RE: [fw-wiz] Application-level Attacks

From: Ben Nagy (ben_at_iagu.net)
Date: 01/28/05

    To: "'Crispin Cowan'" <crispin@immunix.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 28 Jan 2005 17:34:22 +0100
    
    

    > Shimon Silberschlag wrote:
    >
    > > Today, when attacks are shifting towards using the already
    > open ports
    > > on the firewall, at the application level,
    >
    > It is often said that contemporary attacks are migrating to
    > application-level attacks. Can someone point me to data
    > backing this claim?
    >
    > Thanks,
    > Crispin

    I usually talk about either the idea of 'blended threats' - viruses that
    infect via email or web, but then spread like worms once inside. Mydoom and
    friends are good examples, and there was a malware called Plexus in 2004
    which wasn't very successful but is a very clean example of this kind of
    attack.

    Then you can look at phishing, and also pretty much all the IE bugs,
    including the successful malware that hit the IFRAME bug and the current
    stuff that is hitting MS05-002.

    Now, Crispin, I know you know this, and so I suspect that you were looking
    more for data to justify the word "shifting" rather than the fact that these
    attacks exist, right? Well, that's where there are lots of counterexamples,
    so I agree with your implied point that it might be a bogus assumption.

    There is still MASSES of traffic for blaster, sasser, sapphire/slammer, blah
    blah blah. Those are 'application-level' attacks in one sense, but for 100%
    of non-stupid organisations they will be pounding on closed firewall ports.
    The trouble is that they find other ways in.

    So. I would put it more like "_Successful_ attacks from the Internet to
    trusted networks are shifting to using ports that are open in the firewall.
    More traditional attacks are relying on the fact that the firewall doesn't
    cover all (or even most) of the attack vectors anymore."

    But, when you put it like that it turns out a little trite and obvious, so
    I'm now not sure if I won or lost. My gut feel, FWIW, is that if you measure
    "shifting" by volume then no, they're not. If you measure it by focus,
    attacker R&D, risk posed to organisations and current trends, then yes, they
    are. The "blended threat" is the killer malware of the moment, to my mind -
    one single user clicks on dancing_weasels.scr and then the whole WAN gets
    hosed using LSASS as an attack vector. Ow.

    Cheers,

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

