What is a DNS Rebinding Attack?
Did you know? DNS rebinding exploits a gap in the browser's same-origin policy: the policy keys on the hostname, but an attacker who controls a domain's DNS can rebind that hostname to an address on the victim's local network, so a malicious website can attack the victim's internal network from inside the browser. In this blog post, we delve into the workings and impact of the DNS rebinding attack. Following this, we explore widely adopted countermeasures against this type of attack and discuss their shortcomings.
What is a DNS Rebinding Attack?
A DNS rebinding attack manipulates how a domain name resolves over time. The attacker registers a domain and runs its authoritative nameserver, so no compromise or hijacking of anyone else's domain is needed. The victim's browser loads a page from that domain; afterwards, the attacker's nameserver answers further lookups of the same name with an internal address, such as the victim's router, a NAS, or a developer's local API. Because the same-origin policy is keyed on the hostname rather than the IP address, the page's JavaScript can now read responses from the internal host as if they were the page's own. The attack does not exploit a vulnerability in the browser itself; it abuses the gap between name-based origin checks and address-based reachability, turning the browser into a proxy into the victim's network. DNS rebinding is therefore rarely a standalone attack: it is the pivot that lets a public website reach services that were assumed to be unreachable from the Internet.
How does it work?
The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker's control. That server answers with records carrying a very short time to live (TTL), so neither the resolver nor the browser caches the answer for long. When the victim visits the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code.
For instance, it could point the victim's browser to a page containing malicious JavaScript (in older attacks, also Flash) intended to run in the victim's browser.
The malicious client-side code then makes further requests to the original domain name. The same-origin policy permits these, because the origin is defined by the hostname, not by the IP address. By now the short TTL has expired, so the browser issues a fresh DNS query for the domain, and the attacker replies with a different address: an internal one such as 192.168.1.1 or 127.0.0.1, or the address of a target elsewhere on the Internet. The script's requests now reach that host, and the browser lets the script read the responses as if they came from anydomain.com.
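The sequence above, as an added example that is not part of the original post: a Python simulation in which the attacker's nameserver is a small state machine answering real DNS wire-format A queries for a hypothetical zone (anydomain.com, with 203.0.113.10 as the page host and 192.168.1.1 as the internal target; all constructed), and the browser side re-resolves on every request because the TTL is 0. No network traffic is sent; the point is that the origin string never changes while the destination address does.

```python
"""Simulation of the rebinding sequence above (example added here, not code from the
original post). The attacker's nameserver is a small state machine that answers real
DNS wire-format A queries for a hypothetical zone; no network I/O is performed.
Domain, addresses and queries are constructed for this example."""
import struct

ATTACKER_DOMAIN = "anydomain.com"     # hypothetical attacker-owned zone
PUBLIC_IP = "203.0.113.10"            # host serving the malicious page (TEST-NET-3)
INTERNAL_TARGET = "192.168.1.1"       # e.g. the victim's router (RFC 1918)


def encode_name(name):
    """Encode a hostname as DNS labels (length byte + label, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed DNS name at offset; returns (name, offset after it)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(name, txid):
    """Standard A query: header with RD set, one question, QTYPE=1 (A), QCLASS=1 (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


class RebindingNameserver:
    """Attacker-controlled authoritative server. The first answer points at the page
    host, every later answer at the internal target. TTL 0 forces re-resolution."""

    def __init__(self):
        self.queries_seen = 0

    def answer(self, query):
        txid = struct.unpack("!H", query[:2])[0]
        qname, qend = decode_name(query, 12)
        qtype = struct.unpack("!H", query[qend:qend + 2])[0]
        question = query[12:qend + 4]
        if qname != ATTACKER_DOMAIN or qtype != 1:
            # NXDOMAIN: flags QR|RD|RA with RCODE=3, question echoed, no answers
            return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        self.queries_seen += 1
        ip = PUBLIC_IP if self.queries_seen == 1 else INTERNAL_TARGET
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, NOERROR
        # Answer RR: name = compression pointer to the question name (0xC00C),
        # TYPE A, CLASS IN, TTL 0, RDLENGTH 4, RDATA = IPv4 address
        rdata = bytes(int(o) for o in ip.split("."))
        return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + rdata


def parse_a_answer(resp):
    """Return (ttl, dotted_ip) from the first answer RR of a response built above."""
    _, qend = decode_name(resp, 12)
    rr = qend + 4                                   # skip the question's QTYPE/QCLASS
    # 2-byte name pointer, then TYPE, CLASS, TTL, RDLENGTH
    _, _, ttl, rdlen = struct.unpack("!HHIH", resp[rr + 2:rr + 12])
    rdata = resp[rr + 12:rr + 12 + rdlen]
    return ttl, ".".join(str(b) for b in rdata)


def simulate_attack(n_requests=3):
    """Model the victim's browser: every request to the page's origin triggers a new
    lookup because the TTL is 0. The origin string never changes, only the IP does,
    so the same-origin policy keeps treating the internal host as the page's own."""
    ns = RebindingNameserver()
    trace = []
    for i in range(n_requests):
        ttl, ip = parse_a_answer(ns.answer(build_query(ATTACKER_DOMAIN, 0x1000 + i)))
        trace.append((f"http://{ATTACKER_DOMAIN}/", ip, ttl))
    return trace


if __name__ == "__main__":
    for origin, ip, ttl in simulate_attack():
        print(f"origin={origin} resolved_to={ip} ttl={ttl}")
```

The trace shows the same origin, http://anydomain.com/, resolving first to the public page host and then to the router; a real browser's DNS pinning (discussed below) is exactly an attempt to refuse that second answer for a while.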
How to mitigate the threat of DNS Rebinding Attacks
Several mitigation strategies exist, each addressing a different stage of the attack and each with its own limitations. Together they form a layered defence; none of them is sufficient on its own.
- Browser-based mitigation: Modern browsers use DNS pinning, keeping a resolved address in their own cache for a fixed period and ignoring the record's TTL, so the attacker cannot swap the address simply by serving a TTL of zero. This blocks the classic time-based variant, but it can be circumvented: the attacker can keep the page open until the pin expires and the browser re-resolves, or return multiple A records (one public, one internal) and then stop answering on the public address so the browser fails over to the internal one without a new lookup. Long-lived pages, such as a page streaming a long video, give the attacker exactly that time.
- DNS-based mitigation: Resolvers and DNS filtering services can drop answers that point to private (RFC 1918) or loopback addresses; local caching resolvers such as Dnsmasq (--stop-dns-rebind) and Unbound (private-address) implement this policy. Its weaknesses: not every non-routable range is covered by default (link-local, CGNAT, IPv6 ULA and IPv4-mapped IPv6 addresses are common gaps); a CNAME can bypass the filter, because the attacker's nameserver can answer with an alias to a hostname in the victim's internal zone so the filtering resolver never sees a private address coming from the attacker's domain; and split-horizon names that legitimately resolve to internal addresses break unless they are allowlisted.
- Server-based mitigation: Serving private services over HTTPS with a certificate issued for the service's own hostname defeats rebinding: the browser connects to https://anydomain.com, the rebound internal server presents a certificate for a different name, and the TLS handshake fails before any request is sent. Requiring authentication with strong credentials on private services, rather than none or defaults, adds a further layer. The weakness is scalability: it depends on the developers of each internal service, and third-party devices and applications in both home and enterprise networks often cannot be changed by the network owner.
- Real-time DNS rebinding detection: A signature-based system monitors DNS traffic for the pattern a rebinding attack leaves behind: a hostname that resolves to a public address and, shortly afterwards and with a very low TTL, to an internal address or, via CNAME, to an internal hostname. It can identify malicious hostnames as they are used, covers a wide variety of rebinding variants, and suppresses false positives with filters for known-legitimate usage such as split-horizon zones. Its coverage is limited to the DNS traffic the monitored resolver actually sees; clients that send their queries elsewhere, for example over DoH or DoT to an external resolver, are invisible to it.
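The DNS-based mitigation and the real-time detection items above, as one added example (not the original post's code and not the implementation of any named resolver or product): a resolver policy that drops answers in non-routable ranges, following CNAME chains and unwrapping IPv4-mapped IPv6 so that neither an alias nor a v6 answer can smuggle an internal address through, with an allowlist for split-horizon zones; and a detector that raises an alert when a hostname that recently resolved to a public address now resolves to an internal one. The blocked ranges deliberately go beyond RFC 1918 and loopback, closing one of the gaps noted above. The record table, the log format and the 300-second window are constructed for the example.

```python
"""Resolver-side defences for the DNS-based mitigation and real-time detection items
above (example added here; not the original post's code nor any named resolver's).
Part one drops answers in non-routable ranges, following CNAME chains and unwrapping
IPv4-mapped IPv6. Part two flags a name whose answers flip from a public to an
internal address. Records, log lines and thresholds are constructed."""
import ipaddress
from collections import defaultdict

# Ranges never acceptable in an answer for a public internet name; wider than the
# RFC 1918 + loopback set, which is one of the gaps noted in the text.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "0.0.0.0/8", "169.254.0.0/16", "fe80::/10",        # this-network, link-local
    "100.64.0.0/10", "fc00::/7",                       # CGNAT (RFC 6598), IPv6 ULA
)]

def in_zones(name, zones):
    """True if name is, or lies under, one of the given DNS zones."""
    return any(name == z or name.endswith("." + z) for z in zones)

def is_blocked_address(addr):
    """True if addr is non-routable. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    first so it cannot smuggle a private IPv4 address past the check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def resolve_chain(records, name, max_hops=8):
    """Follow CNAME aliases until an address is reached. records maps
    name -> ("CNAME", target) or ("A" | "AAAA", address)."""
    for _ in range(max_hops):
        rtype, value = records[name]
        if rtype != "CNAME":
            return value
        name = value
    raise ValueError("CNAME chain too long")

def filter_answer(records, name, allowlist=()):
    """Resolver policy: the final address, or None if the answer must be dropped.
    allowlist holds zones (cf. dnsmasq --rebind-domain-ok) allowed to resolve to
    internal addresses, such as a corporate split-horizon zone."""
    addr = resolve_chain(records, name)
    if in_zones(name, allowlist) or not is_blocked_address(addr):
        return addr
    return None

class RebindDetector:
    """Alerts when a name that resolved to a public address within the last
    `window` seconds now resolves to an internal one; `legit_zones` are skipped."""
    def __init__(self, window=300, legit_zones=()):
        self.window = window
        self.legit_zones = tuple(legit_zones)
        self.history = defaultdict(list)      # name -> [(ts, ip)]

    def observe(self, ts, name, ip, ttl):
        if in_zones(name, self.legit_zones):
            return None
        earlier = self.history[name]
        alert = None
        if is_blocked_address(ip):
            for old_ts, old_ip in earlier:
                if ts - old_ts <= self.window and not is_blocked_address(old_ip):
                    alert = {"name": name, "from": old_ip, "to": ip, "ttl": ttl}
                    break
        earlier.append((ts, ip))
        return alert

def scan_log(lines, **detector_args):
    """Run the detector over 'ts name ip ttl' lines (a constructed log format)."""
    det = RebindDetector(**detector_args)
    alerts = []
    for line in lines:
        ts, name, ip, ttl = line.split()
        alert = det.observe(int(ts), name, ip, int(ttl))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed zone data: direct and CNAME-aliased internal answers, an IPv4-mapped
# IPv6 answer, a normal public name and a legitimate split-horizon corporate name.
SAMPLE_RECORDS = {
    "anydomain.com": ("A", "192.168.1.1"),
    "cdn.anydomain.com": ("CNAME", "edge.anydomain.com"),
    "edge.anydomain.com": ("A", "127.0.0.1"),
    "v6.anydomain.com": ("AAAA", "::ffff:10.0.0.5"),
    "www.example.net": ("A", "198.51.100.7"),
    "intranet.corp.example": ("A", "10.1.2.3"),
}
# Constructed resolver log: a public answer, then a rebind to the router 40 s later.
SAMPLE_LOG = [
    "1000 anydomain.com 203.0.113.10 0",
    "1040 anydomain.com 192.168.1.1 0",
    "1050 www.example.net 198.51.100.7 3600",
    "1060 intranet.corp.example 10.1.2.3 60",
]

if __name__ == "__main__":
    print([filter_answer(SAMPLE_RECORDS, n, allowlist=("corp.example",)) for n in SAMPLE_RECORDS])
    print(scan_log(SAMPLE_LOG, legit_zones=("corp.example",)))
```

Note what the allowlist costs: a zone placed on it is exempt from the filter entirely, so it is the first thing to audit if an internal name starts resolving to an address it never used before; the detector, which only skips `legit_zones`, still sees everything else.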
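For the server-based mitigation, an added example (not from the original post) that goes one step beyond the text: the certificate check works because the certificate names the service rather than the attacker's domain, and the same principle can be applied to plain HTTP by validating the Host header. During a rebinding attack the browser still sends Host: anydomain.com, because the page's origin never changed, while a legitimate client sends the service's own name or address. The allowed host names, the WSGI application and the /api/config path are hypothetical.

```python
"""Host-header validation for a private HTTP service (example added here; not code
from the original post). A rebound browser keeps sending the attacker's hostname in
Host:, so a service that only accepts its own names refuses the request outright.
Allowed hosts and the endpoint are hypothetical."""
ALLOWED_HOSTS = {"nas.home.arpa", "192.168.1.20", "::1", "localhost"}  # hypothetical


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Compare the Host header (optional :port, bracketed IPv6 literals handled)
    case-insensitively against the allowlist. A missing or empty Host is rejected."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                  # e.g. [::1]:8080
        end = host.find("]")
        if end < 0:
            return False
        host = host[1:end]
    else:
        host = host.split(":", 1)[0]
    return host in allowed


def app(environ, start_response):
    """WSGI application: reject a mismatched Host before any handler, cookie or
    session logic runs, so a rebound browser gets neither data nor side effects."""
    if not host_allowed(environ.get("HTTP_HOST")):
        start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
        return [b"Host header does not name this service\n"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status": "ok", "config": "internal data"}\n']


def call(host_header):
    """Invoke the app with a constructed WSGI environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/config"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for h in ("nas.home.arpa", "192.168.1.20:8080", "[::1]:8080", "anydomain.com", None):
        print(repr(h), "->", call(h)[0])
```

421 Misdirected Request is the status defined for a request whose Host does not belong to the server; 400 or 403 are common substitutes. The check belongs in front of the whole application, including any authentication, because the point is that the rebound browser may already carry the victim's session cookie.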
Conclusion
DNS rebinding turns the victim's browser into a tunnel to private services. With it, attackers can read confidential information from internal services and send forged requests to them. Browsers, resolvers and web applications have each added protections, but advanced variants bypass the traditional defences, and complete protection becomes harder to enforce as the internal network grows more complex.