Re: [fw-wiz] Application-level Attacks

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 01/29/05

    To: vbwilliams@neb.rr.com, firewall-wizards@honor.icsalabs.com
    Date: Sat, 29 Jan 2005 04:22:50 -0500

    I'd tentatively offer the following description of application-level attacks as:

    Attacks that take advantage of software failures in the implementation of an
    application (layer 7) protocol. By implication, application attacks are
    specific to a given implementation of a protocol, for example, a buffer
    overrun in HTTP request parsing, or a SQL injection attack. Note that
    multiple implementations can share a common (independent or based
    on shared library use) instance of a given bug.

    Protocol level attacks take advantage of flaws in the implementation of
    lower-level protocols. By implication, protocol level attacks are specific to
    a given implementation of a protocol. For example, ICMP "ping of death"
    attacks took advantage of how many ICMP implementations failed to
    handle packets larger than allowed by the specification.

    Infrastructure or specification level attacks are another category I would
    hold as separate, and they depend on failures of the protocol specification.
    For example, FTP bounce attacks take advantage of fundamental
    braindamage in how the FTP RFC defines FTP operation. Specification
    flaws like this require the defending system to _break_ protocol compliance
    (as the fwtk's FTP-gw did) in order to protect against the attack.

    So, I guess what I am saying is that, in Marcus-land, almost all
    attacks are application level. :) They always have been.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
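The FTP bounce defence the message alludes to (a proxy refusing PORT commands that a compliant server would accept) can be shown concretely. The following is an added illustration, not the list author's code and not the fwtk FTP-gw source: it parses the RFC 959 PORT argument and applies the deliberately non-compliant policy that the data address must equal the control-connection peer and the data port must be unprivileged. The peer address, the sample PORT lines and the function names are constructed for the example.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, two port bytes).
_PORT_RE = re.compile(r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_arg(arg: str) -> tuple[str, int]:
    """Parse a PORT argument into (dotted IPv4 address, port).

    Raises ValueError on anything that does not decode cleanly, so a malformed
    command is rejected rather than half-interpreted.
    """
    m = _PORT_RE.match(arg)
    if not m:
        raise ValueError("malformed PORT argument")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    ip = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PORT port must be non-zero")
    return ip, port


def port_command_allowed(arg: str, control_peer_ip: str) -> tuple[bool, str]:
    """Decide whether a proxy should honour a PORT command.

    Policy (intentionally stricter than RFC 959): the data connection must go
    back to the same host that owns the control connection, on a port above
    1023. A PORT naming any other host is exactly the bounce case.
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"reject: {exc}"
    peer = str(ipaddress.IPv4Address(control_peer_ip))
    if ip != peer:
        return False, f"reject: data address {ip} differs from control peer {peer}"
    if port <= 1023:
        return False, f"reject: privileged data port {port}"
    return True, f"allow: {ip}:{port}"


# Constructed sample: PORT commands seen on a control connection from 192.0.2.10.
SAMPLE_PEER = "192.0.2.10"
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,1",      # 192.0.2.10:1025, an ordinary active-mode transfer
    "PORT 198,51,100,25,0,25",  # third-party host, port 25: the bounce pattern
    "PORT 192,0,2,10,0,22",     # own host but a privileged port
    "PORT 300,0,2,10,4,1",      # malformed octet
    "TYPE I",                   # not a PORT command, ignored by the audit
]


def audit(commands: list[str], peer_ip: str) -> list[tuple[str, bool, str]]:
    """Run the policy over a list of control-channel lines and return decisions."""
    results = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() != "PORT":
            continue
        ok, reason = port_command_allowed(arg, peer_ip)
        results.append((line, ok, reason))
    return results


if __name__ == "__main__":
    for line, ok, reason in audit(SAMPLE_COMMANDS, SAMPLE_PEER):
        print(f"{'ALLOW' if ok else 'DENY ':5} {line!r}: {reason}")
```

The port floor and the peer-address match are the two checks that break strict RFC 959 compliance; a server or proxy applying them will refuse some legitimate third-party transfers, which is the trade-off the message describes.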

