1 of 23

9-Lesson. Data protection at the network layer.

2 of 23

Topics to be considered during the lecture

Routing and its risks

Addressing

Fragmentation and its risks

Quality of Service security attacks

3 of 23

Network layer transmits the channel layer's function to all devices that connect to the network.

6/9/2021

Channel layer three functions

provides:

addressing,

fragmentation of data and quality of service. In the channel layer, these functions are provided only to the local network. The network layer distributes these functions among networks. If the channel layer is directed to physical connections, the network layer pays attention to network topology.

Network

layer

Routing

Network

Network routing enables establishing communication using two different layers of data links. Without network routing, the channel layer requires all nodes to communicate directly with all other nodes in the network. Due to mutual communication, large networks become a bottleneck. The network layer provides data exchange only when it is necessary for separate networks.

4 of 23

Network layer functions

Packetization

Fragmentation Routing

Logical addressing

5 of 23

How does the network

6 of 23

Routing

6

Routers

Routing table

Routing

indicators

Applying routes

7 of 23

Routing Threats

Direct routing

Attacks

1

3

5

4

2

Router table flooding

Router Looping attacks

Router table poisoning

Routing metric attacks

8 of 23

Routing risks

Directly to the router

attack

A direct attack on the router can be in the form of DoS or system compromise. DoS interferes with the router's core routing functions, which leads to network connectivity loss. Historically, these attacks were based on loading: a network on a specific interface

volume very large, then router

It cannot manage traffic, including traffic coming from other network interfaces.

Poisoning the router's table

Just like the ARP table at the channel layer, the routing table at the network layer is also unprotected against poisoning attacks. Some network

protocols network traffic

authenticate. Fake or corrupted

Network traffic can write, add, or delete entries in the routing table. The result may not differ much from a compromised router: the poisoned table can redirect traffic to another host, block traffic from specific hosts, or be reconfigured to create arbitrary new hidden subnets.

Filling the router's table

In routers usually routing

tables to store for large hard

Disks or RAM are not present. The size of the routing table is usually limited. Static

Devices that do not use routes need to manage route expiration

and must manage table filling. A malicious router can create fake data used to fill the routing table.

9 of 23

Routing risks

Attack on router metric

Attack

Dynamic indicators in the routing table related to the router’s metric

poisons. This attack

can redirect the preferred route to an undesired route

is possible.

Router flood attack

Many network protocols, when data is transmitted from one interface of a router to another interface, try to detect and eliminate network loops (loops). Network loops cause excessive consumption of network bandwidth and lead to the consumption of all available bandwidth during retransmission. Some protocols at the network layer provide a mechanism to discard packets that have timed out, and there are also many protocols that help detect network loops.

10 of 23

Direct attack on router

11 of 23

Router жадвалини захарлаш

12 of 23

Router table fill

13 of 23

Router public service

14 of 23

Addressing

14

Channel layer supports addressing for multi‑node networks. Each address must be unique and sequential. The channel layer uses the address only to identify the unique node in the network and for no other purposes. Addressing in the channel layer is similar to referring to people by their names

as if making a request. If there is only one person named Bart in a room, no confusion arises when someone mentions his name.

  1. Number‑based addressing (IP, IPX, X.25, VINES)
  2. Name‑based addressing (AX.25, NBRP)

15 of 23

Address scheme risks

Presenting oneself as another person

At the OSI channel layer, conflicts may arise when two nodes share the same device address. The same applies to network‑layer addresses.

For example, a router may not know which device address to associate with a network address.

Address disruption If two nodes exist in a subnet with the same network address, the node that responds the fastest

may hold the network connection. If one node consistently responds more slowly, it will be blocked from all network traffic.

Dynamic allocation of usage

All addresses are allocated

when divided, new nodes

cannot be added to the network.

Allocation attack on all existing

requires marking addresses as allocated. One host can prevent other hosts from accessing the network by using a very large number of

address queries

creating separation

fake

is possible.

16 of 23

Address scheme risks

False release attack

A false release attack occurs when an attacker claims that a previously allocated address is its own and indicates that the address is free. As a result, the victim's node begins operating with an unassigned network address, which later, due to address reassignment, leaves it unprotected against spoofed attacks.

False dynamic allocation

attack

For a host to request a new network address, it must first contact the hosting server. Unfortunately, the server may be unavailable. VINES and DHCP servers resolve this issue by responding to address allocation queries. Attackers can configure their own distribution servers and respond to allocation requests faster than official servers. The allocation response usually includes a set of configuration data.

17 of 23

Fragment

18 of 23

Fragmentation risks

18

Fragment shortage attack

1

3

2

Recovering fragments

Maximum fragmented size

All fragmentation schemes face two main risks: lack of fragments and the volume of accumulated data. Additionally, the type of fragmentation management can lead to a lack of data segments.

19 of 23

19

Quality of Service

Provides six QoS functions for use by the network layer and transport layer. These services help ensure optimal data flow.

Connection management

Flow controlFlow management

Error status

Node error

20 of 23

Quality-of-Service services

QoS services

Re

install

Manage connection

Control flow

Manage flow

Error state

Shutdown state

21 of 23

Security

6/9/2021

  • Network to ensure successful data transmission

layer offers many services, but the network transmission

does not describe how to protect. Moreover, the network

layer's

majority

protocols

network

its data

authentication

doing, checking or other protection

functions are not provided. The network layer faces general

threats, hearing, creating other similarities and adding

attacks

enter.

Many

network

protocols

by

information link stealing and repeated attacks such as lower‑layer threats are not reduced. Instead, security

measures

high

level

protocols

with

implementation

are deployed, it is assumed.

Several cryptographic solutions

exist, but a well‑chosen network architecture and filtering

programs

many

security

risk

reduces

possible.

Besides complexity, many OSI protocols are adjacent OSI

related to layers.

Network compatibility some security

solutions

variant

as

to be seen

obstacle

22 of 23

Security

  • Security protocols

  • Connection management
  • Network incompatibility Architecture
  • Server filtering

  • Inter-network screen and outbound traffic filtering

6/9/2021

23 of 23

Thank you for your attention