The network layer of the Open Systems Interconnection (OSI) model provides the routing paths over which data travels through a network. Designing the network layer, network-based applications and network layer protocols is challenging because of their exposure to security attacks. This paper looks at the general security vulnerabilities that exist in the network or are enabled through the network layer, discusses the impact of a few of the major vulnerabilities, and describes the mitigation techniques that could be deployed against them.
The network layer is the third layer of the Open Systems Interconnection (OSI) model, the conceptual networking framework that defines the communication functions of a computing system independently of the internal makeup of that system. The goal of the OSI model is to provide a reference model so that diverse telecommunication systems can interoperate using standard protocols. The model is a vertical stack of seven layers, and each layer serves the layer above it. Figure 1 shows the OSI model layers. At the transmitter, control passes from the application layer down to the bottom layer; at the receiving end the process runs the other way round, as shown in Figure 2.
Figure 1: OSI model
Figure 2: Communication in the OSI model
The network layer, being the third layer, provides the routing paths for communication in the network. Data is transmitted along logical paths or virtual circuits from node to node in the form of packets (datagrams). The major functions of the network layer are routing and forwarding. It also covers addressing, error handling and congestion control, and it is realised by devices such as routers and network-boundary firewalls (bridges, often listed alongside them, actually forward frames at the data link layer). The best available route is looked up in the routing table and the packet is forwarded over the physical medium toward the next hop. Every node in the network has an address, and a transfer is possible as long as the address of the destination node is known, the packet being routed through intermediate nodes. The data being transferred can be split into fragments at a node and each fragment sent independently; the fragments are then reassembled at the final receiving machine.
NETWORK LAYER PROTOCOL:
The network layer consists of routers, which decide the route of each packet based on the information carried in the network layer header. Routers understand the network layer protocol, the Internet Protocol (IP), and use the destination address in that header to make forwarding decisions from one logical network to another.
NETWORK LAYER VULNERABILITIES:
Network vulnerabilities are defined as weaknesses in a network that could be exploited by a threat. The common network layer vulnerabilities are route spoofing, which is the propagation of a false network topology; IP address spoofing, which is the use of a false source address on malicious packets; and identity and resource ID vulnerabilities. Network attacks are commonly classified according to a taxonomy: header based, protocol based, authentication based and traffic based. Header fields such as the length, flags, identification, protocol and source IP address are the ones worth attacking, since invalid data in the other fields simply causes the packet to be rejected. Header based attacks are potentially harmful because IP packets can be created by any device on the Internet. The two major types of header based attacks target the end fields and the transit fields, the latter being the fields examined by routers. Transit field attacks most often just cause the packets to be dropped by the routers. The ping of death is a common end field attack in which a malformed packet causes a system crash. Such attacks can be mitigated with firewalls and other detection methods. Protocol based attacks on IP and ICMP cause misrouting of packets. A common protocol based reconnaissance technique is the traceroute program, which uses the IP time-to-live field and ICMP error messages to discover the route to a target machine. ARP cache poisoning (ARP maps IP addresses to link layer addresses) lets the attacker intercept all the traffic from the victim as long as the attacker is on the same local network as the victim. Traffic based attacks are sniffing based attacks, and these are more harmful. IP layer sniffing is used to carry out attacks, especially in coffee shops with free wireless Internet access.
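The ARP cache poisoning case mentioned above can be detected passively by watching the address bindings that ARP replies announce. The following is an added example and not code from this paper: it records which link layer (MAC) address has announced each IP address and raises an alert when an IP address is re-announced from a different MAC, or when one MAC claims more IP addresses than expected. The ARP replies are constructed, and the function names and the `max_ips_per_mac` threshold are assumptions.

```python
"""Passive detection of ARP cache poisoning from observed ARP replies.

Added example (not from the paper). It watches the IP -> link-layer
address bindings that ARP replies announce and flags two symptoms of
poisoning: an IP address re-announced from a different MAC, and one MAC
claiming more IP addresses than expected.
"""
from collections import defaultdict

# Constructed sample of (sender_ip, sender_mac) pairs taken from ARP replies,
# in the order they were seen on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "02:00:00:00:00:01"),   # gateway announces itself
    ("192.0.2.10", "02:00:00:00:00:0a"),  # ordinary host
    ("192.0.2.1", "02:00:00:00:00:01"),   # gateway again, consistent
    ("192.0.2.1", "02:00:00:00:00:0a"),   # host .10 now claims the gateway's IP
    ("192.0.2.20", "02:00:00:00:00:0a"),  # ...and another host's IP as well
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return a list of alerts for the given sequence of ARP replies.

    max_ips_per_mac is an assumed threshold; raise it on networks where a
    host legitimately holds several addresses.
    """
    ip_to_mac = {}                 # last MAC seen announcing each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has announced
    flagged_macs = set()           # report the many-IPs condition once per MAC
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-remapped", ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(("mac-claims-many", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

A remap alert can also be legitimate (a host whose network card was replaced, or a gateway address moving between the members of a failover pair), so in practice it is correlated with other evidence rather than acted on alone.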
IP ADDRESS SPOOFING:
IP address spoofing is one of the most frequently used network layer attack methods. IP packets are created with a false source IP address to disguise the identity of the sender (the attacker) and to make them appear to have been sent from another address. Attackers use it in Man in the Middle (MitM), Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks to keep their anonymity and cause chaos on the Internet. It can lead to denial of service for networks and devices when they are overloaded with packets that appear to originate from legitimate source IP addresses. The victim can be overloaded either by packets from multiple attackers, or by the attacker spoofing the victim's IP address in packets sent to other devices on the network, which then reply to the victim. The victim is thus flooded with responses from devices that received packets carrying the victim's spoofed address. Since IP address spoofing defeats the assumption that the source address identifies the sender, it is mapped to the authentication based class of attacks.
The most common mitigation against IP spoofing attacks is to make sure that firewalls and routers are configured correctly and can restrict the traffic they accept from the Internet. This is done by packet filtering. Ingress filtering blocks packets arriving from outside the network that carry a source address belonging to the inside of the network, so an internal machine cannot be impersonated by an external attacker. Egress filtering is applied to outgoing packets in the same way: packets leaving the network with a source address that does not belong to the network are blocked, so an internal attacker cannot spoof toward external machines either. A second preventive mechanism is to implement authentication and encryption, which reduces the likelihood of the threat. It is also good practice to design network protocols so that they do not rely on the IP source address for authentication.
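The two filtering rules just described, written out as a decision function for a border router, as an added example that is not part of the original paper. The internal prefix `198.51.100.0/24`, the sample packets and the function names are constructed for illustration; the same two rules are what RFC 2827 (BCP 38) network ingress filtering prescribes.

```python
"""Ingress/egress source-address filtering against IP spoofing.

Added example (not from the paper) of the packet-filtering mitigation
described above. The border router's internal prefix and the sample packets
are constructed for illustration.
"""
import ipaddress

# Constructed: the address block this border router regards as "inside".
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")


def filter_packet(direction, src, internal=INTERNAL_NET):
    """Decide accept/drop for one packet seen at the border.

    direction is "ingress" (arriving from the Internet) or "egress"
    (leaving toward the Internet). Returns (verdict, reason).
    """
    src_inside = ipaddress.ip_address(src) in internal
    if direction == "ingress":
        # Ingress rule: a packet arriving from outside must not claim an
        # inside source address, so external attackers cannot impersonate
        # internal hosts.
        if src_inside:
            return "drop", "ingress packet with internal source address"
        return "accept", "ingress ok"
    if direction == "egress":
        # Egress rule: a packet leaving must carry one of our own addresses,
        # so an internal attacker cannot spoof toward external machines.
        if not src_inside:
            return "drop", "egress packet with non-internal source address"
        return "accept", "egress ok"
    raise ValueError("direction must be 'ingress' or 'egress'")


# Constructed sample packets: (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.5"),    # normal inbound traffic
    ("ingress", "198.51.100.10"),  # outsider spoofing an inside host
    ("egress", "198.51.100.10"),   # normal outbound traffic
    ("egress", "203.0.113.99"),    # insider spoofing an outside address
]


def apply_filter(packets=SAMPLE_PACKETS, internal=INTERNAL_NET):
    """Return the verdict for each packet, in order."""
    return [filter_packet(direction, src, internal)[0] for direction, src in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_filter()):
        print(pkt, "->", verdict)
```

On a multi-homed or transit network "inside" becomes the set of prefixes the router legitimately originates, and the egress rule is applied per customer interface; the logic is otherwise unchanged.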
PING OF DEATH:
The ping of death is a type of denial of service attack in which the attacker sends a malformed ping to another computer in order to crash or freeze it. These attacks exploit a weakness that has since been patched in most target systems. The maximum size of an IP packet, including pings, is 65,535 bytes. A packet larger than that violates the IP specification; a receiving computer cannot handle it and would ultimately crash. Attackers therefore bypass this rule of TCP/IP by sending the packet in fragments: every fragment is individually valid, but when the fragments are reassembled at the receiving end the overall size exceeds the maximum, the reassembly buffer overflows and the device crashes. Ping attacks are especially effective because the identity of the attacker can be concealed. Also, the ping of death does not require detailed knowledge of the machine under attack beyond its IP address. It should be noted that the vulnerability, although known through the ping of death, can be triggered with any IP packet, whether it carries ICMP echo, TCP, UDP or IPX. Since the ping of death attacks the end fields of the header in order to crash the system, it is mapped to the header based class of attacks.
The methods that could be used to mitigate the ping of death are to block ICMP ping messages at the firewall, which is not viable in the long term, or simply to upgrade the devices, since most systems released after 1998 are immune to this kind of attack.
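The header based attack surface and the ping of death condition can both be made concrete with a small amount of code. The following is an added example, not code from this paper: it builds IPv4 datagrams in memory, validates the header fields and checksum the way a router does (a tampered header is rejected), and then tracks fragments per datagram so that a set of individually valid fragments whose offset plus length would exceed what fits in a 65,535-byte datagram is flagged. The addresses, identification values and function names are constructed for illustration.

```python
"""IPv4 header validation and oversize-reassembly (Ping of Death) detection.
Added example, not code from the paper; datagrams are built in memory with
struct and nothing is sent on a network."""
import struct

IPV4_HEADER_LEN = 20                      # header without options
MAX_REASSEMBLED_DATA = 65535 - IPV4_HEADER_LEN   # 65515 data bytes fit a datagram
MF_FLAG = 0x1                             # "more fragments" bit
FRAG_UNIT = 8                             # fragment offset counts 8-byte units
HEADER_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src, dst, payload_len, ident, frag_offset=0,
                   more_fragments=False, proto=1, ttl=64):
    """Construct an IPv4 datagram: 20-byte header plus a zero-filled payload."""
    flags_frag = ((MF_FLAG if more_fragments else 0) << 13) | (frag_offset // FRAG_UNIT)
    header = struct.pack(HEADER_FMT, (4 << 4) | 5, 0, IPV4_HEADER_LEN + payload_len,
                         ident, flags_frag, ttl, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + b"\x00" * payload_len


def parse_ipv4(pkt):
    """Parse a header, rejecting the malformed cases a router checks for."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HEADER_FMT, pkt[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if ihl < IPV4_HEADER_LEN or total_len < ihl or total_len > len(pkt):
        raise ValueError("inconsistent length fields")
    if ipv4_checksum(pkt[:ihl]) != 0:     # an intact header sums to zero
        raise ValueError("header checksum mismatch")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ident": ident, "proto": proto, "ttl": ttl,
            "more_fragments": bool((flags_frag >> 13) & MF_FLAG),
            "frag_offset": (flags_frag & 0x1FFF) * FRAG_UNIT,
            "payload_len": total_len - ihl}


def header_is_valid(pkt):
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


def check_reassembly(packets, limit=MAX_REASSEMBLED_DATA):
    """Return (src, dst, ident, proto) keys whose fragments would reassemble to
    more than `limit` data bytes: the Ping of Death condition. Every fragment
    is valid on its own; only offset + length exposes the overflow."""
    furthest_byte = {}
    oversize = set()
    for pkt in packets:
        h = parse_ipv4(pkt)
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        end = h["frag_offset"] + h["payload_len"]
        furthest_byte[key] = max(furthest_byte.get(key, 0), end)
        if furthest_byte[key] > limit:
            oversize.add(key)
    return oversize


def sample_traffic():
    """Constructed: one benign fragmented datagram, then a Ping of Death set."""
    benign = [
        build_datagram("203.0.113.7", "198.51.100.10", 1480, ident=1, more_fragments=True),
        build_datagram("203.0.113.7", "198.51.100.10", 500, ident=1, frag_offset=1480),
    ]
    pod = [
        build_datagram("203.0.113.9", "198.51.100.10", 1480, ident=2, more_fragments=True),
        build_datagram("203.0.113.9", "198.51.100.10", 1480, ident=2, frag_offset=64048,
                       more_fragments=True),
        # last fragment: 65528 + 200 = 65728 data bytes, more than can ever fit
        build_datagram("203.0.113.9", "198.51.100.10", 200, ident=2, frag_offset=65528),
    ]
    return benign + pod
```

The point of the check is that it is done before any fragment data is copied into the reassembly buffer: the decision needs only the fragment offset and length fields of the header, which is exactly what the patched IP stacks added.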
DISTRIBUTED DENIAL OF SERVICE:
DDoS is one of the most harmful threats to the network layer. Attackers use this technique to overwhelm the target with traffic; like the ping of death it aims at denial of service, but it is carried out by multiple compromised computers at once. As a result genuine requests are rejected by the server, which becomes unavailable. The victims of this attack are both the end target and the compromised systems. Attackers also make use of botnets to distribute the attack, which makes it hard to stop by blocking any single IP address, since genuine requests are indistinguishable from requests sent by the compromised computers. The common types of DDoS attacks are traffic attacks, bandwidth attacks and application attacks. In traffic attacks a huge volume of packets, possibly accompanied by malware exploitation, is sent to the target so that the genuine requests get lost. In bandwidth attacks the target is overloaded with massive amounts of junk data, which exhausts the network bandwidth and denies service. Application attacks deplete resources in the application layer, which in turn makes the target system unavailable.
DDoS attacks are always a great threat to big businesses and organizations since they can completely shut down a website, which can cost several million dollars even when the outage lasts only a short time. DDoS attacks are classified as traffic based attacks since the mode of attack is to flood the service with a large number of packets, which can completely shut down a machine.
The ways to prevent DDoS start with not making enemies and keeping a close watch on the network at all times. If attacked, the best way to deal with it is to hire a security company to assess and repair the damage, or to deploy an IDS. Another way is to upgrade to the latest hardware and software. The Internet service provider could also help by filtering out the bulk of the traffic based on
One of the other things needed to mitigate DDoS is to determine the normal conditions for network traffic by defining the "traffic patterns" against which threats can be detected and warned about. It also requires inspecting inbound traffic to separate human traffic from human-like bots, which can be done by comparing signatures and examining traffic features such as IP addresses, cookies and HTTP headers. Another technique is to redirect the traffic destined for a potential target network through high-capacity networks with filters that clean ("scrub") the traffic. Manually activated DDoS mitigation is no longer recommended, since attackers can easily get around manually activated mitigation software.
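The baseline-and-deviation idea above, carried through on constructed traffic records, as an added example that is not part of the original paper. A normal "traffic pattern" is learned as the mean packets per second over a training window; any second whose volume exceeds a multiple of that baseline raises an alert that also reports how many distinct sources contributed and which were heaviest, which is the information needed to tell a single hot source (rate-limit it) from the distributed case in which per-address blocking no longer works. The log lines, the training window, the alert factor and the function names are constructed assumptions.

```python
"""Baseline-driven volumetric DDoS detection over constructed traffic records.

Added example (not from the paper) for the traffic-pattern paragraph above.
The records, the training window and the alert factor are all constructed
assumptions; real deployments learn the baseline from days of data.
"""
from collections import Counter, defaultdict

# Constructed per-second flow records: "<second> <src_ip> <dst_ip> <packets>".
# Seconds 0-2 are normal; from second 3 several new sources flood the target.
SAMPLE_LOG = """\
0 203.0.113.10 198.51.100.5 40
0 203.0.113.11 198.51.100.5 35
1 203.0.113.10 198.51.100.5 42
1 203.0.113.12 198.51.100.5 30
2 203.0.113.11 198.51.100.5 38
2 203.0.113.12 198.51.100.5 33
3 203.0.113.10 198.51.100.5 41
3 192.0.2.1 198.51.100.5 900
3 192.0.2.2 198.51.100.5 950
3 192.0.2.3 198.51.100.5 880
4 203.0.113.11 198.51.100.5 37
4 192.0.2.1 198.51.100.5 920
4 192.0.2.4 198.51.100.5 910
4 192.0.2.5 198.51.100.5 890
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        second, src, dst, packets = line.split()
        records.append((int(second), src, dst, int(packets)))
    return records


def per_second(records):
    """second -> Counter(source -> packets) for that second."""
    buckets = defaultdict(Counter)
    for second, src, _dst, packets in records:
        buckets[second][src] += packets
    return buckets


def learn_baseline(buckets, training_seconds):
    """Mean packets/s over seconds believed to be normal (the "traffic pattern")."""
    volumes = [sum(buckets[s].values()) for s in training_seconds if s in buckets]
    return sum(volumes) / len(volumes)


def detect_flood(buckets, baseline, factor=5.0, top_n=3):
    """Flag seconds whose volume exceeds factor * baseline.

    Each alert also reports how many distinct sources contributed and the
    heaviest ones: a single hot source can be rate-limited, whereas many
    sources each sending a modest share is the distributed case where
    per-address blocking no longer works.
    """
    alerts = []
    for second in sorted(buckets):
        volume = sum(buckets[second].values())
        if volume > factor * baseline:
            alerts.append({
                "second": second,
                "packets": volume,
                "distinct_sources": len(buckets[second]),
                "top_sources": buckets[second].most_common(top_n),
            })
    return alerts


def analyse(log=SAMPLE_LOG, training_seconds=range(0, 3), factor=5.0):
    buckets = per_second(parse_log(log))
    baseline = learn_baseline(buckets, training_seconds)
    return baseline, detect_flood(buckets, baseline, factor)


if __name__ == "__main__":
    baseline, alerts = analyse()
    print("baseline %.1f packets/s" % baseline)
    for alert in alerts:
        print(alert)
```

Because the attacking sources here are spread out and each one alone would stay under a per-address limit, the `distinct_sources` count is what tells the operator that this is the distributed case; the response is then upstream filtering or redirection rather than blocking individual addresses.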
The network layer and network layer based applications are prone to several types of vulnerabilities, as discussed in this paper. The network security taxonomy was studied, and it was shown how the vulnerabilities discussed map onto that taxonomy. This helps in understanding the characteristics and nature of each vulnerability and its impact, and thus the mitigation methods that could be deployed against these attacks. On the whole, this paper puts together the major vulnerabilities the network layer could experience and the mitigation techniques that help protect it from such attacks, as an aid to security assessment.