Complete OSI Layer Breakdown With Attacks, Examples, Detection, and Protection
| Layer | Layer Name | What This Layer Really Does (Plain English) | Attack Types That Target This Layer | Simple Real-World Example | How Attacks Are Detected | How Attacks Are Prevented / Mitigated |
|---|---|---|---|---|---|---|
| 7 | Application | This is where users interact with services: websites, apps, APIs, email, file uploads. Business logic lives here. | SQL Injection, XSS, CSRF, API abuse, authentication bypass, logic flaws, app-layer DDoS, credential stuffing, hardcoded secrets | An attacker enters a SQL injection payload into a login form and dumps the entire database | WAF alerts, abnormal request patterns, failed login spikes, unusual API usage | WAF, secure coding, input validation, MFA, rate limits, regular security testing |
| 6 | Presentation | Makes data readable and secure: encryption, decryption, formatting, compression. HTTPS lives here. | SSL stripping, TLS downgrade, weak encryption attacks, cryptographic flaws, malformed file parsing | Attacker forces HTTPS to downgrade to HTTP on public Wi-Fi | TLS handshake errors, certificate mismatches, protocol downgrade alerts | Enforce TLS 1.3, disable old ciphers, HSTS, certificate pinning |
| 5 | Session | Manages login sessions and keeps conversations alive. Tracks who is logged in and for how long. | Session hijacking, session fixation, session replay, session exhaustion | Attacker steals a session cookie and logs in without a password | Multiple sessions from different locations, abnormal session reuse | Secure cookies, session timeouts, re-authentication, per-IP session limits |
| 4 | Transport | Handles delivery of data using ports and connections (TCP/UDP). Ensures data arrives correctly. | SYN flood, UDP flood, Slowloris, port scanning, TCP hijacking | Server overloaded by half-open connections | Connection spikes, abnormal port activity, SYN backlog alerts | Stateful firewalls, SYN cookies, rate limiting, DDoS scrubbing |
| 3 | Network | Routes data between networks using IP addresses. Decides where packets go. | IP spoofing, DNS poisoning, routing attacks, volumetric DDoS, ICMP floods | Fake DNS sends users to a phishing site | Traffic floods, routing table changes, DNS anomalies | Firewalls, IP filtering, DNS security, rate limiting, BGP protections |
| 2 | Data Link | Moves data inside the local network using MAC addresses and frames. | ARP spoofing, MAC flooding, switch poisoning, VLAN hopping | Attacker intercepts traffic on public Wi-Fi | Duplicate MAC alerts, ARP table changes | Port security, MAC filtering, network segmentation, encrypted LAN traffic |
| 1 | Physical | The physical network: cables, switches, Wi-Fi signals, hardware. | Cable tapping, rogue access points, physical sabotage | Unauthorized device plugged into network port | Inventory mismatches, rogue device detection | Locked rooms, CCTV, access controls, physical audits |
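As an added example (not part of the original table), two of the detection cues above, "failed login spikes" (Layer 7) and "multiple sessions from different locations" (Layer 5), implemented over constructed log lines in a hypothetical one-line-per-event format; the format, field names and sample values are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log lines in a hypothetical format (not from any real system):
# "<ISO timestamp> <src_ip> <event> user=<name> sid=<session id or ->"
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 LOGIN_FAIL user=alice sid=-
2024-05-01T10:00:02 198.51.100.7 LOGIN_FAIL user=alice sid=-
2024-05-01T10:00:03 198.51.100.7 LOGIN_FAIL user=alice sid=-
2024-05-01T10:00:04 198.51.100.7 LOGIN_FAIL user=alice sid=-
2024-05-01T10:00:05 198.51.100.7 LOGIN_FAIL user=alice sid=-
2024-05-01T10:01:00 203.0.113.10 LOGIN_OK user=bob sid=9f3c
2024-05-01T10:02:10 203.0.113.10 REQUEST user=bob sid=9f3c
2024-05-01T10:02:30 192.0.2.55 REQUEST user=bob sid=9f3c
2024-05-01T10:03:00 203.0.113.11 LOGIN_OK user=carol sid=71ab
"""

def parse(log_text):
    """Yield (timestamp, src_ip, event, user, sid) from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, event, user_kv, sid_kv = line.split()
        yield (datetime.fromisoformat(ts), ip, event,
               user_kv.split("=", 1)[1], sid_kv.split("=", 1)[1])

def failed_login_spikes(log_text, threshold=5, window_seconds=60):
    """Layer 7 cue: accounts with >= threshold LOGIN_FAIL events inside a
    sliding window. Returns {user: peak failures seen in any one window}."""
    per_user = defaultdict(list)
    for ts, _ip, event, user, _sid in parse(log_text):
        if event == "LOGIN_FAIL":
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide window start forward until it fits
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def sessions_from_multiple_ips(log_text):
    """Layer 5 cue: one session ID presented from more than one source address,
    the trace a stolen cookie leaves behind. Returns {sid: sorted IPs}."""
    ips_by_sid = defaultdict(set)
    for _ts, ip, _event, _user, sid in parse(log_text):
        if sid != "-":  # "-" marks events that carry no session yet
            ips_by_sid[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
```

On the sample above the Layer 7 check flags alice (five failures within one minute) and the Layer 5 check flags session 9f3c, which was issued to 203.0.113.10 and then presented from 192.0.2.55.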
Expanded Attack Mapping by Category
Credential & Identity Attacks
- Credential stuffing → Layer 7
- Password spraying → Layer 7
- Session cookie theft → Layer 5
- Token replay → Layer 5
Network & Traffic Flooding Attacks
- Volumetric DDoS → Layers 3 & 4
- SYN floods → Layer 4
- Application DDoS → Layer 7
Man-in-the-Middle Attacks
- ARP poisoning → Layer 2
- DNS poisoning → Layer 3
- SSL stripping → Layer 6
Malware & Exploitation
- Drive-by downloads → Layer 7
- Malformed files → Layer 6
- Backdoor traffic → Layers 4 & 7
Lateral Movement
- Pass-the-hash → Layer 5
- SMB abuse → Layer 4
- Internal scanning → Layer 3
How Real Attacks Span Multiple OSI Layers
A typical modern attack looks like this:
- Phishing email tricks a user (Layer 7)
- Session token stolen after login (Layer 5)
- Lateral movement through the network (Layer 3)
- Data exfiltration via encrypted traffic (Layer 6)
- Backup systems deleted (Layer 4)
- Ransomware deployed (Layer 7)
This is why a defense at only one layer fails: it can block one stage of the chain but not the others.
Why Layered Defense Works
Each OSI layer:
- Detects different behaviors
- Uses different tools
- Stops different attack stages
If attackers bypass one layer, another still stands in their way.
Quick Security Tool Mapping to OSI Layers
| Security Tool | OSI Layer(s) |
|---|---|
| Firewall | Layers 3–4 |
| WAF | Layer 7 |
| IDS / IPS | Layers 3–7 |
| EDR | Layers 4–7 |
| SIEM | All layers |
| TLS / SSL | Layer 6 |
| VPN / IPsec | Layers 3–4 |
| Network segmentation | Layers 2–3 |
Final Takeaway
The OSI model is not just theory.
It’s a map of how attacks happen and where to stop them.
- Lower layers stop floods and noise
- Middle layers stop hijacking and movement
- Upper layers stop data theft and logic abuse
The strongest security programs defend every layer, not just the visible ones.
