Re: [fw-wiz] Application-level Attacks
From: Paul D. Robertson (paul_at_compuwar.net)
To: "Marcus J. Ranum" <firstname.lastname@example.org>
Date: Sat, 29 Jan 2005 10:37:05 -0500 (EST)
On Sat, 29 Jan 2005, Marcus J. Ranum wrote:
> I'd tentatively offer the following description of application-level attacks as:
> Attacks that take advantage of software failures in the implementation of an
> application (layer 7) protocol. By implication, application attacks are
> specific to a given implementation of a protocol, for example, a buffer
> overrun in HTTP request parsing, or a SQL injection attack. Note that
> multiple implementations can share a common (independent or based
> on shared library use) instance of a given bug.
Hmmm, but an SQL injection attack isn't really a protocol issue- it's an
unexpected input issue- and I think the distinction between boneheaded
application developers and boneheaded library developers is relatively
> Protocol level attacks take advantage of flaws in the implementation of
> lower-level protocols. By implication, protocol level attacks are specific to
> a given implementation of a protocol. For example, ICMP "ping of death"
> attacks took advantage of how many ICMP implementations failed to
> handle packets larger than allowed by the specification.
> Infrastructure or specification level attacks are another category I would
> hold as separate, and they depend on failures of the protocol specification.
> For example, FTP bounce attacks take advantage of fundamental
> braindamage in how the FTP RFC defines FTP operation. Specification
> flaws like this require the defending system to _break_ protocol compliance
> (as the ftwk's FTP-gw did) in order to protect against the attack.
> So, I guess what I am saying is that, in Marcus-land, almost all
> attacks are application level. :) They always have been.
I tend to put them into "Human, protocol, application and transport"
buckets, mostly because those are the places I get to apply controls. In
reality many threats transit multiple of those, and some attacks take
advantage of bugs in all of them, but I still get to pick the priority of my
controls, so that's still how I separate them.
Paul D. Robertson
email@example.com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list
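The thread uses SQL injection as its example of a bug that is "specific to a given implementation" (Marcus) and really an "unexpected input issue" (Paul). The following added example, which is not from the mailing list thread and not from either poster, makes both points concrete with an in-memory SQLite database: the same login query, written once by string concatenation and once with bound parameters, is fed the same unexpected input. Only the concatenating implementation lets that input change the statement's structure; the table, the row data and the `login_*` function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, pw):
    # Vulnerable implementation: the SQL text is assembled from the input,
    # so input that contains a quote character becomes part of the statement.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pw):
    # Hardened implementation of the same application logic: the statement
    # structure is fixed and the driver binds the input purely as values.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def demo():
    # Runs both implementations against legitimate and unexpected input and
    # returns which user rows each one matched.
    conn = make_db()
    unexpected = "' OR '1'='1"   # classic unexpected input: a quote followed by a tautology
    return {
        "legit_concat": login_concat(conn, "alice", "s3cret"),
        "unexpected_concat": login_concat(conn, "x", unexpected),
        "legit_param": login_param(conn, "alice", "s3cret"),
        "unexpected_param": login_param(conn, "x", unexpected),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print("%-18s -> %s" % (label, matched))
```

The unexpected input matches every row in the concatenating version (the password clause collapses to `pw = '' OR '1'='1'`) and no rows in the parameterized one, although both implementations speak exactly the same wire protocol to the database. That is the sense in which the bug belongs to the implementation, not to SQL or to the transport, and why the control that actually fixes it is an input-handling change in the application rather than anything a firewall can see.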