
International Journal of Multidisciplinary Research and Publications

ISSN (Online): 2581-6187

DoS and DDoS Attacks at OSI Layers


Hadeel S. Obaid (1), Esamaddin H. Abeed (2)
(1) College of Engineering, University of Information Technology and Communications, Baghdad, Iraq
(2) Civil Aviation Authority, Baghdad International Airport, Baghdad, Iraq

Abstract— Among the different online attacks obstructing IT security, Denial of Service (DoS) and Distributed Denial of Service (DDoS) are the most devastating. They have also put security experts under enormous pressure recently to find efficient defence methods. A DoS attack can be performed in various ways with diverse code and tools, and can be launched from different OSI model layers. This paper describes DoS and DDoS attacks in detail and explains how different types of attack can be implemented and launched from different OSI model layers. It provides a better understanding of these increasingly frequent events in order to improve the efficiency of countermeasures.

Keywords— DoS, DDoS, OSI Layers, OPNET.

I. INTRODUCTION

The Internet has changed the style of communication and the way of running a business [1], and it provides many services for various fields such as education, entertainment, banking transactions, medicine, research, etc. The development of network technologies allows intruders and hackers to discover illegitimate methods of entering a system.

Network security is frequently discussed as part of computational infrastructure [2]. The commitment to safeguarding critical data, information and services placed on the Internet and computer networks is a key focus of research today. Many new threats have appeared, and defences against them are constantly being developed. Computational threats can be classified into four classes: password attacks, malware, denial of service (DoS) attacks and reconnaissance attacks. For the DoS type of threat, securing the network from a denial of service attack becomes critical, because this attack is very easy to perform.

Since 1995, the San Francisco Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI) have produced an annual survey [3]. This survey found that the third most significant attack causing computer crime losses is the DoS attack, which comes after unauthorized access to information and virus attacks. The total approximate loss from DoS attacks was more than 7 million dollars for the 639 respondents that were willing and able to estimate their losses in 2005.

Annually, a Distributed Denial of Service attack (DDoS) costs businesses about $3.5 million, as reported by the Ponemon Institute's research [2]. The average downtime after a DDoS attack is 54 minutes, and each minute of downtime costs approximately $22,000. Estimates from the Yankee Group, IDC and Forrester put the cost of a 24-hour outage for a big e-commerce business at about $30 million.

Today, many network facilities and application servers can be under DoS and DDoS attacks [4]. The major aim of these two attacks is to block legitimate users from online services. The users may have to pay for these services; an assailant does not discriminate on the basis of the fee of the service. The purpose behind DoS attacks is not to abuse or take data; the purpose is to flood the server by sending a huge amount of traffic. In general, the attacker prevents legitimate users from using an online service by draining the server's resources. In addition, the Internet of Things (IoT) has recently been presented as the next revolution and a part of the Internet of the future [29]. DoS can also be used to pull down any IoT network [30].

The rest of the paper is organised as follows: Section 2 covers the related work. Section 3 explains DoS attacks. Section 4 presents DDoS attacks. OSI layers and their attacks are in Section 5. Finally, the conclusion is in Section 6.

II. RELATED WORK

Koc and Carswell have implemented experiments on the KDD99 dataset using Naïve Bayes (NB) and its variants: Naïve Bayes Tree (NBTree), Averaged One-Dependence Estimators (AODE), Weightily AODE (WAODE), Tree-Augmented Naïve Bayes (TAN), DTNB and Hidden Naïve Bayes (HNB) [5]. The results of their experiments indicate that the Proportional K-Interval discretization technique, along with HNB, offers high accuracy in detecting DDoS attacks.

Machine learning (ML) is a well-known area of computer science that mainly deals with the discovery of data patterns and data-related irregularities [31]. Lohit Barki et al. have proposed an IDS to detect DDoS attacks in Software Defined Networks (SDN) using machine learning algorithms such as K-Nearest Neighbour, Naive Bayes, K-medoids and K-means to categorise incoming traffic into regular and irregular categories [6]. The detection rate and efficiency parameters are used to measure these algorithms. The algorithm with the higher accuracy is chosen to implement the Signature IDS; its results are then processed by the Advanced IDS, where the intent is to detect anomalous behaviour using open connections. This helps to provide accurate results about the hosts involved in the DDoS attack.

Katkar and Bhatia have performed an experiment on intrusion detection using the REPTree classifier and assessed the variation in its performance when it is combined with different data pre-processing and feature selection techniques [7]. The experimental results show that the accuracy of the REPTree classifier in detecting intrusions is better when it is used with the Numeric to Binary pre-processing technique on the KDD99 dataset.

Zhiyuan Tan et al. have presented a detection system to detect DoS attacks using multivariate correlation analysis (MCA) [8]. By extracting geometrical correlations between different features of network traffic, MCA can be used for network characterization. Such a detection system uses

Hadeel S. Obaid and Esamaddin H. Abeed, "DoS and DDoS Attacks at OSI Layers," International Journal of Multidisciplinary Research and Publications (IJMRAP), Volume 2, Issue 8, pp. 1-9, 2020.

anomaly-based detection in its attack recognition. The advantage is that it makes the solution able to detect both known and unknown DoS attacks by learning the normal patterns of the network traffic. Additionally, to improve and accelerate the MCA process, a triangle-area-based method is suggested. The efficiency of this suggested detection system is assessed using the KDD Cup 99 dataset. The effects of both regulated and non-regulated data on the performance of the proposed detection system are tested.

Detection methods such as the Client Puzzle Protocol (CPP) and Ingress filtering are used to detect DoS and DDoS attacks at the Application layer [4]. In Internet communication, the CPP algorithm is used with the aim of stopping the misuse of server resources. CPP requires all clients that want to connect to the server to resolve a mathematical puzzle before the connection is established. When the puzzle is solved, the client passes its solution to the server. If the client fails to solve the puzzle, the server refuses the connection. The puzzle is not hard to solve, but an attacker attempting to establish a huge number of connections with the target will find this difficult because of the time delay. The Ingress filtering technique is used to ensure that arriving packets do not have fake source IP addresses in their header. Every packet is sent with the IP source address in the header; if this IP address is fake, this is considered an attack. In Ingress filtering, packets are examined based on information from the past, so that the server will not be allowed to respond to packets from possible attacking IP addresses.

III. DENIAL OF SERVICE ATTACKS

Availability, Confidentiality and Integrity are the main aims of computer security [9]. Availability is defined as the capability of using the desired resources or information. DoS attacks threaten the availability of resources in the network. DoS attacks can happen when an attacker attempts to make Internet-based applications, a website or other services unreachable to legitimate users. DoS attacks can also be defined as attacks that aim to prevent users from using an Internet-based service by disturbing the usual functionality of a server that hosts an application [10]. DoS attacks involve an attacker sending messages that take advantage of particular vulnerabilities, leading to anomalies or disability in the network systems, or sending a large number of messages quickly to a single node to consume the resources of the system and cause it to crash; see Fig. 1 [11].

Fig. 1. DoS Attack

IV. DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK

A DoS attack that originates from many distributed sources is called a Distributed Denial of Service attack (DDoS) [11]. In this type of attack, multiple bots called zombies are used to send a huge amount of traffic to the victim server.

A DDoS attack aims to expand the strength of the DoS attack by using more than one computer [4]. DDoS attacks are considered to be more efficient than DoS attacks because they raise the attack density through the use of many computers simultaneously. DDoS attacks are a repeated disruption to services on the web servers of high-profile sites such as insurance companies, credit card payment gateways, banks, etc. DDoS happens when many computers overflow the resources of a victim, making the DoS attack more effective and making it difficult to find the attack's creator or origin. DDoS attacks are able to cause great harm to online services, because they are able to quickly damage network performance and make detection hard. DDoS attacks are considered to be a dangerous security threat to present intrusion detection schemes. Discovering DDoS attacks in adequate time would minimise the damage that the attack can cause. Until now, there have been no efficient solutions that overcome all characteristics of DDoS attacks. Thus, the detection of DDoS attacks represents an attractive domain for researchers. DDoS is typically executed in a logical structure, as shown in Fig. 2:

Fig. 2. Structure of DDoS Attack

The structure of DDoS includes a client, who represents the attacker and is connected to a number of cooperating systems called handlers [4]. The handlers direct commands to a number of zombie agents that carry out the DDoS against the victim system. Each handler is able to dominate thousands of zombie agents.

Internet Relay Channel (IRC) is used by the attacker to communicate with agents [12]. The attacker can use IRC to communicate with agents rather than installing a handler program on a network server. The IRC channel enables the attacker to use genuine IRC ports to forward instructions to agents. Using genuine ports prevents the distributed denial of service command requests from being tracked. Also, IRC servers have a huge amount of traffic, allowing


attackers to hide their presence. A malicious node does not need to maintain a list of agents, as it is able to directly access the IRC server and check the existing agents. In the IRC network, the agent software sends and receives messages via an IRC channel, where information about the operation is available to the attacker [13].

V. OSI MODEL IN BRIEF

Open Systems Interconnection (OSI) is a framework that defines the agreements and functions required for communication between network systems [14]. Work on the OSI model started in the late 1970s by the Telephone Consultative Committee (CCITT) and the International Organization for Standardization (ISO). The OSI model applies a structuring technique called layering. This partitions communication into a set of vertical layers, where each layer performs functions that use and enhance the layer immediately below it. Fig. 3 shows the OSI model layers:

Fig. 3. OSI Model Layers

There are seven layers in the OSI model. The first, Layer 7, is the Application layer, which permits access to resources on the network. It helps to send and receive data between different applications [15]. Messages/data are the main communication unit (PDU) at this layer. Layer 6 is the Presentation layer, which is responsible for formatting the data exchanged between communicating points, such as translation, data compression and encryption. Layer 5 is the Session layer, which provides the establishment, governing and termination of sessions through the network. Layer 4 is the Transport layer, which is responsible for providing reliable data delivery from one process to another. It guarantees an orderly sequence, error-free delivery and no repetition in the transmission of packets. Segments, datagrams or packets are the PDU, or unit of communication, on which this layer is based. Layer 3 is the Network layer, which is responsible for the movement of packets between source and destination. It offers routing and addressing for the packets. The packet is the PDU at this layer. Layer 2 is the Data Link layer; it ensures error-free data transmission over physical media. The frame is the PDU at this layer. Layer 1 is the Physical layer, which manages the transmission of binary data (0s and 1s) through the transmission media. It translates bits into signals, and the bit is the PDU at this layer. The table displays the most common DoS attack types at different OSI model layers.

A. Denial of Service Attack at the Application Layer

DoS attacks at the application layer are more complex [11]. They incapacitate features or functions, as opposed to the entire network. Application layer protocols have two main categories: user protocols and support protocols. User protocols provide services to users directly, such as HTTP, SMTP/POP, FTP, IMAP, XMPP, SSH, IRC, etc. Support protocols aim to provide common system functions, such as DNS, NTP, SNMP, BOOTP/DHCP, TLS/SSL, RTP, SIP, etc. [9]. Any of these protocols can be a means or an object for launching a DoS attack. Most protocols at the application layer are structured in a client-server model. A server is a process that implements a particular service, such as email or file transfer. A client is a process that requests services from a server. Clients can be classified as legitimate or not, that is, those who do not have malicious logic and malicious clients who do have malicious logic.

DoS attacks at the Application layer are more disturbing than attacks at other layers because of the following [11]:
• High obscurity: these attacks use legitimate UDP or TCP connections, making it hard to distinguish them from legitimate users.
• High efficiency: DoS attacks at the Application layer require a smaller number of connections.
• Multiple effects: they can directly or indirectly impact many victims. For instance, a DNS attack on one DNS provider can affect all its users.
• Normal traffic rules: these attacks follow the rules of normal traffic and complete the TCP handshake, so that the traffic in those attacks looks like legitimate traffic.
• Affecting multiple applications: they affect different applications because any one of the protocols mentioned above can be used to launch a DoS attack.
• Simplicity of exploitation: they take advantage of the simplicity of Layer 7; for instance, a server may collapse when thousands of users simultaneously refresh their browsers.
• Limited resource requirements: they require limited resources. An attacker can achieve a successful attack with a limited investment.
• Highly targeted: these attacks aim at a specific application, such as web servers running applications in Java, PHP5 and ASP.NET. Targets are crafted using HTTP requests; there could be collisions in the web server's hashing operation, as non-unique and overlapping responses are returned.

An attacker may exhaust the memory or CPU of a victim by sending a vast number of service requests [9]. Each request can cause the victim to execute memory- and/or CPU-intensive operations. For instance, an attacker may order malicious agents to send HTTP requests to a server to download a large file. As the server must read the huge file from the hard disk into memory and send it in a significant number of packets to the malicious user, a single HTTP request can cause


substantial resource depletion on the server in terms of CPU, I/O, bandwidth and memory.

HTTP GET, Slowloris and HTTP POST attacks are examples of DoS attacks at the Application layer. The HTTP POST and HTTP GET methods are usually misused over HTTP or HTTPS [4]. An HTTP GET flood attack can be implemented by exploiting a weakness in the HTTP protocol. In this attack, the attacker sends a large number of pernicious requests using the HTTP protocol: a huge number of malicious HTTP GET requests is sent to the victim. Because the HTTP payloads of these packets are legitimate, the victim server cannot differentiate the malicious HTTP GET requests from normal requests. Therefore, the server has to treat all requests as legitimate, and this process then consumes its resources.

Another type of DoS attack at the application layer occurs when the attacker executes a Slowloris attack, also called a Slow Header attack [16]. The weakness of the HTTP GET request is also used in this attack, but it exploits the time delay in HTTP GET headers rather than flooding the server with spoofed requests. The attacker does not send an HTTP GET request all at once; instead, the lines of the header are separated and sent one at a time. The web server builds the connection with the attacker and waits for the request header to finish, which can take a long time. The malicious request is thus held open for a long time. A default threshold is set up, indicating the maximum timeout for the next header line to arrive; anything over that time leads to a closed connection. The default threshold of the Apache web server is 300 s. This is used as the pause time before sending the next line of the header of the attacker's request. As a result, the attacker can consume the resources of the web server by creating multiple connections with the victim's server [4]. An attacker can also take advantage of a weakness in the HTTP POST request, in what is called a Slow Message Body attack [39]. A message body is included in a POST request and can use any encoding. The HTTP header includes a field, Content-Length, that informs the web server about the size of the message body. The HTTP header portion is sent by the attacker to the web server in full. Then the attacker sends the HTTP message body sequentially at 1 byte per 110 seconds. The web server simply follows the Content-Length that is in the header field while waiting for the remainder of the message. Waiting for the whole message body to be sent allows web servers to support users with sporadic or slow connections. The server will be under a DoS attack if there are some such connections.

B. Denial of Service Attack at the Presentation Layer

DoS attacks at the presentation layer include malformed Secure Socket Layer (SSL) requests. SSL or TLS offers security for web services such as online shopping, online banking, etc. [15]. Because of its security advantages, many well-known organisations utilise SSL to secure their services [9]. Currently, most transactions are secured by SSL. However, SSL has also attracted attackers. The TCP protocol and the TCP handshake are frequent victims of DoS attacks. After completing the TCP handshake, an exchange of messages starts to verify the authenticity of the communicating entities. Afterwards, the encryption key for the communication is built [15]. Several attacks take advantage of the SSL handshake to consume server resources. The Pushdo botnet performs this by sending incompressible data to the SSL server. The SSL protocol needs sufficient computation time, and this produces additional workload on the server, which treats the useless data as a normal handshake. At this stage, the server may stop processing SSL connections or restart them. Firewalls may fail in such a scenario, as both entities have completed the TCP handshake. Attackers often use SSL to tunnel their HTTP-based DoS attacks, as they appear to be secure requests.

SSL DDoS attacks can be divided into two classes:

1- Protocol misuse attacks. These attacks exploit the protocol being used. A DoS attack is mounted without completing the secure connection, potentially without the need for secure keys. As one example, THC-SSL-DOS, which can be used to 'renegotiate' the connection, can be applied without the benefit of a secure channel. Mitigation techniques, such as IPS signatures, help to detect these attacks.

2- SSL traffic floods. These attacks send a large amount of traffic over an established secure channel, which results in depleting bandwidth and other resources. Without additional information, mitigation devices are not able to differentiate between normal connections and malicious connections. Against such attacks, a web challenge cannot be issued to assess source legitimacy, so mitigation is prone to false actions, because there is nothing but a rate limit to act on.

C. Denial of Service Attack at the Session Layer

The session layer includes the synchronisation and termination of connections over the network [10]. An attacker takes advantage of log-in and log-off protocols to launch DoS attacks at the session layer; for instance, by launching a Telnet DoS attack [15]. A Telnet application permits a terminal to communicate remotely with its counterpart. Telnet uses the network to send and receive data via a port (e.g. 23).

The attacker may execute the DoS attack at this level so that defects in Telnet are misused at the switch level, making the services of the switch unobtainable, whereby the administrator is prevented from controlling the switch [10].

Attacks on Telnet can be classified into three classes [15]:
1) Telnet brute force attack: in this attack, the attacker uses a list of frequently used passwords, and a program is designed to attempt to create a Telnet session using each word in the list;
2) Telnet communication sniffing: the lack of encryption is the most serious problem in the Telnet protocol. Transmissions between parties over the network are sent without any encryption. This vulnerability is exploited by the attacker for frame sniffing; it can be easy for the attacker to sniff the plain text that flows over the network.
3) Telnet DoS: this attack is a way to damage the communication between two devices over the network by consuming the bandwidth of their connection. To implement this, the attacker sends a large number of irrelevant and useless data frames, thereby stifling the connection. As a result, a


legitimate communication cannot use this connection. This attack is also used to stop administrators from using Telnet on their devices.

D. Denial of Service Attack at the Transport Layer

Layer 4 DoS attacks are based on the transmission and generation of an enormous volume of traffic to deactivate or totally block the availability of services or resources in the network for legitimate clients [15]. These attacks usually involve misuse of the TCP and UDP protocols to flood resources in the network.

DoS attacks at the Transport layer are classified into flooding attacks and de-synchronization attacks [17]:

- Flooding
If an attacker repeatedly makes new connections with the same server, which needs to retain state at each end of the connection, the resources that are needed for each of these connections will be consumed [17]. As a result, any further connections from other users cannot be served, and they may even be dropped.

- De-synchronization
A de-synchronization attack is the disruption of an existing connection [17]. For example, the attacker can continually spoof messages to a node, causing the node to retransmit the lost frames. If the attack is done at the right moment, the end hosts may not be able to exchange data effectively, and the resources are then wasted on the connection.

To understand DoS attacks at the transport layer, a brief explanation of the TCP/IP protocol is needed [18]. The US Department of Defense was the first to implement the TCP/IP protocol suite. The Internet at that time was very limited, and the TCP/IP protocol was capable of providing the required security. However, as the Internet started to mature, the TCP/IP protocol did not improve. Today, the TCP/IP suite is considered neither secure nor resistant to attacks. The Internet Protocol (IP) is defined as a packet delivery service [19]:
• Delivery without assurances of acknowledgements.
• The IP protocol is connectionless, i.e. each packet is handled independently of all other packets.
• The Internet makes a reasonable effort to deliver packets to the best of its abilities.
Fig. 4 represents the IP header:

Fig. 4. IP Header

Transmission Control Protocol (TCP) is a process-to-process protocol [19]. The TCP protocol uses port numbers to provide program-to-program communication. TCP is connection-oriented: for program A to communicate with program B, a connection must have been set up between A and B. This connection allows the sending and receiving processes to deliver and receive data as a stream of bytes. TCP is part of the transport layer, above the Network layer; variable-length data streams can be sent and received. Fig. 5 shows the TCP header:

Fig. 5. TCP Header

TCP is a connection-oriented stream protocol that offers a full-duplex service, where data can flow over the Internet in both directions [20]. To establish the connection, TCP uses the three-way handshake process. Fig. 6 illustrates a three-way handshake between a TCP server and a TCP client.

Fig. 6. TCP Three Way Handshake

• First, the client sends a packet marked with SYN to the server.
• After the SYN packet is received from the client, the server sends a SYN+ACK packet to the client.
• The client replies with an ACK packet, and the connection with the server is established. Now the client is able to send data messages.

A TCP SYN flood attack represents one of the easiest and most dangerous ways to launch DDoS attacks [21]. This attack uses a weakness in the TCP protocol that was not considered a weakness when the protocol was developed. In 1994, Steve Bellovin and Bill Cheswick discovered the weakness in the


TCP protocol (TCP SYN flood attack). to the listener (i.e., only permitting SYN packets out); the
In such TCP SYN attacks, a synchronize flag in TCP firewall can filter arriving packets so that the SYN-ACK
headers is utilized in messages sent [22]. This flag is set when packets are dropped before approaching the processing code
the system sends a packet in a TCP connection; there is an of the local TCP.
indication that the receipt system has to store the sequence The source IP address is also can be spoofed to perform
number contained in this packet. the TCP SYN attack; this is more complicated than the direct
The characteristics of the TCP SYN flood attack are [21]: attack [22]. In such attack, the attacker changes firewall rules,
 A huge number of server connections are generated by the generates and send IP packets that have legal TCP and IP
attacker. headers. Furthermore, IP address spoofing techniques can be
 SYN sets up a RECEIVED state. Then the victim receives classified into various categories, depending on what spoofed
a request to form a connection that allocates memory to it. IP source address is used in the attack packet.
• The server leaves this half-open connection in the backlog queue and sends a reply packet to the client with the SYN and ACK flags after the server receives a request for connection, which is a packet with the SYN flag.
• The server sends the SYN ACK packet again until a timeout expires when it does not receive any reply from the client. It then removes this half-open connection from the backlog queue.
• The whole procedure of SYN requests may take about three minutes for operating systems.
• A TCP SYN flood attack produces a huge number of half-open connections that the server cannot handle; new requests cannot be received.
• Connections remain in the SYN RECEIVED status until the backlog queue becomes full.
• The operating system is able to serve only some of the half-open connections, depending on the size of the backlog. As an example, 2048 bytes is the default size of the backlog queue of Debian Squeeze. If it reaches this size, the server cannot receive any connection requests. Fig. 7 shows the TCP SYN Flood DoS attack network.

Fig. 7. TCP SYN Flood DoS Attack

If the malicious client quickly sends SYN packets without using the spoofing technique to spoof the IP source address, the attack is called a direct attack [22]. This attack can be implemented by simply sending many TCP connection requests. The operating system of the attacker must not reply to the SYN-ACKs, since RST, ICMP, or ACK messages would move the Transmission Control Block (TCB) out of the SYN-RECEIVED state. The attacker can avoid responding to the SYN-ACK packets by setting some firewall configurations by which the firewall can filter leaving packets.

The DDoS TCP SYN flood attack is very dangerous to the victim server because it raises the amount of traffic that is sent to the victim [21]. Tracing the distributed attack is a tough task, which is the major reason that makes the defense against a TCP SYN DDoS attack very hard. User Datagram Protocol (UDP) is a protocol in the transport layer, and the application layer uses this protocol widely, including DNS servers [23]. UDP is not like TCP; this protocol is connectionless and there is no guarantee that data reach their destination. Fig. 8 represents the UDP header.

Fig. 8. UDP Header

In UDP flood DoS attacks, the attacker uses UDP to perform this type of attack [18]. Using the UDP protocol to launch DoS attacks is not as simple as using the TCP protocol. However, the UDP flood attack is executed by sending many UDP packets to random ports of the victim [10]. Consequently, the target server will:
• Examine the application which listens at the port.
• If there is no application listening on that port, respond with an ICMP Destination Unreachable message.
Fig. 9 shows the UDP Flood Attack.

Fig. 9. UDP Flood Attack
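As an added example (not the paper's or any project's code), the following Python model of the backlog queue described above shows how a burst of spoofed SYNs that never complete the handshake leaves the queue full of half-open entries until a legitimate client's SYN is dropped, together with a simple check that flags that state; the backlog size, timeout, addresses and packet traces are constructed assumptions.

```python
# Added example, not the paper's code: a model of the SYN backlog queue.
# Sizes, timeouts and packet traces below are constructed assumptions.
from dataclasses import dataclass, field

BACKLOG_SIZE = 8      # assumption: tiny backlog so exhaustion shows in a short trace
SYN_TIMEOUT = 180.0   # seconds; the text says the SYN procedure takes about three minutes


@dataclass
class Backlog:
    """Half-open (SYN_RECEIVED) entries keyed by (src_ip, src_port) -> SYN arrival time."""
    size: int = BACKLOG_SIZE
    half_open: dict = field(default_factory=dict)
    established: int = 0
    dropped_syn: int = 0

    def expire(self, now: float) -> None:
        # The server stops retransmitting SYN-ACK after the timeout and frees the slot.
        for key in [k for k, t in self.half_open.items() if now - t >= SYN_TIMEOUT]:
            del self.half_open[key]

    def on_syn(self, key: tuple, now: float) -> bool:
        self.expire(now)
        if len(self.half_open) >= self.size:
            self.dropped_syn += 1        # backlog full: new connection requests are refused
            return False
        self.half_open[key] = now        # enter SYN_RECEIVED and answer with SYN-ACK
        return True

    def on_ack(self, key: tuple, now: float) -> bool:
        # Third handshake packet: the entry leaves the backlog and becomes established.
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established += 1
        return True


def replay(trace: list, backlog: Backlog) -> dict:
    """trace entries are (time, 'SYN' | 'ACK', src_ip, src_port); returns queue statistics."""
    for now, flag, ip, port in sorted(trace):
        if flag == "SYN":
            backlog.on_syn((ip, port), now)
        elif flag == "ACK":
            backlog.on_ack((ip, port), now)
    return {"half_open": len(backlog.half_open),
            "established": backlog.established,
            "dropped": backlog.dropped_syn}


def is_syn_flood(stats: dict, size: int = BACKLOG_SIZE) -> bool:
    """Detection heuristic: nearly all slots are half-open while new SYNs are being dropped."""
    return stats["half_open"] >= 0.9 * size and stats["dropped"] > 0


# Constructed traces: spoofed sources that never complete the handshake, then one
# legitimate client that does (its SYN arrives while the backlog is already full).
FLOOD = [(0.1 * i, "SYN", f"203.0.113.{i}", 40000 + i) for i in range(10)]
LEGIT = [(1.0, "SYN", "198.51.100.7", 51000), (1.05, "ACK", "198.51.100.7", 51000)]
```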

Hadeel S. Obaid and Esamaddin H. Abeed, "DoS and DDoS Attacks at OSI Layers," International Journal of Multidisciplinary Research and Publications (IJMRAP), Volume 2, Issue 8, pp. 1-9, 2020.
E. Denial of Service Attack at the Network Layer
Layer 3 of the OSI model is responsible for routing and switching data packets to various networks and LANs. It depends on the IP, ARP, RIP and ICMP protocols, relying on routers [10]. DoS attacks at the Network layer include injecting the victim's network with a large amount of traffic that it cannot handle. As a result, the victim network begins to respond slowly or drops some packets. The loss of some packets can cause a surge of retransmitted packets and extra traffic. Increasing the network traffic overloads the network, and it becomes inaccessible for legitimate users [15]. There are several attacks at the Network Layer:
1- Smurf Attack
Smurf Attack is an old DoS attack where the attacker sends an echo packet to a routing machine in the network, and the source of the data is concealed. By using a broadcast address, the request is sent to all machines over the network. All machines that receive the echo packet send a reply to the sender, which is the victim [6]. Smurfing relies on the Internet Control Message Protocol (ICMP) and the Internet Protocol. A network administrator uses the ICMP protocol for data exchange, checking the network status, and pinging devices to determine their operational state. The machines that are operative send back an echo packet as a response to ping requests. The Smurf program generates a network packet that seems to have originated from another address; this is called IP spoofing. The packet includes an ICMP ping message, which is sent to all IP addresses in the network by using an IP broadcast. Thus, the echo responses are sent to the IP address of the victim. Many ping requests and echo replies make the network unavailable for real traffic [12]. Fig. 10 shows the Smurf Attack. Smurf attack steps:
1- The attacker determines the IP address of the victim.
2- The attacker identifies the intermediate site that will help in amplifying the attack.
3- The attacker sends a huge amount of traffic to the broadcast address at specific intermediate sites.
4- Intermediate sites broadcast to all hosts in a subnet.
5- Hosts reply to the victim's address.

Fig. 10. Smurf Attack

2- ICMP Flood Attack
In an ICMP Flood, also called a Ping flood, the attacker sends an enormous number of ICMP Echo packets to the victim server in order to exhaust all existing bandwidth and prevent legitimate users [24]. The ping command is one example of this attack. The ping command is mainly used for testing the connectivity of the network by examining whether a device can send and receive messages over the network. Fig. 11 represents the ICMP Flood Attack.

Fig. 11. ICMP Flood Attack

F. Denial of Service Attack at the Data Link Layer
Layer 2 ensures that the data is effectively handed over to the physical layer [10]. The media access control (MAC) or link layer offers channel arbitration for neighbor-to-neighbor transmission. Cooperative systems, which depend on carrier sense and allow nodes to sense that other nodes are communicating, are particularly susceptible to DoS attacks. Attacks such as Collision, Unfairness and Exhaustion are based on attacking data frame detection, medium access control, multiplexing of data streams and error control [17]. There are well-known attacks at the Data Link Layer.
1- Unfairness Attack
Misusing a cooperative MAC layer priority scheme or sporadic application of those attacks can result in an Unfairness Attack, which is a weak form of DoS attack [26]. This menace may not completely block legitimate access to the channel; however, it can degrade service by making clients miss their deadlines in a real-time MAC protocol. One mechanism to prevent this menace is using small frames so that a node may access the channel only for a short time. But this technique can increase framing overhead if the network sends long messages. In addition, an attacker can defeat this defense by cheating while competing for access, for example by replying fast whilst others delay in a random way.
2- Collision Attack
A collision in one octet may be all that is needed to disrupt a transmission [26]. Any change in the data part may cause a mismatch in the checksum at the receiver end. In some MAC protocols, a distorted ACK control message can produce expensive exponential back-off. At any

layer, error-correcting codes offer a good method for tolerating varying levels of distortion in messages. These codes function best as countermeasures to probabilistic or environmental errors. For any encoding, attackers may distort more data than the system can correct, at a considerable cost to the system. Error-correcting codes themselves cause further communication and processing overhead. A network may employ collision detection to detect the attacking collisions, but this amounts to a link layer jamming process and no efficient defense is known. Proper communication still needs cooperation between machines, which are expected to avoid corrupting others' packets. Access may be denied through a subverted node, where less energy is expended than in full-time jamming.
3- Exhaustion Attack
A naive link layer implementation attempts to retransmit repeatedly, even when the retransmission was triggered by a late collision, such as a collision near the end of the frame [26]. An Exhaustion attack is an active DoS attack that can exhaust the battery resources of neighboring devices. The attack compromises availability at little expense to the attacker. The likelihood of unintended collisions can be reduced by random back-offs; however, they cannot help in stopping such an attack. Using a Time Division Multiplexing technique, each node is offered a slot to transmit without needing arbitration for each frame. The unbounded delay issue of a back-off algorithm could be resolved by using such a technique; however, it is still vulnerable to collisions. In an interrogation attack, a self-sacrificing node can take advantage of the cooperative nature of most protocols at the MAC layer. For instance, Request-to-Send, Data/Ack and Clear-to-Send messages are used by IEEE 802.11 MAC protocols to arbitrate data transmission and channel access. A node could repeatedly request access to the channel by sending RTS, obtaining a CTS reply from the targeted neighbor. The energy resources of both nodes can be consumed by continuous transmission. As a solution, MAC admission control can enforce a rate limit, so that additional requests are disregarded without sending costly radio transmissions. This limit should not be less than the expected maximum data rate that the network can support. Limiting the unnecessary replies that the protocol requires is an approach to prevent battery exhaustion attacks. Engineers often build this ability into the system for general efficiency; however, extra logic is needed to deal with possible attacks.

G. Denial of Service Attack at the Physical Layer
Jamming attacks are one of the most significant denial of service attacks [27]. Because wireless networks depend on radio channels, jamming attacks overlap with the transmission channels by transmitting semi-valid packets to interrupt the transmission between genuine nodes.
DoS attacks that target the network infrastructure have become more prevalent because of the increase in the number of wireless networks and the importance of such networks [28]. Wireless transmissions are always very sensitive to interference. As an example, Microsoft's Xbox is able to interfere with 802.11n networks because they both use the 2.4 GHz band. This interference can be performed using a jammer. Outside the United States, it is legal to use frequency jammers. For example, in France, frequency jammers are allowed to block cell phone communications in restaurants and theatres. In Italy, jammers are used to decrease the probability of academic dishonesty in exam rooms. In Mexico, jammers are used to maintain the sanctity of religious occasions. In distributed networks, miniature jammers are used for malicious and intentional disruption of wireless communication. Nowadays, tiny low-power jammers can be built using Nano Electro Mechanical Systems (NEMS) and Micro Electro Mechanical Systems (MEMS), which can be spread like "dust", forming a distributed jammer network. Such a jammer has a simple function in comparison to sensors (i.e., transmitting noise signals rather than filtering, complex modulation, or various other types of signal processing). In Iraq, in the second Gulf War, the United States used these techniques [25]. At the Physical layer, there are two types of DoS attacks [26]:
Jamming attack: a well-known attack on wireless communication. The attack frequencies interfere with the regular frequencies that the nodes of the network use. An attacker may disrupt the whole network with jamming nodes, placing the network nodes out of service.
Tampering attack: one cannot realistically expect to control access to many or hundreds of nodes that are spread over a wide area. These networks can be subject to true brute-force destruction. An attacker may replace or damage sensor and computation hardware; important information could be extracted. Cryptographic keys can be used to obtain unlimited access to higher levels of communication, where node destruction could become difficult to differentiate from fail-silent behaviour.

VI. CONCLUSION
Attackers attempt to launch DoS and DDoS attacks from different OSI model layers. They take advantage of the security issues involved in this model. Engineers did not consider security when they first developed the OSI model layers. DoS attacks at the Application layer are more complex and disruptive than DoS attacks at the other layers. HTTP GET and HTTP POST attacks are the most popular DoS attacks at the Application layer. They misuse HTTP GET and HTTP POST requests.
DoS attacks at the Presentation Layer include the misuse of the Secure Socket Layer (SSL) protocol, while DoS attacks at the Session Layer abuse log-on and log-off protocols, such as the Telnet DoS attack. DoS attacks at the Transport layer often involve misuse of the TCP and UDP protocols. Layer 4 DoS attacks can be classified into flooding attacks and de-synchronization attacks. The most common DoS and DDoS attacks at the Transport layer are TCP SYN flood and UDP flood attacks. TCP SYN flood uses the weaknesses in the TCP protocol, while UDP flood attacks use UDP to perform this type of attack, which is not as simple as using the TCP protocol. They can be executed by sending many UDP packets to random ports of the target victim. Network layer DoS attacks involve injecting the victim's network with a large

amount of traffic that it cannot handle. Smurf Attack, ICMP Flood and Ping of Death are the most common attacks at this layer. All these attacks are based on ICMP protocol weaknesses. The Data Link Layer includes attacks such as Collision, Unfairness and Exhaustion, which are based on attacking data frame detection, medium access control, multiplexing of data streams and error control.

REFERENCES
[1] Razak, T.A.: 'A study on IDS for preventing denial of service attack using outliers techniques', (IEEE, 2016), pp. 768-775.
[2] Luo, S., Wu, J., Li, J., and Pei, B.: 'A defense mechanism for distributed denial of service attack in software-defined networks', (IEEE, 2015), pp. 325-329.
[3] Loukas, G.: 'Defence against denial of service in self-aware networks', 2006.
[4] Durcekova, V., Schwartz, L., and Shahmehri, N.: 'Sophisticated denial of service attacks aimed at application layer', (IEEE, 2012), pp. 55-60.
[5] Koc, L., and Carswell, A.D.: 'Network intrusion detection using a HNB binary classifier', (IEEE, 2015), pp. 81-85.
[6] Barki, L., Shidling, A., Meti, N., Narayan, D., and Mulla, M.M.: 'Detection of distributed denial of service attacks in software defined networks', (IEEE, 2016), pp. 2576-2581.
[7] Katkar, V.D., and Bhatia, D.S.: 'Experiments on detection of Denial of Service attacks using REPTree', (IEEE, 2013), pp. 713-718.
[8] Tan, Z., Jamdagni, A., He, X., Nanda, P., and Liu, R.P.: 'A system for denial-of-service attack detection based on multivariate correlation analysis', IEEE Transactions on Parallel and Distributed Systems, 2013, 25, (2), pp. 447-456.
[9] Abliz, M.: 'Internet denial of service attacks and defense mechanisms', University of Pittsburgh, Department of Computer Science, Technical Report, 2011, pp. 1-50.
[10] Muharish, E.Y.M.: 'Packet filter approach to detect denial of service attacks', 2016.
[11] Kumar, G.: 'Understanding denial of service (DoS) attacks using OSI reference model', International Journal of Education and Science Research, 2014, 1, (5).
[12] Sandeep, R.: 'A study of DoS & DDoS-smurf attack and preventive measures', International Journal of Computer Science and Information Technology Research, 2014, 2, pp. 1-6.
[13] Panicker, A.: 'Botnets and Distributed Denial of Service Attacks', 2008.
[14] Kumar, S., Dalal, S., and Dixit, V.: 'The OSI model: Overview on the seven layers of computer networks', International Journal of Computer Science and Information Technology Research, 2014, 2, (3), pp. 461-466.
[15] Kumar, G.: 'Denial of service attacks – an updated perspective', Systems Science & Control Engineering, 2016, 4, (1), pp. 285-294.
[16] Tripathi, N., Hubballi, N., and Singh, Y.: 'How secure are web servers? An empirical study of slow HTTP DoS attacks and detection', (IEEE, 2016), pp. 454-463.
[17] Xia, Y.: 'Selective Dropping of Rate Limiting Against Denial of Service Attacks', University of Dayton, 2016.
[18] Shah, M., Soni, V., Shah, H., and Desai, M.: 'TCP/IP network protocols – security threats, flaws and defense methods', (IEEE, 2016), pp. 2693-2699.
[19] Maregeli, C.N.: 'A study on TCP-SYN attacks and their effects on a network infrastructure', 2010.
[20] Rana, D.S., Garg, N., and Chamoli, S.K.: 'A Study and Detection of TCP SYN Flood Attacks with IP spoofing and its Mitigations', International Journal of Computer Technology and Applications, 2012, 3, (4), pp. 1476-1480.
[21] Bogdanoski, M., Toshevski, A., Bogatinov, D., and Bogdanoski, M.: 'A novel approach for mitigating the effects of the TCP SYN flood DDoS attacks', World Journal of Modelling and Simulation, 2016, 12, (3), pp. 217-230.
[22] Bogdanoski, M., Suminoski, T., and Risteski, A.: 'Analysis of the SYN flood DoS attack', International Journal of Computer Network and Information Security (IJCNIS), 2013, 5, (8), pp. 1-11.
[23] Saied, A.: 'Distributed denial of service (DDoS) attack detection and mitigation', King's College London, 2015.
[24] Gupta, N., Jain, A., Saini, P., and Gupta, V.: 'DDoS attack algorithm using ICMP flood', (IEEE, 2016), pp. 4082-4084.
[25] Shaker, K.: 'Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques', American International University-Bangladesh (AIUB), 2014.
[26] Wood, A.D., and Stankovic, J.A.: 'Denial of service in sensor networks', Computer, 2002, 35, (10), pp. 54-62.
[27] Bandaru, S.: 'Investigating the Effect of Jamming Attacks on Wireless LANS', International Journal of Computer Applications, 2014, 99, (14), pp. 5-9.
[28] Akhter, S., Myers, J., Bowen, C., Ferzetti, S., Belko, P., and Hnatyshin, V.: 'Modeling DDoS Attacks with IP Spoofing and Hop-Count Defense Measure Using OPNET Modeler', 2013.
[29] Sabry, S.S., Qarabash, N.A., and Obaid, H.S.: 'The Road to the Internet of Things: a Survey', (IEEE, 2019), pp. 290-296.
[30] Anirudh, M., Thileeban, S.A., and Nallathambi, D.J.: 'Use of honeypots for mitigating DoS attacks targeted on IoT networks', pp. 1-4.
[31] Obaid, H.S., Dheyab, S.A., and Sabry, S.S.: 'The Impact of Data Pre-Processing Techniques and Dimensionality Reduction on the Accuracy of Machine Learning', (IEEE, 2019), pp. 279-283.
