9-Lesson. Data protection at the network layer.
Topics to be considered during the lecture
Routing and its risks
Addressing
Fragmentation and its risks
Quality of Service security attacks
Network layer transmits the channel layer's function to all devices that connect to the network.
6/9/2021
Channel layer three functions
provides:
addressing,
fragmentation of data and quality of service. In the channel layer, these functions are provided only to the local network. The network layer distributes these functions among networks. If the channel layer is directed to physical connections, the network layer pays attention to network topology.
Network
layer
Routing
Network
Network routing enables establishing communication using two different layers of data links. Without network routing, the channel layer requires all nodes to communicate directly with all other nodes in the network. Due to mutual communication, large networks become a bottleneck. The network layer provides data exchange only when it is necessary for separate networks.
Network layer functions
Packetization
Fragmentation Routing
Logical addressing
How does the network
Routing
6
Routers
Routing table
Routing
indicators
Applying routes
Routing Threats
Direct routing
Attacks
1
3
5
4
2
Router table flooding
Router Looping attacks
Router table poisoning
Routing metric attacks
Routing risks
Directly to the router
attack
A direct attack on the router can be in the form of DoS or system compromise. DoS interferes with the router's core routing functions, which leads to network connectivity loss. Historically, these attacks were based on loading: a network on a specific interface
volume very large, then router
It cannot manage traffic, including traffic coming from other network interfaces.
Poisoning the router's table
Just like the ARP table at the channel layer, the routing table at the network layer is also unprotected against poisoning attacks. Some network
protocols network traffic
authenticate. Fake or corrupted
Network traffic can write, add, or delete entries in the routing table. The result may not differ much from a compromised router: the poisoned table can redirect traffic to another host, block traffic from specific hosts, or be reconfigured to create arbitrary new hidden subnets.
Filling the router's table
In routers usually routing
tables to store for large hard
Disks or RAM are not present. The size of the routing table is usually limited. Static
Devices that do not use routes need to manage route expiration
and must manage table filling. A malicious router can create fake data used to fill the routing table.
Routing risks
Attack on router metric
Attack
Dynamic indicators in the routing table related to the router’s metric
poisons. This attack
can redirect the preferred route to an undesired route
is possible.
Router flood attack
Many network protocols, when data is transmitted from one interface of a router to another interface, try to detect and eliminate network loops (loops). Network loops cause excessive consumption of network bandwidth and lead to the consumption of all available bandwidth during retransmission. Some protocols at the network layer provide a mechanism to discard packets that have timed out, and there are also many protocols that help detect network loops.
Direct attack on router
Router жадвалини захарлаш
Router table fill
Router public service
Addressing
14
Channel layer supports addressing for multi‑node networks. Each address must be unique and sequential. The channel layer uses the address only to identify the unique node in the network and for no other purposes. Addressing in the channel layer is similar to referring to people by their names
as if making a request. If there is only one person named Bart in a room, no confusion arises when someone mentions his name.
Address scheme risks
Presenting oneself as another person
At the OSI channel layer, conflicts may arise when two nodes share the same device address. The same applies to network‑layer addresses.
For example, a router may not know which device address to associate with a network address.
Address disruption If two nodes exist in a subnet with the same network address, the node that responds the fastest
may hold the network connection. If one node consistently responds more slowly, it will be blocked from all network traffic.
Dynamic allocation of usage
All addresses are allocated
when divided, new nodes
cannot be added to the network.
Allocation attack on all existing
requires marking addresses as allocated. One host can prevent other hosts from accessing the network by using a very large number of
address queries
creating separation
fake
is possible.
Address scheme risks
False release attack
A false release attack occurs when an attacker claims that a previously allocated address is its own and indicates that the address is free. As a result, the victim's node begins operating with an unassigned network address, which later, due to address reassignment, leaves it unprotected against spoofed attacks.
False dynamic allocation
attack
For a host to request a new network address, it must first contact the hosting server. Unfortunately, the server may be unavailable. VINES and DHCP servers resolve this issue by responding to address allocation queries. Attackers can configure their own distribution servers and respond to allocation requests faster than official servers. The allocation response usually includes a set of configuration data.
Fragment
Fragmentation risks
18
Fragment shortage attack
1
3
2
Recovering fragments
Maximum fragmented size
All fragmentation schemes face two main risks: lack of fragments and the volume of accumulated data. Additionally, the type of fragmentation management can lead to a lack of data segments.
19
Quality of Service
Provides six QoS functions for use by the network layer and transport layer. These services help ensure optimal data flow.
Connection management
Flow controlFlow management
Error status
Node error
Quality-of-Service services
QoS services
Re
install
Manage connection
Control flow
Manage flow
Error state
Shutdown state
Security
6/9/2021
layer offers many services, but the network transmission
does not describe how to protect. Moreover, the network
layer's
majority
protocols
network
its data
authentication
doing, checking or other protection
functions are not provided. The network layer faces general
threats, hearing, creating other similarities and adding
attacks
enter.
Many
network
protocols
by
information link stealing and repeated attacks such as lower‑layer threats are not reduced. Instead, security
measures
high
level
protocols
with
implementation
are deployed, it is assumed.
Several cryptographic solutions
exist, but a well‑chosen network architecture and filtering
programs
many
security
risk
reduces
possible.
Besides complexity, many OSI protocols are adjacent OSI
related to layers.
Network compatibility some security
solutions
variant
as
to be seen
obstacle
Security
6/9/2021
Thank you for your attention