Did you know? DNS rebinding exploits a weakness in the browser's Same Origin Policy: attacker-controlled DNS records are used to bind the attacker's hostname to local network resources, allowing a malicious website to attack the victim's internal network.
In this blog post, we delve into the workings and impact of the DNS rebinding attack, including examples of how it can be exploited. Following this, we explore widely adopted countermeasures against this type of attack and discuss their shortcomings.
Let's get started:
Common Corporate Network Threats
Corporate private networks are intended to be isolated from the internet, preventing attackers from interacting with internal servers, and internal web applications such as network device management consoles. However, hackers have still found ways to take advantage of internal network resources from their external positions.
Common methods of attack include phishing and spear phishing, where attackers deliver socially engineered content to individuals inside the network and have them execute malicious payloads on behalf of the outside attacker; exploiting known vulnerabilities or misconfigurations in public-facing assets to break into the network; and using stolen credentials or password-spraying attacks to get in, again through public-facing applications such as VPNs and remote desktop services (RDP).
Another way that threat actors can pivot into an internal network is with a technique called DNS rebinding, which abuses the domain name system (DNS). DNS rebinding attacks use web pages that run a client-side script in the victim's browser to attack the victim's own internal network resources.
What Are DNS Rebinding Attacks?
Fundamentally, DNS rebinding attacks use malicious web pages to run the attacker's script client-side, in the victim's browser, to attack the victim's own internal network resources. They exploit how the Domain Name System (DNS) works in order to bypass the browser's same-origin policy, which is designed to prevent websites from accessing resources and services hosted on the underlying system's internal network.
Therefore, DNS rebinding attacks can circumvent network security measures that rely on network perimeter defenses and exploit devices that are not directly accessible from the internet. This attack technique is especially dangerous when devices on the targeted local network are not properly secured - perhaps because the network administrators believe they are inaccessible to attackers.
What is Same Origin Policy?
In the context of a DNS rebinding attack, the Same Origin Policy is the security measure that attackers want to circumvent to gain access to internal network resources. Browsers implement the Same Origin Policy to keep a script loaded from one origin (scheme, hostname and port) from reading resources that belong to a different origin; in this attack it is the hostname check that gets abused.
How Do DNS Rebinding Attacks Work?
There are several ways that DNS rebinding attacks can be executed by an attacker. For simplicity, here we will explain DNS rebinding attacks where an attacker quickly swaps out their DNS A records while the victim is browsing their website.
Here is a description of the attack process:
Initial DNS Lookup: The attacker registers a domain, say example.com, and hosts a malicious website on it. When a victim visits this website, their browser makes a DNS request to resolve the domain name (example.com) to an IP address; this process is fundamental to how the internet works. The attacker's DNS server responds with the legitimate IP address of the attacker's server where the malicious website is hosted.
DNS Rebinding: The attacker controls their malicious hostname's DNS records and can point them to any IP address they choose using A (IPv4) and AAAA (IPv6) records. In our example, the malicious script keeps making requests to example.com, and because the record was served with a very short TTL the browser soon asks its configured DNS server to resolve the hostname again. By that time the attacker has changed the address their DNS resolves to, from the original IP address of the server hosting example.com to an IP address within the reserved internal network ranges.
Bypassing Same Origin Policy: At this point, the victim's browser can be instructed to interact with the internal IP address without violating the Same Origin Policy, because, as mentioned earlier, the policy uses the hostname to decide what is in and out of scope, and the hostname has not changed. The browser is tricked into treating the internal resource as if it were part of the attacker's domain. This allows the malicious script to interact with internal network devices such as SOHO routers, printers and other computers on the network, and potentially even the localhost address 127.0.0.1, reaching services on the victim's own machine that listen on IP connections.
Attack Execution: The script can then perform a wide range of attacks on internal network assets, such as changing settings on a router, stealing information from web services running on the internal network, or exploiting vulnerabilities in internal applications, all without the knowledge or consent of the victim.
How to Mitigate the Threat of DNS Rebinding Attacks
This section outlines various mitigation strategies against DNS rebinding attacks, each with its technical explanation. Together they form a multi-layered defense, each layer addressing a different stage of the attack, but each also has its own limitations.
Browser-based Mitigation: Modern browsers employ DNS pinning, keeping a DNS resolution result in cache for a fixed period and ignoring the DNS TTL. This prevents attackers from changing the resolved IP address through frequent DNS requests. This method primarily blocks traditional time-varying attacks but can be bypassed by repeatedly sending requests until the cache expires, or by using multiple A-record attacks. Therefore, if the attacker can keep their website open in your browser long enough, the browser-based mitigation can be circumvented, which makes it especially risky to watch long video content on the attacker's website.
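To make the pinning behaviour and its limit concrete, here is a small model of a browser's DNS cache, added as an illustration and not taken from the original post or from any browser's source. The timeline, hostname and addresses are constructed: the attacker's authoritative server answers with a public address first, switches the A record to an internal address after five seconds, and serves a one-second TTL so a TTL-honouring client re-resolves almost immediately.

```python
"""Model of browser-side DNS pinning and of its limit (added example)."""
from dataclasses import dataclass, field

# Constructed timeline: (from_second, address the authoritative server returns)
AUTHORITATIVE_TIMELINE = [(0, "203.0.113.10"), (5, "192.168.1.1")]
RECORD_TTL = 1  # attacker-chosen TTL, deliberately tiny


def authoritative_lookup(now, timeline=AUTHORITATIVE_TIMELINE):
    """Address the attacker's DNS server hands out at time `now` (seconds)."""
    answer = timeline[0][1]
    for from_second, address in timeline:
        if now >= from_second:
            answer = address
    return answer


@dataclass
class BrowserResolver:
    """Minimal model of a browser's DNS cache.

    pin_seconds=0 honours the record TTL; a positive value keeps the first
    answer for at least that long regardless of TTL, as DNS pinning does.
    """
    pin_seconds: int = 0
    cache: dict = field(default_factory=dict)  # host -> (address, expires_at)

    def resolve(self, host, now, ttl=RECORD_TTL):
        cached = self.cache.get(host)
        if cached is not None and now < cached[1]:
            return cached[0]
        address = authoritative_lookup(now)
        # A pinned browser ignores a TTL shorter than its pin period.
        self.cache[host] = (address, now + max(ttl, self.pin_seconds))
        return address


def addresses_used(resolver, request_times, host="attacker.example"):
    """Address each request to `host` is sent to, one per entry in request_times."""
    return [resolver.resolve(host, t) for t in request_times]


if __name__ == "__main__":
    print("TTL honoured :", addresses_used(BrowserResolver(pin_seconds=0), [0, 10]))
    print("pinned 60 s  :", addresses_used(BrowserResolver(pin_seconds=60), [0, 10, 30]))
    # The pin only delays the rebind; a page kept open past it is exposed again.
    print("pinned, late :", addresses_used(BrowserResolver(pin_seconds=60), [0, 10, 30, 61]))
```

With pinning disabled the second request already goes to 192.168.1.1; with a 60-second pin every request inside that window stays on the public address, and the first request after the pin expires lands on the internal address, which is exactly the long-lived-page weakness described above.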
DNS-based Mitigation: DNS services like OpenDNS reject DNS responses that point to private (RFC 1918) and loopback IP addresses. DNS caching resolvers (Dnsmasq, Unbound) implement similar policies. However, not all non-routable IP addresses are blocked, and CNAME records can be used to bypass this mitigation. False positives may also block legitimate services that resolve to internal IP addresses.
Server-based Mitigation: Enabling HTTPS for private services and requiring correct domain validation for SSL certificates prevents attackers from establishing SSL connections: the internal service's certificate is issued for its own hostname, not the attacker's, so the browser refuses the connection when the rebound hostname does not match. Authentication with strong credentials on private services adds another layer of protection. This approach depends on the developers of each internal service, which makes it less scalable, and third-party applications in both home and enterprise environments make it hard for network owners to enforce.
Real-time DNS Rebinding Detection: A sophisticated signature-based system monitors DNS traffic to detect abnormal patterns indicative of DNS rebinding attacks. Such a system can identify malicious hostnames in real time and covers a wide variety of DNS rebinding attacks. Its strengths are high detection accuracy, prevention of false positives through the use of legitimate-usage filters, and the ability to recognize attacks targeting both internal IP addresses and hostnames.
DNS rebinding attacks exploit the domain name system (DNS) to bypass browser same-origin restrictions, allowing malicious websites to access and attack internal network resources that would otherwise be off limits. The technique manipulates DNS records so that the victim's browser associates the attacker's domain with internal network IPs, allowing unauthorized interactions with internal devices and services.
Mitigations include browser-based strategies like DNS pinning, which offer an initial defense layer by caching DNS information, although effective bypasses exist. DNS-based mitigations, such as filtering responses that point to private or loopback addresses, provide additional security, and server-side defenses, including the adoption of HTTPS and strong authentication, directly protect internal services but require complex implementation. Lastly, real-time DNS rebinding detection systems are highly effective at identifying malicious DNS activity with high accuracy.
Ready to test if your organization is at risk of being targeted by a successful DNS rebinding attack? Reach out to our team today for your free, zero-obligation quote.