
Protecting browsers from DNS rebinding attacks

Published: 17 January 2009

Abstract

DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than $100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.

Published In

ACM Transactions on the Web, Volume 3, Issue 1
January 2009
123 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/1462148

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 January 2009
Accepted: 01 October 2008
Revised: 01 September 2008
Received: 01 June 2008
Published in TWEB Volume 3, Issue 1

Author Tags

  1. DNS
  2. Same-origin policy
  3. click fraud
  4. firewall
  5. spam

Qualifiers

  • Research-article
  • Research
  • Refereed
