Protecting Browsers from DNS Rebinding Attacks

DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. These attacks can

circumvent firewalls to access internal documents and services
require less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers

For information about defenses, please read our paper:

pdf

Protecting Browsers from DNS Rebinding Attacks [BIBTEX]

Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh

In Proceedings of ACM CCS 07

Disclosure Timeline

April 28, 2007 Stanford security lab notifies vendors
July 24, 2007 Stanford paper and vulnerability check posted
August 15, 2007 Firewall defense tool dnswall and Firefox patch released
October 3, 2007 DNS rebinding fix for Java released by Sun
October 22, 2007 DNS rebinding protection patch for dnsmasq released
October 29, 2007 Stanford presentation at ACM CCS 07
December 3, 2007 DNS rebinding fix for Flash Player released by Adobe

Implementation

dnswall: daemon that filters out private IP addresses in DNS responses
prnetdb.c.patch: host name authorization check for Firefox

Related Work

LocalRodeo - RFC1918 Pinning for JavaScript (Martin Johns)
LiveConnect Rebinding (Martin Johns)
LiveConnect Rebinding (Kanatoko Anvil)
Flash Rebinding (Kanatoko Anvil)
Forcing Browsers to Unpin (Kanatoko Anvil)