How to Mitigate DDoS Vulnerabilities in Layers of OSI Model

If you have previously worked in the telecommunication field, most vendors you come across make an attempt to explain products and services in terms of the OSI Model. For someone who has some background in the field of networking and communications, you probably understand what the OSI Model is. But, in case you don’t belong to the field, you need to develop a bit of an understanding. Although OSI models are important for carrying out discussions and conducting evaluative sessions, it is still not implemented in most cases.

So, why particularly is it important to learn what the OSI Model is all about? When we talk about DDoS attacks, they usually target the layers in the OSI model. Understanding the layers will eventually help users understand where the vulnerabilities lie and how can one keep the infrastructure protected. To give you a brief overview, the OSI model was originally developed by representatives of major telecommunication companies in the year 1983. It was established as a common reference model that standardized the governance of transmission of data packets and was adopted as a standard by the ISO.

Explaining the OSI Model Layers

The process of communication in networking is dependent on two endpoints. It can be divided into seven different layers based on their relative functions. In the OSI model architecture, each layer is dependent on the layer above it and is equally dependent on the layer below it. If the lower layer doesn’t fulfill the function, the consecutive layer will fail to get executed, stopping the whole process in its wake. The data flows up from the source computer across the network and then, ultimately flows down through the layers within the receiving computer.

Here is a graphical representation of the OSI Model specifying layers

Sending signals over a network using an Ethernet cable, fiber optic cable, or Wi-Fi requires a combination of application, operating systems, network card drivers, and network hardware. These signals are delivered through seven layers of the function of the OSI Model.

Let’s discuss these seven layers in a top to bottom approach.

Layer 7: Application Layer

Layer 7, commonly known as the application layer, is the layer where communication partners are identified. This is the database access level where end-user protocols, such as FTP, Telnet, SMTP, and RAS, perform their respective functionalities. All messages and packet creations begin at this level. Here, the data is expressed visually so the user can understand. Although the layer is not the application itself, it contains a set of services an application can use.

Vulnerabilities to DDoS Attack

• PDF GET requests, HTTP GET, HTTP POST, = website forms (login, uploading photo/video, submitting feedback)

Mitigation

One way to counteract the DDoS attack possibility on Layer 7 is to bring monitoring software applications into practice. By using a set of dedicated algorithms and technologies that can detect zero-day attacks, effective application monitoring can stop and track back the source from where the attack initiated.

Layer 6: Presentation Layer

Known as the Translator, the presentation layer or Layer 6 is that part of the operating system (OS) that translates the data from the source format into a common format and then sends it to the receiver and vice versa. It uses the protocol of compression and encryption during the transaction of information between users.

Vulnerabilities to DDoS Attack

1. Malformed SSL Requests, Inspecting SSL encryption packets is resource intensive.
2. Attackers use SSL to tunnel HTTP attacks to target the server.

Mitigation

One way to avoid this attack is to offload the SSL from the origin infrastructure. Once you have successfully done that, it’s time to inspect the application traffic for any signs of malicious activities. Be sure to check up on any violations of policy at an application delivery platform (ADP). An effective ADP will also make sure that the traffic is re-encrypted and sent back to the origin infrastructure.

Layer 5: Session Layer

This layer is responsible for establishment, coordination, and termination of sessions. In case there is any interruption in between the session process, this service reviews the authentication and reconnects the layers together. Commonly, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) make better use of this service when working with applications.

Vulnerabilities to DDoS Attack

Telnet DDoS-attacker exploits a flaw in a Telnet server software running on the switch, rendering Telnet services unavailable.

Mitigation

The only way to resolve this vulnerability is to keep your hardware up to date. Most commonly, the hardware provider issues a version update or a patch, which enable users to mitigate the vulnerability.

Layer 4: Transport Layer

The transport layer, on the other hand, is responsible for the packetization of data. It delivers packets of information error-free without observing any losses or duplication. For most applications running on the Internet, these services are provided by the TCP and UDP.

Vulnerabilities to DDoS Attack

SYN Flood, Smurf Attack

Mitigation

A typical method to stop from DDoS attacks taking place on this level is through blackholing. Blackholing is a method implied by the ISPs to stop any DDoS attack that a customer experiences at the transport layer. However, this approach to keep the DDoS attack out of the system stops all traffic (malicious and legitimate) from getting into the system.

Layer 3: Network Layer

The particular layer that handles the routing of data is termed as the network layer. It is also responsible for switching information from one network to another. It specifies the right destination for all transmission data at the packet level. IP is the most common example of a network layer operating on the Internet.

Vulnerabilities to DDoS Attack

ICMP Flooding – this is the Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

Mitigation

You can prevent this kind of attack from taking place by rate-limiting ICMP traffic.

Layer 2: Data-Link Layer

The data-link layer is a protocol layer that transfers data frame in between nodes of the physical layer. It is responsible to conduct an error-free transfer, which allows the layer above it to assume they are virtually error-free. The layer comprises two sub-layers namely;

1. The logical link control layer
2. The media access control layer (MAC)

Vulnerabilities to DDoS Attack

MAC flooding is an attack that inundates the network switch with data packets that usually take place at the data-link layer.

Mitigation

Advance switches can be configured to limit the number of MAC addresses, which are more likely to be learned on ports connected to end stations.

Layer 1: Physical Layer

The physical layer is the bottom layer of the OSI model. It is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. The physical layer covers a variety of devices and mediums, among them cabling, connectors, receivers, transceivers, and repeaters.

Vulnerabilities to DDoS Attack

Physical destruction, obstruction, manipulation, or malfunction of physical assets

Mitigation

Practice defense-in-depth tactics, use access controls, accountability, and auditing to track and control physical assets.

This article was originally published at HostNoc Blog.