ABSTRACT: The network layer of the Open Systems Interconnection (OSI) model provides the data routing paths for communication in the network. The design of the network layer, network-based applications, network layer protocols, etc. is a challenge because of their vulnerability to security attacks. This paper looks at the general security vulnerabilities that exist in the network or are enabled through the network, and discusses the impact of a few of the major vulnerabilities and the mitigation techniques that could be deployed against them.
INTRODUCTION: The network layer is the third layer of the Open Systems Interconnection Model (OSI model), the conceptual networking framework that defines the communication functions of a computing system regardless of the internal makeup of the system. The goal of the OSI model is to provide a reference model so that diverse telecommunication systems can interoperate using standard protocols. The model has a vertical stack of seven layers, and each layer serves the layer above it. Figure 1 shows the OSI model layers. Control is passed from the application layer at the transmitter down to the bottom layer, and this happens the other way round at the receiving end, as shown in Figure 2.

Figure 1: OSI Model
Figure 2: Communication in OSI model

NETWORK LAYER: The network layer, being the third layer, provides the data routing paths for communication in the network. The data is transmitted along logical paths or virtual circuits from node to node in the form of packets/datagrams. The major functions of the network layer are routing and forwarding.
It includes addressing, error handling, congestion control, etc., and functions with the help of hardware devices such as routers, bridges, firewalls, etc. The best possible and most efficient route is identified from the routing table and implemented over the physical medium. Every node in the network is associated with an address, and a transfer is permitted as long as the address of the destination node is known, with the data routed through the intermediate nodes. The data being transferred can be split into fragments at a node and sent independently. The fragments are then reassembled at the final receiving machine.

NETWORK LAYER PROTOCOL: The network layer consists of routers which make routing decisions for packets based on the information given in the layer. Routers understand the network layer protocol, i.e. the Internet Protocol (IP), and use that information to make routing decisions from one logical network to another.

NETWORK LAYER VULNERABILITIES: Security vulnerabilities are defined as weaknesses in a network that could be exploited by a threat. The common network vulnerabilities are route spoofing, which is the propagation of false network topology; IP address spoofing, which is false source addressing on malicious packets; and identity and resource ID vulnerabilities. Network security attacks are commonly classified according to a taxonomy: header based, protocol based, authentication based and traffic based. Header fields such as the length, flags, IDs, protocol and source IP address are vulnerable to attacks, since any changes or invalid data in the other fields cause the packets to be rejected. Header based attacks are potentially harmful because IP packets can be created by any device on the Internet.
The two major types of header based attacks are based on the end fields and the transit fields, which are monitored by the routers. Most often, transit field attacks cause the packets to be dropped by the routers. The ping of death is a common end field attack in which a malformed packet is introduced that can cause a system crash. Such attacks can be mitigated using firewalls and other detection methods. Protocol based attacks on IP and ICMP cause misrouting of packets. A common protocol based attack would use the traceroute program, which uses the IP and ICMP protocols to figure out routes to target machines.

ARP cache poisoning lets the attacker capture all the traffic from the victim as long as the attacker is in the same network as the victim. Traffic based attacks are sniffing based attacks that are more harmful. IP layer sniffing is done to sense attacks, especially in coffee shops with free wireless Internet access.

IP ADDRESS SPOOFING:
Description and Impact: IP address spoofing is one of the most frequently used network layer attack methods, wherein IP packets are created with a false source IP address to disguise the identity of the sender/attacker and pretend to be sent from another IP address. Hackers can perform malicious activities such as Man in the Middle (MitM), Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks while maintaining anonymity and causing chaos on the Internet. It could lead to denial of service to networks and devices when they are overloaded by packets that appear to originate from legitimate source IP addresses. The victim could either be overloaded by packets from multiple attackers, or the victim's IP address could be spoofed in packets sent to other devices on the network, to which those devices respond with packets. Hence the victim is flooded with packets from other devices which have received packets from the spoofed address of the victim.
Since IP address spoofing involves the attack causing an authentication threat, it is mapped as an authentication based attack.
Mitigation: The most common mitigation method against IP spoofing attacks is ensuring that firewalls and routers are configured correctly and can handle/restrict traffic from the Internet. This could be done by packet filtering.
Ingress filtering blocks packets arriving from outside the network that carry a source address inside the network. Thus an internal machine cannot be spoofed by an external attacker. Egress filtering is done on outgoing packets as well, such that packets with a source address outside the network are blocked from leaving the inside. In this way an internal attacker cannot harm external machines either.
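The ingress/egress rules just described, written out as an added example (not code from the paper). It assumes a single site prefix of 192.0.2.0/24 and a packet record that already knows which direction it crossed the border in; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site prefix for this example; the paper names no addresses.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "ingress" (arriving from the Internet) or "egress" (leaving the site)


def filter_packet(pkt: Packet, internal=INTERNAL_NET) -> str:
    """Apply the ingress/egress anti-spoofing rules; return 'allow' or 'drop: <reason>'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "ingress":
        # Ingress rule: a packet from outside must not claim an inside source.
        if src in internal:
            return "drop: ingress spoof (external packet with internal source)"
        return "allow"
    if pkt.direction == "egress":
        # Egress rule: a packet leaving the site must carry an inside source.
        if src not in internal:
            return "drop: egress spoof (internal packet with external source)"
        return "allow"
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic: one legitimate packet and one spoof in each direction.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "ingress"),   # normal inbound
    Packet("192.0.2.10", "192.0.2.20", "ingress"),     # outside packet posing as an inside host
    Packet("192.0.2.10", "203.0.113.5", "egress"),     # normal outbound
    Packet("203.0.113.9", "198.51.100.1", "egress"),   # inside host posing as an outside address
]


def run(packets=SAMPLE):
    """Return (src, direction, verdict) for every packet."""
    return [(p.src, p.direction, filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for row in run():
        print(row)
```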
A second preventative mechanism is to implement authentication and encryption to reduce the likelihood of the threat. It is also good to design network protocols in a way that does not rely on the IP source address for authentication.

PING OF DEATH:
Description and Impact: Ping of death is a type of denial of service attack in which the attacker sends a malformed ping to another computer so as to crash or freeze it. These attacks exploit a weakness that has since been patched in most target systems. The maximum size of an IP packet, including pings, is 65,535 bytes. If a packet were larger than that, the target computer would ultimately crash, as it cannot handle a ping packet larger than the maximum size permitted by the IP specification. Hence hackers cleverly bypass the rules of TCP/IP by sending the packet in fragments. When reassembled at the receiving end, the overall packet size exceeds the maximum, which causes the buffer to overflow and thus crashes the device.
Ping attacks are especially effective because the identity of the attacker can be concealed. Also, ping of death does not require detailed knowledge of the machine being attacked, except for its IP address. It should be noted that the vulnerability, although recognised through the PoD attack, applies to any IP packet: ICMP, TCP, UDP and IPX.

Since ping of death involves the end fields of the header being attacked to crash the system, it is mapped as a header based attack.
Mitigation: One method that could be used to mitigate PoD is to block ICMP ping messages at the firewalls. But this method is not viable in the long term.
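The device-side fix is to validate each fragment against the 65,535-byte limit before anything is copied into the reassembly buffer. The following is an added example, not code from the paper, modelling IP fragments as (offset in 8-byte units, MF flag, payload) and assuming a 20-byte IP header with no options; both fragment sets are constructed.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535      # IPv4 total length is a 16-bit field
IP_HEADER_LEN = 20        # assumed: no IP options

@dataclass
class Fragment:
    offset: int           # fragment offset in 8-byte units, as carried in the IP header
    more_fragments: bool  # the MF flag
    payload: bytes

class OversizedDatagram(Exception):
    """A fragment would push the reassembled datagram past 65,535 bytes."""

def check_fragment(frag: Fragment) -> int:
    """Return the total datagram length this fragment implies, or raise if illegal."""
    end = IP_HEADER_LEN + frag.offset * 8 + len(frag.payload)
    if end > MAX_DATAGRAM:
        raise OversizedDatagram(f"fragment at offset {frag.offset * 8} with "
                                f"{len(frag.payload)} bytes implies a {end}-byte datagram")
    return end

def reassemble(fragments) -> bytes:
    """Reassemble one datagram, validating every fragment before touching the buffer."""
    for f in fragments:       # the size check runs before any copy into the buffer,
        check_fragment(f)     # which is the step vulnerable stacks skipped
    buf = bytearray()
    ordered = sorted(fragments, key=lambda f: f.offset)
    for f in ordered:
        if f.offset * 8 != len(buf):
            raise ValueError("gap or overlap between fragments")
        buf += f.payload
    if not ordered or ordered[-1].more_fragments:
        raise ValueError("last fragment missing")
    return bytes(buf)

def classify(fragments) -> str:
    """Filter-style verdict for a fragment set: 'accept' or 'drop: <reason>'."""
    try:
        reassemble(fragments)
        return "accept"
    except (OversizedDatagram, ValueError) as exc:
        return f"drop: {exc}"

# Constructed samples: a normal 2,960-byte echo request split at a 1,500-byte MTU, and a
# ping-of-death style set whose last fragment overruns the 16-bit length limit.
NORMAL_PING = [Fragment(0, True, b"A" * 1480), Fragment(185, False, b"B" * 1480)]
POD_PING = [Fragment(0, True, b"A" * 1480), Fragment(8189, False, b"X" * 100)]
```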
The other simple method is to upgrade the devices, since most devices made after 1998 are immune to this kind of attack.

DISTRIBUTED DENIAL OF SERVICE:
Description and Impact: DDoS is one of the most harmful vulnerabilities at the network layer. Hackers use this technique to attack the target with overwhelming traffic, similar to ping of death, except that multiple compromised computers are exploited to do it. In this way, the genuine requests are rejected by the server, which thus becomes unavailable.

The victims of this attack are both the end target and the compromised systems. Attackers also make use of botnets to distribute the DDoS attack. Hence it becomes hard to block this attack by blocking any single IP address, as the genuine requests are indistinguishable from requests from compromised computers. The common types of DDoS attacks are traffic attacks, bandwidth attacks and application attacks. In traffic attacks, a huge volume of packets, which might be accompanied by malware exploitation, is sent to the target, and thus the genuine requests get lost. In bandwidth attacks, the target is overloaded with massive amounts of junk data, which leads to loss of network bandwidth and denial of service. Application attacks cause depletion of resources in the application layer, which in turn causes the target system to be unavailable. DDoS attacks are always a great threat to big businesses and organisations, since they could completely crash/shut down a website, which could cause losses of several million dollars even over a short time.
Hence DDoS attacks are classified as traffic based attacks, since the mode of attack is flooding the service with a large number of packets that could completely shut down a machine.
Mitigation: The first way DDoS could be prevented is to not make enemies and to keep a watchful eye on the network all the time. If attacked at all, the best way to deal with it is to hire a security company to assess and repair the damage, or to get an IDS. The other way would be to upgrade to the latest hardware and software. The Internet service provider could also help by filtering out the bulk of the traffic based on its origin. One of the other things that we need to do to mitigate DDoS is to determine the normal conditions for network traffic by defining the "traffic patterns" that are required to detect and warn about the threats.
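One concrete form of the "traffic pattern" baselining mentioned above, as an added example that is not part of the paper: learn the normal requests-per-window rate from a quiet period, then flag windows that exceed it, reporting how many distinct sources contribute (the spread that makes single-IP blocking ineffective). The request log is constructed inline; the 10-second window, six training windows and 3-sigma threshold are assumptions.

```python
import statistics
from collections import Counter


def constructed_log():
    """Synthetic request log as (epoch_second, source_ip) tuples: 60 s of normal
    traffic at 1 request/s from a handful of clients, then a 10 s flood spread
    over 50 sources, as a botnet would produce."""
    lines = [(t, f"198.51.100.{t % 7}") for t in range(60)]
    lines += [(60 + i % 10, f"203.0.113.{i % 50}") for i in range(400)]
    return lines


def per_window(lines, window=10):
    """Map each window index to a Counter of requests per source."""
    buckets = {}
    for t, src in lines:
        buckets.setdefault(t // window, Counter())[src] += 1
    return buckets


def learn_baseline(buckets, train_windows):
    """Mean and population stdev of requests per window over the training windows."""
    rates = [sum(buckets[w].values()) for w in train_windows]
    return statistics.mean(rates), statistics.pstdev(rates)


def detect(lines, window=10, train_windows=range(6), sigma=3.0):
    """Flag windows whose request volume exceeds the learned 'normal' pattern."""
    buckets = per_window(lines, window)
    mean, sd = learn_baseline(buckets, train_windows)
    threshold = mean + sigma * max(sd, 1.0)   # floor the stdev so a flat baseline still works
    alerts = []
    for w in sorted(buckets):
        total = sum(buckets[w].values())
        if total > threshold:
            alerts.append({"window": w, "requests": total, "threshold": threshold,
                           "distinct_sources": len(buckets[w]),
                           "top_sources": buckets[w].most_common(3)})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

A real deployment would feed the same functions from an access log or flow export rather than the constructed list, and would re-learn the baseline periodically.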
It also requires identifying inbound traffic to separate human traffic from human-like bots. This could be done by comparing signatures and examining traffic features including IP addresses, cookies, HTTP headers, etc. Another technique is to route traffic directed at a potential target network through high capacity networks with "debug" filters. Manual mitigation of DDoS is not recommended anymore, since attackers could easily bypass manually activated DDoS mitigation software.

CONCLUSION: The network layer and network layer based applications are prone to several types of vulnerabilities, as discussed in this paper. The network security taxonomy was studied, and it was understood how the different vulnerabilities discussed could be mapped to this taxonomy.
This helps in understanding the characteristics and nature of each vulnerability and its impact, and thus the possible mitigation methods that could be deployed to overcome these attacks. On the whole, this paper puts together the major vulnerabilities the network layer could experience and the mitigation techniques that help protect the network layer from such attacks, which aids security assessment.