[Dailydave] The audacity of thinking you're not owned
Thomas Pollet
thomas.pollet at gmail.com
Mon Jul 14 02:21:05 EDT 2008
Hi,
I have this theory
- suppose you want to spoof a nonexistent subdomain of a site, e.g.
pwned.paypal.com
- you get a user on a website to repeatedly request something on that
domain from within a web page
- as the domain does not exist, every request will result in a DNS lookup
- while the DNS request is ongoing, flood the client (and intermediate
DNS in a recursive scheme) with fake responses.
On average this would "cost" about 200GB (for a 100 byte fake DNS
response).
Regards,
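
Added example, not part of the original post: the flood described above is visible at the client or resolver as a burst of replies for one name whose transaction ID or port does not match any outstanding query. The sketch below counts such mismatches per name in a sliding window; the event tuple layout, threshold and sample data are constructed assumptions, not a real resolver's log format.

```python
from collections import defaultdict

def find_spoof_floods(events, threshold=100, window=1.0):
    """Return {qname: peak count of mismatched replies in any `window`
    seconds} for names whose peak reaches `threshold`.

    events: iterable of (kind, ts, qname, txid, port), kind "Q" or "R",
    sorted by timestamp (hypothetical layout chosen for this example).
    """
    outstanding = set()         # (qname, txid, port) still awaiting a reply
    recent = defaultdict(list)  # qname -> timestamps of mismatched replies
    peak = defaultdict(int)
    for kind, ts, qname, txid, port in events:
        key = (qname, txid, port)
        if kind == "Q":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)   # reply matches a pending query
        else:
            times = recent[qname]      # wrong txid/port, or no pending query
            times.append(ts)
            while times[0] < ts - window:
                times.pop(0)           # drop replies older than the window
            peak[qname] = max(peak[qname], len(times))
    return {q: n for q, n in peak.items() if n >= threshold}

def sample_events():
    """Constructed data: one normal lookup with a stray duplicate reply,
    then one lookup answered by 500 replies carrying guessed txids."""
    ev = [("Q", 0.00, "www.example.org", 0x0101, 40001),
          ("R", 0.02, "www.example.org", 0x0101, 40001),
          ("R", 0.03, "www.example.org", 0x0101, 40001),   # late duplicate
          ("Q", 1.00, "pwned.paypal.com", 0x1A2B, 40000)]
    ev += [("R", 1.0 + 0.001 * i, "pwned.paypal.com", i, 40000)
           for i in range(1, 501)]
    return ev

if __name__ == "__main__":
    for name, count in find_spoof_floods(sample_events()).items():
        print(f"possible spoofing flood: {name} ({count} mismatched replies/s)")
```

A single stray duplicate stays below the threshold, so ordinary retransmissions are not flagged.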