Abstract
DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than $100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.
Index Terms
- Protecting browsers from DNS rebinding attacks