DNS Rebinding Prevention for the Weak Host Model Attacks

Bradley Falzon brad at teambrad.net
Wed Aug 18 00:10:52 UTC 2010


On Wed, Aug 18, 2010 at 1:01 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Bradley Falzon:
>
>> Craig Heffner's version of the DNS Rebinding attack, similar to all
>> DNS Rebinding attacks, requires the DNS Servers to respond with an
>> Attacker's IP Address as well as the Victim's IP Address, in a typical
>> Round Robin fashion. Previous attacks would normally have the Victim's
>> IP Address to be their Private IP.
>
> For which protocols is this supposed to work?  Why would a
> security-minded web application serve content under a name it knows
> cannot be its own?
>

My concern about the attack is in regard to common NAT routers. I am
no expert on this subject matter and do completely agree, these kinds
of routers need better security checking (such as Host Header checks),
but conversely, HTTP daemons available on embedded platforms, in my
limited experience, have been mostly HTTP 1.0 compliant only and as such
do not support the Host header.

But you are completely correct in saying the devices themselves should
offer protection; the fact is, though, many devices do not (even if
they are HTTP 1.1 compliant, many are simply ignoring the unknown Host
Header) and upgrading these would require common people to
upgrade their modem's firmware - or the ISP assisting them.

Addressing the attack as a patch in bind would allow an ISP to patch
their DNS Caches as opposed to upgrading all customers' firmware. The
long term solution being as you've outlined - these NAT routers need
to offer more robust forms of protection.

-- 
Bradley Falzon
brad at teambrad.net
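
An added example, not part of the original message and not BIND or router vendor code: a minimal Host header check of the kind the message says NAT routers should perform, written in C as an embedded HTTP daemon might carry it. The allowlist values and function names are assumptions; a request with no Host header (as an HTTP 1.0 client sends) is rejected rather than served.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist (assumed values): the only names this device answers to. */
static const char *const OWN_NAMES[] = { "192.168.1.1", "router.lan" };

/* Locate the Host header in a raw, NUL-terminated request.
 * Returns the length of the host name (port and trailing space excluded),
 * or 0 when the header is absent or empty. Only the header section is scanned. */
static size_t find_host(const char *req, const char **name) {
    const char *line = strstr(req, "\r\n");            /* end of request line */
    while (line && strncmp(line, "\r\n\r\n", 4) != 0) {
        line += 2;                                     /* start of next header */
        if (strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5;
            while (*v == ' ' || *v == '\t') v++;
            *name = v;
            return strcspn(v, ": \t\r\n");             /* stop before any port */
        }
        line = strstr(line, "\r\n");
    }
    return 0;
}

/* Returns 1 only when the request names this device; 0 means refuse it.
 * A rebinding page reaches the device under the attacker's DNS name, so
 * its Host value is not on the allowlist. IPv6 literals are not handled
 * here and therefore fail closed. */
int host_header_allowed(const char *req) {
    const char *name = NULL;
    size_t len = find_host(req, &name);
    if (len == 0) return 0;                            /* no Host: fail closed */
    for (size_t i = 0; i < sizeof OWN_NAMES / sizeof OWN_NAMES[0]; i++)
        if (strlen(OWN_NAMES[i]) == len && strncasecmp(name, OWN_NAMES[i], len) == 0)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed sample requests. */
    const char *reqs[] = {
        "GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: rebind.example\r\n\r\n",
        "GET / HTTP/1.0\r\n\r\n",
    };
    for (size_t i = 0; i < 3; i++)
        printf("request %zu: %s\n", i, host_header_allowed(reqs[i]) ? "serve" : "reject");
    return 0;
}
```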


