Re: [fw-wiz] Application-level Attacks

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/29/05

  • Next message: Crispin Cowan: "Re: [fw-wiz] Application-level Attacks"

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 29 Jan 2005 10:37:05 -0500 (EST)

    On Sat, 29 Jan 2005, Marcus J. Ranum wrote:

    > I'd tentatively offer the following description of application-level attacks as:
    >
    > Attacks that take advantage of software failures in the implementation of an
    > application (layer 7) protocol. By implication, application attacks are
    > specific to a given implementation of a protocol, for example, a buffer
    > overrun in HTTP request parsing, or a SQL injection attack. Note that
    > multiple implementations can share a common (independent or based
    > on shared library use) instance of a given bug.

    Hmmm, but an SQL injection attack isn't really a protocol issue- it's an
    unexpected input issue- and I think the distinction between boneheaded
    application developers and boneheaded library developers is relatively
    important.

    > Protocol level attacks take advantage of flaws in the implementation of
    > lower-level protocols. By implication, protocol level attacks are specific to
    > a given implementation of a protocol. For example, ICMP "ping of death"
    > attacks took advantage of how many ICMP implementations failed to
    > handle packets larger than allowed by the specification.
    >
    > Infrastructure or specification level attacks are another category I would
    > hold as separate, and they depend on failures of the protocol specification.
    > For example, FTP bounce attacks take advantage of fundamental
    > braindamage in how the FTP RFC defines FTP operation. Specification
    > flaws like this require the defending system to _break_ protocol compliance
    > (as the fwtk's FTP-gw did) in order to protect against the attack.
    >
    > So, I guess what I am saying is that, in Marcus-land, almost all
    > attacks are application level. :) They always have been.

    I tend to put them into "Human, protocol, application and transport"
    buckets, mostly because those are the places I get to apply controls. In
    reality many threats transit multiple of those, and some attacks take
    advantage of bugs in all of them, but I still get to pick the priority of my
    controls, so that's still how I separate them.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
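As an added illustration, not part of the thread, of the point that SQL injection is an input-handling defect of a particular implementation rather than a flaw in any protocol: two hypothetical lookup functions receive the same protocol-valid input, one splices it into the SQL text and one binds it as a parameter. The in-memory sqlite3 table and the sample names are constructed here.

```python
import sqlite3


def _db():
    # Constructed sample data: a tiny accounts table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Implementation A (hypothetical): builds the query by concatenation.
    Nothing about HTTP or SQL-over-the-wire is violated by the caller;
    the defect is that the application lets data be parsed as SQL syntax."""
    try:
        return conn.execute(
            "SELECT name, role FROM users WHERE name = '" + name + "'"
        ).fetchall()
    except sqlite3.OperationalError as exc:
        # A quote inside the *data* reached the SQL parser: data became code.
        return ("syntax-error", str(exc))


def lookup_param(conn, name):
    """Implementation B (hypothetical): same query, bound parameter.
    The input stays data no matter what characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both implementations on one input so the difference is visible:
    the protocol and the input are identical, only the implementation differs."""
    conn = _db()
    return {"concat": lookup_concat(conn, name),
            "param": lookup_param(conn, name)}


if __name__ == "__main__":
    for n in ("bob", "o'brien"):
        print(n, compare(n))
```

A plain name behaves identically in both; a name containing an apostrophe, which is ordinary user data, already breaks implementation A while B simply finds no match, which is why the bug belongs to the implementation's input handling, not to the protocol.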
