Protecting browsers from DNS rebinding attacks

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between browsers and their plug-ins, such as Flash and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that the classic defense against these attacks, called "DNS pinning," is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers: we suggest easy-to-deploy patches for plug-ins that prevent large-scale exploitation, provide a defense tool, dnswall, that prevents firewall circumvention, and detail two defense options, policy-based pinning and host name authorization.
