Firewall Wizards mailing list archives

Re: Application-level Attacks


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 29 Jan 2005 10:37:05 -0500 (EST)

On Sat, 29 Jan 2005, Marcus J. Ranum wrote:

> I'd tentatively offer the following description of application-level attacks as:
>
> Attacks that take advantage of software failures in the implementation of an
> application (layer 7) protocol. By implication, application attacks are
> specific to a given implementation of a protocol, for example, a buffer
> overrun in HTTP request parsing, or a SQL injection attack. Note that
> multiple implementations can share a common (independent or based
> on shared library use) instance of a given bug.

Hmmm, but an SQL injection attack isn't really a protocol issue- it's an
unexpected input issue- and I think the distinction between boneheaded
application developers and boneheaded library developers is relatively
important.

> Protocol level attacks take advantage of flaws in the implementation of
> lower-level protocols. By implication, protocol level attacks are specific to
> a given implementation of a protocol. For example, ICMP "ping of death"
> attacks took advantage of how many ICMP implementations failed to
> handle packets larger than allowed by the specification.
>
> Infrastructure or specification level attacks are another category I would
> hold as separate, and they depend on failures of the protocol specification.
> For example, FTP bounce attacks take advantage of fundamental
> braindamage in how the FTP RFC defines FTP operation. Specification
> flaws like this require the defending system to _break_ protocol compliance
> (as the fwtk's FTP-gw did) in order to protect against the attack.
>
> So, I guess what I am saying is that, in Marcus-land, almost all
> attacks are application level. :)   They always have been.

I tend to put them into "Human, protocol, application and transport"
buckets, mostly because those are the places I get to apply controls.  In
reality many threats transit multiple of those, and some attacks take
advantage of bugs in all of them, but I still get to pick the priority of my
controls, so that's still how I separate them.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
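The FTP bounce point above is the clearest case of a defence that has to break protocol compliance: RFC 959 lets a client name any address in PORT, so a proxy that wants to stop bounces must refuse PORT commands whose data address is not the control-connection peer. The following is an added illustration written for this archive page, not fwtk's FTP-gw source or anything posted in the thread. The `vet_port` and `parse_port` names, the sample command lines and client address, and the 1024 minimum data port (a common proxy policy, not an RFC requirement) are all assumptions made for the example.

```python
"""Vet FTP PORT commands the way a bounce-resistant proxy does.

Hypothetical illustration, not fwtk's ftp-gw code. Assumptions: client_addr is
the peer address of the control connection, and data ports below 1024 are
refused (a common policy choice, not something RFC 959 requires).
"""
import ipaddress
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" (six decimal byte values).
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

MIN_DATA_PORT = 1024  # assumption: refuse well-known service ports as data targets


def parse_port(cmd):
    """Return (IPv4Address, port) for a syntactically valid PORT command, else None."""
    m = _PORT_RE.match(cmd.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # "300" matches \d{1,3} but is not a byte
    h1, h2, h3, h4, p1, p2 = octets
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def vet_port(cmd, client_addr, min_port=MIN_DATA_PORT):
    """Decide whether a proxy should relay this PORT command.

    Returns (accepted, reason). The address comparison is the deliberately
    non-compliant part: RFC 959 allows any address, which is exactly what a
    bounce attack abuses to make the server connect to a third party.
    """
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT command"
    host, port = parsed
    if host != ipaddress.IPv4Address(client_addr):
        return False, f"data address {host} is not the control connection peer {client_addr}"
    if port < min_port:
        return False, f"data port {port} is below {min_port}"
    return True, f"relay to {host}:{port}"


# Constructed sample control-channel lines (not captured traffic); the
# hypothetical client's control connection comes from 192.0.2.10.
SAMPLE_CLIENT = "192.0.2.10"
SAMPLES = [
    "PORT 192,0,2,10,4,1",      # legitimate: own address, port 1025
    "PORT 203,0,113,5,4,1",     # classic bounce: points the server at a third host
    "PORT 192,0,2,10,0,25",     # own address, but port 25 (SMTP) as the data target
    "PORT 192,0,2,300,4,1",     # octet out of range
    "PORT 192.0.2.10 1025",     # wrong syntax entirely
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, why = vet_port(line, SAMPLE_CLIENT)
        print(f"{'ACCEPT' if ok else 'REJECT'} {line!r}: {why}")
```

Run stand-alone it prints one verdict per sample line. Only the first is accepted; the second is the bounce case that a strictly compliant server would happily honour, which is why the check has to live in the proxy rather than in the protocol.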