, which transmit data from one node to another. One of the most quintessential protocols lives on this layer: IP (one half of TCP/IP), the most ubiquitous protocol in networking today. This protocol includes things such as IP addressing and routing, the very basics of how a node talks to a network. We also handle error correction and congestion control here. Some of the other protocols that live on this layer include AppleTalk and IPX.

This layer is vulnerable to a few attacks: the first is IP spoofing, the second is ARP poisoning and the third is route poisoning. IP spoofing is pretty simple; it’s an attack in which the IP information is spoofed, often to take advantage of trust relationships units have with other units on the internal network. ARP poisoning takes advantage of the Address Resolution Protocol. Usually in this attack the attacker sends ARP messages to the local network in hopes of associating the attacker’s IP address with a certain MAC address to fool the network.
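A passive monitor can spot ARP poisoning because the IP-to-MAC bindings it learns stop being consistent. This added example (not from the original post) walks a constructed stream of ARP replies and reports two patterns: an IP that starts answering from a different MAC than it was first learned with, and a single MAC that claims more than one IP. The addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN: (seq, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway answers from its real MAC
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # a host on the LAN
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),   # same binding again, fine
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the host's IP
]

def find_arp_conflicts(replies):
    """Return (rebinds, multi_ip) anomalies from a stream of ARP replies.

    rebinds:  (seq, ip, first_mac, new_mac) for an IP whose MAC changed
    multi_ip: (seq, mac, [ips]) for a MAC that claims several IPs

    Either pattern is how poisoning looks from a monitor; a static ARP entry
    for the gateway or dynamic ARP inspection on the switch is the usual fix.
    """
    ip_to_mac = {}                  # first MAC learned for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    rebinds, multi_ip = [], []
    for seq, ip, mac in replies:
        first_mac = ip_to_mac.setdefault(ip, mac)
        if first_mac != mac:
            rebinds.append((seq, ip, first_mac, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            multi_ip.append((seq, mac, sorted(mac_to_ips[mac])))
    return rebinds, multi_ip

if __name__ == "__main__":
    for anomaly in find_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(anomaly)
```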

Transport Layer (Layer 4):

Our Transport Layer encapsulates the transportation of data between a node and a server. It is responsible for end-to-end error recovery and flow control. To go a little deeper, flow control is the process by which your device transports data from one node to another while making sure the end device can handle the flow of data coming from the sending node. Often the sending and receiving nodes, or the network in between, don’t have matching speeds, so flow control guarantees that your data is going to be received when it is transmitted. What happens on the hardware level and the software level are two very different things. However, the basic mechanism is achieved either through buffering or through an on/off method in which the flow is turned off to allow the slower technology to catch up.

Some of the protocols that live on this layer are TCP and UDP, the other half of TCP/IP. The hardware associated with this layer includes firewalls.

There are different types of denial of service (DoS) attacks. The one that happens at the Transport Layer is referred to as a SYN flood attack. It’s a pretty simple one: the attacker spams the server with a barrage of SYN messages without sending back the SYN-ACK message, taking advantage of the inherent patience of the TCP protocol. This causes the server to be hung up using resources to deal with all the messages and send the replies back.
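The resource a SYN flood exhausts is the state the server keeps for every handshake it has answered but the client never finished. This added example (not from the original post) replays the three-way handshake over a constructed packet list and counts, per server, the connections stuck in that half-open state; the addresses and threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet events: (flags, src, dst). Only the handshake flags matter here.
# Two real clients complete the handshake; 120 spoofed sources send SYN, receive
# SYN-ACK, and never send the final ACK.
SAMPLE_PACKETS = []
for client in ("10.0.0.5", "10.0.0.6"):
    SAMPLE_PACKETS += [("SYN", client, "203.0.113.10"),
                       ("SYN-ACK", "203.0.113.10", client),
                       ("ACK", client, "203.0.113.10")]
for i in range(120):
    spoofed = f"198.51.100.{i % 254 + 1}:{40000 + i}"   # distinct fake source per SYN
    SAMPLE_PACKETS += [("SYN", spoofed, "203.0.113.10"),
                       ("SYN-ACK", "203.0.113.10", spoofed)]

def half_open_per_server(packets):
    """Replay the TCP handshake state machine and return {server: half-open count}.

    A connection is half-open once the server has sent SYN-ACK but no ACK has
    come back; the server holds a control block for each one until it times
    out, which is what the flood piles up. SYN cookies are the usual
    kernel-side mitigation because they let the server answer without
    keeping that state.
    """
    state = {}   # (client, server) -> "SYN" | "SYN-ACK" | "OPEN"
    for flags, src, dst in packets:
        if flags == "SYN":
            state[(src, dst)] = "SYN"
        elif flags == "SYN-ACK" and state.get((dst, src)) == "SYN":
            state[(dst, src)] = "SYN-ACK"      # server answered, waiting on client
        elif flags == "ACK" and state.get((src, dst)) == "SYN-ACK":
            state[(src, dst)] = "OPEN"         # handshake completed
    counts = defaultdict(int)
    for (client, server), st in state.items():
        if st == "SYN-ACK":
            counts[server] += 1
    return dict(counts)

def syn_flood_suspected(packets, threshold):
    """Servers whose half-open backlog has reached the alert threshold."""
    return {s for s, n in half_open_per_server(packets).items() if n >= threshold}

if __name__ == "__main__":
    print(half_open_per_server(SAMPLE_PACKETS), syn_flood_suspected(SAMPLE_PACKETS, 100))
```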

Session Layer (Layer 5):

The Session Layer takes our data and connects, manages and terminates the connection. The Session Layer starts the conversation with the node, handles the exchange of data, and decides when the conversation is over. It also handles security and identification, and it is where all of the logging for sessions lives. The protocols associated with this layer include NFS, NetBIOS, RPC, and SQL.

Presentation Layer (Layer 6):

The Presentation Layer provides the service of translating Application Layer data into network-transferable data formats. Alternatively, it takes the data received over the network and translates it into Application Layer readable data. As an example, text and other commands are taken from the Application Layer and converted into ASCII. This layer is also responsible for encrypting the data going across the network.

Application Layer (Layer 7):

The Application Layer is the layer that the users see. It encompasses all the applications used for sending information over your network. Here in this layer we consider a few things, namely authentication, partner identification, quality of service, and also things like data syntax. The application services can include several things, such as file transfers, e-mail, or network software such as FTP and Telnet. FTP and Telnet exist exclusively on this layer. On this layer also live your web browsers, running protocols such as HTTP/HTTPS, SNMP and NFS.

Quick Note:

The TCP/IP model actually combines the top three layers into one layer. It doesn’t really make a difference how you think about it. However, when you are acutely aware of all the layers, I think that provides a bit of an edge and allows you to think more granularly about the process of sending and receiving data.

Attacks on the Application Layer:

In this section I’m going to go over some of the attacks that plague the upper part of the OSI model. Here we will be referring to the top three layers of the OSI model the way the TCP/IP model refers to them, as a single layer, since the attacks are all the same.

The most well known attack on this layer is the DDoS, or distributed denial of service attack. We know what a denial of service attack is; the DDoS is a step beyond that, where a network of nodes (usually zombie nodes or bots) all focus an attack on one target. This attack can be carried out in a multitude of ways and is usually created for specific targets. In most cases it is used to break a system by hitting it endlessly with requests, or is used as a distraction to launch a more insidious attack.

The other attack mostly associated with this layer is a number of spoofing acts through vectors like the web. An example would be certificate spoofing, sometimes referred to as a man-in-the-middle attack. What takes place in this type of attack is that a certificate is faked, say for example.com; your browser will see the spoofed certificate and register the site as https://example.com, giving you the false assumption of traffic encryption. However, what’s really happening is that someone is listening to the traffic between you and whatever server you are on, thus a man in the middle.

Conclusion:

In conclusion, the OSI model provides a logical path for how information is transferred from one computer to another. This information is very important as it allows you to think through the process, which allows for better troubleshooting, among other activities. The order in which the layers are stacked, from Layer 1 to Layer 7, is the process for receiving data. If you follow the process in reverse order (Layer 7 to Layer 1), that is the process for sending information. You aren’t going to go out and use this for pulling lines or hacking the Gibson; however, knowing it allows a granular look into how information travels.