7

As I understand it, there are generally only two common types of Denial of Service attacks in regards to the OSI model:

  • Network-Layer-DoS (NLDoS) on layers 3, 2 or 1.

  • Application-Layer-DoS (ALDoS) on layers 7, 6, or 5.

What about layer 4? Are there any generally common Denial of Service attacks available on this layer? Also, is my reducing attempt accurate?

  • OSI model is an idealized representation of how to design a network protocol. Real world implementation of TCP/IP deviates quite a bit from OSI model, so real world attacks often don't quite match the layers in OSI models either. – Lie Ryan Sep 16 '18 at 07:47
  • The reason for the bounty is in the bounty message and does not appear within the StackExchange app. – schroeder Sep 18 '18 at 07:19

4 Answers

6

Layer 4 (Transport) DoS attack is often referred to as a SYN flood.

Layers 5, 6 and 7 of the OSI model are referred to as the application layer within TCP/IP, which you mentioned as "Application-Layer-DoS (ALDoS), on layer 7". However, an application layer flood could be referred to as XDoS. Unfortunately, besides the DDoS Quick Guide by the National Cybersecurity and Communications Integration Center, 29 January 2014, I could not find much regarding the OSI model for DoS. Instead, most documentation speaks about the TCP/IP model for DoS.

From DDoS Quick Guide I was able to determine these examples for the OSI Model though:

  • Layer 5 (Session) - Telnet DDoS attack
  • Layer 6 (Presentation) - Malformed SSL Request
  • Layer 7 (Application):
    • PDF GET request
    • HTTP GET
    • HTTP POST
safesploit
  • I am unclear on what needs editing. However, I believe *Transport-Layer-Dos (TLDoS); on layer 4* is likely your answer, regarding the acronym and name. For reliability and stability reasons primarily, the OSI model is not used in a production environment anymore and instead, the TCP/IP model is used. However, the OSI model is used as a reference tool. [Difference between OSI and TCP/IP](http://www.differencebetween.net/technology/internet/difference-between-osi-and-tcp-ip-model/) should clarify. [OSI and TCP/IP models image](https://24itworld.files.wordpress.com/2016/08/136014-proto.jpg?w=620) – safesploit Sep 18 '18 at 20:00
  • This answer is wrong and misleading. Transport Layer DDoS is not limited to *only* SYN flood. – ximaera Sep 20 '18 at 14:39
  • I never said OSI Layer 4 was restricted to *SYN flood* I merely gave an example, then made reference to a source with more explicit answers. [DDoS Quick Guide](https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf) – safesploit Sep 20 '18 at 17:09
  • Err. https://www.merriam-webster.com/dictionary/refer%20to%20as : "to refer to as" means to call (a layer 4 attack) by (the name of SYN flood). The opposite is true: SYN flood is often referred to as a layer 4 DDoS attack, but not vice versa. – ximaera Sep 20 '18 at 17:42
  • "Refer to as" or "an example is" both can be used interchangeably. While I see your confusion, because "refer to as" can have two interpretations, I did provide a couple of sources to consult for this reason, as I am merely paraphrasing. Furthermore, I am working off my references; given you have not provided a viable alternative or source, I cannot make any changes without skewing necessary facts. And simply providing a URL-only answer will not suffice with StackExchange policies. – safesploit Sep 20 '18 at 20:13
  • oh, really? Glad to hear that. Have reverted my downvote (though I'd personally strongly suggest that you'd rephrase that to avoid any further inconvenience). As for the references, please see my own answer. – ximaera Sep 20 '18 at 20:17
6

OSI Layers and Sample DoS attacks are as follows:

Layer 7 (Application Layer) - HTTP GET or POST based attacks

Layer 6 (Presentation Layer) - Malformed SSL request attacks

Layer 5 (Session Layer) - Telnet/SSH session attacks

Layer 4 (Transport Layer) - SYN Flood attacks/ SMURF attacks

Layer 3 (Network Layer) - ICMP flood attacks

Layer 2 (Data Link Layer) - MAC flooding attacks

Layer 1 (Physical Layer) - Physical destruction

Kay
  • reflection? DNS? physical could also be interference/jamming. Are session attacks DoS? – schroeder Sep 17 '18 at 16:13
  • Thanks for the suggestions. On Telnet, many organizations have limitations (FW level or system level) on the number of Telnet sessions allowed. Hence if an attacker started utilizing all sessions, legitimate users may not be able to get access... – Kay Sep 19 '18 at 08:21
  • Then you used the incorrect term. That's not a session attack. A session attack is when one takes over an existing session. You meant "resource exhaustion" or something similar. – schroeder Sep 19 '18 at 08:28
4

What about layer 4 and is my reducing attempt accurate?

Your reducing attempt appears to group levels 3, 2, and 1 together and group 7, 6, and 5 together. This is not entirely accurate since denial of service attacks can exist at every level of the OSI model.

In addition, there is a complication with respect to the OSI model versus the real world. The other answers and comments are correct that the seven-layer OSI model is not the model that is most commonly used to describe network-based attacks (such as DOS). The more commonly used model is the "TCP/IP" Internet stack model. The main semantic difference between these models is that the OSI model uses layers 5, 6, and 7, whereas in the TCP/IP model everything above TCP is just called layer 5 (the application layer). One reason for this is that the OSI model is protocol independent, but in the real world TCP/IP is king. In TCP/IP, TCP and IP correspond to layers 4 and 3 of the OSI model, respectively. Everything above TCP is just called layer 5 (the application layer).

Regarding layer 4: There are a variety of attacks that can occur at layer 4. In the real world, for the most part this means attacks on the transport layer via TCP or UDP (two of the major transport layer protocols). As the other answers and comments mention, one major attack via TCP is the TCP SYN Flood attack. This involves sending a large number of SYN packets to open connections on the machine being attacked, but never completing or ending the connection so that the attacked machine spends resources and time listening and has to eventually time out. I list some layer 4 DOS (or DDOS) attacks below:

  • TCP SYN Flood Attack (Described above and in other answers)
  • TCP SYN-ACK Attack (Send SYN with a spoofed address to zombie machine(s), zombie(s) send(s) SYN-ACK to attack target)
  • UDP Flood Attack (Sending lots of UDP packets)

Regarding ICMP, this is also often called "ping," and is used to understand network connectivity. For this reason it is better to call an ICMP flood attack a layer 3 attack rather than a layer 4 attack even though ICMP "lives above" IP.

Here are some additional examples of DOS attacks at each layer of the Internet stack:

  • Layer 5 (Application Layer): Examples of application layer protocols are HTTP, FTP, DNS, etc. A DNS flood attack is an example of a DOS attack where attackers try to use up all a DNS server's resources and thereby deny service to other legitimate users.
  • Layer 4 (Transport Layer): (See above)
  • Layer 3 (Network Layer): ICMP flood (See discussion of ICMP above). For another example, consider IP hijacking.
  • Layer 2: CAM table overflow of a layer-2 switch.
  • Layer 1: Cut the Ethernet cable. Or, another example, cellular phone jamming (blast the physical (air) channel with RF noise).
hft
  • What is the reason to put ICMP flood on the layer 4? Just because ICMP is (believed to be) a L4 protocol? In this case, DNS amplification or NTP amplification are layer 7 attacks, which doesn't make any sense. – ximaera Sep 20 '18 at 14:44
  • I explained in the post that it would be better to put this at layer three, but I guess having it in the list of layer four attacks is misleading. I'll just remove it. – hft Sep 20 '18 at 15:25
2

There are basically two different approaches to classify DDoS attacks using the ISO/OSI network model.

1) The first of those is mostly popular in research papers: try to parse the payload of the packets the victim is receiving, as if it were legitimate traffic. The topmost (in terms of OSI model) protocol which is still recognizable defines the layerness of the attack.

Say, you're operating on a gigabit link and are receiving 3 gigabits of UDP flood per second, which renders your Internet-facing services unreachable for the rest of the world due to heavy congestion. With this approach, if the source or destination UDP port within the attack packets equals 53 and contents of those packets resemble DNS queries, then you can say it's a "DNS flood". Domain Name System belongs to the OSI layer 7, so this is a layer 7 DDoS attack.

But if suddenly the UDP port value is changed to, say, 0, then it immediately becomes a layer 4 DDoS attack ("UDP flood"), though the ultimate effect of the attack stays the same.

With this approach, virtually any attack where packets contain any sensible value in the IPv4 Protocol/IPv6 Next Header field but don't allow for any further fingerprinting would be a layer 4 attack.

2) The other approach, which is mostly used by DDoS mitigation vendors[1], [2], [3], is as follows. The purpose of a DDoS attack is to bring a network resource down. A network resource doesn't provide a service if, and only if, at least one of the network layers it depends on doesn't work properly. An attack "belongs" to the lowest layer which gets affected.

This way, in the example above, both DNS flood and UDP flood would be marked with either OSI layer 2 or layer 3, depending on the architecture of your network (e.g. whether the likes of arp packet-priority enable are configured on your switches, and so on), and any attack which affects layer 4 implementations (e.g. TCP drivers and kernel modules) directly would be a layer 4 attack. Common examples include:

and so on.

ximaera
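The two classification approaches in this answer, as an added example that is not part of the original answer or any vendor's code: `classify_by_payload` implements approach 1 on constructed IPv4 packets built with `struct` (it stops at the topmost protocol it can still recognise, so a DNS-looking payload on port 53 is layer 7 while the same packet on port 0 is layer 4), and `classify_by_impact` implements approach 2 over a hand-written symptom-to-layer map, returning the lowest affected layer. The packet builders, the `looks_like_dns_query` check and the `SYMPTOM_LAYER` table are assumptions for illustration; ICMP is placed at layer 3 following hft's answer.

```python
import struct

# --- constructed packets (not captures): minimal IPv4/UDP/TCP builders ---------
def build_ipv4(proto, payload, src=b"\xc6\x33\x64\x07", dst=b"\x0a\x00\x00\x05"):
    """20-byte IPv4 header without options; checksum left at zero for brevity."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp_syn(sport, dport):
    # data offset 5 words, flags byte 0x02 = SYN only
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed DNS query for example.com/A: header (QR=0, QDCOUNT=1) + QNAME + QTYPE/QCLASS
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


def looks_like_dns_query(data):
    """Cheap sanity check: QR bit clear, one question, well-formed QNAME, QTYPE/QCLASS present."""
    if len(data) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", data[2:6])
    if flags & 0x8000 or qdcount != 1:
        return False
    pos = 12
    while pos < len(data):
        label_len = data[pos]
        if label_len == 0:
            return len(data) >= pos + 5          # terminator + QTYPE + QCLASS
        if label_len > 63:                       # a label is at most 63 octets
            return False
        pos += 1 + label_len
    return False


def classify_by_payload(packet):
    """Approach 1: the topmost protocol still recognisable in the packet sets the layer.
    Returns (attack label, OSI layer)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("unparseable", None)
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == 1:                                # ICMP rides directly on IP
        return ("ICMP flood", 3)
    if proto == 6:
        if len(body) >= 20 and body[13] & 0x12 == 0x02:   # SYN set, ACK clear
            return ("TCP SYN flood", 4)
        return ("TCP flood", 4)
    if proto == 17:
        if len(body) >= 8:
            sport, dport = struct.unpack("!HH", body[:4])
            if 53 in (sport, dport) and looks_like_dns_query(body[8:]):
                return ("DNS flood", 7)
        return ("UDP flood", 4)
    # A sensible Protocol value with nothing further to fingerprint: layer 4 under this approach
    return ("IP protocol %d flood" % proto, 4)


# --- approach 2: the lowest layer whose implementation actually stops working ----
# Assumed mapping from an observed symptom to the OSI layer it belongs to.
SYMPTOM_LAYER = {
    "uplink_saturated": 2,        # switch/uplink cannot forward more frames
    "router_cpu_exhausted": 3,
    "syn_backlog_full": 4,
    "tls_handshake_queue_full": 6,
    "worker_threads_busy": 7,
}


def classify_by_impact(symptoms):
    """Approach 2: the attack belongs to the lowest affected layer (None if nothing is affected)."""
    hit = [SYMPTOM_LAYER[name] for name, present in symptoms.items() if present]
    return min(hit) if hit else None


if __name__ == "__main__":
    dns_flood = build_ipv4(17, build_udp(40000, 53, DNS_QUERY))
    udp_flood = build_ipv4(17, build_udp(40000, 0, b"\x00" * 16))
    print(classify_by_payload(dns_flood), classify_by_payload(udp_flood))
    # The same 3 Gbit/s DNS flood on a 1 Gbit/s link: approach 2 blames the saturated uplink
    print(classify_by_impact({"uplink_saturated": True, "worker_threads_busy": True}))
```

Running the block shows the disagreement the answer describes: the DNS-shaped flood is "layer 7" under approach 1 and layer 2 under approach 2, and flipping the UDP port to 0 changes approach 1's verdict to layer 4 without changing approach 2's at all.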