• Pharming:
  • Re-directing one site's traffic to another site
• DNS Spoofing/Poisoning:
  • A pharming technique that exploits weaknesses in DNS

• Recursive Queries:
  • If the DNS server does not know the answer it will ask another DNS server
  • The answer may be cached
• Transport Protocol:
  • DNS often uses a connectionless transport protocol that is easy to spoof (specifically, UDP)

• Step 1:
  • Make a query that (hopefully) server A can only answer by querying server B
• Step 2:
  • Send spoofed responses to server A that appear to come from server B (in response to server A's query)

• Source IP address
  
  Known
• Destination (i.e. authoritative server) IP address
  
  Knowable
• Source port
  
  Unknown
• Destination port
  
  Known (i.e., port 53)
• Transaction ID
  
  Unknown

• Source port
  • 16 bits
  • May not be random
• Transaction ID
  • 16 bits
  • Generated using a pseudo-random number generator

• Source port
  • \(2^{16} = 65536\) possibilities, each of which are equally likely
• Transaction ID
  • \(2^{16} = 65536\) possibilities, each of which are equally likely
• Probability of a "Correct" Response:
  • Since the two events are independent, \(P\{\text{CorrectResponse}\} = P\{\text{CorrectPort}\} \cdot P\{\text{CorrectID}\} = \frac{1}{65536} \cdot \frac{1}{65536} = \frac{1}{4294967296}\) (i.e., about 1 in 4 billion)

• The Probability of One Attack Being Successful Depends On:
  • The amount of time between the request to the authoritative server and the response from the authoritative server (which is on the order of 0.1 sec)
  • The rate at which the attacker can transmit spoofed responses (which is probably on the order of 100000 per sec)
• The Probability of An Attacker Being Successful Depends On:
  • The amount of time the attacker is willing to devote to the effort

• The Idea:
  • Make more than one DNS query that will need to be re-sent to the authoritative server
• The Rationale:
  • The probability that one of the fake responses will correctly spoof one of the requests is higher (i.e., the Birthday "Paradox")

What is the probability that a member of a group of size \(n\) has the same birthday as you?

Assuming all birthdays are equally likely, the probability that an individual has the same birthday as you is \(\frac{1}{365}\). Hence, the probability of the complement (i.e., the individual doesn't have the same birthday as you) is \(1 - \frac{1}{365} = \frac{364}{365}\).

So, assuming independence, the probability that \(n\) people don't have the same birthday as you is \((\frac{364}{365})^n\).

Hence, the probability of the complement is \(1 - (\frac{364}{365})^n\).

So, the probability that someone has the same birthday as you for \(n=10\) is about 0.027, for \(n=30\) is about 0.079 and for \(n=50\) is about 0.128.

What is the probability that any two people in a group of size \(n\) have the same birthday?

Let \(B_i\) denote the birthday of individual \(i\) and suppose we know the birthday of individual \(1\). Then, as we just saw, the probability that individual \(2\) has the same birthday as individual \(1\) is \(P\{B_2 = B_1\} = \frac{1}{365}\). Hence, the probability of the complement is given by \(P\{B_2 \neq B_1\} = 1 - \frac{1}{365} = \frac{364}{365}\).

The probability that 3's birthday is the same as 1's or 2's, given that 1 and 2 do not have the same birthday, is given by:

\[P\{B_3 = B_2 \text{ or } B_3 = B_1 | B_2 \neq B_1\} = \frac{1}{365} + \frac{1}{365} = \frac{2}{365}\]

Hence, the probability of the complement is given by:

\[P\{B_3 \neq B_2 \neq B_1 | B_2 \neq B_1\} = 1 - \frac{2}{365} = \frac{363}{365}\]

and:

\[P\{B_3 \neq B_2 \neq B_1\} = P\{B_3 \neq B_2 \neq B_1 | B_2 \neq B_1\} \cdot P\{B_2 \neq B_1\} = \frac{364}{365} \cdot \frac{363}{365}\]

Generalizing, the probability that \(n\) individuals have different birthdays is given by:

\[\frac{364 \cdot 363 \cdot (365-n+1)}{365^{n-1}}\]

Multiplying by \(\frac{365}{365}=1\), this probability is given by:

\[\frac{365 \cdot 364 \cdot 363 \cdot (365-n+1)}{365^{n}}\]

This can be re-written as:

\[\frac{365!}{(365-n)!} \cdot \frac{1}{365^n}\]

Thus, the probability of the complement (i.e., that any two people share a birthday) is just:

\[1 - \left(\frac{365!}{(365-n)!} \cdot \frac{1}{365^n}\right)\]

So, the probability that any two people share a birthday for \(n=10\) is about 0.117, for \(n=30\) is about 0.706 and for \(n=50\) is about 0.970.

• Domain Hijacking:
  • Domain name registrations expire
  • If the legitimate owner of a domain name forgets to re-register, another party can register the name and direct traffic to its servers
• Use of Similar Domain Names/Typosquatting:
  • Register domain names that are similar to the domain name of a "well-known" site (e.g., common misspellings, names involving nearby letters)
• Bitsquatting:
  • Register domain names that are one bit different from the domain name of a "well-known" site
  • This is tantamount to typosquatting but is motivated by hardware/transmission errors rather than human errors (e.g., a transmission error in one bit changes microsoft.com to micro3oft.com)