Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attacker's objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits, including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
In this example, an attacker sends a request to a local DNS server to look up www.example.com. The associated IP address of www.example.com is 188.8.131.52.
A local DNS server usually caches IP addresses and does not query the remote DNS server every time. Since the local record is not found, the DNS server tries to connect to the remote DNS server to resolve the query. However, before the remote DNS server returns the right IP address 184.108.40.206, the attacker floods the local DNS server with crafted responses containing the IP address 220.127.116.11. The result is that 18.104.22.168 is stored in the DNS cache. Meanwhile, 22.214.171.124 is associated with a malicious website, www.maliciousexample.com.
When users connect to www.example.com, the local DNS server will direct them to www.maliciousexample.com. This works as part of a Pharming attack.
Skill or Knowledge Level: Medium
To overwrite/modify targeted cache
Configuration: Disable client-side caching.
Implementation: Listen for query replies on a network, and send a notification via email when an entry changes.
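The monitoring mitigation above, sketched as an added example that is not part of the CAPEC entry: it reports when the answer for a name changes and, going one step beyond the entry, when a burst of replies with differing transaction IDs arrives for one name, as in the flood described in the example. The tuple layout, thresholds and sample addresses are assumptions; delivery of the notification (e.g. email) is left to the caller.

```python
from collections import defaultdict, deque

FLOOD_WINDOW_MS = 1000   # assumed tuning value: sliding window length
FLOOD_TXIDS = 5          # assumed: distinct transaction IDs per name in window

def watch_replies(replies):
    """Scan (time_ms, qname, txid, ip) reply tuples and return a list of alerts.

    'changed': a name's answer differs from the one last seen for it.
    'flood':   many replies with different transaction IDs for one name in a
               short window, the pattern of forged replies guessing the ID.
    """
    last_ip = {}                   # name -> most recent answer seen
    recent = defaultdict(deque)    # name -> (time_ms, txid) inside the window
    flooding = set()               # names whose current burst was reported
    alerts = []
    for ts, qname, txid, ip in replies:
        name = qname.lower().rstrip(".")   # DNS names are case-insensitive
        window = recent[name]
        window.append((ts, txid))
        while ts - window[0][0] > FLOOD_WINDOW_MS:
            window.popleft()
        txids = {t for _, t in window}
        if len(txids) >= FLOOD_TXIDS:
            if name not in flooding:       # report each burst once
                flooding.add(name)
                alerts.append(("flood", name, ts, len(txids)))
        else:
            flooding.discard(name)
        if name in last_ip and last_ip[name] != ip:
            alerts.append(("changed", name, ts, (last_ip[name], ip)))
        last_ip[name] = ip
    return alerts

# Constructed sample using documentation addresses (RFC 5737), not from the page.
GOOD, BAD = "192.0.2.10", "198.51.100.66"
SAMPLE = [(0, "www.example.com", 0x1A2B, GOOD),
          (300_000, "www.example.com.", 0x77C1, GOOD)]
# Burst of crafted replies, each carrying a different guessed transaction ID.
SAMPLE += [(600_000 + i * 10, "WWW.example.com", 0x4000 + i, BAD) for i in range(8)]
SAMPLE.append((600_200, "www.example.com", 0x9F03, GOOD))  # genuine reply, late

if __name__ == "__main__":
    for alert in watch_replies(SAMPLE):
        print(alert)
```

A "changed" alert on its own can be a legitimate record update; a "changed" alert together with a "flood" alert for the same name is the pattern in the example above.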