For any enterprise network, firewalls must be placed at several points in the infrastructure to protect it from attackers. Firewalls receive and analyze traffic according to the layers of the Open Systems Interconnection (OSI) model, an industry-standard reference model that describes how systems communicate. Each layer represents one component of a communication and of the traffic that travels across the wire. Layer 7 is the top layer of the OSI model, and it exposes the most information to a firewall. It is also the layer at which many of the distributed denial-of-service (DDoS) attacks seen today are mounted, which is why an application (layer 7) firewall is now expected alongside the traditional layer 3 and 4 packet filter, which cannot see that information.
Layers 3, 4 and 7 of the OSI Model
The OSI model is not a physical part of the infrastructure. It is a conceptual model that administrators use to isolate communication problems and to reason about which technology operates at which layer. For firewalls, the important layers are 3, 4 and 7. These are the layers at which firewalls analyze traffic and either allow or deny packets.
Layer 3 of the OSI model is the network layer. It determines the path that traffic takes from the source to the destination device, using logical addresses, and it defines the packet structure used to carry data, including fragmentation into smaller pieces. The Internet Protocol (IP) of TCP/IP operates at layer 3.
Transport protocols run at layer 4 of the OSI model; in TCP/IP these are TCP and UDP. Layer 4 is also where port numbers live. TCP adds reliability on top of IP: sequence numbers, acknowledgements and retransmission provide error control, and flow and congestion control keep a sender from overrunning a slower receiver or network. When you connect to a remote server over TCP, layer 4 is what makes the transfer reliable even when source and destination have different bandwidth and speed.
Finally, layer 7 of the OSI model is the application layer, the layer most users are indirectly familiar with. It is where protocols such as HTTP operate to transfer data across the Internet, and web browsers and web servers speak those protocols. Layer 7 carries many data points (URLs, headers, cookies, request bodies) that a firewall can use to analyze traffic and protect the infrastructure.
Layer 3, 4 and 7 DDoS Attacks
Before looking at attacks by OSI layer, it is important to understand that any service interruption caused by an attacker is a denial of service (DoS). By definition, a DoS is any attack that interrupts service for your users, regardless of how it is carried out. For instance, an attacker can deny service on a website whose authentication and password-reset logic is mishandled: if an account is locked after too many failed authentication attempts, an attacker who deliberately triggers that lockout has successfully launched a DoS against that user without sending a single flood packet.
Before servers could process requests as fast as they do now, a single attacker could take down a host alone. The "ping of death" was an early DoS in which an attacker sent a malformed ICMP (Internet Control Message Protocol) echo request: an IP datagram fragmented so that it reassembled to more than the 65,535-byte maximum, overflowing a buffer in the receiving IP stack and crashing the host. It operated at layer 3 of the OSI model, was an issue in the late 1990s, and was fixed by patching the IP stacks rather than by faster hardware. The related ICMP flood, in which an attacker sends echo requests in quick succession to exhaust the target's bandwidth or processing, is a different attack and, in distributed form, still occurs.
The SYN flood, seen since the mid-1990s, combines layer 3 and layer 4. The attacker sends TCP synchronization (SYN) requests to a web server with spoofed source IP addresses. For each SYN, the server allocates a half-open connection entry in its listen backlog and replies with a SYN-ACK to the claimed source. Because that address is spoofed or unreachable, the final ACK of the three-way handshake never arrives, and the entry sits in the backlog until it times out. Enough simultaneous SYNs fill the backlog, and the server starts dropping connection attempts from legitimate clients; the service is unavailable even though the host keeps running. Timeouts alone do not fix this, since an attacker can send SYNs faster than entries expire. The standard defense is SYN cookies: the server encodes the connection details into the sequence number of its SYN-ACK and allocates state only when a valid ACK comes back, so spoofed SYNs cost it nothing to hold. SYN floods remain common today, usually as one component of a distributed attack.
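The handshake exchange described above, modelled as an added example (this is not the article's code, and not a real TCP stack): a listener with a deliberately tiny backlog is flooded with SYNs from spoofed TEST-NET addresses that never complete the handshake, and then one legitimate client tries to connect. The same run is repeated against a listener that uses a SYN cookie, here a truncated HMAC over the client address, its sequence number and a coarse time slot. The backlog size, cookie key and addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy model of a TCP listener's half-open connection backlog (constructed
# example, not real kernel code). A tiny backlog makes exhaustion visible.
BACKLOG = 4
COOKIE_KEY = secrets.token_bytes(32)   # assumed per-listener secret for SYN cookies
MASK32 = 0xFFFFFFFF


def syn_cookie(src, client_seq, time_slot):
    """Stateless initial sequence number: 32 bits of an HMAC over the client
    address/port, the client's SYN sequence number and a coarse time slot so
    that stale cookies expire. Simplified: real stacks also encode the MSS."""
    msg = f"{src[0]}:{src[1]}|{client_seq}|{time_slot}".encode()
    digest = hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class StatefulListener:
    """Classic behaviour: every SYN reserves a backlog slot until an ACK
    arrives. No timeout is modelled, which is what a flood arriving faster
    than the timeout looks like to the server."""
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, src, client_seq):
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1          # backlog full: SYN silently dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[src] = (client_seq, isn)
        return ("SYN-ACK", isn, (client_seq + 1) & MASK32)

    def on_ack(self, src, seq, ack):
        entry = self.half_open.get(src)
        if entry is None:
            return False
        client_seq, isn = entry
        if seq == (client_seq + 1) & MASK32 and ack == (isn + 1) & MASK32:
            del self.half_open[src]
            self.established.add(src)
            return True
        return False


@dataclass
class CookieListener:
    """SYN-cookie behaviour: nothing is stored for a SYN. The SYN-ACK's
    sequence number is the cookie, and a returning ACK carrying cookie + 1
    proves the client really received it at the claimed address."""
    established: set = field(default_factory=set)
    time_slot: int = 0

    def on_syn(self, src, client_seq):
        isn = syn_cookie(src, client_seq, self.time_slot)
        return ("SYN-ACK", isn, (client_seq + 1) & MASK32)

    def on_ack(self, src, seq, ack):
        client_seq = (seq - 1) & MASK32
        expected_isn = (ack - 1) & MASK32
        # Accept the current and previous slot so a rollover between
        # SYN-ACK and ACK does not reject an honest client.
        for slot in (self.time_slot, self.time_slot - 1):
            if syn_cookie(src, client_seq, slot) == expected_isn:
                self.established.add(src)
                return True
        return False


def flood_then_connect(listener, spoofed_syns, legit_src, legit_seq=1000):
    """Send SYNs from spoofed sources that never complete the handshake, then
    attempt one legitimate three-way handshake. Returns True if it succeeds."""
    for i in range(spoofed_syns):
        spoofed = (f"203.0.113.{i % 254 + 1}", 40000 + i)   # TEST-NET-3, constructed
        listener.on_syn(spoofed, 0)                          # the ACK never follows
    reply = listener.on_syn(legit_src, legit_seq)
    if reply is None:
        return False                                         # SYN dropped: denied service
    _, isn, _ = reply
    return listener.on_ack(legit_src, (legit_seq + 1) & MASK32, (isn + 1) & MASK32)


if __name__ == "__main__":
    legit = ("198.51.100.7", 51515)
    print("stateful listener, legit client connects:", flood_then_connect(StatefulListener(), 10, legit))
    print("SYN-cookie listener, legit client connects:", flood_then_connect(CookieListener(), 10, legit))
```

With ten spoofed SYNs the stateful listener fills its four slots and drops everything after them, including the real client; the cookie listener holds no state and accepts the real client because only a host that actually received the SYN-ACK can return the matching cookie.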
Modern DoS attacks are distributed (DDoS) in order to overwhelm the more powerful equipment now available. Many of them are layer 7 attacks: thousands of HTTP requests are made to a web server simultaneously, often for expensive pages such as search or login that each cost database or CPU time. The attack is typically mounted from a botnet, numerous devices infected with malware that gives the attacker control over each one. When the attacker sends a command, all infected devices around the globe send requests at once, exhausting the server's resources. Most servers are provisioned for their own peak hours, not for thousands of additional requests per second arriving from many distinct addresses, which also makes the traffic hard to distinguish from legitimate users and hard to block by source address alone.
Firewalls and Protection from DDoS Attacks
A layer 3 firewall filters on IP addresses, and a layer 4 packet filter adds the transport protocol and port numbers. This type of firewall is what you want when you need to allowlist or blocklist specific addresses or ports, for instance permitting only TCP ports 80 (HTTP) and 443 (HTTPS) to reach a web server and denying everything else by default. Firewall appliances also commonly perform port forwarding, such as sending all inbound port 80 traffic to the web server. Most lower-layer attacks combine layer 3 (network) IP addresses and layer 4 (transport) TCP or UDP behavior against a targeted server, and a layer 3/4 firewall sees only the headers: it can drop a source or a port, but it cannot see what is inside an HTTP request it has allowed.
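A first-match layer 3/4 packet filter of the kind described above, as an added example (not the article's code or any vendor's): rules match on source and destination network, protocol and destination port, anything unmatched falls to a default-deny policy, and the last sample packet shows the limit of this layer, an allowed port 80 packet whose payload carries an injection attempt that the filter never looks at. All addresses are from the RFC 5737 documentation ranges and the rule set is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example of a first-match layer 3/4 packet filter (not the
# article's or any vendor's code). Addresses are RFC 5737 test ranges.


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source network (layer 3)
    dst: str = "0.0.0.0/0"          # destination network (layer 3)
    proto: Optional[str] = None     # "tcp", "udp", "icmp" or None for any (layer 4)
    dport: Optional[int] = None     # destination port, or None for any (layer 4)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    payload: bytes = b""            # invisible to this filter: it reads headers only


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched hits the default policy.
    Default-deny is the posture a perimeter filter should start from."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


WEB_SERVER = "198.51.100.10/32"
RULES = [
    Rule("deny", src="192.0.2.0/24"),                                        # blocklisted range
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),                    # HTTP from anywhere
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),                   # HTTPS from anywhere
    Rule("allow", src="10.0.0.0/8", dst=WEB_SERVER, proto="tcp", dport=22),  # SSH from the LAN only
]

SAMPLE_PACKETS = {
    "web_from_internet": Packet("203.0.113.5", "198.51.100.10", "tcp", 80),
    "ssh_from_internet": Packet("203.0.113.5", "198.51.100.10", "tcp", 22),
    "ssh_from_lan": Packet("10.1.2.3", "198.51.100.10", "tcp", 22),
    "web_from_blocklist": Packet("192.0.2.77", "198.51.100.10", "tcp", 80),
    "ping": Packet("203.0.113.5", "198.51.100.10", "icmp"),
    # Allowed port, hostile content: a layer 3/4 filter passes this unchanged.
    "sqli_on_port_80": Packet("203.0.113.9", "198.51.100.10", "tcp", 80,
                              b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\n"),
}


def evaluate_all(rules=RULES, packets=SAMPLE_PACKETS):
    """Return the verdict for every sample packet, keyed by its label."""
    return {name: filter_packet(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:20s} -> {verdict}")
```

The blocklist rule is placed first because evaluation stops at the first match; putting it after the port 80 allow would let the blocklisted range reach the web server.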
An application (layer 7) firewall has far more information to work with than a layer 3 or 4 firewall. For instance, a web application firewall (WAF) can detect that a request's query string or body contains SQL injection, block or log the request, and alert an administrator. This is possible because of the amount of information available at layer 7: the URL, headers, cookies, request body and, when the firewall terminates TLS, the decrypted content. An application firewall can also log usernames, the specific application being accessed, source information and other data.
With a better understanding of each source and its requests, an application firewall can detect an HTTP flood in progress, for example by rate-limiting sources whose request rate or pattern is abnormal. Providers such as Cloudflare go further and absorb the flood across a globally distributed anycast network of data centers, so that no single site, and not the origin server, receives all of the traffic. This is one way a CDN (Content Delivery Network) protects a web server: it shields the origin, serves cacheable content from the edge, and spreads the remaining requests across load balancers using geolocation information.
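The two layer 7 checks discussed above, injection detection and flood detection, in one added example (not the article's code or any vendor's product): a toy WAF that percent-decodes each request target, matches it against a handful of SQL injection signatures, and keeps a sliding-window request count per source to flag an HTTP flood. The signatures, the window of 5 seconds and the threshold of 20 requests are illustrative assumptions; production WAFs use much larger rule sets such as the OWASP Core Rule Set and anomaly scoring. The request sample is constructed and covers normal browsing, one injection attempt and one burst from a single address.

```python
import re
import urllib.parse
from collections import defaultdict, deque

# Constructed example of layer 7 inspection (not the article's or any vendor's
# code): decode each HTTP request, check a few SQL injection signatures, and
# rate-limit sources to detect an HTTP flood. Signatures are illustrative only.

SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+\S*\s*=\s*", re.IGNORECASE),   # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),  # UNION SELECT
    re.compile(r"'\s*;\s*(drop|delete|insert|update)\b", re.IGNORECASE),
    re.compile(r"--\s*$|/\*.*\*/"),                             # comment tails
]

FLOOD_WINDOW_SECONDS = 5.0   # assumed policy
FLOOD_THRESHOLD = 20         # requests per source within the window (assumed policy)


def decode(target: str) -> str:
    """Percent-decode twice so double-encoded payloads (%2527 for a quote)
    are seen in the form the application would eventually receive."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(target))


def find_sqli(target: str):
    """Return the matched fragment if any signature fires, else None."""
    decoded = decode(target)
    for sig in SQLI_SIGNATURES:
        m = sig.search(decoded)
        if m:
            return m.group(0)
    return None


class RateLimiter:
    """Sliding-window request counter per source address."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)

    def record(self, src, ts) -> bool:
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.threshold


def inspect(requests):
    """requests: iterable of (timestamp_seconds, source_ip, method, target).
    Returns a list of (kind, source_ip, timestamp, evidence) alerts; a flood
    is reported once per source, when it first crosses the threshold."""
    alerts = []
    limiter = RateLimiter(FLOOD_WINDOW_SECONDS, FLOOD_THRESHOLD)
    flooding = set()
    for ts, src, method, target in requests:
        hit = find_sqli(target)
        if hit:
            alerts.append(("sqli", src, ts, hit))
        if limiter.record(src, ts) and src not in flooding:
            flooding.add(src)
            alerts.append(("flood", src, ts,
                           f">{FLOOD_THRESHOLD} requests in {FLOOD_WINDOW_SECONDS}s"))
    return alerts


# Constructed traffic: normal browsing, one injection attempt, one burst.
SAMPLE_REQUESTS = [
    (0.0, "198.51.100.5", "GET", "/index.html"),
    (0.5, "198.51.100.5", "GET", "/product?id=42"),
    (1.0, "198.51.100.9", "GET", "/product?id=1%27%20OR%20%271%27%3D%271"),
    (1.2, "198.51.100.9", "GET", "/search?q=red+shoes"),
] + [
    (2.0 + i * 0.08, "203.0.113.77", "GET", "/search?q=%d" % i) for i in range(25)
]


if __name__ == "__main__":
    for alert in inspect(SAMPLE_REQUESTS):
        print(alert)
```

None of this is possible at layers 3 and 4: the injection lives in the query string, and the flood is only visible as a request rate per source, both of which exist only after the HTTP request has been parsed.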
An application firewall, together with the rest of the security infrastructure, can stop many of the common attacks in the wild, including some DDoS attacks. DDoS attacks can be complicated and a firewall is rarely the whole solution (a volumetric flood that saturates the uplink has to be absorbed upstream of the firewall), but a good firewall will detect them and alert an administrator so that mitigation can start sooner.