DNS rebinding
Encyclopedia
DNS rebinding is a form of computer attack
. In this attack, a malicious web page
causes visitors to run a client-side script
that attacks machines elsewhere on the network. In theory, the same-origin policy
prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. This is enforced by comparing domain name
s, so DNS rebinding circumvents this protection by abusing the Domain name system (DNS)
.
This attack can be used to breach a private network
by causing the victim's web browser to access machines at private IP address
es and returning the results to the attacker. It can also be used to leverage the victim machine for spamming, distributed denial of service attacks
and other malicious activities.
server he controls. The server is configured to respond with a very short time to live (TTL)
record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address
of a server hosting the malicious client-side code. For instance, he could point the victim's browser to a web site that contains malicious JavaScript
or Flash
.
The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, he could reply with an internal IP address or the IP address of a target somewhere else on the internet.
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
. In this attack, a malicious web page
Web page
A web page or webpage is a document or information resource that is suitable for the World Wide Web and can be accessed through a web browser and displayed on a monitor or mobile device. This information is usually in HTML or XHTML format, and may provide navigation to other web pages via hypertext...
causes visitors to run a client-side script
Client-side scripting
Client-side scripting generally refers to the class of computer programs on the web that are executed client-side, by the user's web browser, instead of server-side...
that attacks machines elsewhere on the network. In theory, the same-origin policy
Same origin policy
In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but...
prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. This is enforced by comparing domain name
Domain name
A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System ....
s, so DNS rebinding circumvents this protection by abusing the Domain name system (DNS)
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
.
This attack can be used to breach a private network
Private network
In the Internet addressing architecture, a private network is a network that uses private IP address space, following the standards set by RFC 1918 and RFC 4193. These addresses are commonly used for home, office, and enterprise local area networks , when globally routable addresses are not...
by causing the victim's web browser to access machines at private IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
es and returning the results to the attacker. It can also be used to leverage the victim machine for spamming, distributed denial of service attacks
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
and other malicious activities.
How DNS rebinding works
The attacker registers a domain (such as attacker.com) and delegates it to a DNSDomain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
server he controls. The server is configured to respond with a very short time to live (TTL)
Time to live
Time to live is a mechanism that limits the lifespan of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded. In computer networking, TTL prevents a data...
record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
of a server hosting the malicious client-side code. For instance, he could point the victim's browser to a web site that contains malicious JavaScript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
or Flash
Adobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...
.
The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, he could reply with an internal IP address or the IP address of a target somewhere else on the internet.
Protection
The following techniques attempt to prevent DNS rebinding attacks:- Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNSDynamic DNSDynamic DNS or DDNS is a term used for the updating in real time of Internet Domain Name System name servers to keep up to date the active DNS configuration of their configured hostnames, addresses and other information....
. - Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses.
- Web servers can reject HTTP requests with an unrecognized Host header.
External links
- Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh "Protecting Browsers from DNS Rebinding Attacks"
- NoScript - a Firefox extension which also partially protects from DNS rebinding
- DNS rebinding attack demonstration implemented in Flash (now obsolete)
- DNS rebinding security update for Adobe Flash Player
- DNS rebinding security update for the Sun JVM
- DNS Rebinding with Robert RSnake Hansen video explanation of the attack and the spamming/brute-force facets.