DNS rebinding was discovered in 1996 and affected the Java Virtual Machine (VM). Recently a group of researchers at Stanford found out that this vulnerability is still present in browsers and that the common solution, known as DNS pinning, is not effective anymore. In August, SecurityFocus covered the resurgence of interest in the attacks at the Black Hat Security briefings in Las Vegas.
Federico Biancuzzi tracked down one of the authors of the study, Adam Barth, to learn about the impact of the problem, which workarounds can be deployed right now, and how to protect browsers from DNS rebinding attacks in the long run.
SecurityFocus: Could you introduce yourself?
Adam Barth: I'm a Ph.D. student at Stanford University and a member of the Stanford Web Security Lab. Collin Jackson, Andrew Bortz, Weidong Shao, Dan Boneh, and I are presenting a paper at the 2007 ACM Conference on Computer and Communications Security, detailing how to protect browsers from DNS rebinding attacks.
SecurityFocus: What is DNS rebinding?
Adam Barth: DNS rebinding is a vulnerability in Web browsers and their plug-ins that can be exploited to circumvent firewalls or to temporarily hijack a client's IP address, effectively converting browsers into open network proxies. Users rely on their Web browsers to isolate sites they visit using the same origin policy: one site should be able to read and write data only from itself. DNS rebinding vulnerabilities permit an attacker to confuse a Web browser into aggregating a target server into his or her origin, allowing the attacker to communicate with that server through the browser.
SecurityFocus: What type of attacks can it be used for?
Adam Barth: These vulnerabilities can be used for two types of attacks.
First, DNS rebinding can be exploited to circumvent firewalls. If a user inside a corporate network views malicious content (delivered, for example, as an advertisement on a reputable Web site) the attacker can open network connections to any machine behind the corporation's firewall, through the browser. Using these connections, the attacker can exfiltrate confidential documents, exploit unpatched vulnerabilities in network services, or otherwise abuse network services relying on the firewall for protection.
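The two answers above describe the mechanism: the browser's same origin policy compares hostnames, so when the attacker's name is re-resolved to an internal address the browser still treats the internal server as part of the attacker's origin. Two defensive layers that do not depend on the browser follow from that description, and the added example below (written for this article, not code from the Stanford paper) shows both: an internal HTTP service that rejects requests whose Host header does not name it (in a rebinding attack the browser sends the attacker's hostname in Host, not the server's), and a resolver-side filter that refuses DNS answers mapping an external name to a private, loopback or link-local address. The hostnames, the `.internal` zone suffix and the addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable

# Hostnames this internal service legitimately answers to (constructed values).
ALLOWED_HOSTS = {"intranet.example.internal", "10.0.0.5"}

# Address ranges that should never appear in an answer for an external name:
# RFC 1918 private space, loopback, link-local and their IPv6 counterparts.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption for the example: names in this zone are expected to resolve internally.
INTERNAL_ZONE_SUFFIX = ".internal"


def host_header_is_trusted(host_header: str,
                           allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Server-side check: accept a request only if its Host header names this server.

    A browser confused by DNS rebinding still believes it is talking to the
    attacker's hostname, so that is the name it places in the Host header.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip an optional port, handling bracketed IPv6 literals such as "[::1]:80".
    if host.startswith("["):
        host = host.split("]")[0][1:]
    elif host.count(":") == 1:
        host = host.split(":")[0]
    return host in {h.lower() for h in allowed_hosts}


def answer_is_suspicious(qname: str, answers: Iterable[str]) -> bool:
    """Resolver-side check: flag a DNS response that maps an external name
    to an address inside NON_PUBLIC_NETS. Names in the internal zone are exempt."""
    if qname.lower().endswith(INTERNAL_ZONE_SUFFIX):
        return False
    for rdata in answers:
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # not an address record; nothing to judge here
        # Version mismatch (v4 address vs v6 network) evaluates to False in ipaddress.
        if any(ip in net for net in NON_PUBLIC_NETS):
            return True
    return False


def evaluate_rebinding_sequence(page_host: str, rebound_ip: str,
                                server_allowed_hosts: Iterable[str]) -> Dict[str, bool]:
    """Walk the sequence the interview describes and report which layer stops it.

    The browser compares only hostnames, so after the attacker's name is
    re-resolved to rebound_ip the request is still same-origin and goes out.
    """
    browser_allows = True  # hostname unchanged, so the same origin policy is satisfied
    resolver_blocks = answer_is_suspicious(page_host, [rebound_ip])
    # The browser keeps sending page_host as the Host header to the rebound address.
    server_rejects = not host_header_is_trusted(page_host, server_allowed_hosts)
    return {
        "browser_allows": browser_allows,
        "resolver_blocks": resolver_blocks,
        "server_rejects": server_rejects,
    }


if __name__ == "__main__":
    # Constructed scenario: an external page name later resolves to an intranet address.
    verdict = evaluate_rebinding_sequence("ads.attacker.example", "10.0.0.5",
                                          {"intranet.example.internal"})
    for layer, outcome in verdict.items():
        print(f"{layer}: {outcome}")
```

The Host header check is the one a service owner can deploy without touching clients or resolvers; the resolver filter protects every host on the network at once but needs an exemption list for zones that legitimately resolve to internal space, which is why the example carries `INTERNAL_ZONE_SUFFIX`.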
Second, DNS rebinding can be exploited to temporarily hijack a user's IP address to send spam email or defraud pay-per-click advertisers. Filtering spam relies heavily on blacklisting IP addresses known to send spam. Using DNS rebinding, an attacker can send spam from the IP address of every client viewing his or her malicious content, avoiding these blacklists. Similarly, the pay-per-click advertising schemes used by most advertising networks rely on filtering fake clicks by examining the patterns of clicks by each IP address. Using DNS rebinding, the attacker can launder his or her clicks through hundreds of thousands of unsuspecting Web browsers.
These attacks are extremely cost effective, because the attacker needs only the client to display his or her malicious content. Advertising networks sell impressions for tens of cents per thousand. We ran an experiment where we ran a Flash advertisement containing a DNS rebinding attack (against ourselves) on an advertising network and were able to hijack 30,000 unique IP addresses for $30, an order of magnitude cheaper than building a traditional bot network.