Firewall Wizards mailing list archives

Re: Application-level Attacks


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 29 Jan 2005 04:22:50 -0500

I'd tentatively offer the following description of application-level attacks:

Attacks that take advantage of software failures in the implementation of an
application (layer 7) protocol. By implication, application attacks are
specific to a given implementation of a protocol, for example, a buffer
overrun in HTTP request parsing, or a SQL injection attack. Note that
multiple implementations can share a common (independent or based
on shared library use) instance of a given bug.

Protocol level attacks take advantage of flaws in the implementation of
lower-level protocols. By implication, protocol level attacks are specific to
a given implementation of a protocol. For example, ICMP "ping of death"
attacks took advantage of how many ICMP implementations failed to
handle packets larger than allowed by the specification.

Infrastructure or specification level attacks are another category I would
hold as separate, and they depend on failures of the protocol specification.
For example, FTP bounce attacks take advantage of fundamental
braindamage in how the FTP RFC defines FTP operation. Specification
flaws like this require the defending system to _break_ protocol compliance
(as the fwtk's FTP-gw did) in order to protect against the attack.

So, I guess what I am saying is that, in Marcus-land, almost all
attacks are application level. :) They always have been.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
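One concrete instance of the specification-level defence the post mentions (a proxy refusing an FTP PORT command that names anyone other than the client on the control connection, deliberately breaking RFC 959 compliance), as an added example that is not part of the original post or of the fwtk FTP-gw code; the policy, function names and sample addresses are my own assumptions.

```python
import ipaddress
import re

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (address octets, then port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port); return None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, control_peer_ip):
    """Proxy policy (assumed, not the RFC's): only honour a PORT target that is
    the control-connection client itself on a non-privileged port. This is the
    "break compliance to defeat the bounce" choice the post describes.
    Returns (accepted, reason)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_peer_ip):
        # The spec allows this; a bounce-resistant proxy refuses it anyway.
        return False, f"PORT address {ip} is not the control peer {control_peer_ip}"
    if port < 1024:
        return False, f"PORT port {port} is a privileged port"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10 asks for a data connection to a third party.
    print(check_port_command("PORT 198,51,100,7,0,25", "192.0.2.10"))
```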

