Firewall Wizards mailing list archives

RE: Application-level Attacks


From: "Ben Nagy" <ben () iagu net>
Date: Fri, 28 Jan 2005 17:34:22 +0100

> Shimon Silberschlag wrote:
>
> > Today, when attacks are shifting towards using the already open ports
> > on the firewall, at the application level,
>
> It is often said that contemporary attacks are migrating to
> application-level attacks. Can someone point me to data
> backing this claim?
>
> Thanks,
>     Crispin

I usually talk about either the idea of 'blended threats' - viruses that
infect via email or web, but then spread like worms once inside. Mydoom and
friends are good examples, and there was a malware called Plexus in 2004
which wasn't very successful but is a very clean example of this kind of
attack.

Then you can look at phishing, and also pretty much all the IE bugs,
including the successful malware that hit the IFRAME bug and the current
stuff that is hitting MS05-002.

Now, Crispin, I know you know this, and so I suspect that you were looking
more for data to justify the word "shifting" rather than the fact that these
attacks exist, right? Well, that's where there are lots of counter examples,
so I agree with your implied point that it might be a bogus assumption.

There is still MASSES of traffic for blaster, sasser, sapphire/slammer, blah
blah blah. Those are 'application-level' attacks in one sense, but for 100%
of non-stupid organisations they will be pounding on closed firewall ports.
The trouble is that they find other ways in.

So. I would put it more like "_Successful_ attacks from the Internet to
trusted networks are shifting to using ports that are open in the firewall.
More traditional attacks are relying on the fact that the firewall doesn't
cover all (or even most) of the attack vectors anymore."

But, when you put it like that it turns out a little trite and obvious, so
I'm now not sure if I won or lost. My gut feel, FWIW, is that if you measure
"shifting" by volume then no they're not. If you measure it by focus,
attacker R&D, risk posed to organisations and current trends, then yes they
are. The "blended threat" is the killer malware of the moment, to my mind -
one single user clicks on dancing_weasels.scr and then the whole WAN gets
hosted using LSASS as an attack vector. Ow.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards