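Layer 7 is the layer of the OSI Model that sits just beneath the user interface and on top of the model's other 6 layers. At this layer, data is presented in a form that user-facing applications can use. DDoS attacks often take place at layer 7.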
Layer 7 refers to the top layer in the 7-layer OSI Model of the Internet. It is also known as the "application layer." It is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. The HTTP requests and responses used to load webpages, for example, are layer 7 events.
DDoS attacks that take place at this level are known as layer 7 attacks or application layer attacks. DDoS attacks can also take place at layers 3 or 4 of the OSI Model.
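The OSI (Open Systems Interconnection) Model divides the functions of a networking system into 7 layers, each abstracted from the layer below it. In this model, each layer interacts only with the layers directly above and below it.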
It is worth keeping in mind that the OSI Model is purely theoretical, and it is designed to help describe what takes place in networking communications, not to describe the actual technology involved. Just because the OSI Model is only a conceptual framework does not mean it is not useful; referencing the model helps engineers, developers, and IT professionals pinpoint what a product or protocol does and where it belongs in the process of network communication.
At the bottom of the model is the physical layer (layer 1), or the pulses of electricity that communicate bits of information across the cables, routers, switches, and WiFi networks making up Internet infrastructure. At the top, in layer 7, are the protocols and services applications use in order to function. In between are various functionalities and protocols that data passes through over the course of network communications.
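For a more detailed breakdown of what each layer does, see "What is the OSI Model?"
Although layer 7 is known as the application layer, it is not the user interface of the applications themselves. Rather, layer 7 provides the functionalities and services that user-facing software applications use to present data. If an application is a house, then layer 7 is the foundation, not the house itself.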
API calls and responses belong to this layer, and some of the main protocols used are HTTP and SMTP (Simple Mail Transfer Protocol, which email applications use).
Data from layer 7 gets passed down the stack, although layer 7 only interacts with layer 6. As data goes down through the stack, it is broken up into packets, and certain layers add headers and footers to each packet – for example, at layer 3, an IP header containing the destination and source IP addresses is added to each packet. At the bottom of the stack, data is converted into bits and transmitted across the physical Internet.
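Once the data reaches its destination, it travels back up the stack, starting at layer 1. At each layer, the header and footer data is interpreted and stripped off, and the data is put into a format the next layer can use. When the data reaches layer 7 on the other end, it is available to the application. (Despite all these steps, the whole process takes only a few milliseconds.)
Key to understanding how the OSI Model works is that each layer communicates only with the same layer on the other end of the interaction. Layer 7 data is interpreted only by layer 7 on the receiving end; the other layers on the receiving end simply pass the data up to layer 7. Similarly, the IP header data attached to packets at layer 3 on one end is read and interpreted only by layer 3 on the other end.
Layer 7 or application layer DDoS attacks attempt to overwhelm network or server resources with a flood of traffic (typically HTTP traffic). An example would be sending thousands of requests per second for a certain webpage until the server is overwhelmed and cannot respond to all of the requests. Another example would be calling an API over and over until the service crashes.
For more information, see "Application layer DDoS attacks."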
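From the defender's side, the request-flood pattern described above shows up in web server logs as one client hitting one path far faster than normal users do. The following detector is an added example, not code from the original article or from Cloudflare; it assumes Common Log Format access logs in timestamp order per client, and the threshold, window, and sample log lines (documentation-range IP addresses) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: client IP, timestamp, request line (assumed format).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, path), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), TS_FORMAT)
    except ValueError:
        return None
    return m.group(1), ts, m.group(4)


def find_floods(lines, window_seconds=1, max_requests=20):
    """Map (client, path) to its peak in-window count when above max_requests."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole scan
        ip, ts, path = parsed
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] >= window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: one client every 10 s, one sending 50 requests in 1 s."""
    fmt = '{} - - [01/Jan/2024:12:00:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
    lines = [fmt.format("198.51.100.7", i * 10, "/index.html") for i in range(6)]
    lines += [fmt.format("203.0.113.9", 30, "/api/search") for _ in range(50)]
    lines.append("not a log line")
    return lines
```

Per-client counting like this only catches floods from a small number of sources; traffic spread across many clients needs aggregate signals such as total requests per path.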
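The TCP/IP model is an alternative conceptual model of networking to the OSI Model. It divides the network stack into four layers instead of seven, and although it is similar to the OSI Model, the two do not match up exactly. The TCP/IP model has no "layer 7," but this is purely a semantic difference and does not mean the two models describe different networking functions.
The four layers in the TCP/IP model are: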
Cloudflare DDoS protection is built to protect against DDoS attacks no matter which OSI layer they target. By intelligently filtering and distributing network traffic across 310 data centers worldwide, the Cloudflare network is able to absorb massive amounts of layer 7 traffic. The Cloudflare network is shielded from these attacks when following Cloudflare best practices.