A good example of an attack against the code responsible for processing network layer communications is an exploit for a specific vulnerability in the Internet Group Management Protocol (IGMP) handling code in the Linux kernel. Kernel versions from 2.4.22-2.4.28, and 2.6-2.6.9 are vulnerable and can be exploited both remotely and by local users (some security vulnerabilities are only locally exploitable, so this is a nasty bug). A successful exploit over the network from a remote system could result in a kernel crash, as discussed in more detail at http://isec.pl/vulnerabilities/isec-0018-igmp.txt. Kernel code sometimes contains security bugs, and these bugs can exist all the way down at the network layer processing code or within device drivers.
Agreeing on definitions for network layer responses is as useful as agreeing on definitions for network layer attacks. Because such responses should not involve information that resides at the transport layer or above, we are limited to the manipulation of network layer headers in one of three ways:
• A filtering operation conducted by a device such as a firewall or router to block the source IP address of an attacker
• Reconfiguration of a routing protocol to deny the ability of an attacker to route packets to an intended target by means of route blackholing— packets are sent into the void and are never heard from again
• Applying thresholding logic to the amount of traffic that is allowed to pass through a firewall or router based on utilized bandwidth
A response that is purely at the network layer can be used to combat an attack that is detected at the application layer, but such a response should not involve things like generating a TCP RST packet for example—this would be a transport layer response, as we'll see in Chapter 3.
Was this article helpful?