Dailydave: Re: The audacity of thinking you're not owned

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Dailydave mailing list archives

Re: The audacity of thinking you're not owned

From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jul 2008 08:21:05 +0200

Hi,

I have this theory

- suppose you want to spoof a nonexistant subdomain of a site, e.g.
pwned.paypal.com
- you get a user on a website to repeatedly request something on that
domain from within a web page
- as the domain does not exist, every request will result in a dns lookup
- while the dns request is ongoing, flood the client (and intermediate
dns in a recursive scheme) with fake responses.

on average this would "cost" about 200GB (for a 100 byte fake dns
response).

Regards,
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

By Date By Thread

Current thread:

Re: The audacity of thinking you're not owned, (continued)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
  - Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
    - Re: The audacity of thinking you're not owned Parity (Jul 12)
    - Re: The audacity of thinking you're not owned Halvar Flake (Jul 13)
    - Re: The audacity of thinking you're not owned Jason Ross (Jul 13)
    - Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
    - Re: The audacity of thinking you're not owned Jon Oberheide (Jul 14)
    - Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)