DNS Rebinding Prevention for the Weak Host Model Attacks

Bradley Falzon brad at teambrad.net
Wed Aug 18 00:25:02 UTC 2010


On Wed, Aug 18, 2010 at 1:05 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 08/17/2010 04:31 PM, Florian Weimer wrote:
>>
>> * Bradley Falzon:
>>
>>> Craig Heffner's version of the DNS Rebinding attack, similar to all
>>> DNS Rebinding attacks, requires the DNS Servers to respond with an
>>> Attacker's IP Address as well as the Victim's IP Address, in a typical
>>> Round Robin fashion. Previous attacks would normally have the Victim's
>>> IP Address to be their Private IP.
>>
>> For which protocols is this supposed to work?  Why would a
>> security-minded web application serve content under a name it knows
>> cannot be its own?
>>
>
> You're assuming it's an HTTP attack. You can trick flash, java and other
> plugins to circumvent the browsers same-origin policy, and do much more
> subtle things like sending SMTP email.

Just to note here, the possible prevention I am discussing will only
address this specific attack, where an attack uses the weak host model
to circumvent DNS rebinding protection built into popular browsers
and attacks the victim's NAT'd router using the IP address of its WAN
side.

Your point is still valid though, as many modems also permit Telnet
and SNMP access to the device, and allow reconfiguration via a
different protocol that doesn't check/have Host headers.

What could we legitimately break by implementing this kind of
protection, and if no obvious legitimate access could be broken, is
someone able to assist (or point me in the direction of bind-devs) in
writing a patch for bind that would do what we are proposing?

-- 
Bradley Falzon
brad at teambrad.net
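As an added illustration of the resolver-side check this thread is circling (not code from the poster, and not BIND's own behaviour), the following hypothetical filter flags A-record answers that contain the querying client's own source address, which is the record the weak-host-model variant depends on, and optionally the RFC 1918 / loopback / link-local ranges used by the classic variant. It assumes the resolver sees the client's WAN address as the query source, which holds for an ISP resolver but not for a forwarder inside the NAT; all addresses are constructed.

```python
import ipaddress

# Constructed sample: an answer set mixing an attacker-controlled address
# with the querying client's own WAN address, the round-robin shape the
# rebinding attack described in the thread needs. Illustrative values only.
SAMPLE_ANSWERS = ["203.0.113.10", "198.51.100.7"]
CLIENT_WAN_IP = "198.51.100.7"

# Ranges the classic rebinding attack points victims at. Listed explicitly
# (rather than via ipaddress.is_private) so documentation ranges such as
# 203.0.113.0/24 are not swept up by Python's special-purpose registry.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def suspicious_rebinding_answers(answers, client_ip, block_internal=True):
    """Return the answers a resolver-side rebinding filter would reject for
    this client: the client's own source address (weak-host-model variant)
    and, if block_internal, addresses in INTERNAL_RANGES (classic variant).
    Hypothetical policy written for this example, not a BIND feature."""
    client = ipaddress.ip_address(client_ip)
    flagged = []
    for rr in answers:
        addr = ipaddress.ip_address(rr)
        if addr == client:
            flagged.append(rr)
        elif block_internal and any(addr in net for net in INTERNAL_RANGES):
            flagged.append(rr)
    return flagged


def filter_answer(answers, client_ip, block_internal=True):
    """Strip flagged records. An empty result means every record was
    rejected, so the caller should refuse the answer (e.g. SERVFAIL)
    rather than hand the client a rebindable record."""
    bad = set(suspicious_rebinding_answers(answers, client_ip, block_internal))
    return [rr for rr in answers if rr not in bad]


if __name__ == "__main__":
    print("flagged:", suspicious_rebinding_answers(SAMPLE_ANSWERS, CLIENT_WAN_IP))
    print("returned:", filter_answer(SAMPLE_ANSWERS, CLIENT_WAN_IP))
```

Dropping only the offending record leaves the attacker's address in place, so a deployment should also log the event, since a public name that resolves to the querying client's own address is itself a strong detection signal.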
