Examples of DNS rebinding attacks

DNS rebinding attacks have been known for a long time. For example, the Stanford Web Security Research team published a whitepaper about DNS rebinding attacks in 2007. But even though it is a well-known type of attack, you can still find software that is vulnerable to DNS rebinding today. For example, Google Project Zero recently discovered such problems in the Blizzard Update Agent and in the BitTorrent Transmission daemon.

What is Same-Origin Policy?

In theory, the Same-Origin Policy (SOP) implemented by a web browser prevents client-side scripts from reading resources that belong to other websites (apart from a few cases that are considered safe enough, such as embedding an image or a script tag). In other words, a script is only allowed to read content from the origin that served the script, where an origin is the combination of scheme, host name and port. One of the key steps here is therefore comparing host names. Let’s assume that a web browser opens http://ostap.com/index.html, which contains JavaScript code. The JavaScript code then tries to use XMLHttpRequest to download the content of http://hooves.com/secret.html and display it. A browser that enforces SOP denies this attempt because the script came from ostap.com and is only allowed to read content from ostap.com. Note that the comparison is made on the host name, not on the IP address the host name currently resolves to.

Why is Same-Origin Policy important?

Let’s imagine that http://ostap.com is a public website owned by an adversary. Let’s also assume that http://hooves.com is a website on a private network belonging to the "Horns and Hooves" company, and that this private network is not accessible from the Internet. Finally, let’s assume that the adversary doesn’t have access to the private network but still wants to read http://hooves.com/secret.html. Without SOP it would be enough to lure an employee whose browser sits inside the private network to http://ostap.com: a script on that page could download secret.html through the employee’s browser and send it back to the adversary. SOP is what is supposed to stop this.

What is a DNS rebinding attack?

The goal of a DNS rebinding attack is to get around the restrictions enforced by Same-Origin Policy. The adversary controls the DNS records for ostap.com and answers queries with a very short TTL. The first answer points at the adversary’s own web server, which serves the malicious script; once the TTL expires, the next answer points at an address inside the victim’s private network. From the browser’s point of view the script is still talking to ostap.com, so SOP is satisfied, but the connection now goes to hooves.com.

      Web browser                                         http://ostap.com
   (Mr. Panikovsky)                                         (adversary)
          |                                                      |
 +----------------+                                              |
 | load ostap.com |                                              |
 +----------------+                                              |
          |                                                      |
          |  DNS: resolve ostap.com                              |
          |----------------------------------------------------->|
          |                                                      |
          |  DNS: IP of ostap.com (short TTL)                    |
          |  1.1.1.1                                             |
          |<-----------------------------------------------------|
          |                                                      |
          |  HTTP: get http://1.1.1.1/index.html                 |
          |----------------------------------------------------->|
          |                                                      |
          |  HTTP: index.html with a script                      |
          |<-----------------------------------------------------|
          |                                                      |
 +-------------------------------+                               |
 | run the script                |                               |
 | which requests                |                               |
 | http://ostap.com/secret.html  |                               |
 +-------------------------------+                               |
          |                                                      |
          |  DNS: resolve ostap.com again                        |
          |  because of short TTL                                |
          |----------------------------------------------------->|
          |                                                      |
          |  DNS: IP of hooves.com                               |
          |  2.2.2.2                                             |
          |<-----------------------------------------------------|
          |                                                      |
          |  HTTP: get http://2.2.2.2/secret.html                |
          |  (Host: ostap.com, but the connection now            |
          |   goes to hooves.com in the private network)         |
          |----------------------------------------------------->|
          |                                                      |
          |  HTTP: secret.html                                   |
          |  game over, SOP bypassed                             |
          |  then the script can send                            |
          |  secret.html to the adversary                        |
          |<-----------------------------------------------------|
          |                                                      |
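The exchange in the diagram, replayed as an added example in Node.js. This is not code from the original post: the host names, addresses and secret.html are the post’s own placeholders, while the class names, the one-second TTL, the clock and the secret text are assumptions made here. The browser model caches DNS answers for their TTL and enforces SOP by comparing origins only, which is exactly why the rebound request goes through.

```javascript
// Added example (not code from the article): a miniature model of the
// exchange in the diagram above. The host names, IP addresses and the
// "secret.html" page are the article's placeholders; the class names,
// the 1 s TTL, the secret text and the clock are assumptions made here.

// An origin is scheme + host name + port. This is all SOP compares; the IP
// address the host name currently resolves to is not part of it.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// The adversary's authoritative DNS server for ostap.com. The first answer
// points at the adversary's web server with a very short TTL; every later
// answer points at hooves.com inside the victim's private network.
class RebindingResolver {
  constructor() { this.queries = 0; }
  resolve(name) {
    if (name !== 'ostap.com') throw new Error(`not authoritative for ${name}`);
    this.queries += 1;
    return this.queries === 1
      ? { ip: '1.1.1.1', ttl: 1 }     // adversary's server, TTL of one second
      : { ip: '2.2.2.2', ttl: 300 };  // hooves.com on the private network
  }
}

// Servers reachable by IP address. 2.2.2.2 answers any request that reaches
// it, regardless of the Host header; that is the weakness the attack abuses.
const network = {
  '1.1.1.1': (path) => (path === '/index.html'
    ? { status: 200, body: '<script>fetch("http://ostap.com/secret.html")</script>' }
    : { status: 404, body: '' }),
  '2.2.2.2': (path) => (path === '/secret.html'
    ? { status: 200, body: 'SECRET: Q3 figures' }   // constructed sample content
    : { status: 404, body: '' }),
};

// A browser that caches DNS answers for their TTL and enforces SOP by origin.
class Browser {
  constructor(resolver, clock) {
    this.resolver = resolver;
    this.clock = clock;          // returns the current time in seconds
    this.dnsCache = new Map();
    this.log = [];
    this.origin = null;          // origin of the page currently loaded
  }
  lookup(host) {
    const cached = this.dnsCache.get(host);
    if (cached && cached.expires > this.clock()) return cached.ip;
    const { ip, ttl } = this.resolver.resolve(host);
    this.dnsCache.set(host, { ip, expires: this.clock() + ttl });
    this.log.push(`DNS ${host} -> ${ip} (ttl ${ttl})`);
    return ip;
  }
  httpGet(urlString) {
    const u = new URL(urlString);
    const ip = this.lookup(u.hostname);
    const res = network[ip](u.pathname);
    this.log.push(`HTTP GET http://${ip}${u.pathname} with Host: ${u.host} -> ${res.status}`);
    return res;
  }
  // Top-level navigation: no SOP check, the page becomes the new origin.
  navigate(urlString) {
    this.origin = originOf(urlString);
    return this.httpGet(urlString);
  }
  // A script on the current page calls fetch(): SOP compares origins only.
  scriptFetch(urlString) {
    if (originOf(urlString) !== this.origin) {
      this.log.push(`SOP blocked ${urlString}`);
      return { status: 0, body: '' };      // opaque response, body unreadable
    }
    return this.httpGet(urlString);
  }
}

// Replays the diagram: load the page, try hooves.com directly (blocked), wait
// for the TTL to expire, then fetch ostap.com/secret.html (rebound, allowed).
function runAttack() {
  let now = 0;
  const browser = new Browser(new RebindingResolver(), () => now);
  browser.navigate('http://ostap.com/index.html');
  const direct = browser.scriptFetch('http://hooves.com/secret.html');
  now += 5;                                // the 1 s TTL has expired
  const rebound = browser.scriptFetch('http://ostap.com/secret.html');
  return { direct, rebound, log: browser.log };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runAttack());
```

Running it prints the log: the first lookup returns 1.1.1.1, the direct request to hooves.com is blocked by SOP, and after the TTL expires the second lookup returns 2.2.2.2 and secret.html is served with status 200. The request that reaches hooves.com still carries Host: ostap.com; that header is the one thing that distinguishes a rebound request from a legitimate one, and it is what the mitigation below relies on.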

Example: Blizzard games were vulnerable to DNS rebinding attack

If you play Blizzard’s online games, you should probably be aware of the recent security vulnerability in the Blizzard Update Agent. The issue was discovered by Google’s Project Zero. The agent runs on the player’s machine and exposes an HTTP API on localhost, so a DNS rebinding attack lets a website the player visits talk to that API from the browser. Making a long story short, if you play Blizzard games, you may be in danger.

Preventing DNS rebinding attacks

Here is a lesson that can be learnt from this issue. Let’s imagine that you have a project which contains a server that provides some kind of HTTP API. Then let’s assume that this server is supposed to be accessed only from the same host or from a private network. It may even bind its port only to localhost (127.0.0.1), or the port may be protected from external connections by a firewall. This kind of assumption may make you think that your server is protected from malicious requests, but that is not actually true. An attacker can still run a DNS rebinding attack to access the server through a browser that is already on the inside: the request arrives from localhost or from the private network, exactly as the server expects.

There are a couple of ways to mitigate this issue, and which one fits depends on the actual software system. One possible way is to check whether the 'Host' header is exactly 'localhost' (or any other allowed host name) and to reject the request if the 'Host' header contains an unexpected host name. In other words, a proper whitelist should be implemented for the 'Host' header. This works because a rebound request still carries the attacker’s name (for example 'Host: ostap.com'): the browser fills in the host name from the URL the script requested, and the script cannot change it. Two caveats: compare the whole value, name and port, exactly, not as a substring (an attacker can register 'localhost.ostap.com' and point it at 127.0.0.1), and reject requests with a missing 'Host' header as well, since browsers always send it.

I write about Java, security, electronics and DIY
