Firewall Wizards mailing list archives
Re: Application-level Attacks
From: Adam Shostack <adam () homeport org>
Date: Fri, 28 Jan 2005 11:45:55 -0500
On Fri, Jan 28, 2005 at 09:24:12PM +0530, Devdas Bhagat wrote:
| On 27/01/05 18:56 -0800, Crispin Cowan wrote:
| > Shimon Silberschlag wrote:
| >
| > > Today, when attacks are shifting towards using the already open ports
| > > on the firewall, at the application level,
| >
| > It is often said that contemporary attacks are migrating to
| > application-level attacks. Can someone point me to data backing this claim?
|
| Or the reverse, data showing that older attacks were not application
| layer attacks (packet flooding and the rare ping of death attack excepted).

I think that older attacks were not application-layer from a business perspective; they may have been at one layer or another of the technical stack, but they rarely attacked core business functionality. I think that a combination of technical factors (more money moved through internet systems) and social ones (attackers who are in it for the money) combine to make a new type of attack.

Richard Bejtlich asked some similar questions at: http://taosecurity.blogspot.com/2005/01/application-vulnerabilities-are-not.html, and I responded at http://www.emergentchaos.com/archives/000840.html:
I think that Richard is both right, in that there's no big technical shift, and wrong, in that the attacks will mature. As I said a few days ago, the attackers will become more clever in using the attacks to make money.

There's also a perception issue, a blowback, if you will, of the success of database-driven vulnerability scanners like ISS and Nessus. These scanners are very effective at finding instances of the sorts of vulnerabilities that get CVE entries. They are less effective, if they even try, at finding vulnerabilities in your locally developed application. Here tools like those from Kavado and SPI Dynamics do much better. Rather than working from a database of flaws, they inspect a web application for classes of flaw, by running attacks against the site in a controlled way.

So the success of the database-driven scanners is that people think that they can run those scanners and learn how an attacker can get in. And that's correct. But no tool will give you a complete list. And so I expect that what the SANS folks are talking about is a rise in attacks against the business infrastructure, rather than the technical infrastructure. If they're not, they should be.