What is a DNS Rebinding Attack? – GreenCloud
Did you know that DNS rebinding exploits a weakness in the browser's Same Origin Policy, using malicious DNS queries to reach local network resources, so that a malicious website can attack the victim's internal network? In this blog post, we explore how a DNS rebinding attack works and what impact it has. We then examine the widely accepted countermeasures against this type of attack and discuss their shortcomings.
What is a DNS Rebinding Attack?
A DNS rebinding attack is a type of DNS attack that manipulates the resolution of domain names. Attackers typically use DNS rebinding to create a path between the victim's browser and the attacker's server, which lets them exploit weaknesses in the browser itself. A DNS rebinding attack is therefore not a standalone attack in the way many other cyber attacks are. When an attacker performs a DNS rebinding attack, they not only compromise the domain but also hijack the domain's name server. Using DNS rebinding, the attacker can then deliver malicious content in various ways, which can infect devices with malware and other viruses.
How does this work?
An attacker registers a domain (for example, anydomain.com) and delegates it to a DNS server under the attacker's control. That server is configured to answer with a very short time-to-live (TTL), which prevents the response from being cached. When the victim visits the malicious domain, the attacker's DNS server responds with the IP address of the server that initially hosts the malicious client-side code.
For example, it can direct the victim's browser to a page containing malicious JavaScript or Flash code intended to run on the victim's computer.
The malicious client-side code then makes additional requests to the original domain name (such as attacker.com), which the Same Origin Policy permits. When the victim's browser runs the script, it sends a new DNS request for the domain, and the attacker's server responds with a different IP address. For example, it could respond with an internal IP address, or with the IP address of a target elsewhere on the Internet.
How to Mitigate DNS Rebinding Attacks
This section describes several mitigation strategies against DNS rebinding attacks, with a technical explanation of each. Together they form a multi-layered defense: each covers a different aspect or phase of the attack, and each has its own limitations and challenges.
- Browser-based mitigations: Modern browsers use DNS pinning: they ignore the DNS TTL and cache resolution results for a fixed period. This stops an attacker from changing the resolved IP address through frequent DNS queries. The approach blocks the traditional time-based attack, but it can be bypassed by sending repeated requests until the cache expires, or by using multiple A-record attacks. Browser-based mitigation can therefore be defeated if the attacker can keep their site open in the victim's browser long enough, which is a particular risk when viewing long video content on an attacker's site.
- DNS-based mitigation: DNS services such as OpenDNS reject DNS responses that point to private (RFC 1918) and other non-routable IP addresses, and DNS caching resolvers (Dnsmasq, Unbound) implement similar policies. However, not all non-routable IP addresses are blocked, and CNAME records can be used to bypass the restriction. False positives can also block legitimate services that resolve to internal IP addresses.
- Server-based mitigation: Enabling HTTPS for private services and requiring proper domain validation for SSL certificates prevents attackers from establishing SSL connections to them. Authenticating private services with strong credentials adds another layer of protection. This approach depends on the developers of each internal service, which makes it hard to scale, and in both home and enterprise environments third-party software makes it difficult for network owners to enforce this protection.
- Real-time DNS rebinding detection: A signature-based system monitors DNS traffic for abnormal patterns that indicate DNS rebinding attacks. Such a system can identify malicious hostnames in real time and covers a range of DNS rebinding variants. Its strengths are high detection accuracy, suppression of false positives through legitimate-usage filters, and the ability to recognize attacks targeting both internal IP addresses and hostnames.
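As an added illustration of the DNS-based filtering and real-time detection ideas above (example code written for this post, not from the original article or any vendor), the following Python script scans constructed resolver log lines for two patterns: a hostname that a client resolved to a public address and then, within a short window, to an RFC 1918, loopback or link-local address, and a short-TTL answer that points a public name at an internal address. The log format, the allowlist (standing in for the "legitimate usage filter") and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (sample data, not from the original post):
# "<unix_ts> <client_ip> <hostname> <rr_type> <answer> <ttl>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 anydomain.com A 203.0.113.10 5
1700000004 10.0.0.5 cdn.example.net A 198.51.100.7 3600
1700000012 10.0.0.5 anydomain.com A 192.168.1.1 5
1700000020 10.0.0.5 intranet.corp.example A 10.1.2.3 300
1700000031 10.0.0.5 evil.example A 127.0.0.1 5
"""

# Assumed allowlist of names that legitimately resolve to internal addresses
# (the "legitimate usage filter" that keeps false positives down).
ALLOWLIST = {"intranet.corp.example"}
WINDOW = 60    # seconds: a public->internal flip inside this window is a rebind
MAX_TTL = 30   # seconds: rebinding depends on answers that expire almost at once

# Explicit ranges rather than ipaddress.is_private, so the documentation
# ranges used in the sample (203.0.113.0/24 etc.) count as "public" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this"
)]


def is_internal(ip: str) -> bool:
    """True for addresses a public website should never legitimately resolve to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rebinding(log_text: str) -> list[tuple[str, str]]:
    """Return (hostname, reason) alerts for suspected DNS rebinding in the log."""
    history: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    alerts = []
    for line in log_text.strip().splitlines():
        ts, client, host, rtype, answer, ttl = line.split()
        ts, ttl = int(ts), int(ttl)
        if rtype != "A":
            continue                      # only address answers matter here
        key = (client, host)
        if is_internal(answer) and host not in ALLOWLIST:
            # Rule 1: the same name was a public address for this client moments ago.
            if any(not is_internal(ip) and ts - t <= WINDOW for t, ip in history[key]):
                alerts.append((host, "public-to-internal flip"))
            # Rule 2: short-lived answer pointing a public name at an internal host.
            elif ttl <= MAX_TTL:
                alerts.append((host, "low-TTL internal answer"))
        history[key].append((ts, answer))
    return alerts


if __name__ == "__main__":
    for host, reason in detect_rebinding(SAMPLE_LOG):
        print(f"ALERT {host}: {reason}")
```

Run against the sample, it flags anydomain.com for the public-to-internal flip and evil.example for the low-TTL loopback answer, while the allowlisted intranet name is left alone.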
Conclusion
A DNS rebinding attack can turn victims' browsers into traffic tunnels for reaching private services. With this technique, attackers can steal confidential information and send forged requests to victims' servers. Browsers, resolvers, and web applications have implemented various defenses against it, but advanced exploits can bypass the traditional ones, and as internal network environments grow more complex, complete protection becomes harder to implement.