Protecting Browsers from DNS Rebinding Attacks
Collin Jackson
Stanford University
[email protected]
Adam Barth
Stanford University
[email protected]
Andrew Bortz
Stanford University
[email protected]
Weidong Shao
Stanford University
[email protected]
Dan Boneh
Stanford University
[email protected]
ABSTRACT
DNS rebinding attacks subvert the same-origin policy of
browsers and convert them into open network proxies. We
survey new DNS rebinding attacks that exploit the inter-
action between browsers and their plug-ins, such as Flash
Player and Java. These attacks can be used to circumvent
firewalls and are highly cost-e↵ective for sending spam e-
mail and defrauding pay-per-click advertisers, requiring less
than $100 to temporarily hijack 100,000 IP addresses. We
show that the classic defense against these attacks, called
“DNS pinning,” is ine↵ective in modern browsers. The pri-
mary focus of this work, however, is the design of strong
defenses against DNS rebinding attacks that protect mod-
ern browsers: we suggest easy-to-deploy patches for plug-ins
that prevent large-scale exploitation, provide a defense tool,
dnswall, that prevents firewall circumvention, and detail
two defense options, policy-based pinning and host name
authorization.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information
Systems]: Security and Protection
General Terms
Security, Design, Experimentation
Keywords
Same-Origin Policy, DNS, Firewall, Spam, Click Fraud
1. INTRODUCTION
Users who visit web pages trust their browser to prevent
malicious web sites from leveraging their machines to attack
others. Organizations that permit JavaScript and other ac-
tive content through their firewall rely on the browser to
protect internal network resources from attack. To achieve
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
CCS’07, October 29–November 2, 2007, Alexandria, Virginia, USA.
Copyright 2007 ACM 978-1-59593-703-2/07/0011 ...$5.00.
these security goals, modern browsers implement the same-
origin policy that attempts to isolate distinct “origins,” pro-
tecting sites from each other.
DNS rebinding attacks subvert the same-origin policy by
confusing the browser into aggregating network resources
controlled by distinct entities into one origin, e↵ectively con-
verting browsers into open proxies. Using DNS rebinding,
an attacker can circumvent firewalls to spider corporate in-
tranets, exfiltrate sensitive documents, and compromise un-
patched internal machines. An attacker can also hijack the
IP address of innocent clients to send spam e-mail, commit
click fraud, and frame clie ...
A Survey on CDN Vulnerability to DoS AttacksIJCNCJournal
This document summarizes research on vulnerabilities in content delivery networks (CDNs) to denial-of-service (DoS) attacks, specifically forwarding loop attacks. CDNs improve website performance but expose nodes to disproportionate traffic from requests circulating endlessly between nodes. The paper analyzes vulnerabilities in commercial CDNs and proposes defensive strategies. Key findings include that adding random search strings to URLs forces edge servers to retrieve content from origin servers, rather than caches. This can be exploited to amplify attacks by overloading origin servers with traffic even if the attacking client reduces its own bandwidth.
A Survey on CDN Vulnerability to DoS AttacksIJCNCJournal
Content Delivery Networks (CDN), or ”content distribution networks” have been introduced to improve performance, scalability, and security of data distributed through the web. To reduce the response time of a web page when certain content is requested, the CDN redirects requests from users’ browsers to geographically distributed surrogate nodes, thus having a positive impact on the response time and network load. As a side effect, the surrogate servers manage possible attacks, especially denial of service attacks, by distributing the considerable amount of traffic generated by malicious activities among different data centers. Some CDNs provide additional services to normalize traffic and filter intrusion attacks, thus further mitigating the effects of possible unpleasant scenarios. Despite the presence of these native protective mechanisms, a malicious user can undermine the stability of a CDN by generating a disproportionate amount of traffic within a CDN thanks to endless cycles of requests circulating between nodes of the same network or between several distinct networks. We refer in particular to Forwarding Loops Attacks, a collection of techniques that can alter the regular forwarding process inside CDNs. In this paper, we analyze the vulnerability of some commercial CDNs to this type of attacks and then propose some possible useful defensive strategies.
This document summarizes information about cross-site scripting (XSS) and denial of service (DoS) attacks against web applications. It describes persistent and non-persistent XSS, how stored XSS works, and discusses the IE8 XSS filter and its flaws. It also outlines how HTTP TRACE methods can be abused and explains common DoS attack techniques like SYN flooding and ping flooding that aim to overload server resources and prevent legitimate access. The document provides references for further reading on web application vulnerabilities and exploits.
Nowadays DNS is used to load balance, failover, and geographically redirect connections. DNS has become so pervasive it is hard to identify a modern TCP/IP connection that does not use DNS in some way. Unfortunately, due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. If DNS is maliciously attacked — altering the addresses it gives out or taken offline the damage will be enormous. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target.
In this research we will review different DNS advanced attacks and analyze them. We will survey some of the most DNS vulnerabilities and ways of DNS attacks protection.
This document provides an overview of distributed denial of service (DDoS) attacks and best practices for building DDoS resiliency on Amazon Web Services (AWS). It describes common infrastructure layer attacks like SYN floods and application layer attacks like HTTP floods. It also outlines mitigation techniques like using AWS infrastructure and services that are DDoS resilient by design, implementing defense at the infrastructure and application layers, reducing attack surfaces, obfuscating AWS resources, and improving visibility and support. The paper includes a reference architecture that leverages these techniques to help protect application availability against DDoS attacks.
Using the Web or another research tool, search for alternative means.pdffms12345
Using namespace std;
The expansion of a steel bridge as it heated to a final Celsius temperature, Tf, from an initial
temperature T0 , can be approximated using the following formula:
Increase in length= a* L*(Tf-T0). Where a is the coefficient of expansion that is for steel is
11.7e-6, L is the length of bridge at temperature T0.
Using this formula, write a C++ program that displays a table of expansion length for a steel
bridge that’s 7365 meters long at 0 degrees Celsius, as the temperature increases to 40 degrees in
5 degree increments.
Solution
#include
using namespace std;
float Length(int Tf)
{
const float a = 11.7E-6;
const float L = 7365;
const float To=0;
return a*L*(Tf-To);
}
int main(int argc, char const *argv[])
{
cout<<\"Intitial Temperature\\tFinal Temperature\\tIncreased Length\ \";
for (int i=1;i<=8;i++)
cout<<0<<\" degrees\\t\\t\"<.
The document discusses browser security. It begins by explaining how initial web protocols assumed cooperation but security became important as usage increased. It then discusses how browsers work, including how they access web pages using HTTP and display content. The document outlines some threats to browser security like zero-day exploits, cross-site scripting, and phishing. It also discusses the security versus usability tradeoff in browser design.
This document discusses implementing a moving target defense framework using crossfire DDoS protection to defend against DDoS attacks. It proposes two approaches: 1) regularly changing the IP addresses of web servers that a reverse proxy forwards requests to, and 2) regularly changing the communication ports used between the reverse proxy and web servers. The implementation has four major components: a client, DNS resolver, two web servers, and a reverse proxy server. Scripts are used to automatically switch the reverse proxy configuration and ports in use on a regular basis without the client's knowledge to introduce unpredictability and uncertainty for attackers.
A Survey on CDN Vulnerability to DoS AttacksIJCNCJournal
This document summarizes research on vulnerabilities in content delivery networks (CDNs) to denial-of-service (DoS) attacks, specifically forwarding loop attacks. CDNs improve website performance but expose nodes to disproportionate traffic from requests circulating endlessly between nodes. The paper analyzes vulnerabilities in commercial CDNs and proposes defensive strategies. Key findings include that adding random search strings to URLs forces edge servers to retrieve content from origin servers, rather than caches. This can be exploited to amplify attacks by overloading origin servers with traffic even if the attacking client reduces its own bandwidth.
A Survey on CDN Vulnerability to DoS AttacksIJCNCJournal
Content Delivery Networks (CDN), or ”content distribution networks” have been introduced to improve performance, scalability, and security of data distributed through the web. To reduce the response time of a web page when certain content is requested, the CDN redirects requests from users’ browsers to geographically distributed surrogate nodes, thus having a positive impact on the response time and network load. As a side effect, the surrogate servers manage possible attacks, especially denial of service attacks, by distributing the considerable amount of traffic generated by malicious activities among different data centers. Some CDNs provide additional services to normalize traffic and filter intrusion attacks, thus further mitigating the effects of possible unpleasant scenarios. Despite the presence of these native protective mechanisms, a malicious user can undermine the stability of a CDN by generating a disproportionate amount of traffic within a CDN thanks to endless cycles of requests circulating between nodes of the same network or between several distinct networks. We refer in particular to Forwarding Loops Attacks, a collection of techniques that can alter the regular forwarding process inside CDNs. In this paper, we analyze the vulnerability of some commercial CDNs to this type of attacks and then propose some possible useful defensive strategies.
This document summarizes information about cross-site scripting (XSS) and denial of service (DoS) attacks against web applications. It describes persistent and non-persistent XSS, how stored XSS works, and discusses the IE8 XSS filter and its flaws. It also outlines how HTTP TRACE methods can be abused and explains common DoS attack techniques like SYN flooding and ping flooding that aim to overload server resources and prevent legitimate access. The document provides references for further reading on web application vulnerabilities and exploits.
Nowadays DNS is used to load balance, failover, and geographically redirect connections. DNS has become so pervasive it is hard to identify a modern TCP/IP connection that does not use DNS in some way. Unfortunately, due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. If DNS is maliciously attacked — altering the addresses it gives out or taken offline the damage will be enormous. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target.
In this research we will review different DNS advanced attacks and analyze them. We will survey some of the most DNS vulnerabilities and ways of DNS attacks protection.
This document provides an overview of distributed denial of service (DDoS) attacks and best practices for building DDoS resiliency on Amazon Web Services (AWS). It describes common infrastructure layer attacks like SYN floods and application layer attacks like HTTP floods. It also outlines mitigation techniques like using AWS infrastructure and services that are DDoS resilient by design, implementing defense at the infrastructure and application layers, reducing attack surfaces, obfuscating AWS resources, and improving visibility and support. The paper includes a reference architecture that leverages these techniques to help protect application availability against DDoS attacks.
Using the Web or another research tool, search for alternative means.pdffms12345
Using namespace std;
The expansion of a steel bridge as it heated to a final Celsius temperature, Tf, from an initial
temperature T0 , can be approximated using the following formula:
Increase in length= a* L*(Tf-T0). Where a is the coefficient of expansion that is for steel is
11.7e-6, L is the length of bridge at temperature T0.
Using this formula, write a C++ program that displays a table of expansion length for a steel
bridge that’s 7365 meters long at 0 degrees Celsius, as the temperature increases to 40 degrees in
5 degree increments.
Solution
#include
using namespace std;
float Length(int Tf)
{
const float a = 11.7E-6;
const float L = 7365;
const float To=0;
return a*L*(Tf-To);
}
int main(int argc, char const *argv[])
{
cout<<\"Intitial Temperature\\tFinal Temperature\\tIncreased Length\ \";
for (int i=1;i<=8;i++)
cout<<0<<\" degrees\\t\\t\"<.
The document discusses browser security. It begins by explaining how initial web protocols assumed cooperation but security became important as usage increased. It then discusses how browsers work, including how they access web pages using HTTP and display content. The document outlines some threats to browser security like zero-day exploits, cross-site scripting, and phishing. It also discusses the security versus usability tradeoff in browser design.
This document discusses implementing a moving target defense framework using crossfire DDoS protection to defend against DDoS attacks. It proposes two approaches: 1) regularly changing the IP addresses of web servers that a reverse proxy forwards requests to, and 2) regularly changing the communication ports used between the reverse proxy and web servers. The implementation has four major components: a client, DNS resolver, two web servers, and a reverse proxy server. Scripts are used to automatically switch the reverse proxy configuration and ports in use on a regular basis without the client's knowledge to introduce unpredictability and uncertainty for attackers.
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
Abstract Today, Internet is the primary medium for communication which is used by number of users across the Network. At the same time, its commercial nature is causing increase vulnerability to enhance cyber crimes and there has been an enormous increase in the number of DDOS (distributed denial of service attack) attacks on the internet over the past decade. Whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Network resources such as network bandwidth, web servers and network switches are mostly the victims of DDoS attacks. In this paper different types of DDoS attacks has been studied, a dumb-bell topology have been created and effect of UDP flooding attacks has been analyzed on web service by using attack tools available in DETER testbed. Throughput of web server is analyzed with and without DDoS attacks.
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A Proxy Server is computer that functions as an intermediary between a web browser (such as Internet
Explorer) and the Internet. Proxy servers help improve web performance by storing a copy of frequently
used webpages. When a browser requests a webpage stored in the proxy server's collection (its cache),
it is provided by the proxy server, which is faster than going to the web. Proxy servers also help improve
security by filtering out some web content and malicious software.
A Proxy Server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying level of computational and memory overheads for
their execution. While the approximate modules are fast in detection and involve less overhead, they provide lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution. However, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
1. The document proposes a framework to improve web services security called Robust Encryption and Decryption (RED). RED includes a common set of encryption algorithms deployed in browsers and web servers.
2. The framework also defines a Standard Encryption Syntax (SES) to allow web applications to communicate with RED for encrypting and decrypting content. Developers can select algorithms from RED and reference them using SES tags.
3. The framework aims to provide stronger encryption than SSL/TLS but with less complexity, cost, and performance impact. It could help secure communication against various network attacks.
The document discusses Azure DDoS Protection Standard. It notes that DDoS attacks are increasing in frequency, size, and sophistication. Azure DDoS Protection Standard provides continuous monitoring, edge mitigation to protect datacenter bandwidth, regional failover, and global mitigation capacity of over 25 Tbps. It is designed to provide automatic network layer attack protection and analytics for virtual network resources.
This document proposes a system called FireCol, which stands for a collaborative protection network for detecting flooding DDoS attacks. FireCol uses a distributed network of intrusion prevention systems located at internet service providers that form virtual protection rings around hosts. These systems collaborate by exchanging selected traffic information to detect DDoS attacks close to the source. The document outlines the architecture of FireCol and experimental results showing its effectiveness at detecting attacks with low overhead. Future work is mentioned to extend FireCol's capabilities.
This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSIJNSA Journal
Distributed Denial of Service (DDoS) attacks today have been amplified into gigabits volume with broadband Internet access; at the same time, the use of more powerful botnets and common DDoS mitigation and protection solutions implemented in small and large organizations’ networks and servers are no longer effective. Our survey provides an in-depth study on the current largest DNS reflection attack with more than 300 Gbps on Spamhaus.org. We have reviewed and analysed the current most popular DDoS attack types that are launched by the hacktivists. Lastly, effective cloud-based DDoS mitigation and protection techniques proposed by both academic researchers and large commercial cloud-based DDoS service providers are discussed.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Encountering distributed denial of service attack utilizing federated softwar...IJECEIAES
This research defines the distributed denial of service (DDoS) problem in software-defined-networks (SDN) environments. The proposes solution uses Software defined networks capabilities to reduce risk, introduces a collaborative, distributed defense mechanism rather than server-side filtration. Our proposed network detection and prevention agent (NDPA) algorithm negotiates the maximum amount of traffic allowed to be passed to server by reconfiguring network switches and routers to reduce the ports' throughput of the network devices by the specified limit ratio. When the passed traffic is back to normal, NDPA starts network recovery to normal throughput levels, increasing ports' throughput by adding back the limit ratio gradually each time cycle. The simulation results showed that the proposed algorithms successfully detected and prevented a DDoS attack from overwhelming the targeted server. The server was able to coordinate its operations with the SDN controllers through a communication mechanism created specifically for this purpose. The system was also able to determine when the attack was over and utilize traffic engineering to improve the quality of service (QoS). The solution was designed with a sophisticated way and high level of separation of duties between components so it would not be affected by the design aspect of the network architecture.
The document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks. It defines DoS as an attack that renders a system unable to provide normal services by flooding it with traffic. DDoS uses multiple compromised systems to launch a coordinated DoS attack against one or more targets, multiplying the attack effectiveness. Attacks are classified by the system targeted (clients, routers, firewalls, servers), part of the system (hardware, OS, TCP/IP stack), and whether they exploit bugs or just overload resources. Common DDoS tools like Trinoo and TFN are mentioned. Protection from these large-scale attacks remains a challenge.
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
This document discusses DNS spoofing/poisoning attacks. It begins by explaining how DNS works, translating domain names to IP addresses. It then discusses different types of DNS attacks, focusing on DNS spoofing/poisoning. The document outlines how DNS spoofing occurs by tampering with DNS resolvers or using malicious DNS servers. It explains the goals of attackers, such as launching denial of service attacks or redirecting users to fake websites. The document also provides ways to exploit DNS spoofing through amplification attacks and discusses recommendations for preventing DNS spoofing, such as checking and flushing DNS settings on Windows systems.
This is a presentation i made about Denial of Service or a Distributed Denial of Service (DoS / DDoS) and the latest methods used to crash anything online and the future of such attacks which can disrupt the whole internet . Such attacks which are in TB's and can be launched from just single computer. And, there is not much that can be done to prevent them.
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.
This document summarizes a research paper that proposed and evaluated methods for mitigating denial of service (DoS) and distributed denial of service (DDoS) attacks on virtual machines. The paper implemented iptables connection limits on the host machine to prevent excessive connections from attacking IPs. It also tuned network performance by adjusting the receiving window size to maximize bandwidth utilization. The experimental results showed that the iptables security measures protected against DoS/DDoS attacks while window scaling optimization improved network performance during attacks.
APA, The assignment require a contemporary approach addressing Race,.docxamrit47
APA, The assignment require a contemporary approach addressing Race, Gender, and Crime. All work will include an introduction and a cogent thesis. The literature review will include a body of knowledge inclusive of in text citations, and supporting relevant references. The paper should end with discussions that highlight the future of the CJS. A conclusion of the literature review will end the written assignment. The assignment will consist of 2000 words. Reference page along with 6 peer reviewed references and course textbook.
.
APA style and all questions answered ( no min page requirements) .docxamrit47
APA style and all questions answered ( no min page requirements)
Diagnostic Techniques -
Pick any two diseases that require diagnostic tests to identify them from the body system. Use one of the body systems: cardiovascular, respiratory, renal, hepatobiliary, lymphatic, reproductive or nervous systems. For each of the diseases, explain:
Why is a particular test recommended?
How does the test work?
What information is obtained from the diagnostic test regarding the disease?
Does the diagnosis need confirmation with another diagnostic test?
.
More Related Content
Similar to Protecting Browsers from DNS Rebinding AttacksCollin Jacks.docx
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
Abstract Today, Internet is the primary medium for communication which is used by number of users across the Network. At the same time, its commercial nature is causing increase vulnerability to enhance cyber crimes and there has been an enormous increase in the number of DDOS (distributed denial of service attack) attacks on the internet over the past decade. Whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Network resources such as network bandwidth, web servers and network switches are mostly the victims of DDoS attacks. In this paper different types of DDoS attacks has been studied, a dumb-bell topology have been created and effect of UDP flooding attacks has been analyzed on web service by using attack tools available in DETER testbed. Throughput of web server is analyzed with and without DDoS attacks.
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A Proxy Server is computer that functions as an intermediary between a web browser (such as Internet
Explorer) and the Internet. Proxy servers help improve web performance by storing a copy of frequently
used webpages. When a browser requests a webpage stored in the proxy server's collection (its cache),
it is provided by the proxy server, which is faster than going to the web. Proxy servers also help improve
security by filtering out some web content and malicious software.
A Proxy Server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying level of computational and memory overheads for
their execution. While the approximate modules are fast in detection and involve less overhead, they provide lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution. However, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
1. The document proposes a framework to improve web services security called Robust Encryption and Decryption (RED). RED includes a common set of encryption algorithms deployed in browsers and web servers.
2. The framework also defines a Standard Encryption Syntax (SES) to allow web applications to communicate with RED for encrypting and decrypting content. Developers can select algorithms from RED and reference them using SES tags.
3. The framework aims to provide stronger encryption than SSL/TLS but with less complexity, cost, and performance impact. It could help secure communication against various network attacks.
The document discusses Azure DDoS Protection Standard. It notes that DDoS attacks are increasing in frequency, size, and sophistication. Azure DDoS Protection Standard provides continuous monitoring, edge mitigation to protect datacenter bandwidth, regional failover, and global mitigation capacity of over 25 Tbps. It is designed to provide automatic network layer attack protection and analytics for virtual network resources.
This document proposes a system called FireCol, which stands for a collaborative protection network for detecting flooding DDoS attacks. FireCol uses a distributed network of intrusion prevention systems located at internet service providers that form virtual protection rings around hosts. These systems collaborate by exchanging selected traffic information to detect DDoS attacks close to the source. The document outlines the architecture of FireCol and experimental results showing its effectiveness at detecting attacks with low overhead. Future work is mentioned to extend FireCol's capabilities.
This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSIJNSA Journal
Distributed Denial of Service (DDoS) attacks today have been amplified into gigabits volume with broadband Internet access; at the same time, the use of more powerful botnets and common DDoS mitigation and protection solutions implemented in small and large organizations’ networks and servers are no longer effective. Our survey provides an in-depth study on the current largest DNS reflection attack with more than 300 Gbps on Spamhaus.org. We have reviewed and analysed the current most popular DDoS attack types that are launched by the hacktivists. Lastly, effective cloud-based DDoS mitigation and protection techniques proposed by both academic researchers and large commercial cloud-based DDoS service providers are discussed.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Encountering distributed denial of service attack utilizing federated softwar...IJECEIAES
This research defines the distributed denial of service (DDoS) problem in software-defined-networks (SDN) environments. The proposes solution uses Software defined networks capabilities to reduce risk, introduces a collaborative, distributed defense mechanism rather than server-side filtration. Our proposed network detection and prevention agent (NDPA) algorithm negotiates the maximum amount of traffic allowed to be passed to server by reconfiguring network switches and routers to reduce the ports' throughput of the network devices by the specified limit ratio. When the passed traffic is back to normal, NDPA starts network recovery to normal throughput levels, increasing ports' throughput by adding back the limit ratio gradually each time cycle. The simulation results showed that the proposed algorithms successfully detected and prevented a DDoS attack from overwhelming the targeted server. The server was able to coordinate its operations with the SDN controllers through a communication mechanism created specifically for this purpose. The system was also able to determine when the attack was over and utilize traffic engineering to improve the quality of service (QoS). The solution was designed with a sophisticated way and high level of separation of duties between components so it would not be affected by the design aspect of the network architecture.
The document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks. It defines DoS as an attack that renders a system unable to provide normal services by flooding it with traffic. DDoS uses multiple compromised systems to launch a coordinated DoS attack against one or more targets, multiplying the attack effectiveness. Attacks are classified by the system targeted (clients, routers, firewalls, servers), part of the system (hardware, OS, TCP/IP stack), and whether they exploit bugs or just overload resources. Common DDoS tools like Trinoo and TFN are mentioned. Protection from these large-scale attacks remains a challenge.
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
This document discusses DNS spoofing/poisoning attacks. It begins by explaining how DNS works, translating domain names to IP addresses. It then discusses different types of DNS attacks, focusing on DNS spoofing/poisoning. The document outlines how DNS spoofing occurs by tampering with DNS resolvers or using malicious DNS servers. It explains the goals of attackers, such as launching denial of service attacks or redirecting users to fake websites. The document also provides ways to exploit DNS spoofing through amplification attacks and discusses recommendations for preventing DNS spoofing, such as checking and flushing DNS settings on Windows systems.
This is a presentation i made about Denial of Service or a Distributed Denial of Service (DoS / DDoS) and the latest methods used to crash anything online and the future of such attacks which can disrupt the whole internet . Such attacks which are in TB's and can be launched from just single computer. And, there is not much that can be done to prevent them.
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.
This document summarizes a research paper that proposed and evaluated methods for mitigating denial of service (DoS) and distributed denial of service (DDoS) attacks on virtual machines. The paper implemented iptables connection limits on the host machine to prevent excessive connections from attacking IPs. It also tuned network performance by adjusting the receiving window size to maximize bandwidth utilization. The experimental results showed that the iptables security measures protected against DoS/DDoS attacks while window scaling optimization improved network performance during attacks.
Similar to Protecting Browsers from DNS Rebinding AttacksCollin Jacks.docx (20)
APA, The assignment require a contemporary approach addressing Race,.docxamrit47
APA, The assignment require a contemporary approach addressing Race, Gender, and Crime. All work will include an introduction and a cogent thesis. The literature review will include a body of knowledge inclusive of in text citations, and supporting relevant references. The paper should end with discussions that highlight the future of the CJS. A conclusion of the literature review will end the written assignment. The assignment will consist of 2000 words. Reference page along with 6 peer reviewed references and course textbook.
.
APA style and all questions answered ( no min page requirements) .docxamrit47
APA style and all questions answered ( no min page requirements)
Diagnostic Techniques -
Pick any two diseases that require diagnostic tests to identify them from the body system. Use one of the body systems: cardiovascular, respiratory, renal, hepatobiliary, lymphatic, reproductive or nervous systems. For each of the diseases, explain:
Why is a particular test recommended?
How does the test work?
What information is obtained from the diagnostic test regarding the disease?
Does the diagnosis need confirmation with another diagnostic test?
.
Apa format1-2 paragraphsreferences It is often said th.docxamrit47
Apa format
1-2 paragraphs
references
It is often said that people today are no longer loyal to organizations. Yet employees are loyal to their direct supervisor. This discussion question asks you to evaluate and apply your understanding of followership theory. Reflect on any techniques for understanding, achieving, and positively applying organizational and personal power and influence as a follower.
When effective leaders leave an organization to move on to another organization, they often take at least one or two employees. Employees who respect a leader and have generated a relationship and bond want to work under that leader. One indicator of effective leaders is communication skills in which a leader is attuned to the needs of each employee.
REAL-LIFE APPLICATION: Discuss a leader with whom you are familiar and who has the loyalty of his or her direct reports. Alternatively, you might interview a friend or family member about their experiences or you may research a well-known leader. Address the following in your response.
Evaluate how this leader earns respect and loyalty from his or her employees.
If you were in a leadership position, what methods would you implement to inspire, motivate, and empower your employees?
Support your discussion with at least one scholarly article and, if relevant, credible media reports, and cite each source using APA style.
.
APA format2-3 pages, double-spaced1. Choose a speech to review. It.docxamrit47
APA format2-3 pages, double-spaced
1. Choose a speech to review. It can be any type (informative, persuasive, special occasion). It should be between 7-20 minutes. You may search Youtube for videos of speeches (TED talks, commencement speeches, public addresses by government etc).
Copy the link of the video you've chosen to your submission form.
2. Analyze the speech content and speaker delivery, paying attention to:
what the message is
how the message is organized
nonverbal cues (tone, pitch, pauses, gestures etc)
the context in which the message is being delivered
3. Provide your opinion on the speech and speaker delivery.
What do you think the intention of the speaker is?
Does the effect on the audience seem to follow that intention?
What did you like about the speech?
Is it appropriate for the context; why?
Be sure to attach your essay as a .doc or .rtf file and make sure to proofread for spelling and grammar errors.
.
APA format httpsapastyle.apa.orghttpsowl.purd.docxamrit47
APA format
https://apastyle.apa.org/
https://owl.purdue.edu/owl/research_and_citation/apa_style/apa_formatting_and_style_guide/general_format.html
Min number of pages are 30 pages
Must have
Contents with page numbers
Abstract
Introduction
The problem
Are there any sub-problems?
Is there any issue need to be present in relation to the problem?
The solutions
Steps of the solutions
Compare the solution to other solution
Any suggestion to improve the solution
Conclusion
References
Research Paper topic:
Computer Security Objects Register
https://csrc.nist.gov/Projects/Computer-Security-Objects-Register
The Computer Security Objects Register (CSOR) specifies names that uniquely identify CSOs. These unique names are used to reference these objects in abstract specifications and during the negotiation of security services for a transaction or application.
The studies must look at different algorithms used CSOR and the benefits of using CSOR
.
APA format2-3 pages, double-spaced1. Choose a speech to review. .docxamrit47
APA format2-3 pages, double-spaced
1. Choose a speech to review. It can be any type (informative, persuasive, special occasion). It should be between 7-20 minutes. You may search Youtube for videos of speeches (TED talks, commencement speeches, public addresses by government etc).
Copy the link of the video you've chosen to your submission form.
2. Analyze the speech content and speaker delivery, paying attention to:
what the message is
how the message is organized
nonverbal cues (tone, pitch, pauses, gestures etc)
the context in which the message is being delivered
3. Provide your opinion on the speech and speaker delivery.
What do you think the intention of the speaker is?
Does the effect on the audience seem to follow that intention?
What did you like about the speech?
Is it appropriate for the context; why?
Be sure to attach your essay as a .doc or .rtf file and make sure to proofread for spelling and grammar errors.
.
APA Formatting AssignmentUse the information below to create.docxamrit47
APA Formatting Assignment
Use the information below to create a reference list using proper APA formatting
1)
Authors: Christina Jane Jones, Helen Smith and Carrie Llewellyn
Title: Evaluating the effectiveness of health belief model interventions in improving adherence: a
systematic review
Publication Year: 2014
Journal: Health Psychology Review, Vol. 8, No. 3, 253_269
DOI: 10.1080/17437199.2013.802623
2)
Authors: Mohammad Bagherniya, Ali Taghipour, Manoj Sharma, Amirhossein Sahebkar, Isobel R.
Contento, Seyed Ali Keshavarz, Firoozeh Mostafavi Darani and Mohammad Safarian
Title: Obesity intervention programs among adolescents using social cognitive theory: a systematic
literature review
Publication Year: 2018
Journal: Health Education Research, Vol. 33, No. 1, 26_39
3)
Authors: Christine Y. K. Lau, Kris Y. W. Lok, Marie Tarrant
Title: Breastfeeding Duration and the Theory of Planned Behavior and Breastfeeding Self-Efficacy
Framework: A Systematic Review of Observational Studies
Publication Year: 2018
Journal: Maternal and Child Health Journal, Vol. 22, 327_342
DOI: 10.1007/s10995-018-2453-x
4)
Authors: Amy E. Bodde, Dong-Chul Seo
Title: A review of social and environmental barriers to physical activity for adults with intellectual
disabilities
Publication Year: 2009
Journal: Disability and Health Journal, Vol. 2, 57_66
5)
Authors: Linda Irvine, Ambrose J. Melson, Brian Williams, Falko F. Sniehotta, Gerry Humphris, Iain K.
Crombie
Title: Design and development of a complex narrative intervention delivered by text messages to reduce
binge drinking among socially disadvantaged men
Publication Year: 2018
Journal: Pilot and Feasibility Studies, Vol. 4, No.105, 1_11
.
APA style300 words10 maximum plagiarism Mrs. Smith was.docxamrit47
APA style
300 words
10% maximum plagiarism
Mrs. Smith was a 73-year-old widow who lived alone with no significant social support. She had been suffering from emphysema for several years and had had frequent hospitalizations for respiratory problems. On the last hospital admission, her pneumonia quickly progressed to organ failure. Death appeared to be imminent, and she went in and out of consciousness, alone in her hospital room. The medical-surgical nursing staff and the nurse manager focused on making Mrs. Smith’s end-of-life period as comfortable as possible. Upon consultation with the vice president for nursing, the nurse manager and the unit staff nurses decided against moving Mrs. Smith to the palliative care unit, although considered more economical, because of the need to protect and nurture her because she was already experiencing signs and symptoms of the dying process. Nurses were prompted by an article they read on human caring as the “language of nursing practice” (Turkel, Ray, & Kornblatt, 2012) in their weekly caring practice meetings.
The nurse manager reorganized patient assignments. She felt that the newly assigned clinical nurse leader who was working between both the medical and surgical units could provide direct nurse caring and coordination at the point of care (Sherman, 2012). Over the next few hours, the clinical nurse leader and a staff member who had volunteered her assistance provided personal care for Mrs. Smith. The clinical nurse leader asked the nurse manager whether there was a possibility that Mrs. Smith had any close friends who could “be there” for her in her final moments. One friend was discovered and came to say goodbye to Mrs. Smith. With help from her team, the clinical nurse leader turned, bathed, and suctioned Mrs. Smith. She spoke quietly, prayed, and sang hymns softly in Mrs. Smith’s room, creating a peaceful environment that expressed compassion and a deep sense of caring for her. The nurse manager and nursing unit staff were calmed and their “hearts awakened” by the personal caring that the clinical nurse leader and the volunteer nurse provided. Mrs. Smith died with caring persons at her bedside, and all members of the unit staff felt comforted that she had not died alone.
Davidson, Ray, and Turkel (2011) note that caring is complex, and caring science includes the art of practice, “an aesthetic which illuminates the beauty of the dynamic nurse-patient relationship, that makes possible authentic spiritual-ethical choices for transformation—healing, health, well-being, and a peaceful death” (p. xxiv). As the clinical nurse leader and the nursing staff in this situation engaged in caring practice that focused on the well-being of the patient, they simultaneously created a caring-healing environment that contributed to the well-being of the whole—the emotional atmosphere of the unit, the ability of the clinical nurse leader and staff nurses to practice caringly and competently, and the qualit.
APA format1. What are the three most important takeawayslessons.docxamrit47
APA FORMAT
1. What are the three most important takeaways/lessons from the material provided in this module? (150 words or more)
2. Drawing on the material that was provided what else would like to know? What other related questions/ideas/topics would you like to explore in the future? (100 words or more)
3. What is lobbying? What role does it play in the relationship between government and business? (100 words or more)
.
APA General Format Summary APA (American Psychological.docxamrit47
APA General Format
Summary
APA (American Psychological Association) style is most commonly used to cite sources within
the social sciences. This resource, revised according to the 6th edition, second printing of the
APA manual, offers examples for the general format of APA research papers, in-text citations,
endnotes/footnotes, and the reference page. For more information, please consult the Publication
Manual of the American Psychological Association, (6th ed., 2nd printing).
Contributors: Joshua M. Paiz, Elizabeth Angeli, Jodi Wagner, Elena Lawrick, Kristen Moore,
Michael Anderson, Lars Soderlund, Allen Brizee, Russell Keck
Last Edited: 2016-05-13 12:06:24
Please use the example at the bottom of this page to cite the Purdue OWL in APA.
To see a side-by-side comparison of the three most widely used citation styles, including a chart
of all APA citation guidelines, see the Citation Style Chart.
You can also watch our APA vidcast series on the Purdue OWL YouTube Channel.
General APA Guidelines
Your essay should be typed, double-spaced on standard-sized paper (8.5" x 11") with 1" margins
on all sides. You should use a clear font that is highly readable. APA recommends using 12 pt.
Times New Roman font.
Include a page header (also known as the "running head") at the top of every page. To create
a page header/running head, insert page numbers flush right. Then type "TITLE OF YOUR
PAPER" in the header flush left using all capital letters. The running head is a shortened
version of your paper's title and cannot exceed 50 characters including spacing and punctuation.
Major Paper Sections
Your essay should include four major sections: The Title Page, Abstract, Main Body,
and References.
Title Page
The title page should contain the title of the paper, the author's name, and the institutional
affiliation. Include the page header (described above) flush left with the page number flush right
at the top of the page. Please note that on the title page, your page header/running head should
look like this:
Running head: TITLE OF YOUR PAPER
Pages after the title page should have a running head that looks like this:
TITLE OF YOUR PAPER
http://owl.english.purdue.edu/owl/resource/949/01/
http://www.youtube.com/playlist?list=PL8F43A67F38DE3D5D&feature=edit_ok
http://www.youtube.com/user/OWLPurdue
After consulting with publication specialists at the APA, OWL staff learned that the APA 6th
edition, first printing sample papers have incorrect examples of Running heads on pages after
the title page. This link will take you to the APA site where you can find a complete list of all the
errors in the APA's 6th edition style guide.
Type your title in upper and lowercase letters centered in the upper half of the page. APA
recommends that your title be no more than 12 words in length and that it should not contain
abbreviations or words that serve no purpose. Your title may take up one or two l.
Appearance When I watched the video of myself, I felt that my b.docxamrit47
Appearance
When I watched the video of myself, I felt that my black straight skirt, closed toed shoes and white collared shirt gave a professional appearance and more credibility with the audience. My hair was a little too casual. I wished I had that one strand tacked back so it would have stayed out of my eyes. This made it hard for the audience to see my face and was distracting when I had to keep tucking it back. My earrings were small so the audience would watch me and not my jewelry. I wasn’t standing up straight and it made me look less confident. I need to remember to have better posture when speaking.Organizational Pattern
My introduction was slow and clear and the story was suspenseful enough to grab their attention. It was a little confusing at the beginning because I didn’t preview the main points but because I transitioned well between the steps by saying, “Now that you have completed step 1, selecting the pattern, you are ready to move to step two, preparing the wood” the audience was able to follow. I remembered to state my research source for two of the steps but forgot the third. It made the third step seem shallower and I think I lost credibility. My word choice was good. I made sure to use a variety of descriptive words for the types of wood, explained new vocabulary and repeated phrases to help the audience remember the steps. For some reason the ending was weak. I didn’t tie it to the introduction or have a good ending sentence. It would have been a good idea to remind them of the beginning story and how woodworking affects their everyday life.Vocal Qualities
During my speech I had such a dry mouth that I messed up on the pronunciation of some of the words like saying “exspecially” instead of “especially.” This sounded less professional to the audience. I had good projection so that even the back row could hear without straining. My pitch variation is getting better but I still keep using the same rhythm with my pauses. This make me sound more monotone, like I’m reading the speech rather than just having a conversation. I’ll need to practice changing my rate and pauses. I also noticed many of my sentences end in an up-pitch, like I’m asking a question. If I bring some of those down it will make me appear more confident rather than questioning. It is hard to get rid of those filler words. “Like” and “so” are two of my favorites but it does make me sound like a teenager. I had no idea I said them so much.Delivery
There weren’t many gestures, which made me look stiff and nervous. I just held my note cards and stood in one spot the whole time. I need to do more with my hands and maybe move a little more in the space. I really admire the people in class who have such a good flow with their delivery from gestures to using the space around them purposefully. I felt I held my note cards too close to my face and had my head down most of the time. While watching the video, I noticed I looked at my cards and the poster a l.
apa format1-2 paragraphsreferencesFor this week’s .docxamrit47
apa format
1-2 paragraphs
references
For this week’s discussion, choose a current social movement from anywhere in the world. Then, using the required readings, videos, and your own research, discuss the “role these leaders” play in your chosen social movement. In addition, describe any group or collective processes that you discovered. Use specific examples to make major points.
Support your writing with at least two scholarly sources that are
in addition
to required reading.
.
APA Format, with 2 references for each question and an assignment..docxamrit47
APA Format, with 2 references for each question and an assignment.
1. Some say that analytics in general dehumanize managerial
activities, and others say they do not. Discuss arguments
for both points of view.
3. What are some of the major privacy concerns in employing
intelligent systems on mobile data?
4. Identify some cases of violations of user privacy from
current literature and their impact on data science as a
profession.
Ex.2. Search the Internet to find examples of how intelligent
systems can facilitate activities such as empowerment,
mass customization, and teamwork.
Reflective Assignment:
What has been significant about this course that will help you perform data science tasks in the future.
.
APA-formatted 8-10 page research paper which examines the potential .docxamrit47
APA-formatted 8-10 page research paper which examines the potential psychological impact of long-term exposure to mass media messages on the major issues surrounding political advertising and political campaigns in the United States and why it is currently relevant and impacts society.
12 Point Times New Roman Font
Double Spaced
Please include research that supports ideas and topics related to political advertising and political campaigns in the United States.
.
APA STYLE 1.Define the terms multiple disabilities and .docxamrit47
APA STYLE
1.Define the terms
multiple disabilities
and
deaf-blindness
as described in the Individuals with Disabilities Act (IDEA)
2.Identify three types of educational assessments for students with severe and multiple disabilities.
3.Identify the features of effective services and supports for children with severe and multiple disabilities during a) early childhood years and b) elementary school years.
4. Distinguish between the term
deaf
and
hard of hearing
5.
Identify 4 approaches to teaching communication skills to people with a hearing loss.
6.
What are the distinctive features of refractive eye problems, muscle disorders of the eye and receptive eye problems?
7.Describe two content areas that should be included in educational programs for students with vision loss.
8. Identify several disabilities that may accompany cerebral palsy.
9.What is spina bifida myelomeningocele?
10.Describe the physical limitations associated with muscular distrophy
11.Describe the AIDS disease stages through which individuals with the syndrome move
12.Identify present and future interventions for the treatment of children and youth with cystic fibrosis.
.
APA STYLE follow this textbook answer should be summarize for t.docxamrit47
APA STYLE
follow this textbook answer should be summarize for this below text
Study all types of Distributive Justice (6 or 7 total)
Summarize each in
one sentence
. Produce examples for each.
Don't use
any other text or article except this one.
There are different theories of how to make the basic distribution. Among them are:
1. Scope and Role of Distributive Principles
2. Strict Egalitarianism
3. The Difference Principle
4. Equality of Opportunity and Luck Egalitarianism
5. Welfare-Based Principles
6. Desert-Based Principles
7. Libertarian Principles
8. Feminist Principles
There are different theories of how to make the basic distribution. Among them are:
Strict Egalitarianism
One of the simplest principles of distributive justice is that of strict, or radical, equality. The principle says that every person should have the same level of material goods and services. The principle is most commonly justified on the grounds that people are morally equal and that equality in material goods and services is the best way to give effect to this moral ideal.
The Difference Principle
The most widely discussed theory of distributive justice in the past four decades has been that proposed by John Rawls in
A Theory of Justice
, (Rawls 1971), and
Political Liberalism
, (Rawls 1993). Rawls proposes the following two principles of justice:
· 1. Each person has an equal claim to a fully adequate scheme of equal basic rights and liberties, which scheme is compatible with the same scheme for all; and in this scheme the equal political liberties, and only those liberties, are to be guaranteed their fair value.
· 2. Social and economic inequalities are to satisfy two conditions: (a) They are to be attached to positions and offices open to all under conditions of fair equality of opportunity; and (b), they are to be to the greatest benefit of the least advantaged members of society. (Rawls 1993, pp. 5–6. The principles are numbered as they were in Rawls' original
A Theory of Justice
.)
Equality of Opportunity and Luck Egalitarianism
Dworkin proposed that people begin with equal resources but be allowed to end up with unequal economic benefits as a result of their own choices. What constitutes a just material distribution is to be determined by the result of a thought experiment designed to model fair distribution. Suppose that everyone is given the same purchasing power and each uses that purchasing power to bid, in a fair auction, for resources best suited to their life plans. They are then permitted to use those resources as they see fit. Although people may end up with different economic benefits, none of them is given less consideration than another in the sense that if they wanted somebody else's resource bundle they could have bid for it instead.
In Dworkin's proposal we see his attitudes to ‘ambitions’ and ‘endowments’ which have become a central feature of luck egalitarianism (though under a wide variety of al.
APA7Page length 3-4, including Title Page and Reference Pag.docxamrit47
APA7
Page length: 3-4, including Title Page and Reference Page.
Discuss and explore the synergy that RFID technology & Time Based Competition has had on the grocery retail industry. Are the two concepts compatible? And then explain. Provide real-world scenarios, which reflect Time Base Competition.
video on
RFID in Logistics
.
APA format, 2 pagesThree general sections 1. an article s.docxamrit47
This document outlines the three main sections required for an APA format summary of a research article that is 2 pages in length: 1) A summary of the article, 2) An explanation of how the article relates to psychology and human behavior, specifically discussing the meaning and implications of the results, 3) A reaction to the article providing thoughts on whether the results were interesting, surprising, or common sense.
APA Style with minimum of 450 words, with annotations, quotation.docxamrit47
APA Style with minimum of 450 words, with annotations, quotations and 3 references.
. Mass vaccination after a disaster:
There was a natural disaster that occurred and has led to an infectious disease outbreak (your choice of one that is vaccine-preventable). Those affected by the disaster are settled in temporary locations with high population densities, inadequate food and shelter, unsafe water, poor sanitation and infrastructure that has been compromised or destroyed. There is a vaccine available for the infectious disease but there are not enough doses to give to all who are at-risk due to the natural disaster.
You are the public health official in charge of infectious disease prevention. Devise a plan to administer the vaccine to the population. Will you use a lottery system or target specific sub-populations? How will you track and monitor those who are vaccinated? Use the attributes of the infectious disease to provide reasoning behind your plan. What other prevention techniques that can be used to supplement the vaccination plan?
.
APA FORMAT1. What are the three most important takeawayslesson.docxamrit47
APA FORMAT
1. What are the three most important takeaways/lessons from the material provided in this online course (the entire quarter) and why? (150 words or more)
2. How did the material provided in this course assist your growth as a student and as an individual, in general? (150 words or more).
.
Walmart Business+ and Spark Good for Nonprofits.pdfTechSoup
"Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following::
Walmart Business + (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics” feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180 days membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!"
Leveraging Generative AI to Drive Nonprofit InnovationTechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumMJDuyan
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 𝟏)-𝐏𝐫𝐞𝐥𝐢𝐦𝐬
𝐃𝐢𝐬𝐜𝐮𝐬𝐬 𝐭𝐡𝐞 𝐄𝐏𝐏 𝐂𝐮𝐫𝐫𝐢𝐜𝐮𝐥𝐮𝐦 𝐢𝐧 𝐭𝐡𝐞 𝐏𝐡𝐢𝐥𝐢𝐩𝐩𝐢𝐧𝐞𝐬:
- Understand the goals and objectives of the Edukasyong Pantahanan at Pangkabuhayan (EPP) curriculum, recognizing its importance in fostering practical life skills and values among students. Students will also be able to identify the key components and subjects covered, such as agriculture, home economics, industrial arts, and information and communication technology.
𝐄𝐱𝐩𝐥𝐚𝐢𝐧 𝐭𝐡𝐞 𝐍𝐚𝐭𝐮𝐫𝐞 𝐚𝐧𝐝 𝐒𝐜𝐨𝐩𝐞 𝐨𝐟 𝐚𝐧 𝐄𝐧𝐭𝐫𝐞𝐩𝐫𝐞𝐧𝐞𝐮𝐫:
-Define entrepreneurship, distinguishing it from general business activities by emphasizing its focus on innovation, risk-taking, and value creation. Students will describe the characteristics and traits of successful entrepreneurs, including their roles and responsibilities, and discuss the broader economic and social impacts of entrepreneurial activities on both local and global scales.
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPRAHUL
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Temple of Asclepius in Thrace. Excavation resultsKrassimira Luka
The temple and the sanctuary around were dedicated to Asklepios Zmidrenus. This name has been known since 1875 when an inscription dedicated to him was discovered in Rome. The inscription is dated in 227 AD and was left by soldiers originating from the city of Philippopolis (modern Plovdiv).
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
Communicating effectively and consistently with students can help them feel at ease during their learning experience and provide the instructor with a communication trail to track the course's progress. This workshop will take you through constructing an engaging course container to facilitate effective communication.
Protecting Browsers from DNS Rebinding AttacksCollin Jacks.docx
1. Protecting Browsers from DNS Rebinding Attacks
Collin Jackson
Stanford University
[email protected]
Adam Barth
Stanford University
[email protected]
Andrew Bortz
Stanford University
[email protected]
Weidong Shao
Stanford University
[email protected]
Dan Boneh
Stanford University
[email protected]
ABSTRACT
DNS rebinding attacks subvert the same-origin policy of
browsers and convert them into open network proxies. We
survey new DNS rebinding attacks that exploit the inter-
action between browsers and their plug-ins, such as Flash
2. Player and Java. These attacks can be used to circumvent
firewalls and are highly cost-e↵ ective for sending spam e-
mail and defrauding pay-per-click advertisers, requiring less
than $100 to temporarily hijack 100,000 IP addresses. We
show that the classic defense against these attacks, called
“DNS pinning,” is ine↵ ective in modern browsers. The pri-
mary focus of this work, however, is the design of strong
defenses against DNS rebinding attacks that protect mod-
ern browsers: we suggest easy-to-deploy patches for plug-ins
that prevent large-scale exploitation, provide a defense tool,
dnswall, that prevents firewall circumvention, and detail
two defense options, policy-based pinning and host name
authorization.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information
Systems]: Security and Protection
General Terms
Security, Design, Experimentation
Keywords
Same-Origin Policy, DNS, Firewall, Spam, Click Fraud
1. INTRODUCTION
Users who visit web pages trust their browser to prevent
malicious web sites from leveraging their machines to attack
others. Organizations that permit JavaScript and other ac-
tive content through their firewall rely on the browser to
protect internal network resources from attack. To achieve
Permission to make digital or hard copies of all or part of this
work for
personal or classroom use is granted without fee provided that
copies are
3. not made or distributed for profit or commercial advantage and
that copies
bear this notice and the full citation on the first page. To copy
otherwise, to
republish, to post on servers or to redistribute to lists, requires
prior specific
permission and/or a fee.
CCS’07, October 29–November 2, 2007, Alexandria, Virginia,
USA.
Copyright 2007 ACM 978-1-59593-703-2/07/0011 ...$5.00.
these security goals, modern browsers implement the same-
origin policy that attempts to isolate distinct “origins,” pro-
tecting sites from each other.
DNS rebinding attacks subvert the same-origin policy by
confusing the browser into aggregating network resources
controlled by distinct entities into one origin, e↵ ectively con-
verting browsers into open proxies. Using DNS rebinding,
an attacker can circumvent firewalls to spider corporate in-
tranets, exfiltrate sensitive documents, and compromise un-
patched internal machines. An attacker can also hijack the
IP address of innocent clients to send spam e-mail, commit
click fraud, and frame clients for misdeeds. DNS rebinding
vulnerabilities permit the attacker to read and write directly
on network sockets, subsuming the attacks possible with ex-
isting JavaScript-based botnets [24], which can send HTTP
requests but cannot read back the responses.
To mount a DNS rebinding attack, the attacker need only
register a domain name, such as attacker.com, and attract
web tra�c, for example by running an advertisement. In
the basic DNS rebinding attack, the attacker answers DNS
queries for attacker.com with the IP address of his or her
own server with a short time-to-live (TTL) and serves vis-
iting clients malicious JavaScript. To circumvent a firewall,
4. when the script issues a second request to attacker.com, the
attacker rebinds the host name to the IP address of a tar-
get server that is inaccessible from the public Internet. The
browser believes the two servers belong to the same origin
because they share a host name, and it allows the script to
read back the response. The script can easily exfiltrate the
response, enabling the attacker to read arbitrary documents
from the internal server, as shown in Figure 1.
To mount this attack, the attacker did not compromise
any DNS servers. The attacker simply provided valid, au-
thoritative responses for attacker.com, a domain owned by
the attacker. This attack is very di↵ erent from “pharm-
ing” [34], where the attacker must compromise a host name
owned by the target by subverting a user’s DNS cache or
server. DNS rebinding requires no such subversion. Conse-
quently, DNSSEC provides no protection against DNS re-
binding attacks: the attacker can legitimately sign all DNS
records provided by his or her DNS server in the attack.
DNS rebinding attacks have been known for a decade [8,
36]. A common defense implemented in several browsers is
DNS pinning: once the browser resolves a host name to an
IP address, the browser caches the result for a fixed dura-
tion, regardless of TTL. As a result, when JavaScript con-
nects to attacker.com, the browser will connect back to the
attacker’s server instead of the internal server.
Attacker
web
server
Target
server
5. Browser
client
Figure 1: Firewall Circumvention Using Rebinding
Pinning is no longer an e↵ ective defense against DNS re-
binding attacks in current browsers because of vulnerabil-
ities introduced by plug-ins. These plug-ins provide addi-
tional functionality, including socket-level network access,
to web pages. The browser and each plug-in maintain sep-
arate pin databases, creating a new class of vulnerabilities
we call multi-pin vulnerabilities that permit an attacker to
mount DNS rebinding attacks. We demonstrate, for exam-
ple, how to exploit the interaction between the browser and
Java LiveConnect to pin the browser to one IP address while
pinning Java to another IP address, permitting the attacker
to read and write data directly on sockets to a host and
port of the attacker’s choice despite strong pinning by each
component.
Our experiments show how an attacker can exploit multi-
pin vulnerabilities to cheaply and e�ciently assemble a tem-
porary, large-scale bot network. Our findings suggest that
nearly 90% of web browsers are vulnerable to rebinding at-
tacks that only require a few hundreds of milliseconds to
conduct (see Table 1). These attacks do not require users
to click on any malicious links: users need only view an at-
tacker’s web advertisement. By spending less than $100 on
advertising, an attacker can hijack 100,000 unique IP ad-
dress to send spam, commit click fraud, or otherwise misuse
as open network proxies.
The bulk of our work focuses on designing robust defenses
to DNS rebinding attacks that protect current and future
browsers and plug-ins:
6. 1. To combat firewall circumvention, we recommend or-
ganizations deploy DNS resolvers that prevent external
names from resolving to internal addresses. We pro-
vide an open-source implementation of such a resolver
in 300 lines of C called dnswall [15].
2. For Flash Player, Java, and LiveConnect, we suggest
specific, easy-to-deploy patches to prevent multi-pin
vulnerabilities, mitigating large-scale exploitation of
DNS rebinding for firewall circumvention and IP hi-
jacking.
Technology Attack Time
LiveConnect (JVM loaded) 47.8 ± 10.3 ms
Flash Player 9 192 ± 5.7 ms
Internet Explorer 6 (no plug-ins) 1000 ms
Internet Explorer 7 (no plug-ins) 1000 ms
Firefox 1.5 and 2 (no plug-ins) 1000 ms
Safari 2 (no plug-ins) 1000 ms
LiveConnect 1294 ± 37 ms
Opera 9 (no plug-ins) 4000 ms
Table 1: Time Required for DNS Rebinding Attack
by Technology (95% Confidence)
3. We propose two options for protecting browsers from
DNS rebinding: smarter pinning that provides better
security and robustness, and a backwards-compatible
use of the DNS system that fixes rebinding vulnerabil-
ities at their root (which we implemented as a 72-line
patch to Firefox 2).
The remainder of the paper is organized as follows. Sec-
tion 2 describes existing browser policy for network access.
Section 3 details DNS rebinding vulnerabilities, including
7. standard DNS rebinding and current multi-pin vulnerabili-
ties. Section 4 explains two classes of attacks that use these
vulnerabilities, firewall circumvention and IP hijacking, and
contains our experimental results. Section 5 proposes de-
fenses against both classes of attacks. Section 6 describes
related work. Section 7 concludes.
2. NETWORK ACCESS IN THE BROWSER
To display web pages, browsers are instructed to make
network requests by static content such as HTML and by
active content such as JavaScript, Flash Player, Java, and
CSS. Browsers restrict this network access in order to to pre-
vent web sites from making malicious network connections.
The same-origin policy provides partial resource isolation
by restricting access according to origin, specifying when
content from one origin can access a resource in another ori-
gin. The policy applies to both network access and browser
state such as the Document Object Model (DOM) interface,
cookies, cache, history, and the password database [20]. The
attacks described in this paper circumvent the same origin-
policy for network access.
Access Within Same Origin. Within the same origin,
both content and browser scripts can read and write net-
work resources using the HTTP protocol. Plug-ins, such as
Flash Player and Java, can access network sockets directly,
allowing them to make TCP connections and, in some cases,
send and receive UDP packets as well. Java does not restrict
access based on port number, but Flash Player permits ac-
cess to port numbers less than 1024 only if the machine
authorizes the connection in an XML policy served from a
port number less than 1024.
Access Between Di↵ erent Origins. In general, con-
8. tent from one origin can make HTTP requests to servers
in another origin, but it cannot read responses, e↵ ectively
restricting access to “send-only.” Flash Player permits its
movies to read back HTTP responses from di↵ erent origins,
provided the remote server responds with an XML policy
authorizing the movie’s origin. Flash Player also permits
reading and writing data on TCP connections to arbitrary
port numbers, again provided the remote server responds
with a suitable XML policy on an appropriate port.
By convention, certain types of web content are assumed
to be public libraries, such as JavaScript, CSS, Java ap-
plets, and SWF movies. These files may be included across
domains. For example, one origin can include a CSS file
from another origin and read its text. Scripts can also read
certain properties of other objects loaded across domains,
such as the height and width of an image.
Prohibited Access. Some types of network access are pro-
hibited even within the same origin. Internet Explorer 7
blocks port numbers 19 (chargen), 21 (FTP), 25 (SMTP),
110 (POP3), 119 (NNTP), and 143 (IMAP), Firefox 2 blocks
those plus 51 additional port numbers, but Safari 2 does not
block any ports. Some of these port restrictions are designed
to prevent malicious web site operators from leveraging vis-
iting browsers to launch distributed denial of service or to
send spam e-mail, whereas others prevent universal cross-
site scripting via the HTML Form Protocol Attack [41].
Origin Definition. Di↵ erent definitions of “origin” are
used by di↵ erent parts of the browser. For network access,
browsers enforce the same-origin policy [38] based on three
components of the Uniform Resource Locator (URL) from
9. which it obtained the content. A typical URL is composed
of the below components:
scheme://hostname:port/path
Current browsers treat two objects as belonging to the same
origin if, and only if, their URLs contain the same scheme,
host name, and port number (e.g., http://amazon.com/ is
a di↵ erent origin than http://amazon.co.uk/, even though
the two domains are owned by the same company). Other
resources use fewer components of the URL. For example,
cookies use only the host name.
Objects on the Internet, however, are not accessed by host
name. To connect to a server, the browser must first trans-
late a host name into an IP address and then open a socket
to that IP address. If one host name resolves to multiple IP
addresses owned by multiple entities, the browser will treat
them as if they were the same origin even though they are,
from an ownership point-of-view, di↵ erent.
3. DNS REBINDING VULNERABILITIES
The network access policy in web browsers is based on
host names, which are bound by the Domain Name Sys-
tem (DNS) to IP addresses. An attacker mounting a DNS
rebinding attack attempts to subvert this security policy by
binding his or her host name to both the attack and target
server’s IP addresses.
3.1 Standard Rebinding Vulnerabilities
A standard rebinding attack uses a single browser tech-
nology (e.g. JavaScript, Java, or Flash Player) to connect
to multiple IP addresses with the same host name.
10. Multiple A Records. When a client resolves a host name
using DNS, the authoritative server can respond with mul-
tiple A records indicating the IP addresses of the host. The
first attack using DNS rebinding [8] in 1996 leveraged this
property to confuse the security policy of the Java Virtual
Machine (JVM):
1. A client visits a malicious web site, attacker.com, con-
taining a Java applet. The attacker’s DNS server binds
attacker.com to two IP addresses: the attacker’s web
server and the target’s web server.
2. The client executes the attacker’s applet, which opens
a socket to the target. The JVM permits this connec-
tion, because the target’s IP address is contained in
the DNS record for attacker.com.
Current versions of the JVM are not vulnerable to this at-
tack because the Java security policy has been changed. Ap-
plets are now restricted to connecting to the IP address from
which they were loaded. (Current attacks on Java are de-
scribed in Section 3.2.)
In the JavaScript version of this attack, the attacker sends
some JavaScript to the browser that instructs the browser
to connect back to attacker.com. The attacker’s server
refuses this second TCP connection, forcing the browser to
switch over to the victim IP address [21]. By using a RST
packet to refuse the connection, the attacker can cause some
browsers to switch to the new IP address after one second.
Subsequent XMLHttpRequests issued by the attacker’s code
will connect to the new IP address.
Time-Varying DNS. In 2001, the original attack on Java
was extended [36] to use use time-varying DNS:
11. 1. A client visits a malicious web site, attacker.com,
containing JavaScript. The attacker’s DNS server is
configured to bind attacker.com to the attacker’s IP
address with a very short TTL.
2. The attacker rebinds attacker.com to the target’s IP
address.
3. The malicious script uses frames or XMLHttpRequest
to connect to attacker.com, which now resolves to the
IP address of the target’s server.
Because the connection in Step 3 has the same host name
as the original malicious script, the browser permits the at-
tacker to read the response from the target.
Pinning in Current Browsers. Current browsers defend
against the standard rebinding attack by “pinning” host
names to IP address, preventing host names from referring
to multiple IP addresses.
• Internet Explorer 7 pins DNS bindings for 30 minutes.1
Unfortunately, if the attacker’s domain has multiple A
records and the current server becomes unavailable,
the browser will try a di↵ erent IP address within one
second.
• Internet Explorer 6 also pins DNS bindings for 30 min-
utes, but an attacker can cause the browser to release
its pin after one second by forcing a connection to the
current IP address to fail, for example by including the
element <img src="http://attacker.com:81/">.
1The duration is set by the registry keys DnsCacheTimeout
and ServerInfoTimeOut in
HKEY CURRENT USERSOFTWAREMicrosoft Windows
12. CurrentVersionInternet Settings
• Firefox 1.5 and 2 cache DNS entries for between 60 and
120 seconds. DNS entries expire when the value of the
current minute increments twice. 2 Using JavaScript,
the attacker can read the user’s clock and compute
when the pin will expire. Using multiple A records, an
attacker can further reduce this time to one second.
• Opera 9 behaves similarly to Internet Explorer 6. In
our experiments, we found that it pins for approxi-
mately 12 minutes but can be tricked into releasing its
pin after 4 seconds by connecting to a closed port.
• Safari 2 pins DNS bindings for one second. Because
the pinning time is so low, the attacker may need to
send a “Connection: close” HTTP header to ensure
that the browser does not re-use the existing TCP con-
nection to the attacker.
Flash Player 9. Flash Player 9 permits SWF movies to
open TCP sockets to arbitrary hosts, provided the destina-
tion serves an XML policy authorizing the movie’s origin [2].
According to Adobe, Flash Player 9 is installed on 55.8% of
web browsers (as of December 2006) [1]; according to our
own experiments, Flash Player 9 was present in 86.9% of
browsers. Flash Player is vulnerable to the following re-
binding attack:
1. The client’s web browser visits a malicious web site
that embeds a SWF movie.
2. The SWF movie opens a socket on a port less than
1024 to attacker.com, bound to the attacker’s IP ad-
13. dress. Flash Player sends <policy-file-request />.
3. The attacker responds with the following XML:
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
4. The SWF movie opens a socket to an arbitrary port
number on attacker.com, which the attacker has re-
bound to the target’s IP address.
The policy XML provided by the attacker in step 3 in-
structs Flash Player to permit arbitrary socket access to
attacker.com. Flash Player permits the socket connections
to the target because it does not pin host names to a single
IP address. If the attacker were to serve the policy file from
a port number � 1024, Flash Player would authorize only
ports � 1024.
3.2 Multi-Pin Vulnerabilities
Current browsers use several plug-ins to render web pages,
many of which permit direct socket access back to their ori-
gins. Another class of rebinding attacks exploit the fact
that these multiple technologies maintain separate DNS pin
databases. If one technology pins to the attacker’s IP ad-
dress and another pins to the target’s IP address, the at-
tacker can make use of inter-technology communication to
circumvent the same-origin restrictions on network access.
Some of these attacks have been discussed previously in the
full-disclosure community [4].
Java. Java, installed on 87.6%3 of web browsers [1], can also
2The duration is set by network.dnsCacheExpiration.
14. 3We observed 98.1% penetration in our experiment.
open TCP connections back to their origins. The Java Vir-
tual Machine (JVM) maintains DNS pins separately from
the browser, opening up the possibility of DNS rebinding
vulnerabilities. Java applets themselves are not vulnerable
because the JVM retrieves applets directly from the net-
work, permitting the JVM to pin the origin of the applet to
the correct IP address. Java is vulnerable, however, to the
following attacks.
• LiveConnect bridges JavaScript and the JVM in Fire-
fox and Opera, permitting script access to the Java
standard library, including the Socket class, without
loading an applet. The browser pins to the attacker’s
IP address, but the JVM spawned by LiveConnect
does a second DNS resolve and pins to the target’s
IP address. The attacker’s JavaScript can exploit this
pin mismatch to open and communicate on a socket
from the client machine to an arbitrary IP address on
an arbitrary destination port, including UDP sockets
with a source port number � 1024.
• Applets with Proxies are also vulnerable to a multi-
pin attack, regardless of which browser the client uses.
If the client uses an HTTP proxy to access the web,
there is yet another DNS resolver involved—the proxy.
When the JVM retrieves an applet via a proxy, it re-
quests the applet by host name, not by IP address.
If the applet opens a socket, the JVM does a second
DNS resolve and pins to the target’s IP address.
• Relative Paths can cause multi-pin vulnerabilities. If
a server hosts an HTML page that embeds an applet
using a relative path with the parameter mayscript
set to true, that machine can be the target of a multi-
15. pin attack. The browser pins to the target, retrieves
the HTML page, and instructs the JVM to load the
applet. The JVM does a second DNS resolve, pins
to the attacker, and retrieves a malicious applet. The
applet instructs the browser, via JavaScript, to issue
XMLHttpRequests to the target’s IP address.
Flash Player. Flash Player would still be vulnerable to
multi-pin attacks even if it pinned DNS bindings. Flash
Player does not retrieve its movies directly from the net-
work. Instead, the browser downloads the movie and spawns
Flash Player, transferring the movie’s origin by host name.
When the attacker’s movie attempts to open a socket, Flash
Player does a second DNS resolution and would pin to the
target’s IP address. The URLLoader class is not vulnerable to
multi-pin attacks because it uses the browser to request the
URL and thus uses the browser’s DNS pins, but the Socket
class could still be used to read and write on arbitrary TCP
sockets.
Other Plug-ins. Other browser plug-ins permit network
access, including Adobe Acrobat and Microsoft Silverlight.
Acrobat restricts network communication to the SOAP pro-
tocol but does not restrict access by document origin. Of-
ten, the Acrobat plug-in will prompt the user before access-
ing the network. Silverlight permits network access through
BrowserHttpWebRequest, which uses the browser to make
the request (like URLLoader in Flash Player) and thus uses
the browser’s DNS pins.
4. ATTACKS USING DNS REBINDING
An attacker can exploit the DNS rebinding vulnerabilities
described in Section 3 to mount a number of attacks. For
16. some of these attacks, the attacker requires the direct socket
access a↵ orded by DNS rebinding with Flash Player and
Java, whereas others require only the ability to read HTTP
responses from the target. The attacks fall into two broad
categories, according to the attacker’s goal:
• Firewall Circumvention. The attacker can use DNS re-
binding to access machines behind firewalls that he or
she cannot access directly. With direct socket access,
the attacker can interact with a number of internal
services besides HTTP.
• IP Hijacking. The attacker can also use DNS rebinding
to access publicly available servers from the client’s IP
address. This allows the attacker to take advantage of
the target’s implicit or explicit trust in the client’s IP
address.
To mount these attacks, the attacker must first induce the
client to load some active content. This can be done by a
variety of techniques discussed in Section 4.4. Once loaded
onto the client’s machine, the attacker’s code can communi-
cate with any machine reachable by the client.
4.1 Firewall Circumvention
A firewall restricts tra�c between computer networks in
di↵ erent zones of trust. Some examples include blocking
connections from the public Internet to internal machines
and mediating connections from internal machines to Inter-
net servers with application-level proxies. Firewall circum-
vention attacks bypass the prohibition on inbound connec-
tions, allowing the attacker to connect to internal servers
while the user is visiting the attacker’s Internet web page
(see Figure 1).
17. Spidering the Intranet. The attacker need not specify
the target machine by IP address. Instead, the attacker
can guess the internal host name of the target, for example
hr.corp.company.com, and rebind attacker.com to a CNAME
record pointing to that host name. The client’s own recur-
sive DNS resolver will complete the resolution and return
the IP address of the target. Intranet host names are often
guessable and occasionally disclosed publicly [30, 9]. This
technique obviates the need for the attacker to scan IP ad-
dresses to find an interesting target but does not work with
the multiple A record technique described in Section 3.1.
Having found a machine on the intranet, the attacker can
connect to the machine over HTTP and request the root
document. If the server responds with an HTML page, the
attacker can follow links and search forms on that page,
eventually spidering the entire intranet. Web servers inside
corporate firewalls often host confidential documents, rely-
ing on the firewall to prevent untrusted users from accessing
the documents. Using a DNS rebinding attack, the attacker
can leverage the client’s browser to read these documents
and exfiltrate them to the attacker, for example by submit-
ting an HTML form to the attacker’s web server.
Compromising Unpatched Machines. Network admin-
istrators often do not patch internal machines as quickly
as Internet-facing machines because the patching process is
time-consuming and expensive. The attacker can attempt
to exploit known vulnerabilities in machines on the internal
network. In particular, the attacker can attempt to exploit
the client machine itself. The attacks against the client it-
self originate from localhost and so bypass software fire-
walls and other security checks, including many designed to
protect serious vulnerabilities. If an exploit succeeds, the
attacker can establish a presence within the firewall that
18. persists even after clients close their browsers.
Abusing Internal Open Services. Internal networks
contain many open services intended for internal use only.
For example, network printers often accept print jobs from
internal machines without additional authentication. The
attacker can use direct socket access to command network
printers to exhaust their toner and paper supplies.
Similarly, users inside firewalls often feel comfortable cre-
ating file shares or FTP servers accessible to anonymous
users under the assumption that the servers will be avail-
able only to clients within the network. With the ability to
read and write arbitrary sockets, the attacker can exfiltrate
the shared documents and use these servers to store illicit
information for later retrieval.
Consumer routers are often installed without changing the
default password, making them an attractive target for re-
configuration attacks by web pages [40]. Firmware patches
have attempted to secure routers against cross-site scripting
and cross-site request forgery, in an e↵ ort to prevent recon-
figuration attacks. DNS rebinding attacks allow the attacker
direct socket access to the router, bypassing these defenses.
4.2 IP Hijacking
Attackers can also use DNS rebinding attacks to target
machines on the public Internet. For these attacks, the at-
tacker is not leveraging the client’s machine to connect to
otherwise inaccessible services but instead abusing the im-
plicit or explicit trust public services have in the client’s IP
address. Once the attacker has hijacked a client’s IP ad-
dress, there are several attacks he or she can perpetrate.
Committing Click Fraud. Web publishers are often paid
19. by web advertisers on a per-click basis. Fraudulent publish-
ers can increase their advertising revenue by generating fake
clicks, and advertisers can drain competitors’ budgets by
clicking on their advertisements. The exact algorithms used
by advertising networks to detect these “invalid” clicks are
proprietary, but the IP address initiating the click is widely
believed to be an essential input. In fact, one common use
of bot networks is to generate clicks [7].
Click fraud would appear to require only the ability to
send HTTP requests to the advertising network, but adver-
tisers defend against the send-only attacks, permitted by the
same-origin policy, by including a unique nonce with every
advertising impression. Clicks lacking the correct nonce are
rejected as invalid, requiring the attacker to read the nonce
from an HTTP response in order to generate a click.
This attack is highly cost-e↵ ective, as the attacker can
buy advertising impressions, which cost tens of cents per
thousand, and convert them into clicks, worth tens of cents
each. The attack is su�ciently cost-e↵ ective that the at-
tacker need not convert every purchased impression into a
click. Instead, the fraudster can use most of the purchased
impressions to generate fake impressions on the site, main-
taining a believable click-through rate.
Sending Spam. Many e-mail servers blacklist IP addresses
known to send spam e-mail [39]. By hijacking a client’s IP
address, an attacker can send spam from IP addresses with
clean reputations. To send spam e-mail, the attacker need
only write content to SMTP servers on port 25, an action
blocked by most browsers but permitted by Flash Player
and Java. Additionally, an attacker will often be able to use
the client’s actual mail relay. Even service providers that
20. require successful authentication via POP3 before sending
e-mail are not protected, because users typically leave their
desktop mail clients open and polling their POP3 servers.
Defeating IP-based Authentication. Although discour-
aged by security professionals [10], many Internet services
still employ IP-based authentication. For example, the ACM
Digital Library makes the full text of articles available only
to subscribers, who are often authenticated by IP address.
After hijacking an authorized IP address, the attacker can
access the service, defeating the authentication mechanism.
Because the communication originates from an IP address
actually authorized to use the service, it can be di�cult,
or even impossible, for the service provider to recognize the
security breach.
Framing Clients. An attacker who hijacks an IP address
can perform misdeeds and frame the client. For example,
an attacker can attempt to gain unauthorized access to a
computer system using a hijacked IP address as a proxy.
As the attack originates from the hijacked IP address, the
logs will implicate the client, not the attacker, in the crime.
Moreover, if the attacker hosts the malicious web site over
HTTPS, the browser will not cache the page and no traces
will be left on the client’s machine.
4.3 Proof-of-Concept Demonstration
We developed proof-of-concept exploits for DNS rebinding
vulnerabilities in Flash Player 9, LiveConnect, Java applets
with proxy servers, and the browser itself. Our system con-
sists of a custom DNS server authoritative for dnsrebinding.net,
a custom Flash Player policy server, and a standard Apache
web server. The various technologies issue DNS queries
that encode the attacker and target host names, together
with a nonce, in the subdomain. For each nonce, the DNS
21. server first responds with the attacker’s IP address (with a
zero TTL) and thereafter with the target’s IP address. Our
proof-of-concept demo, http://crypto.stanford.edu/dns,
implements wget and telnet by mounting a rebinding at-
tack against the browser.
4.4 Experiment: Recruiting Browsers
Methodology. We tested DNS rebinding experimentally
by running a Flash Player 9 advertisement on a minor ad-
vertising network targeting the keywords “Firefox,” “game,”
“Internet Explorer,” “video,” and “YouTube.” The experi-
ment used two machines in our laboratory, an attacker and a
target. The attacker ran a custom authoritative DNS server
for dnsrebinding.net, a custom Flash Player policy server,
and an Apache web server hosting the advertisement. The
target ran an Apache web server to log successful attacks.
The Flash Player advertisement exploited the vulnerability
described in Section 3.1 to load an XML document from the
target server in our lab. The attack required only that the
client view the ad, not that the user click on the ad.
Vulnerability Impressions
Flash Player 9 86.9%
LiveConnect 24.4%
Java+Proxy 2.2%
Total Multi-Pin 90.6%
Table 2: Percentage of Impressions by Vulnerability
Cumulative Duration of Successful Attacks
for 75% Shortest Duration Attacks
0
10
22. 20
30
40
50
60
70
80
90
100
0 64 128 192 256
Duration of Attack Success (secs)
S
uc
ce
ss
fu
l A
tt
ac
ks
(
pe
rc
en
t)
Cumulative Duration of Successful Attacks
1
10
23. 100
1,000
10,000
100,000
1 10 100 1000 10000 100000 1000000
Duration of Attack Success (secs, logscale)
S
uc
ce
ss
fu
l A
tt
ac
ks
(
lo
gs
ca
le
)
Figure 2: Duration of Successful Attacks
The experiment lasted until the user navigated away from
the advertisement, at which time we lost the ability to use
the viewer’s network connection. For privacy, we collected
only properties typically disclosed by browsers when viewing
web pages (e.g., plug-in support, user agent, and external IP
24. address). The experiment conformed to the terms of service
of the advertising network and to the guidelines of the in-
dependent review board at our institution. Every network
operation produced by the advertisement could have been
produced by a legitimate SWF advertisement, but we pro-
duced the operations through the Socket interface, demon-
strating the ability to make arbitrary TCP connections.
Results. We ran the ad beginning at midnight EDT on
three successive nights in late April 2007. We bid $0.50
per 1000 impressions for a variety of keywords. We spent
$10 per day, garnering approximately 20,000 impressions per
day. Due to a server misconfiguration, we disregarded ap-
proximately 10,000 impressions. We also disregarded 19 im-
pressions from our university. We received 50,951 impres-
sions from 44,924 unique IP addresses (40.2% IE7, 32.3%
IE6, 23.5% Firefox, 4% Other).
We ran the rebinding experiment on the 44,301 (86.9%)
impressions that reported Flash Player 9. We did not at-
tempt to exploit other rebinding vulnerabilities (see Ta-
ble 2). The experiment was successful on 30,636 (60.1%)
impressions and 27,480 unique IP addresses. The attack
was less successful on the 1,672 impressions served to Mac
OS, succeeding 36.4% of the time, compared to a success
rate of 70.0% on the 49,535 (97.2%) Windows impressions.4
Mac OS is more resistant to this rebinding attack due to
some caching of DNS entries despite their zero TTL.
For each successful experiment, we measured how long an
attacker could have used the client’s network access by load-
ing the target document at exponentially longer intervals, as
shown in Figure 2. The median impression duration was 32
25. seconds, with 25% of the impressions lasting longer than 256
seconds. We observed 9 impressions with a duration of at
least 36.4 hours, 25 at least 18.2 hours, and 81 at least 9.1
hours. In aggregate, we obtained 100.3 machine-days of net-
work access. These observations are consistent with those
of [24]. The large number of attacks ending between 4.2 and
8.5 minutes suggests that this is a common duration of time
for users to spend on a web page.
Discussion. Our experimental results show that DNS re-
binding vulnerabilities are widespread and cost-e↵ ective to
exploit on a large scale. Each impression costs $0.0005 and
54% of the impressions convert to successful attacks from
unique IP addresses. To hijack 100,000 IP addresses for a
temporary bot network, and attacker would need to spend
less than $100. This technique compares favorably to rent-
ing a traditional bot network for sending spam e-mail and
committing click fraud for two reasons. First, these applica-
tions require large numbers of “fresh” IP address for short
durations as compromised machines are quickly blacklisted.
Second, while estimates of the rental cost of bot networks
vary [44, 14, 7], this technique appears to be at least one or
two orders of magnitude less expensive.
5. DEFENSES AGAINST REBINDING
Defenses for DNS rebinding attacks can be implemented
in browsers, plug-ins, DNS resolvers, firewalls, and servers.
These defenses range in complexity of development, di�-
culty of deployment, and e↵ ectiveness against firewall cir-
cumvention and IP hijacking. In addition to necessary mit-
igations for Flash Player, Java LiveConnect, and browsers,
we propose three long-term defenses. To protect against fire-
wall circumvention, we propose a solution that can be de-
ployed unilaterally by organizations at their network bound-
ary. To fully defend against rebinding attacks, we propose
26. two defenses: one that requires socket-level network access
be authorized explicitly by the destination server and an-
other works even if sockets are allowed by default.
5.1 Fixing Firewall Circumvention
Networks can be protected against firewall circumvention
by forbidding external host names from resolving to internal
IP addresses, e↵ ectively preventing the attacker from nam-
ing the target server. Without the ability to name the tar-
get, the attacker is unable to aggregate the target server into
an origin under his or her control. These malicious bindings
4We succeeded in opening a socket with 2 of 11 PlayStation 3
impressions (those with Flash Player 9), but none of the 12
Nintendo Wii impressions were vulnerable.
can be blocked either by filtering packets at the firewall [5]
or by modifying the DNS resolvers used by clients on the
network.
• Enterprise. By blocking outbound tra�c on port 53, a
firewall administrator for an organization can force all
internal machines, including HTTP proxies and VPN
clients, to use a DNS server that is configured not to
resolve external names to internal IP addresses. To
implement this approach, we developed a 300 line C
program, dnswall [15], that runs alongside BIND and
enforces this policy.
• Consumer. Many consumer firewalls, such as those
produced by Linksys, already expose a caching DNS
resolver and can be augmented with dnswall to block
DNS responses that contain private IP addresses. The
vendors of these devices have an incentive to patch
their firewalls because these rebinding attacks can be
27. used to reconfigure these routers to mount further at-
tacks on their owners.
• Software. Software firewalls, such as the Windows
Firewall, can also prevent their own circumvention by
blocking DNS resolutions to 127.*.*.*. This tech-
nique does not defend services bound to the external
network interface but does protects a large number of
services that bind only to the loopback interface.
Blocking external names from resolving to internal addresses
prevents firewall circumvention but does not defend against
IP hijacking. An attacker can still use internal machines to
attack services running on the public Internet.
5.2 Fixing Plug-ins
Plug-ins are a particular source of complexity in defend-
ing against DNS rebinding attacks because they enable sub-
second attacks, provide socket-level network access, and op-
erate independently from browsers. In order to prevent re-
binding attacks, these plug-ins must be patched.
Flash Player. When a SWF movie opens a socket to a
new host name, it requests a policy over the socket to de-
termine whether the host accepts socket connections from
the origin of the movie. Flash Player could fix most of
its rebinding vulnerabilities by considering a policy valid
for a socket connection only if it obtained the policy from
the same IP address in addition to its current requirement
that it obtained the policy from the same host name. Us-
ing this design, when attacker.com is rebound to the tar-
get IP address, Flash Player will refuse to open a socket to
that address unless the target provides a policy authorizing
attacker.com. This simple refinement uses existing Flash
Player policy deployments and is backwards compatible, as
28. host names expecting Flash Player connections already serve
policy documents from all of their IP addresses.
SWF movies can also access ports numbers � 1024 on
their origin host name without requesting a policy. Al-
though the majority of services an attacker can profitably
target (e.g., SMTP, HTTP, HTTPS, SSH, FTP, NNTP)
are hosted on low-numbered ports, other services such as
MySQL, BitTorrent, IRC, and HTTP proxies are vulnera-
ble. To fully protect against rebinding attacks, Flash Player
could request a policy before opening sockets to any port,
even back to its origin. However, this modification breaks
backwards compatibility because those servers might not be
already serving policy files.
Java. Many deployed Java applets expect sockets to be al-
lowed by default. If clients are permitted to use these applets
from behind HTTP proxies, they will remain vulnerable to
multi-pin attacks because proxy requests are made by host
name instead of by IP address. A safer approach is to use the
CONNECT method to obtain a proxied socket connection to an
external machine. Typically proxies only allow CONNECT on
port 443 (HTTPS), making this the only port available for
these applets. Alternatively, proxies can use HTTP head-
ers to communicate IP addresses of hosts between the client
and the proxy [28, 29], but this approach requires both the
client and the proxy to implement the protocol.
Java LiveConnect. LiveConnect introduces additional
vulnerabilities, but browsers can fix the LiveConnect multi-
pin vulnerability without altering the JVM by installing
their own DNS resolver into the JVM using a standard
interface. Firefox, in particular, implements LiveConnect
29. through the Java Native Interface (JNI). When Firefox ini-
tializes the JVM, it can install a custom InetAddress class
that will handle DNS resolution for the JVM. This custom
class should contain a native method that implements DNS
resolution using Firefox’s DNS resolver instead of the system
resolver. If the browser implements pinning, LiveConnect
and the browser will use a common pin database, removing
multi-pin vulnerabilities.
5.3 Fixing Browsers (Default-Deny Sockets)
Allowing direct socket access by default precludes many
defenses for DNS rebinding attacks. If browser plug-ins de-
faulted to denying socket access, as a patched Flash Player
and the proposed TCPConnection (specified in HTML5 [19])
would, these defenses would become viable. Java and Live-
Connect, along with any number of lesser-known plug-ins,
expect socket access to be allowed, and fixing these is a chal-
lenge.
Checking Host Header. HTTP 1.1 requires that user
agents include a Host header in HTTP requests that spec-
ifies the host name of the server [11]. This feature is used
extensively by HTTP proxies and by web servers to host
many virtual hosts on one IP address. If sockets are de-
nied by default, the Host header reliably indicates the host
name being used by the browser to contact the server be-
cause XMLHttpRequest [43] and related technologies are re-
stricted from spoofing the Host header.5 One server-side de-
fense for these attacks is therefore to reject incoming HTTP
requests with unexpected Host headers [28, 37].
Finer-grained Origins. Another defense against DNS
rebinding attacks is to refine origins to include additional
information, such as the server’s IP address [28] or public
key [27, 23], so that when the attacker rebinds attacker.com
30. to the target, the browser will consider the rebound host
name to be a new origin. One challenge to deploying finer-
grained origins is that every plug-in would need to revise its
security policies and interacting technologies would need to
hand-o↵ refined origins correctly.
5Lack of integrity of the Host header has been a recur-
ring source of security vulnerabilities, most notably in Flash
Player 7.
• IP Addresses. Refining origins with IP address [28]
is more robust than pinning in that a single browsing
session can fail-over from one IP address to another.
When such a fail-over occurs, however, it will likely
break long-lived AJAX applications, such as Gmail,
because they will be prevented from making XML-
HttpRequests to the new IP address. Users can recover
from this by clicking the browser’s reload button. Un-
fortunately, browsers that use a proxy server do not
know the actual IP address of the remote server and
thus cannot properly refine origins. Also, this defense
is vulnerable to an attack using relative paths to script
files, similar to the applet relative-path vulnerability
described in Section 3.2.
• Public Keys. Augmenting origins with public keys [27,
23] prevents two HTTPS pages served from the same
domain with di↵ erent public keys from reading each
other’s state. This defense is useful when users dis-
miss HTTPS invalid certificate warnings and chiefly
protects HTTPS-only “secure” cookies from network
attackers. Many web pages, however, are not served
over HTTPS, rendering this defense more appropriate
for pharming attacks that compromise victim domains
than for rebinding attacks.
31. Smarter Pinning. To mitigate rebinding attacks, browsers
can implement smarter pinning policies. Pinning is a de-
fense for DNS rebinding that trades o↵ robustness for secu-
rity. RFC 1035 [32] provides for small (and even zero) TTLs
to enable dynamic DNS and robust behavior in the case of
server failure but respecting these TTLs allows rebinding
attacks. Over the last decade, browsers have experimented
with di↵ erent pin durations and release heuristics, leading
some vendors to shorten their pin duration to improve ro-
bustness [13]. However, duration is not the only parameter
that can be varied in a pinning policy.
Browsers can vary the width of their pins by permitting
host names to be rebound within a set of IP addresses that
meet some similarity heuristic. Selecting an optimal width
as well as duration enables a better trade-o↵ between se-
curity and robustness than optimizing duration alone. One
promising policy is to allow rebinding within a class C net-
work. For example, if a host name resolved to 171.64.78.10,
then the client would also accept any IP address beginning
with 171.64.78 for that host name. The developers of the
NoScript Firefox extension [26] have announced plans [25]
to adopt this pinning heuristic.
• Security. When browsers use class C network pinning,
the attacker must locate the attack server on the same
class C network as the target, making the rebinding
attack much more di�cult to mount. The attack is
possible only if the attacker co-locates a server at the
same hosting facility or leverages a cross-site scripting
vulnerability on a co-located server. This significantly
raises the bar for the attacker and provides better re-
courses for the target.
• Robustness. To study the robustness of class C net-
work pinning, we investigated the IP addresses re-
32. ported by the 100 most visited English-language sites
(according to Alexa [3]). We visited the home page of
these sites and compiled a list of the 336 host names
used for embedded content (e.g., www.yahoo.com em-
beds images from us.i1.yimg.com). We then issued
DNS queries for these hosts every 10 minutes for 24
hours, recording the IP addresses reported.
In this experiment, 58% reported a single IP address
consistently across all queries. Note that geographic
load balancing is not captured in our data because we
issued our queries from a single machine, mimicking
the behavior of a real client. Averaged over the 42%
of hosts reporting multiple IP addresses, if a browser
pinned to an IP address at random, the expected frac-
tion of IP addresses available for rebinding under class
C network pinning is 81.3% compared with 16.4% un-
der strict IP address pinning, suggesting that class C
pinning is significantly more robust to server failure.
Other heuristics for pin width are possible. For example,
the browser could prevent rebinding between public IP ad-
dresses and the RFC 1918 [35] private IP addresses. This
provides greater robustness for fail-overs across data centers
and for dynamic DNS. LocalRodeo [22, 45] is a Firefox ex-
tension that implements RFC 1918 pinning for JavaScript.
As for security, RFC 1918 pinning largely prevents firewall
circumvention but does not protect against IP hijacking nor
does it prevent firewall circumvention in the case where a
firewall protects non-private IP addresses, which is the case
for many real-life protected networks and personal software
firewalls.
33. Even the widest possible pinning heuristic prevents some
legitimate rebinding of DNS names. For example, public
host names controlled by an organization often have two IP
addresses, a private IP address used by clients within the
firewall and a public IP address used by clients on the Inter-
net. Pinning prevents employees from properly connecting
to these severs after joining the organization’s Virtual Pri-
vate Network (VPN) as those host names appear to rebind
from public to private IP addresses.
Policy-based Pinning. Instead of using unpinning heuris-
tics, we propose browsers consult server-supplied policies to
determine when it is safe to re-pin a host name from one IP
address to another, providing robustness without degrading
security. To re-pin safely, the browser must obtain a policy
from both the old and new IP address (because some at-
tacks first bind to the attacker whereas others first bind to
the target). Servers can supply this policy at a well-known
location, such as /crossdomain.xml, or in reverse DNS (see
Section 5.4).
Pinning Pitfalls. Correctly implementing pinning has sev-
eral subtleties that are critical to its ability to defend against
DNS rebinding attacks.
• Common Pin Database. To eliminate multi-pin at-
tacks, pinning-based defense require that all browser
technologies that access the network share a common
pin database. Many plug-ins, including Flash Player
and Silverlight, already use the browser’s pins when
issuing HTTP requests because they issue these re-
quests through the browser. To share DNS pins for
other kinds of network access, either the browser could
expose an interface to its pin database or the operating
system could pin in its DNS resolver. Unfortunately,
browser vendors appear reluctant to expose such an
34. interface [12, 33] and pinning in the operating system
either changes the semantics of DNS for other applica-
tions or requires that the OS treats browsers and their
plug-ins di↵ erently from other applications.
• Cache. The browser’s cache and all plug-in caches
must be modified to prevent rebinding attacks. Cur-
rently, objects stored in the cache are retrieved by
URL, irrespective of the originating IP address, creat-
ing a rebinding vulnerability: a cached script from the
attacker might run later when attacker.com is bound
to the target. To prevent this attack, objects in the
cache must be retrieved by both URL and originat-
ing IP address. This degrades performance when the
browser pins to a new IP address, which might occur
when the host at the first IP address fails, the user
starts a new browsing session, or the user’s network
connectivity changes. These events are uncommon and
are unlikely to impact performance significantly.
• document.domain. Even with the strictest pinning, a
server is vulnerable to rebinding attacks if it hosts a
web page that executes the following, seemingly in-
nocuous, JavaScript:
document.domain = document.domain;
After a page sets its domain property, the browser al-
lows cross-origin interactions with other pages that
have set their domain property to the same value [42,
17]. This idiom, used by a number of JavaScript li-
braries6, sets the domain property to a value under
the control of the attacker: the current host name.
5.4 Fixing Browsers (Default-Allow Sockets)
35. Instead of trying to prevent a host name from rebinding
from one IP address to another—a fairly common event—a
di↵ erent approach to defending against rebinding is to pre-
vent the attacker from naming the target server, essentially
generalizing dnswall to the Internet. Without the ability to
name the target server, the attacker cannot mount a DNS
rebinding attack against the target. This approach defends
against rebinding, can allow socket access by default, and
preserves the robustness of dynamic DNS.
Host Name Authorization. On the Internet, clients re-
quire additional information to determine the set of valid
host names for an given IP address. We propose that servers
advertise the set of host names they consider valid for them-
selves and clients check these advertisements before binding
a host name to an IP address, making explicit which host
names can map to which IP addresses. Host name autho-
rization prevents rebinding attacks because honest machines
will not advertise host names controlled by attackers.
Reverse DNS already provides a mapping from IP ad-
dresses to host names. The owner of an IP address ip is
delegated naming authority for ip.in-addr.arpa and typi-
cally stores a PTR record containing the host name associ-
ated with that IP address. These records are insu�cient
for host name authorization because a single IP address can
have many valid host names, and existing PTR records do
not indicate that other host names are invalid.
6For example, “Dojo” AJAX library, Struts servlet/JSP
based web application framework, jsMath AJAX Mathemat-
ics library, and Sun’s “Ultimate client-side JavaScript client
sni↵ ” library are vulnerable in this way.
36. The reverse DNS system can be extended to authorize
host names without sacrificing backwards compatibility. To
authorize the host www.example.com for 171.64.78.146, the
owner of the IP address inserts the following DNS records:
auth.146.78.64.171.in-addr.arpa.
IN A 171.64.78.146
www.example.com.auth.146.78.64.171.in-addr.arpa.
IN A 171.64.78.146
To make a policy-enabled resolution for www.example.com,
first resolve the host name a set of IP addresses normally
and then validate each IP address as follows:
1. Resolve the host name auth.ip.in-addr.arpa.
2. If the host name exists, ip is policy-enabled and ac-
cepts only authorized host names. Otherwise, ip is
not policy-enabled and accepts any host name.
3. Finally, if ip is policy-enabled, resolve the host name
www.example.com.auth.ip.in-addr.arpa
to determine if the host name is authorized.
An IP address ip implicitly authorizes every host name of
the form *.auth.ip.in-addr.arpa, preventing incorrect re-
cursive policy checks. For host names with multiple IP ad-
dresses, only authorized IP addresses should be included in
the result. If no IP addresses are authorized, the result
should be “not found.” If an IP address is not policy en-
abled, DNS rebinding attacks can be mitigated using the
techniques in Section 5.3.
37. The policy check can be implemented in DNS resolvers7,
such as ones run by organizations and ISPs, transparently
protecting large groups of machines from having their IP
addresses hijacked. User agents, such as browser and plug-
ins, can easily query the policy records because they are
stored in A records and can issue policy checks in paral-
lel with HTTP requests (provided they do not process the
HTTP response before the host name is authorized). Stan-
dard DNS caching reduces much of the overhead of redun-
dant policy checks issued by DNS resolvers, browsers, and
plug-ins. As a further optimization, policy-enabled resolvers
can include policy records in the “additional” section of the
DNS response, allowing downstream resolvers to cache com-
plete policies and user-agents to get policy records without
a separate request. We have implemented host name autho-
rization as a 72-line patch to Firefox 2.
One disadvantage of this mechanism is that the owner of
an IP address, the ISP, might not be the owner of the ma-
chine at that IP address. The machine can advertise the
correct set of authorized host names only if the ISP is will-
ing to delegate the auth subdomain to the owner or insert
appropriate DNS records. Instead, machines could advertise
authorized host names over HTTP in a well-known location,
similar to crossdomain.xml, but this has several disadvan-
tages: it requires policy-enabled DNS resolvers to implement
HTTP clients, it requires all machines, such as SMTP gate-
ways, to run an HTTP server, and policy queries are not
cached, resulting in extra tra�c comparable to favicon.ico.
7To prevent a subtle attack that involves poisoning DNS
caches, a policy-enabled DNS resolver must follow the same
procedure for CNAME queries as for A queries, even though
responses to the former do not directly include IP addresses.
38. Trusted Policy Providers. Clients and DNS resolvers
can also check policy by querying a trusted policy provider.
Much like spam black lists [39] and phishing filters [6, 31,
16], di↵ erent policy providers can use di↵ erent heuristics to
determine whether a host name is valid for an IP address,
but every provider should respect host names authorized
in reverse DNS. When correctly configured, host name au-
thorization in reverse DNS has no false negatives (no valid
host name is rejected) but many false positives (lack of pol-
icy is implicit authorization). Trusted policy providers can
greatly reduce the false positive rate, possibly at the cost of
increasing the false negative rate. Clients are free to select
as aggressive a policy provider as they desire.
6. RELATED WORK
Using Browsers as Bots. The technique of luring web
users to an attacker’s site and then distracting them while
their browsers participate in a coordinated attack is de-
scribed in [24]. These “puppetnets” can be used for dis-
tributed denial of service but cannot be used to mount the
attacks described in Section 4 because puppetnets cannot
read back responses from di↵ erent origins or connect to for-
bidden ports such as 25.
JavaScript can also be misused to scan behind firewalls [18]
and reconfigure home routers [40]. These techniques of-
ten rely on exploiting default passwords and on underlying
cross-site scripting or cross-site request forgery vulnerabil-
ities. DNS rebinding attacks can be used to exploit de-
fault passwords without the need for a cross-site scripting
or cross-site request forgery hole.
Sender Policy Framework. To fight spam e-mail, the
Sender Policy Framework (SPF) [46] stores policy informa-
tion in DNS. SPF policies are stored as TXT records in for-
39. ward DNS, where host names can advertise the set of IP
addresses authorized to send e-mail on their behalf.
7. CONCLUSIONS
An attacker can exploit DNS rebinding vulnerabilities to
circumvent firewalls and hijack IP addresses. Basic DNS re-
binding attacks have been known for over a decade, but the
classic defense, pinning, reduces robustness and fails to pro-
tect current browsers that use plug-ins. Modern multi-pin
attacks defeat pinning in hundreds of milliseconds, granting
the attacker direct socket access from the client’s machine.
These attacks are a highly cost-e↵ ective technique for hi-
jacking hundreds of thousands of IP addresses for sending
spam e-mail and committing click fraud.
For network administrators, we provide a tool to prevent
DNS rebinding from being used for firewall circumvention
by blocking external DNS names from resolving to internal
IP addresses. For the vendors of Flash Player, Java, and
LiveConnect, we suggest simple patches that mitigate large-
scale exploitation by vastly reducing the cost-e↵ ectiveness
of the attacks for sending spam e-mail and committing click
fraud. Finally, we propose two defense options that prevent
both firewall circumvention and IP hijacking: policy-based
pinning and host name authorization. We hope that ven-
dors and network administrators will deploy these defenses
quickly before attackers exploit DNS rebinding on a large
scale.
Acknowledgments
We thank Drew Dean, Darin Fisher, Jeremiah Grossman,
Martin Johns, Dan Kaminsky, Chris Karlof, Jim Roskind,
and Dan Wallach for their helpful suggestions and feedback.
40. This work is supported by grants from the National Science
Foundation and the US Department of Homeland Security.
8. REFERENCES
[1] Adobe. Flash Player Penetration. http://www.adobe.
com/products/player census/flashplayer/.
[2] Adobe. Adobe Flash Player 9 Security.
http://www.adobe.com/devnet/flashplayer/
articles/flash player 9 security.pdf, July 2006.
[3] Alexa. Top sites. http://www.alexa.com/site/ds/
top sites?ts mode=global.
[4] K. Anvil. Anti-DNS pinning + socket in flash.
http://www.jumperz.net/, 2007.
[5] W. Cheswick and S. Bellovin. A DNS filter and switch
for packet-filtering gateways. In Proc. Usenix, 1996.
[6] N. Chou, R. Ledesma, Y. Teraguchi, and J. Mitchell.
Client-side defense against web-based identity theft.
In Proc. NDSS, 2004.
[7] N. Daswani, M. Stoppelman, et al. The anatomy of
Clickbot.A. In Proc. HotBots, 2007.
[8] D. Dean, E. W. Felten, and D. S. Wallach. Java
security: from HotJava to Netscape and beyond. In
IEEE Symposium on Security and Privacy: Oakland,
California, May 1996.
[9] D. Edwards. Your MOMA knows best, December
2005. http://xooglers.blogspot.com/2005/12/
your-moma-knows-best.html.
41. [10] K. Fenzi and D. Wreski. Linux security HOWTO,
January 2004.
[11] R. Fielding et al. Hypertext Transfer
Protocol—HTTP/1.1. RFC 2616, June 1999.
[12] D. Fisher, 2007. Personal communication.
[13] D. Fisher et al. Problems with new DNS cache
(“pinning” forever). https:
//bugzilla.mozilla.org/show bug.cgi?id=162871.
[14] D. Goodin. Calif. man pleads guilty to felony hacking.
Associated Press, Janurary 2005.
[15] Google. dnswall.
http://code.google.com/p/google-dnswall/.
[16] Google. Google Safe Browsing for Firefox, 2005. http:
//www.google.com/tools/firefox/safebrowsing/.
[17] S. Grimm et al. Setting document.domain doesn’t
match an implicit parent domain. https:
//bugzilla.mozilla.org/show bug.cgi?id=183143.
[18] J. Grossman and T. Niedzialkowski. Hacking intranet
websites from the outside: JavaScript malware just
got a lot more dangerous. In Blackhat USA, August
2006. Invited talk.
[19] I. Hickson et al. HTML 5 Working Draft. http:
//www.whatwg.org/specs/web-apps/current-work/.
[20] C. Jackson, A. Bortz, D. Boneh, and J. Mitchell.
Protecting browser state from web privacy attacks. In
42. Proc. WWW, 2006.
[21] M. Johns. (somewhat) breaking the same-origin policy
by undermining DNS pinning, August 2006.
http://shampoo.antville.org/stories/1451301/.
[22] M. Johns and J. Winter. Protecting the Intranet
against “JavaScript Malware” and related attacks. In
Proc. DIMVA, July 2007.
[23] C. K. Karlof, U. Shankar, D. Tygar, and D. Wagner.
Dynamic pharming attacks and the locked same-origin
policies for web browsers. In Proc. CCS, October 2007.
[24] V. T. Lam, S. Antonatos, P. Akritidis, and K. G.
Anagnostakis. Puppetnets: Misusing web browsers as
a distributed attack infrastructure. In Proc. CCS,
2006.
[25] G. Maone. DNS Spoofing/Pinning. http:
//sla.ckers.org/forum/read.php?6,4511,14500.
[26] G. Maone. NoScript. http://noscript.net/.
[27] C. Masone, K. Baek, and S. Smith. WSKE: web server
key enabled cookies. In Proc. USEC, 2007.
[28] A. Megacz. XWT Foundation Security Advisory.
http://xwt.org/research/papers/sop.txt.
[29] A. Megacz and D. Meketa. X-RequestOrigin.
http://www.xwt.org/x-requestorigin.txt.
[30] Microsoft. Microsoft Web Enterprise Portal, January
2004. http://www.microsoft.com/technet/
itshowcase/content/MSWebTWP.mspx.
43. [31] Microsoft. Microsoft phishing filter: A new approach
to building trust in e-commerce content, 2005.
[32] P. Mockapetris. Domain Names—Implementation and
Specification. IETF RFC 1035, November 1987.
[33] C. Nuuja (Adobe), 2007. Personal communication.
[34] G. Ollmann. The pharming guide. http://www.
ngssoftware.com/papers/ThePharmingGuide.pdf,
August 2005.
[35] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J.
de Groot, and E. Lear. Address Allocation for Private
Internets. IETF RFC 1918, February 1996.
[36] J. Roskind. Attacks against the Netscape browser. In
RSA Conference, April 2001. Invited talk.
[37] D. Ross. Notes on DNS pinning.
http://blogs.msdn.com/dross/archive/2007/07/
09/notes-on-dns-pinning.aspx, 2007.
[38] J. Ruderman. JavaScript Security: Same Origin.
http://www.mozilla.org/projects/security/
components/same-origin.html.
[39] Spamhaus. The spamhaus block list, 2007.
http://www.spamhaus.org/sbl/.
[40] S. Stamm, Z. Ramzan, and M. Jakobsson. Drive-by
pharming. Technical Report 641, Computer Science,
Indiana University, December 2006.
[41] J. Topf. HTML Form Protocol Attack, August 2001.
44. http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.
[42] D. Veditz et al. document.domain abused to access
hosts behind firewall. https:
//bugzilla.mozilla.org/show bug.cgi?id=154930.
[43] W3C. The XMLHttpRequest Object, February 2007.
http://www.w3.org/TR/XMLHttpRequest/.
[44] B. Warner. Home PCs rented out in sabotage-for-hire
racket. Reuters, July 2004.
[45] J. Winter and M. Johns. LocalRodeo: Client-side
protection against JavaScript Malware.
http://databasement.net/labs/localrodeo/, 2007.
[46] M. Wong and W. Schlitt. Sender Policy Framework
(SPF) for Authorizing Use of Domains in E-Mail.
IETF RFC 4408, April 2006.
Enhancing Byte-Level
Network Intrusion Detection Signatures with Context
Robin Sommer
TU München
Germany
[email protected]
Vern Paxson
International Computer Science Institute and
Lawrence Berkeley National Laboratory
45. Berkeley, CA, USA
[email protected]
ABSTRACT
Many network intrusion detection systems (NIDS) use byte
sequen-
ces as signatures to detect malicious activity. While being
highly
efficient, they tend to suffer from a high false-positive rate. We
develop the concept of contextual signatures as an improvement
of
string-based signature-matching. Rather than matching fixed
strings
in isolation, we augment the matching process with additional
con-
text. When designing an efficient signature engine for the NIDS
Bro, we provide low-level context by using regular expressions
for
matching, and high-level context by taking advantage of the se-
mantic information made available by Bro’s protocol analysis
and
scripting language. Therewith, we greatly enhance the
signature’s
expressiveness and hence the ability to reduce false positives.
We
present several examples such as matching requests with
replies,
using knowledge of the environment, defining dependencies be-
tween signatures to model step-wise attacks, and recognizing
ex-
ploit scans.
To leverage existing efforts, we convert the comprehensive sig-
nature set of the popular freeware NIDS Snort into Bro’s
language.
While this does not provide us with improved signatures by
46. itself,
we reap an established base to build upon. Consequently, we
evalu-
ate our work by comparing to Snort, discussing in the process
sev-
eral general problems of comparing different NIDSs.
Categories and Subject Descriptors: C.2.0 [Computer-Communi-
cation Networks]: General - Security and protection.
General Terms: Performance, Security.
Keywords: Bro, Network Intrusion Detection, Pattern Matching,
Security, Signatures, Snort, Evaluation
1. INTRODUCTION
Several different approaches are employed in attempting to
detect
computer attacks. Anomaly-based systems derive (usually in an
au-
tomated fashion) a notion of “normal” system behavior, and
report
divergences from this profile, an approach premised on the
notion
that attacks tend to look different in some fashion from
legitimate
computer use. Misuse detection systems look for particular,
explicit
indications of attacks (Host-based IDSs inspect audit logs for
this
while network-based IDSs, or NIDSs, inspect the network
traffic).
Permission to make digital or hard copies of all or part of this
work for
personal or classroom use is granted without fee provided that
47. copies are
not made or distributed for profit or commercial advantage and
that copies
bear this notice and the full citation on the first page. To copy
otherwise, to
republish, to post on servers or to redistribute to lists, requires
prior specific
permission and/or a fee.
CCS’03,�October�27–31,�2003,�Washington,�DC,�USA.
Copyright 2003 ACM 1-58113-738-9/03/0010 ...$5.00.
In this paper, we concentrate on one popular form of misuse de-
tection, network-based signature matching in which the system
in-
spects network traffic for matches against exact, precisely-
described
patterns. While NIDSs use different abstractions for defining
such
patterns, most of the time the term signature refers to raw byte
se-
quences. Typically, a site deploys a NIDS where it can see
network
traffic between the trusted hosts it protects and the untrusted
exterior
world, and the signature-matching NIDS inspects the passing
pack-
ets for these sequences. It generates an alert as soon as it
encounters
one. Most commercial NIDSs follow this approach [19], and
also
the most well-known freeware NIDS, Snort [29]. As an
example,
to detect the buffer overflow described in CAN-2002-0392 [9],
Snort’s signature #1808 looks for the byte pattern 0xC0505289-
E150515250B83B000000CD80 [2] in Web requests. Keeping
in mind that there are more general forms of signatures used in
48. in-
trusion detection as well—some of which we briefly discuss in
§2—
in this paper we adopt this common use of the term signature.
Signature-matching in this sense has several appealing proper-
ties. First, the underlying conceptual notion is simple: it is easy
to explain what the matcher is looking for and why, and what
sort
of total coverage it provides. Second, because of this simplicity,
signatures can be easy to share, and to accumulate into large
“at-
tack libraries.” Third, for some signatures, the matching can be
quite tight: a match indicates with high confidence that an
attack
occurred.
On the other hand, signature-matching also has significant lim-
itations. In general, especially when using tight signatures, the
matcher has no capability to detect attacks other than those for
which it has explicit signatures; the matcher will in general
com-
pletely miss novel attacks, which, unfortunately, continue to be
de-
veloped at a brisk pace. In addition, often signatures are not in
fact
“tight.” For example, the Snort signature #1042 to detect an
exploit
of CVE-2000-0778 [9] searches for “Translate: F” in Web
requests; but it turns out that this header is regularly used by
certain
applications. Loose signatures immediately raise the major
problem
of false positives: alerts that in fact do not reflect an actual
attack.
A second form of false positive, which signature matchers
49. likewise
often fail to address, is that of failed attacks. Since at many
sites
attacks occur at nearly-continuous rates, failed attacks are often
of
little interest. At a minimum, it is important to distinguish
between
them and successful attacks.
A key point here is that the problem of false positives can po-
tentially be greatly reduced if the matcher has additional
context at
its disposal: either additional particulars regarding the exact
activ-
ity and its semantics, in order to weed out false positives due to
overly general “loose” signatures; or the additional information
of
how the attacked system responded to the attack, which often
indi-
cates whether the attack succeeded.
262
In this paper, we develop the concept of contextual signatures,
in which the traditional form of string-based signature matching
is
augmented by incorporating additional context on different
levels
when evaluating the signatures. First of all, we design and
imple-
ment an efficient pattern matcher similar in spirit to traditional
sig-
nature engines used in other NIDS. But already on this low-
level
50. we enable the use of additional context by (i) providing full
regu-
lar expressions instead of fixed strings, and (ii) giving the
signature
engine a notion of full connection state, which allows it to
corre-
late multiple interdependent matches in both directions of a user
session. Then, if the signature engine reports the match of a sig-
nature, we use this event as the start of a decision process,
instead
of an alert by itself as is done by most signature-matching
NIDSs.
Again, we use additional context to judge whether something
alert-
worthy has indeed occurred. This time the context is located on
a
higher-level, containing our knowledge about the network that
we
have either explicitly defined or already learned during
operation.
In §3.5, we will show several examples to demonstrate how the
concept of contextual signatures can help to eliminate most of
the
limitations of traditional signatures discussed above. We will
see
that regular expressions, interdependent signatures, and
knowledge
about the particular environment have significant potential to
reduce
the false positive rate and to identify failed attack attempts. For
example, we can consider the server’s response to an attack and
the set of software it is actually running—its vulnerability
profile—
to decide whether an attack has succeeded. In addition, treating
signature matches as events rather than alerts enables us to
51. analyze
them on a meta-level as well, which we demonstrate by
identifying
exploit scans (scanning multiple hosts for a known
vulnerability).
Instrumenting signatures to consider additional context has to
be
performed manually. For each signature, we need to determine
what
context might actually help to increase its performance. While
this
is tedious for large sets of already-existing signatures, it is not
an
extra problem when developing new ones, as such signatures
have
to be similarly adjusted to the specifics of particular attacks
anyway.
Contextual signatures serve as a building block for increasing
the
expressivess of signatures; not as a stand-alone solution.
We implemented the concept of contextual signatures in the
framework already provided by the freeware NIDS Bro [25]. In
contrast to most NIDSs, Bro is fundamentally neither an
anomaly-
based system nor a signature-based system. It is instead
partitioned
into a protocol analysis component and a policy script
component.
The former feeds the latter via generating a stream of events
that
reflect different types of activity detected by the protocol analy-
sis; consequently, the analyzer is also referred to as the event
en-
gine. For example, when the analyzer sees the establishment of
52. a TCP connection, it generates a connection established
event; when it sees an HTTP request it generates http request
and for the corresponding reply http reply; and when the event
engine’s heuristics determine that a user has successfully
authenti-
cated during a Telnet or Rlogin session, it generates login suc-
cess (likewise, each failed attempt results in a login failure
event).
Bro’s event engine is policy-neutral: it does not consider any
particular events as reflecting trouble. It simply makes the
events
available to the policy script interpreter. The interpreter then
ex-
ecutes scripts written in Bro’s custom scripting language in
order
to define the response to the stream of events. Because the lan-
guage includes rich data types, persistent state, and access to
timers
and external programs, the response can incorporate a great deal
of
context in addition to the event itself. The script’s reaction to a
par-
ticular event can range from updating arbitrary state (for
example,
tracking types of activity by address or address pair, or
grouping re-
lated connections into higher-level “sessions”) to generating
alerts
(e.g., via syslog) or invoking programs for a reactive response.
More generally, a Bro policy script can implement signature-
style
matching—for example, inspecting the URIs in Web requests,
the
53. MIME-encoded contents of email (which the event engine will
first
unpack), the user names and keystrokes in login sessions, or the
filenames in FTP sessions—but at a higher semantic level than
as
just individual packets or generic TCP byte streams.
Bro’s layered approach is very powerful as it allows a wide
range
of different applications. But it has a significant shortcoming:
while, as discussed above, the policy script is capable of
perform-
ing traditional signature-matching, doing so can be cumbersome
for
large sets of signatures, because each signature has to be coded
as
part of a script function. This is in contrast to the concise, low-
level
languages used by most traditional signature-based systems. In
ad-
dition, if the signatures are matched sequentially, then the
overhead
of the matching can become prohibitive. Finally, a great deal of
community effort is already expended on developing and
dissemi-
nating packet-based and byte-stream-based signatures. For
exam-
ple, the 1.9.0 release of Snort comes with a library of 1,715
signa-
tures [2]. It would be a major advantage if we could leverage
these
efforts by incorporating such libraries.
Therefore, one motivation for this work is to combine Bro’s
flexi-
bility with the capabilities of other NIDSs by implementing a
54. signa-
ture engine. But in contrast to traditional systems, which use
their
signature matcher more or less on its own, we tightly integrate
it
into Bro’s architecture in order to provide contextual signatures.
As
discussed above, there are two main levels on which we use
addi-
tional context for signature matching. First, at a detailed level,
we
extend the expressiveness of signatures. Although byte-level
pattern
matching is a central part of NIDSs, most only allow signatures
to
be expressed in terms of fixed strings. Bro, on the other hand,
al-
ready provides regular expressions for use in policy scripts, and
we
use them for signatures as well. The expressiveness of such
patterns
provides us with an immediate way to express syntactic context.
For example, with regular expressions it is easy to express the
no-
tion “string XYZ but only if preceded at some point earlier by
string
ABC”. An important point to keep in mind regarding regular
expres-
sion matching is that, once we have fully constructed the
matcher,
which is expressed as a Deterministic Finite Automaton (DFA),
the
matching can be done in O(n) time for n characters in the input,
and also Ω(n) time. (That is, the matching always takes time
linear
in the size of the input, regardless of the specifics of the input.)
55. The
“parallel Boyer-Moore” approaches that have been explored in
the
literature for fast matching of multiple fixed strings for Snort
[12, 8]
have a wide range of running times—potentially sublinear in n,
but
also potentially superlinear in n. So, depending on the
particulars
of the strings we want to match and the input against which we
do
the matching, regular expressions might prove fundamentally
more
efficient, or might not; we need empirical evaluations to
determine
the relative performance in practice. In addition, the
construction of
a regular expression matcher requires time potentially
exponential
in the length of the expression, clearly prohibitive, a point to
which
we return in §3.1.
Second, on a higher level, we use Bro’s rich contextual state to
implement our improvements to plain matching described
above.
Making use of Bro’s architecture, our engine sends events to the
policy layer. There, the policy script can use all of Bro’s
already
existing mechanisms to decide how to react. We show several
such
examples in §3.5.
Due to Snort’s large user base, it enjoys a comprehensive and
up-to-date set of signatures. Therefore, although for flexibility
we
56. have designed a custom signature language for Bro, we make
use
263
of the Snort libraries via a conversion program. This program
takes
an unmodified Snort configuration and creates a corresponding
Bro
signature set. Of course, by just using the same signatures in
Bro as
in Snort, we are not able to improve the resulting alerts in terms
of
quality. But even if we do not accompany them with additional
context, they immediately give us a baseline of already widely-
deployed signatures. Consequently, Snort serves us as a
reference.
Throughout the paper we compare with Snort both in terms of
qual-
ity and performance. But while doing so, we encountered
several
general problems for evaluating and comparing NIDSs. We be-
lieve these arise independently of our work with Bro and Snort,
and
therefore describe them in some detail. Keeping these
limitations
in mind, we then evaluate the performance of our signature
engine
and find that it performs well.
§2 briefly summarizes related work. In §3 we present the main
design ideas behind implementing contextual signatures: regular
expressions, integration into Bro’s architecture, some
difficulties
57. with using Snort signatures, and examples of the power of the
Bro
signature language. In §4 we discuss general problems of
evaluating
NIDSs, and then compare Bro’s signature matching with
Snort’s. §5
summarizes our conclusions.
2. RELATED WORK
[4] gives an introduction to intrusion detection in general,
defin-
ing basic concepts and terminology.
In the context of signature-based network intrusion detection,
previous work has focussed on efficiently matching hundreds of
fixed strings in parallel: [12] and [8] both present
implementations
of set-wise pattern matching for Snort [29]. For Bro’s signature
en-
gine, we make use of regular expressions [18]. They give us
both
flexibility and efficiency. [17] presents a method to
incrementally
build the underlying DFA, which we can use to avoid the
potentially
enormous memory and computation required to generate the
com-
plete DFA for thousands of signatures. An extended form of
regular
expressions has been used in intrusion detection for defining se-
quences of events [30], but to our knowledge no NIDS uses
them
for actually matching multiple byte patterns against the payload
of
packets.
58. In this paper, we concentrate on signature-based NIDS. Snort is
one of the most-widely deployed systems and relies heavily on
its
signature set. Also, most of the commercial NIDSs are
signature-
based [19], although there are systems that use more powerful
con-
cepts to express signatures than just specifying byte patterns.
NFR [28], for example, uses a flexible language called N-Code
to
declare its signatures. In this sense, Bro already provides
sophisti-
cated signatures by means of its policy language. But the goal
of our
work is to combine the advantages of a traditional dedicated
pattern
matcher with the power of an additional layer abstracting from
the
raw network traffic. IDS like STAT [35] or Emerald [26] are
more
general in scope than purely network-based systems. They con-
tain misuse-detection components as well, but their signatures
are
defined at a higher level. The STAT framework abstracts from
low-
level details by using transitions on a set of states as signatures.
A
component called NetSTAT [36] defines such state transitions
based
on observed network-traffic. Emerald, on the other hand,
utilizes
P-BEST [20], a production-based expert system to define
attacks
based on a set of facts and rules. Due to their general scope,
both
59. systems use a great deal of context to detect intrusions. On the
other
hand, our aim is to complement the most common form of
signa-
ture matching—low-level string matching—with context, while
still
keeping its efficiency.
The huge number of generated alerts is one of the most impor-
tant problems of NIDS (see, for example, [23]). [3] discusses
some
statistical limits, arguing in particular that the false-alarm rate
is the
limiting factor for the performance of an IDS.
Most string-based NIDSs use their own signature language, and
are therefore incompatible. But since most languages cover a
com-
mon subset, it is generally possible to convert the signatures of
one
system into the syntax of another. ArachNIDS [1], for example,
generates signatures dynamically for different systems based on
a
common database, and [32] presents a conversion of Snort
signa-
tures into STAT’s language, although it does not compare the
two
systems in terms of performance. We take a similar approach,
and
convert Snort’s set into Bro’s new signature language.
For evaluation of the new signature engine, we take Snort as a
reference. But while comparing Bro and Snort, we have encoun-
tered several difficulties which we discuss in §4. They are part
of
60. the general question of how to evaluate NIDSs. One of the most
comprehensive evaluations is presented in [21, 22], while [24]
of-
fers a critique of the methodology used in these studies. [14]
further
extends the evaluation method by providing a user-friendly
environ-
ment on the one hand, and new characterizations of attack
traffic
on the other hand. More recently, [10] evaluates several
commer-
cial systems, emphasizing the view of an analyst who receives
the
alerts, finding that these systems ignore relevant information
about
the context of the alerts. [15] discusses developing a benchmark
for
NIDSs, measuring their capacity with a representative traffic
mix.
(Note, in §4.2 we discuss our experiences with the difficulty of
find-
ing “representative” traces.)
3. CONTEXTUAL SIGNATURES
The heart of Bro’s contextual signatures is a signature engine
de-
signed with three main goals in mind: (i) expressive power, (ii)
the
ability to improve alert quality by utilizing Bro’s contextual
state,
and (iii) enabling the reuse of existing signature sets. We
discuss
each in turn. Afterwards, we present our experiences with
Snort’s
signature set, and finally show examples which demonstrate
61. appli-
cations for the described concepts.
3.1 Regular Expressions
A traditional signature usually contains a sequence of bytes that
are representative of a specific attack. If this sequence is found
in the payload of a packet, this is an indicator of a possible at-
tack. Therefore, the matcher is a central part of any signature-
based
NIDS. While many NIDSs only allow fixed strings as search
pat-
terns, we argue for the utility of using regular expressions.
Regular
expressions provide several significant advantages: first, they
are
far more flexible than fixed strings. Their expressiveness has
made
them a well-known tool in many applications, and their power
arises
in part from providing additional syntactic context with
which to sharpen textual searches. In particular, character
classes,
union, optional elements, and closures prove very useful for
speci-
fying attack signatures, as we see in §3.5.1.
Surprisingly, given their power, regular expressions can be
matched very efficiently. This is done by compiling the expres-
sions into DFAs whose terminating states indicate whether a
match
is found. A sequence of n bytes can therefore be matched with
O(n) operations, and each operation is simply an array lookup—
highly efficient.
The total number of patterns contained in the signature set of
62. a NIDSs can be quite large. Snort’s set, for example, contains
1,715 distinct signatures, of which 1,273 are enabled by default.
Matching these individually is very expensive. However, for
fixed
strings, there are algorithms for matching sets of strings
simulta-
neously. Consequently, while Snort’s default engine still works
it-
eratively, there has been recent work to replace it with a “set-
wise”
264
matcher [8, 12].1 On the other hand, regular expressions give us
set-
wise matching for free: by using the union operator on the
individ-
ual patterns, we get a new regular expression which effectively
com-
bines all of them. The result is a single DFA that again needs
O(n)
operations to match against an n byte sequence. Only slight
modifi-
cations have been necessary to extend the interface of Bro’s
already-
existing regular expression matcher to explicitly allow grouping
of
expressions.
Given the expressiveness and efficiency of regular expressions,
there is still a reason why a NIDS might avoid using them: the
underlying DFA can grow very large. Fully compiling a regular
ex-
pression into a DFA leads potentially to an exponential number
63. of
DFA states, depending on the particulars of the patterns [18].
Con-
sidering the very complex regular expression built by combining
all individual patterns, this straight-forward approach could
easily
be intractable. Our experience with building DFAs for regular
ex-
pressions matching many hundreds of signatures shows that this
is
indeed the case. However, it turns out that in practice it is
possible
to avoid the state/time explosion, as follows.
Instead of pre-computing the DFA, we build the DFA “on-the-
fly” during the actual matching [17]. Each time the DFA needs
to
transit into a state that is not already constructed, we compute
the
new state and record it for future reuse. This way, we only store
DFA states that are actually needed. An important observation
is
that for n new input characters, we will build at most n new
states.
Furthermore, we find in practice (§4.3) that for normal traffic
the
growth is much less than linear.
However, there is still a concern that given inauspicious
traffic—
which may actually be artificially crafted by an attacker—the
state
construction may eventually consume more memory than we
have
available. Therefore, we also implemented a memory-bounded
DFA
64. state cache. Configured with a maximum number of DFA states,
it expires old states on a least-recently-used basis. In the sequel,
when we mention “Bro with a limited state cache,” we are
referring
to such a bounded set of states (which is a configuration option
for
our version of Bro), using the default bound of 10,000 states.
Another important point is that it’s not necessary to combine all
patterns contained in the signature set into a single regular
expres-
sion. Most signatures contain additional constraints like IP
address
ranges or port numbers that restrict their applicability to a
subset of
the whole traffic. Based on these constraints, we can build
groups
of signatures that match the same kind of traffic. By collecting
only
those patterns into a common regular expression for matching
the
group, we are able to reduce the size of the resulting DFA dras-
tically. As we show in §4, this gives us a very powerful pattern
matcher still efficient enough to cope with high-volume traffic.
3.2 Improving Alert Quality by Using Context
Though pattern matching is a central part of any signature-based
NIDSs, as we discussed above there is potentially great utility
in
incorporating more context in the system’s analysis prior to
gener-
ating an alert, to ensure that there is indeed something alert-
worthy
occurring. We can considerably increase the quality of alerts,
while
65. simultaneously reducing their quantity, by utilizing knowledge
about the current state of the network. Bro is an excellent tool
for
this as it already keeps a lot of easily accessible state.
The new signature engine is designed to fit nicely into Bro’s
lay-
ered architecture as an adjunct to the protocol analysis event en-
gine (see Figure 1). We have implemented a custom language
for
defining signatures. It is mostly a superset of other, similar lan-
1The code of [12] is already contained in the Snort distribution,
but
not compiled-in by default. This is perhaps due to some subtle
bugs,
some of which we encountered during our testing as well.
Figure 1: Integrating the signature engine (adapted from [25])
Event Control
Event Engine
Event stream
Real−time notification
Signature Control
Packet filter
Policy script
Filtered packet stream
66. Packet stream
Signature
Engine
Signatures
Network
Policy Layer
Packet capture
guages, and we describe it in more detail in §3.3. A new
component
placed within Bro’s middle layer matches these signatures
against
the packet stream. Whenever it finds a match, it inserts a new
event
into the event stream. The policy layer can then decide how to
re-
act. Additionally, we can pass information from the policy layer
back into the signature engine to control its operation. A
signature
can specify a script function to call whenever a particular
signature
matches. This function can then consult additional context and
in-
dicate whether the corresponding event should indeed be
generated.
We show an example of this later in §3.5.4.
In general, Bro’s analyzers follow the communication between
two endpoints and extract protocol-specific information. For
exam-
ple, the HTTP analyzer is able to extract URIs requested by
67. Web
clients (which includes performing general preprocessing such
as
expanding hex escapes) and the status code and items sent back
by servers in reply, whereas the FTP analyzer follows the
applica-
tion dialog, matching FTP commands and arguments (such as
the
names of accessed files) with their corresponding replies.
Clearly,
this protocol-specific analysis provides significantly more
context
than does a simple view of the total payload as an
undifferentiated
byte stream.
The signature engine can take advantage of this additional in-
formation by incorporating semantic-level signature matching.
For
example, the signatures can include the notion of matching
against
HTTP URIs; the URIs to be matched are provided by Bro’s
HTTP
analyzer. Having developed this mechanism for interfacing the
sig-
nature engine with the HTTP analyzer, it is now straight
forward
to extend it to other analyzers and semantic elements (indeed,
we
timed how long it took to add and debug interfaces for FTP and
Finger, and the two totalled only 20 minutes).
Central to Bro’s architecture is its connection management.
Each
network packet is associated with exactly one connection. This
no-
68. tion of connections allows several powerful extensions to
traditional
signatures. First of all, Bro reassembles the payload stream of
TCP
connections. Therefore, we can perform all pattern matching on
the
actual stream (in contrast to individual packets). While Snort
has a
preprocessor for TCP session reassembling, it does so by
combin-
ing several packets into a larger “virtual” packet. This packet is
then
passed on to the pattern matcher. Because the resulting analysis
remains packet-based, it still suffers from discretization
problems
introduced by focusing on packets, such as missing byte
sequences
that cross packet boundaries. (See a related discussion in [25] of
the
problem of matching strings in TCP traffic in the face of
possible
intruder evasion [27].)
In Bro, a signature match does not necessarily correspond to an
alert; as with other events, that decision is left to the policy
script.
Hence, it makes sense to remember which signatures have
matched
for a particular connection so far. Given this information, it is
then
possible to specify dependencies between signatures like
“signature
265
69. A only matches if signature B has already matched,” or “if a
host
matches more than N signatures of type C, then generate an
alert.”
This way, we can for example describe multiple steps of an
attack.
In addition, Bro notes in which direction of a connection a
particular
signature has matched, which gives us the notion of
request/reply
signatures: we can associate a client request with the
corresponding
server reply. A typical use is to differentiate between successful
and
unsuccessful attacks. We show an example in §3.5.3.
More generally, the policy script layer can associate arbitrary
kinds of data with a connection or with one of its endpoints.
This
means that any information we can deduce from any of Bro’s
other
components can be used to improve the quality of alerts. We
demon-
strate the power of this approach in §3.5.2.
Keeping per-connection state for signature matching naturally
raises the question of state management: at some point in time
we
have to reclaim state from older connections to prevent the
system
from exhausting the available memory. But again we can
leverage
the work already being done by Bro. Independently of our
signa-
tures, it already performs a sophisticated connection-tracking
70. using
various timeouts to expire connections. By attaching the
matching
state to the already-existing per-connection state, we assure that
the
signature engine works economically even with large numbers
of
connections.
3.3 Signature Language
Any signature-based NIDS needs a language for actually
defining
signatures. For Bro, we had to choose between using an already
existing language and implementing a new one. We have
decided
to create a new language for two reasons. First, it gives us more
flexibility. We can more easily integrate the new concepts
described
in §3.1 and §3.2. Second, for making use of existing signature
sets,
it is easier to write a converter in some high-level scripting
language
than to implement it within Bro itself.
Snort’s signatures are comprehensive, free and frequently up-
dated. Therefore, we are particularly interested in converting
them
into our signature language. We have written a corresponding
Py-
thon script that takes an arbitrary Snort configuration and
outputs
signatures in Bro’s syntax. Figure 2 shows an example of such a
conversion.
Figure 2: Example of signature conversion
71. alert tcp any any -> [a.b.0.0/16,c.d.e.0/24] 80
( msg:"WEB-ATTACKS conf/httpd.conf attempt";
nocase; sid:1373; flow:to_server,established;
content:"conf/httpd.conf"; [...] )
(a) Snort
signature sid-1373 {
ip-proto == tcp
dst-ip == a.b.0.0/16,c.d.e.0/24
dst-port == 80
# The payload below is actually generated in a
# case-insensitive format, which we omit here
# for clarity.
payload /.*conf/httpd.conf/
tcp-state established,originator
event "WEB-ATTACKS conf/httpd.conf attempt"
}%
(b) Bro
It turns out to be rather difficult to implement a complete parser
for Snort’s language. As far as we have been able to determine,
its
syntax and semantics are not fully documented, and in fact often
only defined by the source code. In addition, due to different
inter-
nals of Bro and Snort, it is sometimes not possible to keep the
exact
semantics of the signatures. We return to this point in §4.2.
As the example in Figure 2 shows, our signatures are defined by
means of an identifier and a set of attributes. There are two
main
72. types of attributes: (i) conditions and (ii) actions. The
conditions
define when the signature matches, while the actions declare
what
to do in the case of a match. Conditions can be further divided
into
four types: header, content, dependency, and context.
Header conditions limit the applicability of the signature to a
sub-
set of traffic that contains matching packet headers. For TCP,
this
match is performed only for the first packet of a connection. For
other protocols, it is done on each individual packet. In general,
header conditions are defined by using a tcpdump-like [33]
syntax
(for example, tcp[2:2] == 80 matches TCP traffic with desti-
nation port 80). While this is very flexible, for convenience
there
are also some short-cuts (e.g., dst-port == 80).
Content conditions are defined by regular expressions. Again,
we differentiate two kinds of conditions here: first, the
expression
may be declared with the payload statement, in which case it is
matched against the raw packet payload (reassembled where
appli-
cable). Alternatively, it may be prefixed with an analyzer-
specific
label, in which case the expression is matched against the data
as
extracted by the corresponding analyzer. For example, the
HTTP
analyzer decodes requested URIs. So, http /(etc/(passwd
|shadow)/ matches any request containing either etc/passwd