Abstract
DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than $100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.
Protecting browsers from DNS rebinding attacks