DNS rebinding

From Wikipedia, the free encyclopedia

DNS rebinding is a DNS-based attack on code embedded in web pages.

Usage

Normally, requests from code embedded in web pages (JavaScript, Java, Flash) are limited to the website the code originates from (the same-origin policy). DNS rebinding can improve the ability of JavaScript-based malware to penetrate private networks by subverting the same-origin policy.

How DNS rebinding works

The attacker registers a domain which is delegated to a DNS server he controls. The server is configured to respond with a very short TTL parameter, which prevents the response from being cached.

The first response contains the IP address of the server hosting the malicious code. Subsequent responses contain spoofed private network IP addresses (RFC 1918), presumably behind a firewall, which are the attacker's targets.

Because both are fully valid DNS responses, they authorize the sandboxed script to access hosts inside the private network. By returning multiple short-lived IP addresses, the DNS server enables the script to scan the local network or perform other malicious activities.

Protection

The following techniques can be used to prevent DNS rebinding attacks:

  • DNS pinning - fixing the IP address to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS.
  • Blocking resolution of external names into internal addresses at the organization's local nameservers
  • Servers can reject HTTP requests with an unrecognized Host header
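
The second measure above, sketched as a resolver-side answer filter. This is an added example, not code from the original article; the function names, the `corp.example` local zone and the sample addresses are constructed, and covering loopback, link-local and unique-local ranges in addition to RFC 1918 is an assumption.

```python
import ipaddress

# RFC 1918 ranges named in the article, plus loopback, link-local,
# unique-local and unspecified addresses (assumption: a rebinding
# answer can point at these as well, so the filter covers them too).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr):
    """True if addr falls in a range external names must not resolve to."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot slip
    # past the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS if net.version == ip.version)

def name_is_local(qname, local_zones):
    """True if qname is inside a zone the organization serves internally."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in local_zones)

def filter_answer(qname, addresses, local_zones):
    """Split the answer addresses into (allowed, dropped)."""
    if name_is_local(qname, local_zones):
        return list(addresses), []   # internal names may use internal IPs
    allowed = [a for a in addresses if not is_internal(a)]
    dropped = [a for a in addresses if is_internal(a)]
    return allowed, dropped

if __name__ == "__main__":
    zones = ["corp.example"]   # constructed local zone
    # Constructed answers: first the public address, then the rebound one.
    samples = [
        ("rebind.example", ["203.0.113.7"]),
        ("rebind.example", ["192.168.1.1"]),
        ("printer.corp.example", ["10.0.0.5"]),
    ]
    for qname, addrs in samples:
        print(qname, addrs, "->", filter_answer(qname, addrs, zones))
```

Logging the dropped addresses together with the query name gives the local nameserver's operator a record of rebinding attempts.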
