2.1.5 DoS Attacks on TCP/IP

The sheer number of DoS attacks makes the study of this topic challenging. However, the OSI reference model can help sort it out. The OSI reference model details each stage of the process required to connect a computer to the network. Developers and manufacturers use the OSI model as a common denominator to improve network communications.

The Internet is based on the Transmission Control Protocol/Internet Protocol, better known as TCP/IP. TCP/IP has four layers that can be mapped to the OSI reference model. The various types of DoS attacks can be mapped to the layers of the TCP/IP model to illustrate the effect.


DoS attacks exist for every part of the OSI protocol stack.
  1. Application Layer Attacks (TCP/IP Layer 4/OSI Layers 5 -7)
    A DoS attack against the Application layer is accomplished by making large amounts of legitimate requests to a service, such as a Web server, to the point that the server gets swamped and is unable to process further requests. Unlike many attacks, it is not necessary to break the server. Keeping it extremely busy is enough to prevent other users from having access to it.
  2. Transport Layer Attacks (TCP/IP Layer 3/OSI Layer 4)
    The TCP/IP protocol uses a system of requests and acknowledgments to handle exchanges. Requests from a client are followed by acknowledgements (ACK) from the server, and this exchange should be followed by a transaction of some kind. During the interval that the requests and acknowledgements are traveling over the network, the Transport layer tracks them, holding the connections open until the appropriate response is received. This creates an opening for what is called a SYN attack. In this attack, SYN packets, which kick off an exchange, are thrown at the server in such numbers that the memory requirements are overwhelmed. Until the bogus requests time out, the receiving device is unavailable.
  3. Network Layer Attacks (TCP/IP Layer 2/OSI Layer 3)
    To create a Network layer DoS attack, most attackers pound a target network with more data than it can handle. Falling behind, the target network begins to slow and drop packets, which may or may not cause a flood of retransmission requests. Bandwidth is soaked up, and the network becomes unusable for all users. An example would be a ping flood, in which so much ICMP traffic floods in that it plugs the WAN lines connecting the network to the outside world, denying all services.
  4. Data-Link Attacks (TCP/IP Layer 1/OSI Layer 2)
    Data-link layer DoS attacks are launched to interfere with hosts as they access the local network. Similar to a chatty NIC, the non-switched segment is flooded by repeated frame headers that do not have any payload. These headers are retransmitted to other hosts and quickly use up all the network bandwidth.
  5. Physical Layer Attacks (TCP/IP Layer 1/OSI Layer 1)
    To deny service at the physical layer means the attacker physically breaks something. Pulling a patch cord, turning off or stealing a piece of network equipment, inducing “backhoe fade” (destruction of cabling from heavy machinery), transmitting a wireless jamming signal, or doing anything that physically stops the flow of network signals is a physical DoS attack.