Understanding the Network Stack
When data travels across the internet, it passes through multiple layers of protocols. Each layer has a specific job — from the physical cables carrying electrical signals to the application logic rendering a web page. Understanding these layers helps you make sense of concepts like Layer 4 firewalls, Layer 7 DDoS protection, and why TCP behaves differently from UDP.
The OSI Model in Practice
The OSI (Open Systems Interconnection) model describes seven layers of network communication. In practice, you mostly deal with layers 3, 4, and 7:
| Layer | Name | What it does | Examples |
|---|---|---|---|
| 7 | Application | The protocol your software speaks | HTTP, HTTPS, DNS, SMTP, SSH |
| 6 | Presentation | Data encoding, encryption | TLS/SSL, compression |
| 5 | Session | Connection management | Session establishment |
| 4 | Transport | Reliable or fast delivery between endpoints | TCP, UDP |
| 3 | Network | Routing packets between networks | IP (IPv4, IPv6), ICMP |
| 2 | Data Link | Communication within a local network | Ethernet, Wi-Fi (MAC addresses) |
| 1 | Physical | Raw data transmission over cables or wireless | Electrical signals, fiber optics |
Layers 1 through 3 are handled by your hosting infrastructure. As a server administrator, you primarily interact with layers 4 and 7.
Layer 4: Transport
The transport layer is responsible for getting data between two endpoints reliably (or quickly). The two main protocols are TCP and UDP.
TCP (Transmission Control Protocol)
TCP is a connection-oriented protocol. Before data flows, the two sides perform a three-way handshake to establish a connection:
- SYN — the client sends a synchronization request
- SYN-ACK — the server acknowledges and sends its own SYN
- ACK — the client confirms, and the connection is open
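To make the three segments concrete, here is an added example (not code from the original page or from Sitequest) that builds and parses the fixed 20-byte TCP header with Python's `struct` module and walks the handshake, reporting a half-open connection when the final ACK never arrives. The port numbers, sequence numbers and the `c2s`/`s2c` direction labels are constructed for the example.

```python
import struct

# TCP flag bits (low bits of the 16-bit data-offset/flags field in the header).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header with no options; checksum and urgent pointer left 0."""
    data_offset = 5 << 12                      # header length = 5 x 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset | flags, window, 0, 0)

def parse_tcp_header(segment):
    """Read the fields a Layer 4 device looks at: ports, seq/ack numbers and flags."""
    src, dst, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "header_len": (off_flags >> 12) * 4}

def handshake_state(segments):
    """Walk (direction, segment) pairs ('c2s' or 's2c') and report the connection state:
    'none', 'syn-sent', 'half-open' (server answered, client never ACKed) or 'established'."""
    state, client_isn, server_isn = "none", None, None
    for direction, seg in segments:
        h = parse_tcp_header(seg)
        if state == "none" and direction == "c2s" and h["flags"] == SYN:
            client_isn, state = h["seq"], "syn-sent"
        elif (state == "syn-sent" and direction == "s2c"
              and h["flags"] == SYN | ACK and h["ack"] == client_isn + 1):
            server_isn, state = h["seq"], "half-open"
        elif (state == "half-open" and direction == "c2s"
              and h["flags"] == ACK and h["ack"] == server_isn + 1):
            state = "established"
    return state

def example_handshake():
    """Constructed exchange: client port 51000 to server port 443 (HTTPS)."""
    return [
        ("c2s", build_tcp_header(51000, 443, 1000, 0, SYN)),          # SYN
        ("s2c", build_tcp_header(443, 51000, 5000, 1001, SYN | ACK)), # SYN-ACK
        ("c2s", build_tcp_header(51000, 443, 1001, 5001, ACK)),       # ACK
    ]

if __name__ == "__main__":
    full = example_handshake()
    print(handshake_state(full))      # established
    print(handshake_state(full[:2]))  # half-open: the state a SYN flood leaves many connections in
```

Counting half-open connections per source from headers alone is exactly the kind of check a Layer 4 defence can make without understanding the application protocol.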
TCP guarantees:
- Ordered delivery — packets arrive in the correct sequence
- Reliability — lost packets are retransmitted automatically
- Flow control — the sender adjusts speed to avoid overwhelming the receiver
- Error checking — corrupted packets are detected and retransmitted
Most internet traffic uses TCP: web browsing (HTTP/HTTPS), email (SMTP, IMAP), file transfers (FTP, SFTP), SSH, and database connections.
UDP (User Datagram Protocol)
UDP is a connectionless protocol. There is no handshake — the sender simply transmits packets (datagrams) without waiting for acknowledgment.
UDP provides:
- Speed — no handshake overhead, lower latency
- Simplicity — minimal protocol headers
UDP does not guarantee:
- Delivery (packets can be lost)
- Order (packets may arrive out of sequence)
- Duplicate detection
UDP is used where speed matters more than reliability: DNS queries, video streaming, online gaming, VoIP, and VPN tunnels (WireGuard, OpenVPN).
When to Care
If you are configuring a firewall, you need to specify whether a rule applies to TCP, UDP, or both. For example:
- SSH uses TCP port 22
- HTTP uses TCP port 80
- HTTPS uses TCP port 443
- DNS uses UDP (and sometimes TCP) port 53
- WireGuard VPN uses UDP port 51820
Layer 7: Application
The application layer is where protocols define the structure and meaning of the data being exchanged. When you open a website, your browser speaks HTTP (or HTTPS) to the web server. When you send email, your mail client speaks SMTP.
Why Layer 7 Matters for Security
Layer 7 attacks target the application itself rather than the network infrastructure. A Layer 7 DDoS attack might:
- Send millions of legitimate-looking HTTP requests to overwhelm a web server
- Target expensive API endpoints that consume significant server resources
- Exploit slow HTTP connections (Slowloris) to exhaust connection pools
These attacks are harder to detect because each individual request looks normal. Mitigation requires inspecting the content and behavior of requests, not just counting packets.
Layer 4 attacks, by contrast, flood the network with raw traffic (SYN floods, UDP floods, amplification attacks). They are blocked by examining packet headers without needing to understand the application protocol.
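The following added example (not code from the original page or from Sitequest) shows why Layer 7 inspection has to look at request behaviour rather than packet counts: it parses constructed access-log lines and flags a client either for a burst of requests inside a sliding window or for concentrating on costly endpoints. The endpoint names, thresholds and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
# Endpoints the application treats as costly (constructed names for this example).
EXPENSIVE = {"/api/search", "/api/export"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_clients(lines, window_s=10, max_requests=20, max_expensive=5):
    """Return {ip: reason}. No single request is malformed; only the pattern across
    requests (rate in a sliding window, or concentration on costly endpoints) is flagged."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(reqs):
            while (rec["ts"] - reqs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                flagged[ip] = f"{end - start + 1} requests within {window_s}s"
                break
        expensive = sum(r["path"] in EXPENSIVE for r in reqs)
        if ip not in flagged and expensive > max_expensive:
            flagged[ip] = f"{expensive} requests to expensive endpoints"
    return flagged

def sample_log():
    """Constructed access-log lines: a burst client, an expensive-endpoint client, a normal one."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, secs, path):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = [line("198.51.100.7", i * 0.2, "/index.html") for i in range(25)]
    lines += [line("203.0.113.9", i * 10, "/api/export") for i in range(6)]
    lines += [line("192.0.2.3", i * 3, "/about") for i in range(3)]
    return lines
```

Running `flag_clients(sample_log())` flags the first two clients and leaves the third alone; a Layer 4 filter that only counts packets per port would see nothing unusual in any of them.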
For more on how these protections work on Sitequest, see DDoS Protection.
How Layers Relate to Sitequest Features
| Feature | Layer | What it does |
|---|---|---|
| Firewall | 4 | Filters traffic by port, protocol (TCP/UDP), and source IP |
| DDoS Protection — L4 | 3–4 | Blocks volumetric and protocol-level floods |
| DDoS Protection — L7 | 7 | Inspects HTTP requests to filter application-layer attacks |
| SSH / VNC | 7 | Application protocols for server access |
| Monitoring | 3–4 | Measures ICMP ping (L3) and TCP port reachability (L4) |
Ports
A port is a number (0 to 65535) that identifies a specific service running on a server. While an IP address identifies the machine, the port identifies which program should handle the incoming data.
Well-known ports:
| Port | Protocol | Service |
|---|---|---|
| 22 | TCP | SSH |
| 53 | UDP/TCP | DNS |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 25 | TCP | SMTP (email sending) |
| 3306 | TCP | MySQL |
| 5432 | TCP | PostgreSQL |
When you add a firewall rule, you specify which port (or port range) to allow or block, and whether it applies to TCP or UDP traffic.
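As an added example (not code from the original page or from Sitequest's firewall), the following Python evaluates a small inbound rule set of the shape described above and in the Layer 4 section: each rule names a protocol, a port or port range, and a source network, and the first match decides. The rule set, default policy and packet tuples are constructed for the example.

```python
import ipaddress

# Constructed inbound rule set modelled on the page's port list. A rule is
# (action, protocol, port or (low, high) range, allowed source network); first match wins.
RULES = [
    ("allow", "tcp", 22, "203.0.113.0/24"),            # SSH only from the admin network
    ("allow", "tcp", 80, "0.0.0.0/0"),                 # HTTP
    ("allow", "tcp", 443, "0.0.0.0/0"),                # HTTPS
    ("allow", "udp", 53, "0.0.0.0/0"),                 # DNS
    ("allow", "tcp", 53, "0.0.0.0/0"),                 # DNS over TCP
    ("allow", "udp", 51820, "0.0.0.0/0"),              # WireGuard
    ("allow", "tcp", (60000, 60100), "192.0.2.0/24"),  # an internal-only port range
]
DEFAULT_POLICY = "deny"   # anything not explicitly allowed is dropped

def port_matches(rule_port, dst_port):
    if isinstance(rule_port, tuple):
        low, high = rule_port
        return low <= dst_port <= high
    return rule_port == dst_port

def evaluate(proto, dst_port, src_ip, rules=RULES, default=DEFAULT_POLICY):
    """Layer 4 decision: only protocol, destination port and source IP are consulted.
    Returns (action, matched_rule) or (default, None) when nothing matches."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        action, r_proto, r_port, r_net = rule
        if r_proto != proto or not port_matches(r_port, dst_port):
            continue
        if src not in ipaddress.ip_network(r_net, strict=False):
            continue
        return action, rule
    return default, None

if __name__ == "__main__":
    # Constructed packets: (protocol, destination port, source IP)
    for pkt in [("tcp", 443, "198.51.100.9"), ("tcp", 22, "198.51.100.9"),
                ("tcp", 22, "203.0.113.5"), ("udp", 53, "198.51.100.9"),
                ("tcp", 3306, "198.51.100.9"), ("tcp", 60050, "192.0.2.10")]:
        print(pkt, "->", evaluate(*pkt)[0])
```

Note that the HTTPS packet is allowed regardless of what the request inside it contains; that is the gap Layer 7 protection fills.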
Putting It Together
When you type https://example.com in your browser:
1. DNS (L7 over UDP/L4) — your device resolves `example.com` to an IP address
2. IP routing (L3) — packets are routed across the internet to the server's IP
3. TCP handshake (L4) — your browser establishes a reliable connection on port 443
4. TLS handshake (L6) — encryption is negotiated for HTTPS
5. HTTP request (L7) — your browser sends `GET /` and the server responds with HTML
If the server has a firewall, the TCP connection at step 3 is only allowed because port 443 is open. If Layer 7 DDoS protection is active, the HTTP request at step 5 is inspected before being forwarded to the application.
Next Steps
- Configure your firewall to control which ports are open
- Set up DDoS protection at Layer 4 and Layer 7
- Learn what an IP address is for a primer on IPv4, IPv6, and CIDR