Protecting Browsers from DNS Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh

Presented by Felipe Mattosinho
Outline

- Introduction
- How DNS Rebinding Works
- DNS Rebinding Vulnerabilities
- Attacks using DNS Rebinding
- Defenses Against Rebinding
- Related Work
Introduction
Browsers and DNS Caching

- Why do browsers cache DNS results?
- Different browsers have different caching policies and mechanisms, e.g. Firefox, Safari, Internet Explorer.
- The TTL holds the time for which a DNS entry is valid.
- Browsers "should" cache an entry until its TTL expires.
Introduction
Browsers Same Origin Policy

- The browser attempts to stop client-side script from a different origin.
- The policy applies to network access and to browser state such as the DOM interface, cookies, cache, history, and the password database.
- Same origin means the same protocol, domain name and port number.
- Examples: see Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy (the example table on the slide is not reproduced here).
Introduction
Browsers Same Origin Policy

- Access within the same origin: plug-ins such as Flash Player and Java can access network sockets directly.
- Access between different origins: Flash Player permits its movies to read back HTTP responses if an XML policy allows it.
- Prohibited access (ports the browser refuses to connect to):
  Internet Explorer 7: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143
  Firefox 2: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143, plus 51 additional ports
  Safari 2: ports are not blocked
How DNS Rebinding Works
(diagram slide; labels recovered from the figure)
Actors: Bob, www.SE-ROCKS.com (showing a "Win a car" advertisement), the ISP, www.badguy.com, Alice.
Malicious JavaScript is served from www.badguy.com, which resolves to IP 1.2.3.4 with a TTL of 2s.

How DNS Rebinding Works
(diagram slide, continued)
Bob IP: 10.1.1.2; Alice IP: 10.1.1.3.
JavaScript: // Reconnect to www.badguy.com after 2s
www.badguy.com now resolves to IP 10.1.1.3, Alice's address.
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities

- Multiple A Records
  Multiple IP addresses resolve to the same host name.
  In 1996, the first attack aimed to confuse the security policy of the JVM:
  a Java applet connects to both the target and the attacker's web server.

- Time-Varying DNS
  In 2001, the original attack on Java was extended, this time using JavaScript.
  www.badguy.com is bound with a very short TTL.
  After www.badguy.com is rebound to the target's IP address, the XMLHttpRequest object
  connects to www.badguy.com, which now resolves to the target's server.
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities

- Pinning in Current Browsers
  The browser pins a host name to an IP address.
  Internet Explorer 7 binds a host to an IP for 30 minutes by default. With multiple A
  records, the browser can try different IP addresses within 1 second.
  Internet Explorer 6 also pins for 30 minutes, but the pin can easily be released with the
  following HTML element: <img src="http://badguy.com:81/">
  Firefox 1.5 and 2 cache DNS entries for 60 to 120 seconds.
  Opera 9 has the same behavior as Internet Explorer 6, but holds a pin for 12 minutes.
  Safari 2 pins DNS bindings for 1 second.
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities

- Flash Player 9
  Flash Player is installed on 55.8% of web browsers (as of December 2006) according to
  Adobe; the experiments, however, showed 86.9%.
  Flash opens a socket on a port below 1024 to www.badguy.com. Flash then automatically
  sends <policy-file-request />. The attacker responds with the XML policy shown in the
  slide figure (not reproduced here) [JBB+07].
Attacks using DNS Rebinding
Attacks

- Firewall Circumvention
  - Spidering the intranet
  - Compromising unpatched machines
  - Abusing internal open services

- IP Hijacking
  - Committing click fraud
  - Sending spam
  - Defeating IP-based authentication
  - Framing clients
Attacks using DNS Rebinding
Experiment: Recruiting Browsers

- DNS rebinding was tested by running a Flash Player 9 advertisement.
- Two machines ran during three successive nights.
- The attacker ran:
  1. A custom authoritative DNS server
  2. A custom Flash Player policy server
  3. An Apache web server hosting the advertisement
- The target ran an Apache server to log successful attacks.
Attacks using DNS Rebinding
Experiment: Recruiting Browsers

- The attack needed no user click.
- The attack results: (result figures from [JBB+07], not reproduced here)
Attacks using DNS Rebinding
Experiment: Recruiting Browsers

Relevant numbers about the attack:

1. 50,951 impressions from 44,924 unique IP addresses were acquired
   (40.2% IE7, 32.3% IE6, 23.5% Firefox, 4% other).
2. The rebinding experiment ran on the 44,301 (86.9%) impressions
   that reported Flash Player 9.
3. The experiment was successful on 30,636 (60.1%) impressions and
   27,840 unique IP addresses.
4. The attack was less successful on Mac OS.
Defenses Against Rebinding
Fixing Firewall Circumvention

- Enterprise
  Block outbound traffic on port 53; a DNS server can be configured not to bind
  external names to internal IP addresses.
  Use dnswall to enforce this policy.

- Consumer
  Consumer firewalls already expose a caching DNS resolver and can be augmented
  with dnswall.

- Software
  E.g. Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that
  bind to the loopback interface.
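As an added example (not code from the slides, the paper or dnswall itself), the rule a dnswall-style resolver filter enforces: A records that map an external name to internal, loopback or link-local address space are dropped before they reach the browser, while names inside the site's own internal zone are left alone. The internal zone corp.example and the sample answers are constructed.

```python
import ipaddress

# Zones whose names are allowed to resolve to internal address space.
# Assumption: one constructed corporate zone; a real deployment lists its own.
INTERNAL_ZONES = ("corp.example.",)


def is_internal_name(qname: str) -> bool:
    """True if qname lies inside one of the internal zones (case-insensitive)."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def is_internal_address(addr: str) -> bool:
    """RFC 1918 / ULA space, loopback (127.*.*.*), link-local and unspecified."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_a_records(qname, addresses):
    """Apply the policy to one DNS answer.

    Returns (kept, dropped). External names keep only routable addresses, so a
    rebound www.badguy.com -> 10.1.1.3 never reaches the browser; internal names
    are passed through unchanged. An answer whose kept list is empty would be
    returned to the client as an empty answer by the resolver.
    """
    if is_internal_name(qname):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        (dropped if is_internal_address(addr) else kept).append(addr)
    return kept, dropped


# Constructed sample answers: the rebinding case from the slides, a multiple-A-record
# answer that mixes a public address with loopback, an internal name, and a public name.
SAMPLE_ANSWERS = [
    ("www.badguy.com", ["1.2.3.4"]),
    ("www.badguy.com", ["10.1.1.3"]),               # rebound to Alice's internal address
    ("www.badguy.com", ["1.2.3.4", "127.0.0.1"]),   # multiple A records incl. loopback
    ("intranet.corp.example", ["10.1.1.3"]),        # internal zone, internal address: fine
    ("www.example.com", ["171.64.78.10"]),
]


def audit(answers=SAMPLE_ANSWERS):
    """Run the filter over a list of (qname, addresses); returns (qname, kept, dropped)."""
    return [(q, *filter_a_records(q, a)) for q, a in answers]


if __name__ == "__main__":
    for qname, kept, dropped in audit():
        print(f"{qname:24} kept={kept} dropped={dropped}")
```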
Defenses Against Rebinding
Fixing Plug-ins

- Flash Player
  Apply a policy only if it was obtained for the same IP address and the same host name.
  Request the policy before opening sockets to any port.

- Java
  The connect method is used to obtain a proxied socket connection to an external
  machine.

- Java LiveConnect
  Remove multi-pin vulnerabilities by using the same cache as the browser.
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)

- Checking the Host Header
  Accept only expected Host headers.

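An added example (not code from the slides or the paper) of the Host header check on the server side: a WSGI middleware that accepts only the host names the service is actually published under, so a request that reaches an intranet server through a rebound name such as www.badguy.com is refused before the application sees it. The host name intranet.corp.example and hello_app are constructed.

```python
DEFAULT_PORT = 80


def normalize_host(value, default_port=DEFAULT_PORT):
    """Parse a Host header into ("host", port), lower-cased.

    Returns None for input that can never be an expected host: missing/empty,
    a bracketed IPv6 literal, or a non-numeric port. A bare IP address parses
    fine but will simply not be in the allow-set.
    """
    if not value:
        return None
    value = value.strip().lower()
    if value.startswith("["):
        return None
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    if not port.isdigit():
        return None
    return host, int(port)


def expected_hosts(names, port=DEFAULT_PORT):
    """Build the allow-set of (host, port) pairs the service is published under."""
    return {(n.lower(), port) for n in names}


def host_is_expected(value, allowed, default_port=DEFAULT_PORT):
    parsed = normalize_host(value, default_port)
    return parsed is not None and parsed in allowed


def host_check_middleware(app, allowed):
    """Reject any request whose Host header is not in `allowed`.

    A browser that was rebound from www.badguy.com to this server still sends
    Host: www.badguy.com, so the check fails closed before `app` runs.
    """
    def wrapped(environ, start_response):
        if not host_is_expected(environ.get("HTTP_HOST"), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unexpected Host header\n"]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Constructed stand-in for an intranet application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"intranet page\n"]


ALLOWED = expected_hosts(["intranet.corp.example"])  # constructed allow-list
app = host_check_middleware(hello_app, ALLOWED)


def call(environ):
    """Invoke the wrapped app directly and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```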
- Finer-grained Origins
  Refine the origin by adding information such as the server IP address or a public key.
  IP addresses: robust, but some applications, such as Gmail, may fail.
  Public keys: can cause problems with two HTTPS pages served from the same domain
  reading each other's state.
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)

- Smarter Pinning
  Robustness vs. security.
  Extend the width of pins, e.g. pin the IP 171.64.78.10 to the prefix 171.64.78.
  The developers of NoScript for Firefox are planning this pinning heuristic.
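An added example that covers both the time-varying DNS scenario from the earlier slides and the smarter-pinning heuristic above (it is not code from the paper or from NoScript): a browser-side pin table replayed against a constructed DNS timeline, comparing a strict single-address pin with a 30-minute lifetime, a 1-second pin, and a widened /24 pin. The timeline reuses the slides' addresses (1.2.3.4, 10.1.1.3, 171.64.78.10) and is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS timeline: www.badguy.com is served with a 2-second TTL and, once it
# expires, rebound from a public address to Alice's internal one. www.example.com is a
# legitimate site that fails over to a neighbouring address in the same /24.
CONSTRUCTED_DNS = {
    ("www.badguy.com", 0): "1.2.3.4",
    ("www.badguy.com", 3): "10.1.1.3",
    ("www.example.com", 0): "171.64.78.10",
    ("www.example.com", 3): "171.64.78.11",
}


def dns_lookup(host, now):
    """Stub resolver: the address the constructed authoritative server gives at `now`."""
    ts = max(t for (h, t) in CONSTRUCTED_DNS if h == host and t <= now)
    return CONSTRUCTED_DNS[(host, ts)]


@dataclass
class Pin:
    ip: str
    expires: float


class PinningResolver:
    """Browser-side resolver that pins each host name to the first address it saw.

    pin_seconds: pin lifetime (IE7 pins for 30 minutes, Safari 2 for 1 second).
    prefix_len:  width of the pin. 32 is a strict single-address pin; 24 is the
                 smarter-pinning heuristic (171.64.78.10 pins to 171.64.78.0/24).
    """

    def __init__(self, pin_seconds, prefix_len=32):
        self.pin_seconds = pin_seconds
        self.prefix_len = prefix_len
        self.pins = {}

    def resolve(self, host, now):
        """Return (address the browser will actually connect to, decision)."""
        fresh = dns_lookup(host, now)
        pin = self.pins.get(host)
        if pin is None or now >= pin.expires:
            # No live pin: trust DNS and start a new pin. With a 1-second pin this
            # is exactly where the rebound 10.1.1.3 gets accepted.
            self.pins[host] = Pin(fresh, now + self.pin_seconds)
            return fresh, "pinned"
        if fresh == pin.ip:
            return pin.ip, "unchanged"
        pinned_net = ipaddress.ip_network(f"{pin.ip}/{self.prefix_len}", strict=False)
        if ipaddress.ip_address(fresh) in pinned_net:
            # Re-pin inside the pinned prefix: keeps same-network failover working.
            self.pins[host] = Pin(fresh, pin.expires)
            return fresh, "repinned-within-prefix"
        # Address moved outside the pinned prefix: keep the old pin, so the script's
        # reconnect still goes to 1.2.3.4 and never to 10.1.1.3.
        return pin.ip, "rebind-blocked"


if __name__ == "__main__":
    for label, r in [("strict 30 min", PinningResolver(1800)),
                     ("1 second", PinningResolver(1)),
                     ("/24 30 min", PinningResolver(1800, prefix_len=24))]:
        for host in ("www.badguy.com", "www.example.com"):
            print(label, host, r.resolve(host, 0), r.resolve(host, 3))
```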
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)

- Policy-based Pinning
  Browsers consult server-supplied policies to determine when it is safe to re-pin.

- Pinning Pitfalls
  Common pin database: sharing the same database across the browser and its plug-ins.
  Cache: the browser's cache and all plug-in caches must be modified to prevent rebinding
  attacks.
  document.domain
Defenses Against Rebinding
Fixing Browsers (Default-Allow Sockets)

- Host Name Authorization
  "Honest machines" do not advertise host names controlled by attackers.
  (diagram from [JBB+07], not reproduced here)

  Policy mechanism steps:
  1. Resolve the host name auth.ip.in-addr.arpa
  2. Does the host name exist?
  3. If the IP is policy-enabled, resolve the host name www.example.com.auth.ip.in-addr.arpa
  4. Determine if the host name is authorized
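An added example (not code from the slides or the paper) that walks the four policy steps against a constructed in-addr.arpa zone held in a dictionary, so it runs offline. It assumes two details the slides do not spell out: the in-addr.arpa name uses the address's octets in reverse order (as PTR names do), and a per-host record that resolves to the address itself is what "authorized" means; a machine that publishes no auth record is treated as a legacy host and allowed by default, matching the default-allow heading.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """171.64.78.10 -> '10.78.64.171.in-addr.arpa'.

    Assumption: the slides write 'ip' loosely; in-addr.arpa names carry the octets
    in reverse order, which is what ipaddress.reverse_pointer produces.
    """
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed stand-in for the A records the owners of each address would publish.
# In a browser these are ordinary A queries sent to the normal resolver.
CONSTRUCTED_ZONE = {
    # 171.64.78.10 has opted in and authorizes exactly one host name.
    "auth.10.78.64.171.in-addr.arpa": "171.64.78.10",
    "www.example.com.auth.10.78.64.171.in-addr.arpa": "171.64.78.10",
    # 10.1.1.3 (Alice) has opted in but authorizes only her internal name.
    "auth.3.1.1.10.in-addr.arpa": "10.1.1.3",
    "alice.corp.example.auth.3.1.1.10.in-addr.arpa": "10.1.1.3",
    # 10.1.1.2 (Bob) publishes nothing: a legacy host.
}


def resolve(name, zone=CONSTRUCTED_ZONE):
    """Stub A lookup: returns the address or None for a non-existent name."""
    return zone.get(name.lower())


def host_name_authorized(host, ip, zone=CONSTRUCTED_ZONE):
    """Decide whether `host` may be bound to `ip`; returns (allowed, reason)."""
    rev = reverse_name(ip)
    # Steps 1-2: does auth.<reversed ip>.in-addr.arpa exist?
    if resolve(f"auth.{rev}", zone) is None:
        return True, "address is not policy-enabled (legacy host, default allow)"
    # Step 3: the address opted in, so ask it about this specific host name.
    answer = resolve(f"{host.rstrip('.')}.auth.{rev}", zone)
    # Step 4 (assumption): a record resolving to the address itself means authorized.
    if answer == ip:
        return True, "host name authorized by the address's policy"
    return False, "policy-enabled address does not authorize this host name"


if __name__ == "__main__":
    for host, ip in [("www.example.com", "171.64.78.10"),
                     ("www.badguy.com", "10.1.1.3"),
                     ("alice.corp.example", "10.1.1.3"),
                     ("www.badguy.com", "10.1.1.2")]:
        print(f"{host:20} -> {ip:14} {host_name_authorized(host, ip)}")
```

Note the trade-off visible in the last case: Bob's machine publishes no policy, so under default-allow it stays reachable through a rebound name until it opts in.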
Related Work

- Using Browsers as Bots
  Browsers can be used for distributed denial of service attacks.

- Sender Policy Framework
  Stores policy information in DNS.
References

[1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer
[2] Dan Kaminsky. Black Ops 2007: Design Reviewing the Web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt
[3] Wikipedia. http://en.wikipedia.org/wiki/Domain_Name_System
[4] Google Safe Browsing for Firefox, 2005. http://www.google.com/tools/firefox/safebrowsing
[5] J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html
[6] D. Ross. Notes on DNS Pinning, 2007. http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns.pinning.aspx

Supervisor: Gert Pfeifer
THANK YOU!

QUESTIONS?!
