Re: [fw-wiz] Application-level Attacks
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/29/05
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Application-level Attacks"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] Application-level Attacks"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Application-level Attacks"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Application-level Attacks"
- Reply: M. Dodge Mumford: "Re: [fw-wiz] Application-level Attacks"
To: "Marcus J. Ranum" <mjr@ranum.com> Date: Sat, 29 Jan 2005 10:37:05 -0500 (EST)
On Sat, 29 Jan 2005, Marcus J. Ranum wrote:
> I'd tentatively offer the following description of application-level attacks as:
>
> Attacks that take advantage of software failures in the implementation of an
> application (layer 7) protocol. By implication, application attacks are
> specific to a given implementation of a protocol, for example, a buffer
> overrun in HTTP request parsing, or a SQL injection attack. Note that
> multiple implementations can share a common (independent or based
> on shared library use) instance of a given bug.
Hmmm, but an SQL injection attack isn't really a protocol issue- it's an
unexpected input issue- and I think the distinction between boneheaded
application developers and boneheaded library developers is relatively
important.
> Protocol level attacks take advantage of flaws in the implementation of
> lower-level protocols. By implication, protocol level attacks are specific to
> a given implementation of a protocol. For example, ICMP "ping of death"
> attacks took advantage of how many ICMP implementations failed to
> handle packets larger than allowed by the specification.
>
> Infrastructure or specification level attacks are another category I would
> hold as separate, and they depend on failures of the protocol specification.
> For example, FTP bounce attacks take advantage of fundamental
> braindamage in how the FTP RFC defines FTP operation. Specification
> flaws like this require the defending system to _break_ protocol compliance
> (as the ftwk's FTP-gw did) in order to protect against the attack.
>
> So, I guess what I am saying is that, in Marcus-land, almost all
> attacks are application level. :) They always have been.
I tend to put them into "Human, protocol, application and transport"
buckets, mostly because those are the places I get to apply controls. In
reality many threats transit multiple of those, and some attacks take
advantage of bugs in all of them, but I still get to pick the priority of my
controls, so that's still how I separate them.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards