Firewall Wizards mailing list archives
RE: Application-level Attacks
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 28 Jan 2005 17:34:22 +0100
> Shimon Silberschlag wrote:
> > Today, when attacks are shifting towards using the already open ports on the firewall, at the application level,
>
> It is often said that contemporary attacks are migrating to application-level attacks. Can someone point me to data backing this claim?
>
> Thanks,
> Crispin
I usually talk about either the idea of 'blended threats' - viruses that infect via email or web, but then spread like worms once inside. Mydoom and friends are good examples, and there was a malware called Plexus in 2004 which wasn't very successful but is a very clean example of this kind of attack. Then you can look at phishing, and also pretty much all the IE bugs, including the successful malware that hit the IFRAME bug and the current stuff that is hitting MS05-002.

Now, Crispin, I know you know this, and so I suspect that you were looking more for data to justify the word "shifting" rather than the fact that these attacks exist, right? Well, that's where there are lots of counter examples, so I agree with your implied point that it might be a bogus assumption. There is still MASSES of traffic for blaster, sasser, sapphire/slammer, blah blah blah. Those are 'application-level' attacks in one sense, but for 100% of non-stupid organisations they will be pounding on closed firewall ports. The trouble is that they find other ways in.

So. I would put it more like "_Successful_ attacks from the Internet to trusted networks are shifting to using ports that are open in the firewall. More traditional attacks are relying on the fact that the firewall doesn't cover all (or even most) of the attack vectors anymore." But, when you put it like that it turns out a little trite and obvious, so I'm now not sure if I won or lost.

My gut feel, FWIW, is that if you measure "shifting" by volume then no they're not. If you measure it by focus, attacker R&D, risk posed to organisations and current trends, then yes they are. The "blended threat" is the killer malware of the moment, to my mind - one single user clicks on dancing_weasels.scr and then the whole WAN gets hosed using LSASS as an attack vector. Ow.
Cheers,
ben