Re: Application-level Attacks

[Devdas Bhagat <devdas () dvb homelinux org>]

On 28/01/05 11:45 -0500, Adam Shostack wrote:
> On Fri, Jan 28, 2005 at 09:24:12PM +0530, Devdas Bhagat wrote:
> | On 27/01/05 18:56 -0800, Crispin Cowan wrote:
> | > Shimon Silberschlag wrote:
> | > 
> | > > Today, when attacks are shifting towards using the already open ports 
> | > > on the firewall, at the application level,
> | > 
> | > It is often said that contemporary attacks are migrating to 
> | > application-level attacks. Can someone point me to data backing this claim?
> | 
> | Or the reverse, data showing that older attacks were not application
> | layer attacks (packet flooding and the rare ping of death attact excepted).
>
> I think that older attacks were not application-layer from a business
> perspective; they may have been at one layer or another of the
> technical stack, but they rarely attacked core business
> functionality.  I think that a combination of technical factors (more

Was that because all that core business functionality was not on the
Internet?
From

"We have Internet connectivity, but we are only using it for email, and
to put up a mostly static website for our customers, but nothing which
is so critical that we cannot stand a bit of downtime".

to

"We have Internet connectivity and the bulk of our data entry is done
through web applications and we get direct input from our business
partners and sales people over the web, and email is now a business
critical application and downtime is absolutely unacceptable.
Oh, and the ordinary customer must also have a good "web experience" so
we must not put in anything which could hamper the customer"

is a significant shift in business process and thought.

The exposure of applications has increased, but ye olde Sendmail bug
and the BIND exploit du jour and the Internet Explorer sieve are still
application layer bugs.

We have more applications exposed to the Internet, more complex
applications at that, and of course we have more bugs because of that.

> money moved through internet systems) and social ones (attackers who
> are in it for the money) combine to make a new type of attack.

Money was always a large reason for exploiting systems. Social
engineering predates the Internet.

It isn't a new type of attack, just a facet of attackers gaining
popularity in the general press.

<snip>
> list. And so I expect that what the SANS folks are talking about is
> a rise in attacks against the business infrastructure, rather than
> the technical infrastructure. If they're not, they should be.

How many of the previous attacks were not against the business
infrastructure (regardless of the attackers intent, if it impacted
business in any way, it was an attack on the business infrastructure)?

Also, what proportion of the total attacks was against the business
infrastructure then, and what is it now? (suitably accounting for the
rise in logs analysis, IDS and IPS and awareness that such things are
actually happening)

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards