Security Basics mailing list archives
RE: cache snooping attacks
From: krymson () gmail com
Date: 26 Dec 2007 18:31:07 -0000
Google should deliver some good info by searching for cache snooping attack. But in case you don't have access to Google, a seminal paper by Luis Grangeia is available [1] along with other DNS topics [2]. (Ok, maybe not seminal, but he covered it so well, not much else needs to be said.)

In a nutshell, I ask your DNS server to resolve www.bankofamerica.com, but my request tells your DNS server not to look it up. It will consult its cache only. If it returns a value, that means someone who uses your DNS server has previously resolved the domain, most likely via web browsing.

How can I use this info? If I wanted to target you or your company specifically, I could find some sites your users visit (like www.bankofamerica.com in the example), spoof email to them that looks like it is from that site, and possibly trick your users into running an attachment, opening a rich email, or going to a link of my choosing.

Is DNS cache snooping a huge deal? Not really. It ranks up there with targeted and more exotic attacks. Unless you need to worry about corporate espionage or national security, I doubt this is of huge concern. However, as automation becomes more advanced and complex, this is an avenue that could someday be more used. Query a DNS server for a list of bank domains it has cached, then bulk spam people from the DNS domain and hope your scattershot hits someone valid, who also is gullible. Low yield, but once automated, could be enough to justify...

[1] http://www.sysvalue.com/papers/DNS-Cache-Snooping/files/DNS_Cache_Snooping_1.1.pdf
[2] http://www.dnssec.net/dns-threats

<- snip ->

tell me please, what is "dns cache snooping attacks"? Tell an example of the given attack?
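Added example, not part of the original post: a resolver-side check for the pattern described above, where a client's query tells the server not to look the name up. It assumes this corresponds to a standard query with the RD (recursion desired) bit cleared in the RFC 1035 header, and that the traffic was captured at a recursive-only resolver whose normal clients set RD; the function names, threshold and sample events are constructed for illustration.

```python
import struct
from collections import defaultdict

def build_query(name, rd, txid=0x1234):
    """Build a minimal RFC 1035 A/IN query; used only to construct sample input."""
    flags = 0x0100 if rd else 0x0000  # RD (recursion desired) is bit 8 of the flags word
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_query(msg):
    """Return (rd, qname) for a standard query, or None for responses/malformed input."""
    if len(msg) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount < 1:
        return None  # QR=1 (response), non-QUERY opcode, or no question
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):
            return None  # compression pointer or truncated label
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos >= len(msg):
        return None  # name never terminated
    return bool(flags & 0x0100), ".".join(labels).lower()

def flag_snooping(events, threshold=2):
    """Map each source that sent RD=0 queries for >= threshold distinct names to those names."""
    probed = defaultdict(set)
    for src, raw in events:
        parsed = parse_query(raw)
        if parsed and not parsed[0]:
            probed[src].add(parsed[1])
    return {s: sorted(n) for s, n in probed.items() if len(n) >= threshold}

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("198.51.100.7", build_query("www.bankofamerica.com", rd=False)),
    ("198.51.100.7", build_query("bank.example", rd=False)),
    ("10.0.0.5", build_query("www.bankofamerica.com", rd=True)),
    ("10.0.0.9", build_query("intranet.example", rd=False)),
    ("203.0.113.4", b"\x00\x01"),  # malformed: shorter than a DNS header
]

if __name__ == "__main__":
    for src, names in flag_snooping(SAMPLE).items():
        print(f"{src}: non-recursive queries for {names}")
```

Monitoring or diagnostic hosts that legitimately send non-recursive queries would need to be excluded before alerting on this output.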