DNS rebinding

Template:Ref improve

DNS rebinding is a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).

This attack can be used to breach a private network by causing the victim's web browser to access machines at private IP addresses and returning the results to the attacker. It can also be used to use the victim machine for spamming, distributed denial-of-service attacks and other malicious activities.

How DNS rebinding works

The attacker registers a domain (such as attacker.com) and delegates it to a DNS server he controls. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, he could point the victim's browser to a website that contains malicious JavaScript or Flash.

The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, he could reply with an internal IP address or the IP address of a target somewhere else on the Internet.

Protection

The following techniques attempt to prevent DNS rebinding attacks:Template:Citation needed

• Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks.
• Private IP addresses can be filtered out of DNS responses.
  • External public DNS servers with this filtering e.g. OpenDNS.<ref>opendns</ref>
  • Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses.
  • DNS filtering in a firewall or daemon e.g. dnswall.<ref>google-dnswall</ref>
• Web servers can reject HTTP requests with an unrecognized Host header.
• Web servers can also require HTTPS to access secure content, possibly using HTTP Strict Transport Security.
• The Firefox NoScript extension provides partial protection (for private networks) using its ABE feature, which blocks web traffic from external addresses to local addresses.

See Also

• DNS hijacking
• DNS spoofing

References

     | references-column-width 
     | references-column-count references-column-count-{{#if:1|2}} }}
   | {{#if: 
     | references-column-width }} }}" style="{{#if: 2
   | {{#iferror: {{#ifexpr: 2 > 1 }}
     | Template:Column-width
     | Template:Column-count }}
   | {{#if: 
     | Template:Column-width }} }} list-style-type: {{#switch: 
   | upper-alpha
   | upper-roman
   | lower-alpha
   | lower-greek
   | lower-roman = {{{group}}}
   | #default = decimal}};">

External links

• Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh "Protecting Browsers from DNS Rebinding Attacks"
• DNS rebinding attack demonstration implemented in Flash (now obsolete)
• DNS rebinding security update for Adobe Flash Player
• DNS rebinding security update for the Sun JVM
• DNS Rebinding with Robert RSnake Hansen video explanation of the attack and the spamming/brute-force facets.