[Dailydave] The audacity of thinking you're not owned
Jon Oberheide
jon at oberheide.org
Mon Jul 14 10:20:57 EDT 2008
On Mon, 2008-07-14 at 08:21 +0200, Thomas Pollet wrote:
> - suppose you want to spoof a nonexistent subdomain of a site, e.g.
> pwned.paypal.com
> - you get a user on a website to repeatedly request something on that
> domain from within a web page
> - as the domain does not exist, every request will result in a dns lookup
Not necessarily. DNS has all sorts of wonderfully quirky features, one
of them being negative caching [1]. So your NXDOMAIN/SERVFAIL/whatever
responses for a RR can be cached too.
> - while the dns request is ongoing, flood the client (and intermediate
> dns in a recursive scheme) with fake responses.
Even if you did succeed, all you'd be left with is pwned.paypal.com, which
might be more effective than heyipromisethisispaypal.com in your
phishing emails, but has nowhere near the impact of arbitrary RR
poisoning.
Regards,
Jon Oberheide
[1] http://www.ietf.org/rfc/rfc2308.txt
--
Jon Oberheide <jon at oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
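
The negative caching mentioned in the reply above, as an added example that is not part of the original message: a toy caching resolver that counts how many repeated requests for a nonexistent name actually reach the upstream server. The class names, zone data and timings are constructed for illustration, and only NXDOMAIN is modelled; the negative TTL rule (minimum of the SOA TTL and the SOA MINIMUM field) is the one from RFC 2308.

```python
from dataclasses import dataclass

@dataclass
class Soa:
    ttl: int      # TTL of the SOA record returned in the authority section
    minimum: int  # SOA MINIMUM field

class Upstream:
    """Stand-in for the authoritative side; counts the queries it receives."""
    def __init__(self, records, soa):
        self.records, self.soa, self.queries = records, soa, 0

    def query(self, name):
        self.queries += 1
        if name in self.records:
            return "NOERROR", self.records[name], None
        return "NXDOMAIN", None, self.soa

class CachingResolver:
    def __init__(self, upstream, negative_caching=True):
        self.upstream = upstream
        self.negative_caching = negative_caching
        self.cache = {}  # name -> (expires_at, rcode, address)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[0]:
            return hit[1], hit[2], "cache"
        rcode, answer, soa = self.upstream.query(name)
        if rcode == "NOERROR":
            addr, ttl = answer
            self.cache[name] = (now + ttl, rcode, addr)
            return rcode, addr, "upstream"
        if self.negative_caching and soa is not None:
            # RFC 2308: negative answers live for min(SOA TTL, SOA MINIMUM)
            neg_ttl = min(soa.ttl, soa.minimum)
            self.cache[name] = (now + neg_ttl, rcode, None)
        return rcode, None, "upstream"

def upstream_queries(negative_caching, requests=100, interval=1):
    """Request the same nonexistent name repeatedly; return upstream query count."""
    # Constructed zone: one real record, SOA TTL 3600 s, SOA MINIMUM 60 s.
    up = Upstream({"www.example.test": ("192.0.2.10", 300)}, Soa(3600, 60))
    resolver = CachingResolver(up, negative_caching)
    for i in range(requests):
        resolver.resolve("nonexistent.example.test", now=i * interval)
    return up.queries
```

With these constructed values, 100 requests one second apart produce two upstream queries when negative caching is on and 100 when it is off.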