
Protecting browsers from DNS rebinding attacks

Published: 28 October 2007

Abstract

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between browsers and their plug-ins, such as Flash and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that the classic defense against these attacks, called "DNS pinning," is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers: we suggest easy-to-deploy patches for plug-ins that prevent large-scale exploitation, provide a defense tool, dnswall, that prevents firewall circumvention, and detail two defense options, policy-based pinning and host name authorization.
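The abstract names dnswall as the defense that stops firewall circumvention: a resolver-side filter that refuses to let an external host name resolve to an address inside the protected network, since that resolution step is what a rebinding attack needs before the browser's same-origin policy will let it talk to an internal host. The following is an added illustration of that idea, written for this page rather than taken from the paper or from Google's dnswall code. It parses the answer section of a wire-format DNS reply (including RFC 1035 name compression), drops A records that map a non-internal name onto RFC 1918, loopback or link-local space, and forwards the rest. The zone list `INTERNAL_ZONES`, the `BLOCKED_NETS` table, and the sample responses built by `build_response` are all constructed assumptions for the example.

```python
"""Added example for this record (not code from the paper or from Google's dnswall):
a minimal dnswall-style DNS response filter.  It parses the answer section of a
wire-format DNS reply and drops A records that map a public name onto private,
loopback or link-local address space, which is the resolution step a rebinding
attack relies on to reach hosts behind a firewall.  The zone list, the blocked
networks, and the sample responses below are constructed for this example."""
import ipaddress
import struct

TYPE_A = 1

# Assumption: the operator marks zones that legitimately resolve to internal
# addresses.  Names outside these zones must not resolve to blocked ranges.
INTERNAL_ZONES = ("corp.example.",)

# Address space an external name should never resolve to (RFC 1918 private
# ranges plus loopback, link-local and the "this network" block).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _read_name(msg, off):
    """Decode a possibly compressed DNS name at msg[off]; return (name, offset after it)."""
    labels, next_off = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if next_off is None:                  # only the first pointer ends the field
                next_off = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if next_off is None else next_off)


def parse_answers(msg):
    """Return (queried name, [(owner, rtype, rdata)]) from a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return qname, answers


def is_internal_name(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def is_blocked_address(addr):
    return any(addr in net for net in BLOCKED_NETS)


def filter_answers(qname, answers):
    """Split answers into those to forward and those dropped as rebinding attempts."""
    kept, dropped = [], []
    for owner, rtype, rdata in answers:
        if rtype == TYPE_A and len(rdata) == 4:
            addr = ipaddress.IPv4Address(rdata)
            if is_blocked_address(addr) and not is_internal_name(qname):
                dropped.append(str(addr))
                continue
        kept.append((owner, rtype, rdata))
    return kept, dropped


def build_response(qname, addrs):
    """Construct a minimal DNS response (test data only) whose answers use a
    compression pointer back to the question name at offset 12."""
    def enc(name):
        return b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = enc(qname) + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 60, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + rrs


def rebinding_check(qname, addrs):
    """End to end: parse a constructed reply for qname and return (forwarded, dropped)."""
    name, answers = parse_answers(build_response(qname, addrs))
    kept, dropped = filter_answers(name, answers)
    return [str(ipaddress.IPv4Address(r)) for _, t, r in kept if t == TYPE_A], dropped


if __name__ == "__main__":
    # A public name rebinding to a LAN address: the private answer is dropped.
    print(rebinding_check("attacker.example.", ["203.0.113.5", "192.168.1.1"]))
    # A name in an internal zone may resolve to RFC 1918 space.
    print(rebinding_check("printer.corp.example.", ["10.1.2.3"]))
```

Two design points carry over from the abstract's framing. First, the filter keys on the queried name, not the owner name in the answer, because a CNAME chain can end on an owner the attacker controls; the question is the only thing the client actually asked for. Second, the allow-list of internal zones is what keeps the defense from breaking legitimate split-horizon deployments: without it, every intranet name would be dropped along with the rebinding attempts.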

Published In

CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security
October 2007
628 pages
ISBN: 9781595937032
DOI: 10.1145/1315245

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. click fraud
  2. dns
  3. firewall
  4. same-origin policy
  5. spam

Conference

CCS07: 14th ACM Conference on Computer and Communications Security 2007
November 2 - October 31, 2007
Alexandria, Virginia, USA

Acceptance Rates

CCS '07 Paper Acceptance Rate: 55 of 302 submissions, 18%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Cited By

  • (2020) Study of DNS Rebinding Attacks on Smart Home Devices. Computer Security, pp. 391-401. doi:10.1007/978-3-030-42048-2_25. Online publication date: 22-Feb-2020
  • (2019) Security Analysis of Devolo HomePlug Devices. Proceedings of the 12th European Workshop on Systems Security, pp. 1-6. doi:10.1145/3301417.3312499. Online publication date: 25-Mar-2019
  • (2018) Defending Internet of Things Against Malicious Domain Names using D-FENS. 2018 IEEE/ACM Symposium on Edge Computing (SEC), pp. 387-392. doi:10.1109/SEC.2018.00051. Online publication date: Oct-2018
  • (2015) Understanding evolution and adoption of Top-level Domain names. Proceedings of the 2015 IEEE 40th Local Computer Networks Conference Workshops (LCN Workshops), pp. 687-694. doi:10.1109/LCNW.2015.7365915. Online publication date: 26-Oct-2015
  • (2015) The Dark Side of the Code. Revised Selected Papers of the 23rd International Workshop on Security Protocols XXIII, Volume 9379, pp. 1-11. doi:10.1007/978-3-319-26096-9_1. Online publication date: 31-Mar-2015
  • (2014) Analyzing Forged SSL Certificates in the Wild. Proceedings of the 2014 IEEE Symposium on Security and Privacy, pp. 83-97. doi:10.1109/SP.2014.13. Online publication date: 18-May-2014
  • (2014) Why Bother Securing DNS? Security Protocols XXII, pp. 1-8. doi:10.1007/978-3-319-12400-1_1. Online publication date: 29-Oct-2014
  • (2014) Click Fraud Detection: Adversarial Pattern Recognition over 5 Years at Microsoft. Real World Data Mining Applications, pp. 181-201. doi:10.1007/978-3-319-07812-0_10. Online publication date: 14-Nov-2014
  • (2013) Click Fraud Detection with Bot Signatures. 2013 IEEE International Conference on Intelligence and Security Informatics, pp. 146-150. doi:10.1109/ISI.2013.6578805. Online publication date: Jun-2013
  • (2013) Two level verification for detection of DNS rebinding attacks. International Journal of System Assurance Engineering and Management 4(2), pp. 138-145. doi:10.1007/s13198-013-0153-x. Online publication date: 13-Apr-2013
