RE: cache snooping attacks
From: krymson () gmail com
Date: 26 Dec 2007 18:31:07 -0000
Google should deliver some good info by searching for cache snooping attack. But in case you don't have access to
Google, a seminal paper by Luis Grangeia is available along with other DNS topics. (Ok, maybe not seminal, but
he covered it so well, not much else needs to be said.)
In a nutshell, I ask your DNS server to resolve www.bankofamerica.com, but my request tells your DNS server not to look
it up. It will consult its cache only. If it returns a value, that means someone who uses your DNS server has
previously resolved the domain, most likely via web browsing.
How can I use this info? If I wanted to target you or your company specifically, I could find some sites your users
visit (like www.bankofamerica.com in the example), spoof email to them that looks like it is from that site, and
possibly trick your users into running an attachment, opening a rich email, or going to a link of my choosing.
Is DNS cache snooping a huge deal? Not really. It ranks up there with targeted and more exotic attacks. Unless you need
to worry about corporate espionage or national security, I doubt this is of huge concern. However, as automation
becomes more advanced and complex, this is an avenue that could someday be more used. Query a DNS server for a list of
bank domains it has cached, then bulk spam people from the DNS domain and hope your scattershot hits someone valid, who
also is gullible. Low yield, but once automated, could be enough to justify...
<- snip ->
Tell me please, what is "dns cache snooping attacks"?
Tell an example of the given attack?
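An added example (written for this page, not code from the post or from Grangeia's paper) of the check the reply describes, seen from the defender's side: it builds a query with the recursion-desired bit cleared, classifies the reply, and lets you test whether your own resolver answers cache-only queries from outside your network (in BIND that exposure is limited with `allow-query-cache`). The sample reply bytes and the bank name are constructed for the test; only `check_resolver` touches the network.

```python
import socket
import struct

def build_query(name, txid=0x1234, recursion_desired=False):
    """DNS A query; RD=0 tells the resolver to answer from its cache only."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if recursion_desired else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Offset just past a (possibly compressed) DNS name."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):
    """Return (rcode, answer count, TTL of the first answer or None)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    ttl = None
    if an:
        off = _skip_name(data, off)
        _type, _cls, ttl, _rdlen = struct.unpack("!HHIH", data[off:off + 10])
    return flags & 0x000F, an, ttl

def classify(data):
    """'cached': answered from cache, so a client behind the resolver looked the
    name up within the last TTL seconds. REFUSED (rcode 5) is the hardened state."""
    rcode, an, ttl = parse_response(data)
    if rcode == 0 and an:
        return "cached", ttl
    return ("not-cached", None) if rcode == 0 else ("refused-or-error", None)

# Constructed reply: QR=1, RA=1, NOERROR, one A record with 300 s of TTL left.
QUERY = build_query("www.bankofamerica.com")
SAMPLE_CACHED_REPLY = (QUERY[:2] + struct.pack("!HHHHH", 0x8080, 1, 1, 0, 0) + QUERY[12:]
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\x0a\x00\x00\x01")

def check_resolver(server, name, timeout=2.0):
    """Audit your own resolver: send one RD=0 query over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])
```

The remaining TTL in a cached answer is lower than the record's original TTL, which is how the reply tells you roughly how long ago a client resolved the name.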