[dns-operations] All Too Quiet?

Richard Westlake r.westlake at mail.cryst.bbk.ac.uk
Wed Jul 30 12:18:24 UTC 2008


Unless I have missed something, how would we know if this vulnerability 
had been successfully exploited?
The poisoned cache entries could have been replaced by the real data by 
the time anyone checks them.

Consider a skilled attacker poisoning the cache of my.isp.com with false 
date for my.bank.com and then stealing account informing and passwords. If 
the web site looked the same would people notice the difference. The bad 
data could be long gone by the time this account information is sold, 
exploited and the fraud discovered
My.bank.com might notice that a lot of the customers affected by fraud 
used my.ips.com, but that could also be explained by philishing emails 
targeted at my.isp.com accounts.
The attack would probably involve sending forged my.bank.com emails to 
my.isp.com customers anyway. The attacker could even send some more 
traditional philishing emails at the same time to increase their wins and 
also mask the DNS attach.

The only clue might be the aaaa.my.bank.com aaab.my.bank.com 
aaac.my.bank.com URLs in some of the philishing emails.

Some DNS operators might be watching their name servers closely and see an 
attack attempt, however anyone clued up enough to watch for the attack is 
probably running patched servers.

How do you tell if an apparent attack is a researcher, mischief maker or 
fraudster?



Richard Westlake
----------------------------------------------------------------------
                Truth endures but spelling changes    --  Anon.
----------------------------------------------------------------------





More information about the dns-operations mailing list