Intermediate ⏱ 60 Minutes Prereq: Module 01

OSI & TCP/IP Models

To exploit a network, you must understand how data is packaged. This module breaks down the layers of communication and how they are targeted by attackers.

1. The OSI Model


The OSI (Open Systems Interconnection) model is a 7-layer framework used to describe how data moves from one device to another.

Why the OSI Model Exists

The OSI model is not a protocol itself; it is a conceptual framework. It was created to standardize how vendors build networking hardware and software.

Instead of one giant system handling communication, responsibilities are divided into layers. Each layer solves a specific problem.

🧠 Analyst Mindset

When troubleshooting or attacking a system, always ask: "Which layer is failing?" Misconfiguration at one layer cannot be solved at another.

Layer   Name           Data Unit (PDU)
L7      Application    Data
L6      Presentation   Data
L5      Session        Data
L4      Transport      Segments
L3      Network        Packets
L2      Data Link      Frames
L1      Physical       Bits

Layer Breakdown (What Each Actually Does)

  • Layer 7 – Application: User-facing protocols (HTTP, FTP, DNS).
  • Layer 6 – Presentation: Encryption, compression (SSL/TLS).
  • Layer 5 – Session: Maintains communication sessions.
  • Layer 4 – Transport: Controls reliability (TCP/UDP, ports).
  • Layer 3 – Network: Logical addressing (IP routing).
  • Layer 2 – Data Link: MAC addressing, switching.
  • Layer 1 – Physical: Electrical signals, cables, radio waves.

Troubleshooting by Layer

  • No link light? → Layer 1 issue.
  • Connected but no internet? → Layer 3 routing issue.
  • Website not loading but ping works? → Layer 7 problem.

Good analysts isolate problems layer by layer.

Mnemonic Tool

Remember it from bottom (L1) to top (L7): Please Do Not Throw Sausage Pizza Away.

2. Data Encapsulation

As data travels down the layers, each layer adds a "Header" (like an envelope). This process is called Encapsulation. When the receiver gets it, they De-encapsulate it.

[L2 Header] [L3 Header] [L4 Header] [Data Payload] [L2 Trailer]
^--- The "Frame" that actually hits the wire ---^

Encapsulation Flow Example

  1. You type a URL in your browser (Layer 7).
  2. Data is encrypted (Layer 6).
  3. A session is established (Layer 5).
  4. TCP adds port numbers (Layer 4).
  5. IP adds source/destination IP (Layer 3).
  6. Ethernet adds MAC addresses (Layer 2).
  7. Bits are transmitted over wire or Wi-Fi (Layer 1).

At the receiver side, this process is reversed (De-encapsulation).

Real Packet Example (HTTP Request)

Ethernet Header (MAC)
IP Header (Src: 192.168.1.10 → Dest: 142.250.183.14)
TCP Header (Src Port: 49152 → Dest Port: 80)
HTTP Payload: GET /index.html HTTP/1.1

This shows how a simple web request is layered. Each layer adds its own control information.

πŸ›‘οΈ Deep Packet Inspection (DPI)

Basic firewalls only look at L3 (IP) and L4 (Ports). Modern security tools use DPI to look inside the L7 "Data Payload" to find malware.
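The encapsulation flow and the packet example above, plus the L3/L4-filter versus DPI distinction, as an added worked example (this is not code from the module): it packs a real Ethernet II / IPv4 / TCP frame around the same HTTP request, then de-encapsulates it layer by layer on the "receiving" side, verifying the IPv4 header checksum on the way. The IP addresses and ports are the ones from the packet example; the MAC addresses, IPv4 identification field, sequence number and the allowed-port policy are constructed sample values, and the TCP checksum is left at zero to keep the block short.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a header that already
    carries a correct checksum the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Encapsulate top-down: L7 payload -> TCP segment -> IPv4 packet -> Ethernet frame."""
    # Layer 4: 20-byte TCP header, flags PSH|ACK, no options. TCP checksum left at 0
    # (constructed simplification); a real stack computes it over a pseudo-header.
    seq, ack = 1000, 0
    offset_flags = (5 << 12) | 0x18
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, 65535, 0, 0)
    segment = tcp + payload
    # Layer 3: 20-byte IPv4 header; protocol 6 = TCP; checksum patched in after packing
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(segment), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet II header, EtherType 0x0800 = IPv4 (the FCS trailer is added by the NIC)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + segment

def parse_frame(frame: bytes) -> dict:
    """De-encapsulate bottom-up, the way the receiving host does."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_len]
    src_port, dst_port, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_flags >> 12) * 4
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "proto": ip[9],
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[data_offset:],
    }

def l3_l4_allows(fields: dict, allowed_ports=(80, 443)) -> bool:
    """What a basic firewall sees: protocol and port only, never the payload."""
    return fields["proto"] == 6 and fields["dst_port"] in allowed_ports

def dpi_matches(fields: dict, signature: bytes) -> bool:
    """What DPI adds: a look inside the L7 payload for a content signature."""
    return signature in fields["payload"]

def sample_http_frame() -> bytes:
    """Constructed frame using the addresses and ports from the module's packet example."""
    return build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                       "192.168.1.10", "142.250.183.14", 49152, 80,
                       b"GET /index.html HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    fields = parse_frame(sample_http_frame())
    for k, v in fields.items():
        print(f"{k:>9}: {v}")
    print("L3/L4 filter allows:", l3_l4_allows(fields))
    print("DPI sees the GET:", dpi_matches(fields, b"GET /index.html"))
```

Running it prints the 82-byte frame's fields (14 bytes Ethernet + 20 IPv4 + 20 TCP + 28 payload). The two filter functions make the DPI point concrete: `l3_l4_allows` never touches `payload`, so anything carried over an allowed port passes it, while `dpi_matches` is the only one that can react to what the L7 data actually contains.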

3. TCP vs UDP

The Transport Layer (L4) decides how to send data. It's a choice between Reliability and Speed.

Feature       TCP (Transmission Control)       UDP (User Datagram)
Connection    Connection-Oriented              Connectionless
Speed         Slower (Reliability overhead)    Faster (Fire and forget)
Reliability   Guaranteed Delivery              No Guarantee
Examples      HTTP, SSH, FTP                   DNS, VoIP, Gaming

When to Use Each

  • TCP: When data integrity matters (Web browsing, SSH, file transfer).
  • UDP: When speed matters more than reliability (Gaming, VoIP, Streaming).

Understanding Port Numbers

Ports allow multiple services to run on the same IP address.

  • Port 80 → HTTP
  • Port 443 → HTTPS
  • Port 22 → SSH
  • Port 53 → DNS

🎯 Recon Insight

Port scanning reveals which services are exposed. Open ports define your attack surface.

βš”οΈ Attack Surface

Because UDP has no handshake, it is commonly abused in amplification attacks (e.g., DNS amplification).

4. The 3-Way Handshake


Before TCP sends any real data, it performs a 3-step greeting to ensure both sides are ready.

1. Client -> [SYN] -> Server (Synchronize?)
2. Server -> [SYN/ACK] -> Client (Yes, Synchronize & Acknowledge)
3. Client -> [ACK] -> Server (Understood, Acknowledged)

💀 SYN Flood Attack

Hackers send thousands of [SYN] packets but never send the final [ACK]. This leaves the server's memory full of "half-open" connections, causing a Denial of Service (DoS).

Why the Handshake Matters

The handshake ensures:

  • Both sides agree on sequence numbers.
  • Both sides are ready to receive data.
  • The connection is legitimate.

If this process is interrupted, connections fail.

Sequence Numbers Explained

Each SYN packet includes a random sequence number. The server replies with its own sequence number plus acknowledgment of the client’s number.

This prevents packet replay and ensures ordered delivery.

πŸ” Blue Team Insight

Unusual numbers of SYN packets without ACK responses may indicate scanning or DoS attempts.

5. Layer-Based Attacks

Hackers target specific layers depending on their goal. Knowing where an attack lives helps you defend against it.

OSI Layer             Attack Examples
Layer 7 (App)         SQL Injection, Cross-Site Scripting (XSS)
Layer 4 (Transport)   Port Scanning, SYN Flooding
Layer 3 (Network)     IP Spoofing, ICMP Smurfing
Layer 2 (Data Link)   ARP Spoofing, MAC Flooding

Defense Strategy by Layer

  • L7: Web Application Firewall (WAF)
  • L4: Stateful Firewalls
  • L3: Router ACLs, IP filtering
  • L2: Port Security, ARP Inspection

Stateful vs Stateless Security

  • Stateless Firewall: Checks packets individually.
  • Stateful Firewall: Tracks connection state (e.g., completed handshake).

Stateful inspection prevents spoofed packets from bypassing filters.

Security is strongest when protection exists at multiple layers.
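The 3-way handshake, the sequence-number check, the Blue Team half-open indicator and the stateful-versus-stateless comparison above, as one added worked example (not code from the module): a small connection tracker that follows each TCP connection through SYN, SYN/ACK and ACK while checking that each acknowledgment matches the other side's sequence number, counts half-open connections per source the way a SYN-flood or scan detector would, and shows why a stateless "ACK flag set" rule passes a spoofed packet that a stateful filter rejects. All packet records, addresses, ports, sequence numbers, the allowed-port policy and the threshold are constructed sample values.

```python
from collections import Counter

SYN, ACK, RST = "SYN", "ACK", "RST"
ALLOWED_PORTS = {80, 443}   # constructed policy: inbound web traffic only

def pkt(src, sport, dst, dport, flags, seq=0, ack=0):
    """A constructed packet record standing in for a parsed TCP/IP header."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "seq": seq, "ack": ack}

class ConnTracker:
    """Follows each connection through the 3-way handshake, as a stateful firewall does."""

    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> state plus both ISNs
        self.conns = {}

    def lookup(self, p):
        """Find the tracked connection a packet belongs to and which side sent it."""
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.conns:
            return fwd, "client"
        if rev in self.conns:
            return rev, "server"
        return None, None

    def observe(self, p):
        """Advance the state machine and name the event this packet represents."""
        f = p["flags"]
        if f == {SYN}:                                    # step 1: client picks its ISN
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            self.conns[key] = {"state": "SYN_RECEIVED", "cisn": p["seq"], "sisn": None}
            return "syn"
        key, side = self.lookup(p)
        if key is None:
            return "no-state"                             # no handshake seen for this 4-tuple
        c = self.conns[key]
        if RST in f:
            del self.conns[key]                           # either side tore the connection down
            return "reset"
        if f == {SYN, ACK} and side == "server" and c["state"] == "SYN_RECEIVED":
            if p["ack"] != c["cisn"] + 1:                 # must acknowledge the client's ISN
                return "bad-ack"
            c["sisn"] = p["seq"]                          # step 2: server picks its own ISN
            return "syn-ack"
        if f == {ACK} and side == "client" and c["state"] == "SYN_RECEIVED" and c["sisn"] is not None:
            if p["ack"] == c["sisn"] + 1 and p["seq"] == c["cisn"] + 1:
                c["state"] = "ESTABLISHED"                # step 3 completes the handshake
                return "established"
            return "bad-ack"
        return "data" if c["state"] == "ESTABLISHED" else "out-of-order"

    def half_open_by_source(self):
        """SYN_RECEIVED entries per client IP: the SYN-flood / scan indicator."""
        return Counter(k[0] for k, c in self.conns.items() if c["state"] == "SYN_RECEIVED")

    def suspicious_sources(self, threshold):
        return sorted(s for s, n in self.half_open_by_source().items() if n >= threshold)

def stateless_allows(p):
    """Packet-at-a-time ACL: allowed ports, plus anything with ACK set (the classic
    'established' keyword, which trusts a flag instead of real connection state)."""
    return p["dport"] in ALLOWED_PORTS or ACK in p["flags"]

def stateful_allows(tracker, p):
    """New SYNs to allowed ports; otherwise only packets of a tracked connection."""
    if p["flags"] == {SYN}:
        return p["dport"] in ALLOWED_PORTS
    return tracker.lookup(p)[0] is not None

def demo():
    """Constructed traffic: one clean handshake, one spoofed ACK, one half-open burst."""
    t = ConnTracker()
    client, server = "192.168.1.10", "10.0.0.5"
    events = [t.observe(p) for p in (
        pkt(client, 49152, server, 80, {SYN}, seq=1000),
        pkt(server, 80, client, 49152, {SYN, ACK}, seq=5000, ack=1001),
        pkt(client, 49152, server, 80, {ACK}, seq=1001, ack=5001),
    )]
    # A bare ACK to port 22 from a source that never completed a handshake
    spoofed = pkt("203.0.113.9", 40000, server, 22, {ACK}, seq=1, ack=1)
    verdicts = (stateless_allows(spoofed), stateful_allows(t, spoofed))
    # Ten SYNs from one source, none of them followed by the final ACK
    for port in range(50000, 50010):
        t.observe(pkt("198.51.100.7", port, server, 80, {SYN}, seq=port))
    return events, verdicts, t.suspicious_sources(threshold=5)

if __name__ == "__main__":
    events, verdicts, suspects = demo()
    print("handshake events:", events)
    print("spoofed ACK allowed by stateless / stateful:", verdicts)
    print("sources over the half-open threshold:", suspects)
```

`demo()` returns `['syn', 'syn-ack', 'established']` for the clean handshake, `(True, False)` for the spoofed ACK (the stateless rule lets it through because the ACK bit is set; the stateful filter has no connection to attach it to), and `['198.51.100.7']` as the only source holding five or more half-open connections. In production the threshold would be applied per time window and the half-open entries would age out, which this in-memory tracker does not do.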

🧪 Mini Exercise

Run a "Stealth Scan" using Nmap: sudo nmap -sS [target-ip].
This performs a "Half-Open" handshake (SYN, then RST) to see if a port is open without completing the connection.

6. OSI vs TCP/IP

The OSI model has 7 layers. The TCP/IP model has 4 layers and is used in real-world networking.

OSI Model                             TCP/IP Model
Application, Presentation, Session    Application
Transport                             Transport
Network                               Internet
Data Link + Physical                  Network Access

🧠 Knowledge Check

  • Which OSI layer is responsible for encryption?
  • Why does UDP not require a handshake?
  • At which layer does ARP operate?
  • What happens if Layer 3 fails but Layer 2 works?
  • Why are SYN floods effective?

📌 Module Recap

  • OSI Model has 7 layers; TCP/IP has 4 layers.
  • Encapsulation wraps data in headers as it moves down the stack.
  • TCP is reliable (Handshake); UDP is fast (No Handshake).
  • Security issues exist at every layer of the stack.