The OSI Model Explained With Real Security Attack Examples
Table of Contents
- Why the OSI Model Matters for Security
- Layer 1 - Physical
- Layer 2 - Data Link
- Layer 3 - Network
- Layer 4 - Transport
- Layer 5 - Session
- Layer 6 - Presentation
- Layer 7 - Application
- Where BLEShark Nano Fits Across the Stack
- Where Shiver Mesh Fits
- Why Layers Matter for Pentesters
Why the OSI Model Matters for Security
The OSI (Open Systems Interconnection) model is a conceptual framework that breaks network communication into 7 layers. You've probably seen it in a textbook or a certification study guide. What those resources often miss is that the model is genuinely useful for security work - not as an exam answer, but as a mental framework for understanding attacks and defenses.
Every network attack targets a specific layer. ARP spoofing targets Layer 2. SQL injection targets Layer 7. RF jamming targets Layer 1. The layer an attack operates at determines which defenses are relevant and which are useless. A firewall (Layer 3-4) does nothing to stop a Layer 2 deauthentication attack. An intrusion detection system watching network traffic won't catch a Layer 1 RF jammer. Encryption at Layer 6 doesn't protect you from a Layer 2 MAC address attack.
When you know which layer an attack operates at, you know what can and can't defend against it. That's the practical value of the model.
Layer 1 - Physical
Layer 1 is the physical medium: electrical signals on copper, light pulses on fiber, radio waves in the air, and the hardware that transmits and receives them. No addressing at this layer - just raw bits encoded as physical signals.
What it handles: Bit transmission and reception, signal encoding, physical connectors and media, transmission power and frequency. For wireless networks, the radio PHY (physical layer) lives here. The 2.4GHz and 5GHz bands used by WiFi, the 2.4GHz band used by Bluetooth and BLE, the 940nm infrared used by TV remotes - all Layer 1.
Attacks at Layer 1:
- RF jamming: Transmitting noise on the same frequency as a target network, raising the noise floor until legitimate signals can't be decoded.
- Physical wiretapping: Connecting directly to a copper wire to intercept electrical signals.
- Physical interception of wireless: Any receiver within range of a wireless transmitter can receive the signal. The air is a shared medium.
BLEShark Nano at Layer 1: IR communication is entirely Layer 1. When the BLEShark Nano transmits an IR TV-B-Gone sequence or replays a captured remote code, it's operating purely at the physical layer. The WiFi radio is also a Layer 1 component.
Figure: The seven OSI layers mapped to real-world security attacks - understanding which layer an attack targets determines which defenses are effective.
- Layer 7 (Application): XSS, SQL injection, credential harvesting
- Layer 6 (Presentation): SSL stripping, data format exploits
- Layer 5 (Session): session hijacking, token theft
- Layer 4 (Transport): SYN flood, port scan, TCP reset attacks
- Layer 3 (Network): IP spoofing, ICMP flood, route manipulation
- Layer 2 (Data Link): ARP spoofing, deauth, MAC flooding, VLAN hopping
- Layer 1 (Physical): RF jamming, cable tapping, IR replay
Layer 2 - Data Link
Layer 2 is where physical signals become frames. It handles addressing within a local network segment (MAC addresses), error detection, and access control to the shared physical medium.
What it handles: MAC addressing, frame construction and parsing, switching decisions, and protocol-specific framing for WiFi (802.11), Ethernet (802.3), and Bluetooth.
Attacks at Layer 2:
- ARP spoofing/poisoning: Injecting false IP-to-MAC mappings to redirect traffic through an attacker-controlled machine.
- MAC flooding: Overflowing a switch's CAM table to force broadcast behavior.
- VLAN hopping: Exploiting misconfigured trunk ports to reach restricted VLANs.
- WiFi deauthentication: Forging 802.11 deauth management frames to disconnect clients. Pure Layer 2.
- BLE advertisement spoofing: Broadcasting fake BLE advertisements to generate popups on nearby devices.
BLEShark Nano at Layer 2: WiFi deauth testing, BLESpam, AP spam, and Bad-BT all operate at Layer 2.
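The ARP spoofing bullet above is the clearest illustration of why layer matters for defense. The following detector is an added example (not code from the article or the BLEShark project); the ARP reply records it consumes are constructed sample data, and it shows that the only evidence of poisoning is a MAC address in a frame, which nothing at Layers 3-4 ever inspects.

```python
"""Layer 2 ARP-spoofing detector over a constructed ARP reply log.
Added example, not code from the original article or the BLEShark project:
it learns IP-to-MAC bindings and flags any reply that rebinds a known IP."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpReply:
    """One ARP reply seen on the local segment (constructed data)."""
    ts: float
    sender_ip: str
    sender_mac: str

@dataclass
class ArpWatch:
    """Treats the first-learned binding per IP as trusted. A real deployment
    would seed `bindings` from a static table (gateway, servers) instead."""
    bindings: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record the reply; return True if it conflicts with a known binding."""
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
            return False
        if known != reply.sender_mac:
            # A MAC inside a frame: a Layer 3/4 firewall never sees this (hence L2).
            self.alerts.append(
                f"t={reply.ts:.1f}s {reply.sender_ip} claimed by "
                f"{reply.sender_mac}, trusted binding is {known}"
            )
            return True
        return False

# Constructed sample: gateway and a host learned normally, then two replies
# that claim the gateway IP from a different MAC (the poisoning pattern).
SAMPLE_LOG = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:14"),
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(5.5, "192.168.1.1", "de:ad:be:ef:00:01"),
]

def run_detector(log):
    """Feed every reply to a fresh ArpWatch and return its alert list."""
    watch = ArpWatch()
    for reply in log:
        watch.observe(reply)
    return watch.alerts
```

Running `run_detector(SAMPLE_LOG)` yields one alert per poisoned reply; the legitimate replies produce none.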
Layer 3 - Network
Layer 3 handles logical addressing and routing between networks. IP is the defining protocol.
What it handles: IP addressing, packet routing, TTL management, fragmentation, ICMP.
Attacks at Layer 3:
- IP spoofing: Forged source IP addresses for reflection/amplification DDoS.
- ICMP redirect: Spoofed ICMP redirects to manipulate routing tables.
- Route poisoning: Injecting false BGP/OSPF routes.
- Rogue DHCP: Assigning attacker-controlled gateway and DNS.
Layer 4 - Transport
Layer 4 handles end-to-end communication. TCP and UDP are the dominant protocols.
What it handles: Port numbers, TCP connection state, flow control, congestion control.
Attacks at Layer 4:
- SYN flood: Exhausting connection table resources with half-open connections.
- TCP reset attack: Forging RST packets to terminate connections.
- UDP flood: Overwhelming a target with UDP packets.
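The SYN flood bullet is about connection-table state, which is what a Layer 4 detector has to measure. The following is an added example (not code from the article or the BLEShark project) over a constructed handshake log; the thresholds MIN_SYNS and MAX_COMPLETION are assumptions chosen for the example, and it goes slightly beyond the bullet by also handling floods that spoof a fresh source per SYN, where per-source ratios are useless.

```python
"""Layer 4 SYN-flood indicator over a constructed TCP handshake log.
Added example, not code from the original article or the BLEShark project.
Each record is one handshake step seen at the server: a client's SYN, or the
client's final ACK that completes the three-way handshake."""
from collections import defaultdict

# Tunables are assumptions for this example, not values from the article.
MIN_SYNS = 5          # ignore sources with fewer attempts than this
MAX_COMPLETION = 0.2  # flag a source when under 20% of its SYNs complete


def half_open_report(events):
    """events: iterable of (src_ip, step) with step "SYN" or "ACK".
    Returns {src_ip: (syns_seen, handshakes_completed)}."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for src, step in events:
        if step == "SYN":
            syns[src] += 1
        elif step == "ACK":
            acks[src] += 1
    # A stray ACK without a SYN cannot complete anything, so clamp.
    return {src: (n, min(acks[src], n)) for src, n in syns.items()}


def flag_syn_flood_sources(events):
    """Sources that open many connections but complete almost none: these
    are the half-open entries that exhaust the server's connection table."""
    flagged = []
    for src, (n_syn, n_done) in half_open_report(events).items():
        if n_syn >= MIN_SYNS and n_done / n_syn < MAX_COMPLETION:
            flagged.append(src)
    return sorted(flagged)


def total_half_open(events):
    """Segment-wide half-open count. Real floods usually spoof a different
    source per SYN, so per-source ratios miss them; this aggregate does not."""
    return sum(n - done for n, done in half_open_report(events).values())


# Constructed sample: one normal client that completes every handshake and
# one source that sends eight SYNs but completes only one.
SAMPLE_EVENTS = (
    [("10.0.0.5", "SYN"), ("10.0.0.5", "ACK")] * 3
    + [("203.0.113.9", "SYN")] * 8
    + [("203.0.113.9", "ACK")]
)
```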
Layer 5 - Session
Layer 5 manages sessions - logical connections that persist across multiple requests.
Attacks at Layer 5:
- Session hijacking: Stealing valid session tokens to impersonate users.
- Session fixation: Forcing a user to authenticate with a known session ID.
- Cookie theft: Capturing session cookies via XSS or network interception.
Layer 6 - Presentation
Layer 6 handles data representation, encryption, and encoding. TLS lives here.
Attacks at Layer 6:
- SSL stripping: Downgrading HTTPS to HTTP via MITM.
- Protocol downgrade: Forcing weaker TLS versions or cipher suites.
- Encoding exploitation: Abusing deserialization to inject malicious data.
Layer 7 - Application
Layer 7 is the application protocol itself - HTTP, DNS, SMTP, and everything built on them.
Attacks at Layer 7:
- SQL injection: Injecting SQL into database queries via user input.
- Cross-Site Scripting (XSS): Injecting JavaScript into web pages served to other users.
- DNS spoofing: Poisoning DNS caches to redirect users to attacker infrastructure.
- Phishing and credential harvesting: Fake login pages mimicking legitimate services.
BLEShark Nano at Layer 7: The captive portal/evil portal serves web pages to connected clients for credential capture. The attack starts at L1 (radio), uses L2 (WiFi association), L3 (rogue DHCP), and L7 (the web page).
Where BLEShark Nano Fits Across the Stack
- Layer 1: IR transmit/receive, WiFi radio, BLE radio.
- Layer 2: WiFi deauth, BLESpam, AP spam, Bad-BT.
- Layer 7: Evil portal / captive portal.
Layers 3-6 are mostly pass-through. The attacks of interest are at the wireless physical and data link layers, where most consumer hardware provides the fewest defenses.
Where Shiver Mesh Fits
Shiver operates at Layer 1 and Layer 2, enabling distributed L1/L2 operations across physical space. Trigger deauth from a specific node, send IR commands through a positioned node, coordinate BLESpam from multiple positions, or run evil portals across a wider area - all from a single controller.
Why Layers Matter for Pentesters
The OSI model gives you a structured way to reason about what a tool can and can't do. A firewall at Layers 3-4 cannot stop Layer 2 deauth attacks. Categorizing findings by layer helps clients understand which part of their infrastructure needs attention. Multi-layer attacks require defenses at multiple layers.
The BLEShark Nano is most effective when you understand which layer each of its capabilities targets. That understanding turns a collection of features into a coherent security testing methodology.
BLEShark Nano is designed for authorized security research, penetration testing, and educational use. Always obtain proper authorization before testing.