Beginner Networks
OSI and TCP/IP models applied to security
Knowing where an attack happens is the first step to stopping it. The OSI model splits communication into 7 layers; TCP/IP condenses that into 4. Each layer has specific protocols — and specific vulnerabilities.
OSI layers and their risks
Layer 7 — Application → HTTP, DNS, SMTP → XSS, SQLi, phishing
Layer 6 — Presentation → TLS, encoding → weak crypto attacks
Layer 5 — Session → RPC, NetBIOS → session hijacking
Layer 4 — Transport → TCP, UDP → SYN flood, port scan
Layer 3 — Network → IP, ICMP, OSPF → IP spoofing, route injection
Layer 2 — Data Link → Ethernet, ARP, VLAN → ARP spoofing, MAC flooding
Layer 1 — Physical → cable, Wi-Fi → physical sniffing, jamming
TCP/IP — equivalent layers
Application → OSI 5, 6, 7
Transport → OSI 4
Internet → OSI 3
Network Access → OSI 1, 2
Why this matters in security
A packet-filtering firewall works at layers 3 and 4: it blocks by IP address and port but cannot see HTTP content. A WAF (Web Application Firewall) works at layer 7: it inspects the full HTTP request. An IDS can operate across multiple layers simultaneously.
Example: SYN Flood
The attack happens at layer 4 (Transport):
Attacker → [SYN] → Server
Server → [SYN-ACK] → Attacker (waits for ACK that never arrives)
Result: half-open connections accumulate until the server's connection (backlog) table is exhausted
Defense: SYN cookies in the kernel, per-IP rate limiting at layer 3.
Example: ARP Spoofing
Occurs at layer 2 (Data Link):
Attacker sends: "192.168.1.1 is at MAC 00:AA:BB:CC:DD:EE"
Victim updates ARP table → traffic flows to attacker
Defense: Dynamic ARP Inspection (DAI) on managed switches.
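The two patterns above, as an added detection example that is not part of the original page: a small script that, over constructed packet summary lines, flags sources with many half-open SYNs (layer 4) and IP addresses announced with more than one MAC (layer 2). The one-line summary format, the sample values and the alert threshold are assumptions made for the example.

```python
# Added example (not from the page): detection heuristics for the layer-4 SYN
# flood and layer-2 ARP spoofing examples above, run over constructed lines.
import re
from collections import defaultdict

TCP_RE = re.compile(r"^TCP (\S+) -> (\S+) \[(SYN|SYN-ACK|ACK)\]$")
ARP_RE = re.compile(r"^ARP reply (\S+) is-at (\S+)$")

# Constructed sample: one completed handshake, one source that only sends
# SYNs, and two ARP replies claiming the gateway IP with different MACs.
SAMPLE_LINES = [
    "TCP 10.0.0.5 -> 192.168.1.10:80 [SYN]",
    "TCP 192.168.1.10:80 -> 10.0.0.5 [SYN-ACK]",
    "TCP 10.0.0.5 -> 192.168.1.10:80 [ACK]",
] + ["TCP 203.0.113.7 -> 192.168.1.10:80 [SYN]"] * 6 + [
    "ARP reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "ARP reply 192.168.1.1 is-at 00:aa:bb:cc:dd:ee",
]

def half_open_by_source(lines):
    """Layer 4: per source, SYNs sent minus the ACKs that completed them.
    Many outstanding SYNs from one source is the SYN flood pattern."""
    pending = defaultdict(int)  # (src, dst) -> half-open connections
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue
        src, dst, flag = m.groups()
        if flag == "SYN":
            pending[(src, dst)] += 1
        elif flag == "ACK" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1  # third handshake step: no longer half-open
    per_src = defaultdict(int)
    for (src, _dst), n in pending.items():
        per_src[src] += n
    return dict(per_src)

def syn_flood_sources(lines, threshold=5):
    """Sources whose half-open count reaches the alert threshold."""
    return sorted(s for s, n in half_open_by_source(lines).items() if n >= threshold)

def arp_conflicts(lines):
    """Layer 2: IPs announced with more than one MAC, an ARP spoofing indicator."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            ip, mac = m.groups()
            seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
```

On the sample, `syn_flood_sources(SAMPLE_LINES)` returns only `203.0.113.7`, since the 10.0.0.5 handshake completed, and `arp_conflicts(SAMPLE_LINES)` reports the gateway IP with both MACs.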
Attack-to-layer mapping
| Layer | Common attack | Primary defense |
|---|---|---|
| 7 | SQLi, XSS | WAF, input validation |
| 4 | SYN flood, port scan | Stateful firewall, rate limit |
| 3 | IP spoofing | BCP38, edge filtering |
| 2 | ARP spoofing | DAI, port security |
Identifying the layer of an attack lets you choose the right defensive tool.