The OSI Model Explained — What It Is, How It Works, and Where Attacks Hide

By Ashfak Ahmad  ·  8 min read  ·  Beginner friendly

What is the OSI Model?

Imagine you want to send a letter to someone on the other side of the world. You write the letter, put it in an envelope, address it, hand it to a courier who puts it on a truck, then a plane, then another truck, until it arrives at the door. Each step has a job. The OSI model works exactly like that — but for data traveling across a network.

OSI stands for Open Systems Interconnection. It is a framework that breaks network communication into 7 layers. Each layer has a specific job, and they all work together so that two devices — anywhere in the world — can communicate reliably.

The 7 Layers — Plain English

Layer 7 — Application
What it does: This is the layer you actually interact with. When you open a browser, send an email, or use an app, this layer handles it.

Examples: HTTP, HTTPS, SMTP, DNS, FTP.

Attacks at Layer 7
Phishing: Fake websites designed to steal login details.
SQL Injection: Malicious commands typed into web inputs to extract database data.
XSS: Injecting malicious scripts into trusted websites.
DDoS (App Layer): Flooding a web app with fake requests until it crashes.

Layer 6 — Presentation
What it does: Translates data so both sides understand it. Handles encryption and compression.

Examples: SSL/TLS encryption, JPEG/PNG image formats, data compression.

Attacks at Layer 6
SSL Stripping: Downgrades HTTPS to HTTP so attackers can read data in plain text.
Weak Encryption Exploitation: Cracking outdated algorithms like MD5 to read private data.

Layer 5 — Session
What it does: Manages conversations (sessions) between devices — opening, maintaining, and closing them.

Examples: Session tokens keeping you logged into websites.

Attacks at Layer 5
Session Hijacking: Stealing your session token to impersonate you without a password.
Session Fixation: Tricking you into using an attacker-controlled session ID.

Layer 4 — Transport
What it does: Breaks data into segments, sends them, and reassembles them on arrival. Chooses between reliable (TCP) and fast (UDP) delivery.

Examples: TCP for web browsing, UDP for gaming and video.

Attacks at Layer 4
SYN Flood: Thousands of half-completed TCP handshakes that exhaust server resources.
Port Scanning: Mapping open ports to find exploitable services.

Layer 3 — Network
What it does: Routes data between networks using IP addresses.

Examples: IP addresses, routers, ICMP (ping).

Attacks at Layer 3
IP Spoofing: Faking a source IP to appear as a trusted host.
ICMP Flood: Overwhelming a target with ping requests.
Man-in-the-Middle: Redirecting traffic through an attacker's machine.

Layer 2 — Data Link
What it does: Handles local network communication using MAC addresses.

Examples: Ethernet, Wi-Fi, MAC addresses, switches.

Attacks at Layer 2
ARP Spoofing: Linking an attacker's MAC to a legitimate IP to intercept traffic.
MAC Flooding: Overloading a switch's memory so that it broadcasts all traffic to every port.

Layer 1 — Physical
What it does: The actual hardware — cables, radio signals, electrical impulses, fiber optics.

Examples: Ethernet cables, Wi-Fi signals, fiber optic cables, network interface cards.

Attacks at Layer 1
Physical Tapping: Connecting a device directly to intercept data from cables.
Signal Jamming: Radio interference disrupting wireless communications.
Hardware Implants: Rogue USB or keyboard devices capturing keystrokes.
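To see the layers as actual bytes on the wire, here is an added example (not from the original write-up) that peels a constructed Ethernet / IPv4 / TCP / HTTP frame apart and labels each field with the OSI layer it belongs to. The MAC and IP addresses are made-up sample values, checksums are left at zero, and the parser only handles IPv4 over Ethernet carrying TCP.

```python
import struct
from ipaddress import IPv4Address


def dissect(frame: bytes) -> dict:
    """Peel an Ethernet frame apart, returning one entry per OSI layer found."""
    layers = {}
    # Layer 2 (Data Link): 14-byte Ethernet II header, MAC addresses + EtherType
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2"] = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
                    "ethertype": ethertype}
    if ethertype != 0x0800:  # only IPv4 is handled in this example
        return layers
    # Layer 3 (Network): IPv4 header; header length (IHL) is counted in 32-bit words
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["L3"] = {"src_ip": str(IPv4Address(ip[12:16])),
                    "dst_ip": str(IPv4Address(ip[16:20])),
                    "ttl": ip[8], "protocol": ip[9]}
    if ip[9] != 6:  # 6 = TCP; UDP (17) and others are not handled here
        return layers
    # Layer 4 (Transport): TCP header; data offset in 32-bit words, flags in the low 9 bits
    tcp = ip[ihl:total_len]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    layers["L4"] = {"src_port": src_port, "dst_port": dst_port, "seq": seq,
                    "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    # Layer 7 (Application): the bytes the segment carries; here an HTTP request line
    payload = tcp[data_off:]
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        layers["L7"] = {"protocol": "HTTP",
                        "request_line": payload.split(b"\r\n", 1)[0].decode()}
    return layers


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): Ethernet II / IPv4 / TCP / HTTP GET."""
    http = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: ports 40000 -> 80, seq/ack, data offset 5 words + flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    # IPv4: version 4 / IHL 5, TOS, total length, id, flags/frag, TTL, proto 6, csum, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64, 6, 0,
                     IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed)
    # Ethernet II: made-up dst/src MACs, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http
```

Notice that Layers 5 and 6 leave no separate header in a plaintext HTTP frame; the OSI layers map only loosely onto the headers you actually see in a capture.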

Why Defenders Need to Understand This

Every attack targets a specific layer. A firewall blocks threats at Layers 3 and 4. An IDS watches Layers 4 to 7. A WAF defends Layer 7. When you understand which layer is being attacked, you know which tool to reach for — and where to look in the logs.

The OSI model is not just theory. It is the map every attacker and defender uses to navigate the battlefield.