Protecting Browsers from DNS Rebinding Attacks
DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. These attacks can be used to:
- circumvent firewalls to access internal documents and services
- temporarily hijack 100,000 IP addresses for less than $100, for sending spam and defrauding pay-per-click advertisers
For information about defenses, please read our paper:
In Proceedings of ACM CCS 07
DNS Rebinding Demo
Use the DNS rebinding technique
This page tries to detect the techniques that might work in your browser and displays them in the dropdown list. If you cannot select a particular technique, a demo is not available for your browser. A technique may not work even though it is selectable; for example, the Flash attacks won't work if you have a patched version of Flash. If you don't have a proxy but want to try the Java proxy technique, you can use proxy.dnsrebinding.net as your browser proxy (port 3128), but it will only proxy connections to dnsrebinding.net so you will need to turn off the proxy for the browser time delay technique, and stop using it when you leave this page.
First, we use JavaScript to generate a random nonce for your request, to distinguish your DNS requests from those of other users. The unique nonce for your next request will be .
Then, we load an iframe on http:// .1.4. .0.. .dnsrebinding.net/dnsrebinding/connect.php. The DNS server for dnsrebinding.net (which we control) initially resolves this name to , which is an attack server we control. Our attack DNS server keeps a record of this lookup so that it can respond differently on subsequent requests.
Our attack server at uses the browser to open a socket to the same DNS name, which triggers a second DNS lookup. Our attack DNS server recognizes a second request using this nonce and returns a CNAME (target) instead of an address record for (attacker).
At this point, the attack code has an open socket to (target) and can send and receive arbitrary data. To demonstrate the attack, we have implemented simple versions of wget and telnet.
Although an attacker could easily exfiltrate the data, for your privacy this demo does not record any of the information transmitted between you and the target. Communication between your browser and the target is over a direct network connection and will not, in general, pass through Stanford's network.
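As an added illustration (not code from the Stanford project), the following Python models the two-lookup sequence described above and runs each answer through a dnswall-style filter that strips private-range addresses, the defense listed under Implementation. The RebindingDnsServer class, the nonce hostname and all IP addresses are constructed stand-ins.

```python
import ipaddress
from collections import Counter

# Ranges a public hostname should never resolve to (the dnswall idea).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]

def is_private_address(addr: str) -> bool:
    """True if addr falls in a blocked range. IPv4-mapped IPv6 addresses are
    unwrapped first so that ::ffff:10.0.0.1 cannot slip past the IPv4 rules."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def filter_answers(answers):
    """Keep only the addresses that are safe to hand back to the browser."""
    return [a for a in answers if not is_private_address(a)]

class RebindingDnsServer:
    """Constructed stand-in for the attack DNS server described above: the first
    lookup of a nonce name answers with the attacker's public address, every
    later lookup of the same name answers with the internal target."""
    def __init__(self, attacker_ip: str, target_ip: str):
        self.attacker_ip, self.target_ip = attacker_ip, target_ip
        self.lookups = Counter()   # per-name lookup count, keyed by the nonce name

    def lookup(self, name: str):
        self.lookups[name] += 1
        return [self.attacker_ip if self.lookups[name] == 1 else self.target_ip]

def connect_sequence(server: RebindingDnsServer, name: str):
    """Model the demo's two resolutions (iframe load, then socket open) through
    the filter; each element is the address list the browser may connect to."""
    return [filter_answers(server.lookup(name)) for _ in range(2)]

if __name__ == "__main__":
    srv = RebindingDnsServer("203.0.113.10", "192.168.1.4")  # constructed addresses
    print(connect_sequence(srv, "nonce123.dnsrebinding.net"))  # [['203.0.113.10'], []]
```

The second lookup comes back empty, so the socket to the internal target is never opened; note that this filter only protects private ranges, which is why the page pairs it with the host name authorization check for Firefox.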
Disclosure Timeline
- April 28, 2007 Stanford security lab notifies vendors
- July 24, 2007 Stanford paper and vulnerability check posted
- August 15, 2007 Firewall defense tool dnswall and Firefox patch released
- October 3, 2007 DNS rebinding fix for Java released by Sun
- October 22, 2007 DNS rebinding protection patch for dnsmasq released
- October 29, 2007 Stanford presentation at ACM CCS 07
- December 3, 2007 DNS rebinding fix for Flash Player released by Adobe
Implementation
- dnswall: daemon that filters out private IP addresses in DNS responses
- prnetdb.c.patch: host name authorization check for Firefox
Related Work
- LocalRodeo - RFC1918 Pinning for JavaScript (Martin Johns)
- LiveConnect Rebinding (Martin Johns)
- LiveConnect Rebinding (Kanatoko Anvil)
- Flash Rebinding (Kanatoko Anvil)
- Forcing Browsers to Unpin (Kanatoko Anvil)
