Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS 2007

Presentation Transcript

  1. Protecting Browsers from DNS Rebinding Attacks
     Collin Jackson, Adam Barth, Andrew Bortz, ACM CCS 2007
     Presented 2008-11-13, Systems Modeling & Simulation Lab., Kim Jeong Hoon

  2. Outline 1. Introduction 2. Network access in the browsers 3. DNS rebinding vulnerabilities 4. Attacks using DNS rebinding 5. Defense against rebinding 6. Conclusion

  3. Introduction (1)
     • DNS rebinding attack
       • Exploits a DNS rebinding vulnerability to subvert the same-origin policy of browsers
       • Exploits the interaction between browsers and their plug-ins
       • Used for circumventing firewalls, sending spam e-mail, and defrauding pay-per-click advertisers
     • Under the same-origin policy, two servers belong to the same origin if they share a host name; the attacker abuses this by making one host name resolve to different IP addresses over time

  4. Network Access in the browsers
     • Same-origin policy
       • Provides partial resource isolation by restricting access according to origin
     • Access within the same origin
       • Both content and browser scripts can read and write using the HTTP protocol
       • Plug-ins can access network sockets directly
     • Access between different origins
       • Content from one origin can make HTTP requests to servers in another origin, but cannot read the responses
     • Prohibited access
       • Some types of network access are prohibited even within the same origin

  5. DNS Rebinding vulnerabilities (1)
     • Standard rebinding vulnerabilities
       • A single browser is made to connect to multiple IP addresses under the same host name
     • Multiple A records
       • The attacker's DNS entry lists several IP addresses (the attacker's and the target's) for one host name, confusing the security policy of the JVM
     • Time-varying DNS
       • The origin attack on Java was extended: the attacker's DNS server answers with a short TTL and later resolves the same host name to the target's IP address
     • Pinning in current browsers
       • Browsers defend against the standard rebinding attack by "pinning" a host name to the IP address it first resolved to
     • Flash 9
       • The Flash plug-in permits socket connections to the target

  6. DNS Rebinding vulnerabilities (2)
     • Multi-pin vulnerability
       • Multiple technologies maintain separate DNS pins, so the browser and a plug-in can be pinned to different IP addresses for the same host name
     • Java: the JVM maintains DNS pins separately from the browser
       • LiveConnect: the browser pins to the attacker's IP while the JVM pins to the target's IP
       • Applets with proxies: if the client uses an HTTP proxy, the JVM requests the applet by host name; the proxy performs its own DNS resolution and so pins to the target's IP
       • Relative paths: if a server hosts an HTML page that embeds an applet using a relative path
     • Flash
       • When the attacker's movie attempts to open a socket, Flash performs a second DNS resolution and pins to the target's IP

  7. Attacks using DNS rebinding (1)
     • Firewall circumvention
       • Reach machines behind firewalls that the attacker cannot access directly
     • Spidering the intranet
       • Intranet host names are often guessable and occasionally disclosed publicly
       • If the server responds with an HTML page, the attacker can follow links and search forms on that page
     • Compromising unpatched machines
       • Network administrators often do not patch internal machines
       • Attacks against the client itself originate from localhost and so bypass software firewalls and other security checks
     • Abusing internal open services
       • Network printers often accept print jobs from internal machines without additional authentication
       • The attacker can use direct socket access to command network printers to exhaust their toner and paper supplies

  8. Attacks using DNS rebinding (2)
     • IP hijacking
       • Access publicly available servers from the client's IP address
     • Committing click fraud
       • Advertisers can drain competitors' budgets by clicking on their advertisements
       • Fraudulent publishers can increase their advertising revenue by generating fake clicks
     • Sending spam
       • By hijacking a client's IP, an attacker can send spam from an IP address with a clean reputation at SMTP servers
     • Defeating IP-based authentication
       • After hijacking an authorized IP address, the attacker can access the service, defeating the authentication mechanism
     • Framing clients
       • An attacker who hijacks an IP can perform misdeeds and frame the client

  9. Experiment
     • Methodology
       • Tested DNS rebinding by running a Flash 9 advertisement
       • Two machines: attacker and target
         • Attacker: DNS server, Flash policy server, Apache web server
         • Target: Apache web server
       • Required only that the client view the ad
     • Results
       • Received 50,951 impressions from 44,924 unique IP addresses
       • Ran the rebinding experiment on 44,301 impressions (86.9%)
       • Successful on 30,636 impressions (60.1%) from 27,480 unique IP addresses

  10. Defense against rebinding (1)
     • Fixing firewall circumvention
       • Filter packets at the firewall, or modify the DNS resolvers used by clients on the network
     • Enterprise
       • A firewall administrator can force all internal machines to use a DNS server that is configured not to resolve external names to internal IP addresses (dnswall, a 300-line C program)
     • Consumer
       • Many consumer firewalls can be augmented with dnswall to block DNS responses that contain private IP addresses
     • Software
       • Software firewalls can prevent their own circumvention by blocking DNS resolutions to 127.*.*.*
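The following is an added example, not code from the paper or from dnswall itself. It shows the two halves of slides 5 and 10 together: a time-varying DNS answer that first points attack.example at the attacker's public address and then rebinds it to an intranet address, and a dnswall-style resolver check that parses the A records out of the wire-format response and blocks any response carrying a private, loopback or link-local address. The host name, the addresses and the packets are constructed for the example; `build_response` only exists to produce realistic test input.

```python
import ipaddress
import struct

# Destinations a dnswall-style resolver refuses to hand to internal clients:
# RFC 1918 private space, loopback (the 127.*.*.* case from the "Software"
# bullet), link-local and the unspecified address.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def _read_name(msg, offset):
    """Decode a DNS name at offset (RFC 1035 labels, with compression pointers).
    Returns (dotted_name, offset_just_after_the_name_field)."""
    labels, end = [], None
    for _ in range(128):  # bound the walk so a looping pointer cannot hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), end if end is not None else offset


def a_records(msg):
    """Return [(name, ipv4)] for every A record in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def should_block(msg):
    """dnswall policy: drop the whole response if any A record points inside."""
    return any(is_internal(ip) for _, ip in a_records(msg))


def build_response(qname, ips, ttl=1):
    """Build a minimal DNS response for qname (constructed test data, not a
    captured packet).  Each answer uses a pointer (0xC00C) back to the question
    name, so the compression path in _read_name is exercised."""
    def encode(name):
        return b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + question + answers


# The attacker's time-varying DNS (constructed): a short-TTL answer with the
# attacker's own public address first, then the same name rebound to an
# intranet host once the TTL has expired.
FIRST_ANSWER = build_response("attack.example", ["203.0.113.10"], ttl=1)
REBOUND_ANSWER = build_response("attack.example", ["192.168.1.1"], ttl=1)

if __name__ == "__main__":
    for pkt in (FIRST_ANSWER, REBOUND_ANSWER):
        print(a_records(pkt), "blocked" if should_block(pkt) else "passed")
```

Blocking the whole response rather than stripping the offending record is deliberate: a response that mixes a public and a private address for one name is exactly the multiple-A-record variant of the attack, so there is nothing in it worth passing on.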

  11. Defense against rebinding (2)
     • Fixing plug-ins
     • Flash
       • Flash could fix most of its rebinding vulnerabilities by considering a policy valid for a socket connection only if it obtained the policy from the same IP address and the same host name
     • Java
       • A safer approach is to use the CONNECT method, which provides a proxied socket connection to an external machine
     • Java LiveConnect
       • If the browser implements pinning, LiveConnect and the browser will use a common pin database, removing multi-pin vulnerabilities

  12. Defense against rebinding (3)
     • Fixing browsers (default-deny sockets)
     • Checking the Host header
       • User agents include a Host header in HTTP requests
       • Servers should reject incoming HTTP requests with unexpected Host headers
     • Finer-grained origins
       • Refine origins to include additional information (the server's IP address, its public key)
       • When the attacker rebinds attack.com to the target, the browser will consider the rebound host name to be a new origin
     • Smarter pinning
       • If a host name resolved to 171.64.78.10, the client would also accept any IP address beginning with 171.64.78 for that host name
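The Host header check above is the one defense a server operator can deploy without waiting for browser or plug-in vendors. The following is an added example, not code from the paper: a default-deny check that parses the Host header out of a raw HTTP request head and accepts it only if it names the server, handling the port suffix, case and trailing dot, IPv6 literals in brackets, and a missing or duplicated Host header. The allow list, the status codes chosen for rejection, and the sample requests (a victim browser whose attack.example has been rebound to an intranet printer) are all assumptions made for the example.

```python
import ipaddress


def parse_host_header(value):
    """Split a Host header value into (lower-cased name, port or None).
    Returns None for values that are not a valid host[:port]."""
    value = value.strip()
    if value.startswith("["):                # IPv6 literal: [addr] or [addr]:port
        close = value.find("]")
        if close == -1:
            return None
        name, rest = value[1:close], value[close + 1:]
    elif value.count(":") == 1:              # name:port
        name, port_str = value.split(":", 1)
        rest = ":" + port_str
    else:                                    # bare name (or junk with many colons)
        name, rest = value, ""
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
    if not name:
        return None
    return name.lower().rstrip("."), port


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def host_allowed(value, allowed_names, allowed_ports=(80,)):
    """Default-deny check: the Host header must name this server.

    A rebinding attack cannot forge the Host header: the victim's browser
    sends the attacker's host name (attack.example here), so anything outside
    the allow list is refused.  IP literals are refused too, because an allow
    list of names never expects them (a policy choice made for this example)."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    name, port = parsed
    if is_ip_literal(name):
        return False
    if port is not None and port not in allowed_ports:
        return False
    return name in {n.lower().rstrip(".") for n in allowed_names}


def check_raw_request(raw, allowed_names, allowed_ports=(80,)):
    """Apply the Host check to a raw HTTP request head; returns (status, reason)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    header_lines = head.split("\r\n")[1:]
    hosts = [line.split(":", 1)[1] for line in header_lines
             if line.lower().startswith("host:")]
    if len(hosts) != 1:                      # missing or duplicated Host header
        return 400, "Bad Request"
    if not host_allowed(hosts[0], allowed_names, allowed_ports):
        return 421, "Misdirected Request"
    return 200, "OK"


# Constructed requests, not captured traffic.  The second is what an intranet
# printer sees from a victim browser whose attack.example was rebound to it.
LEGIT_REQUEST = b"GET /admin HTTP/1.1\r\nHost: printer.corp.example:8080\r\n\r\n"
REBOUND_REQUEST = b"GET /admin HTTP/1.1\r\nHost: attack.example\r\n\r\n"
NO_HOST_REQUEST = b"GET /admin HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (LEGIT_REQUEST, REBOUND_REQUEST, NO_HOST_REQUEST):
        print(check_raw_request(req, ["printer.corp.example"], (80, 8080)))
```

Rejecting a request with no Host header matters as much as rejecting a wrong one: an attacker using a plug-in's raw socket rather than the browser's HTTP stack can simply leave the header out, so the check must be default-deny, not "reject if present and wrong".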

  13. Defense against rebinding (4)
     • Fixing browsers (default-deny sockets)
     • Policy-based pinning
       • Browsers consult server-supplied policies to determine when it is safe to re-pin a host name from one IP address to another, providing robustness without degrading security
     • Pinning pitfalls
       • Common pin database
       • Cache: objects in the cache must be retrieved by both URL and originating IP address
       • document.domain = document.domain;
       • Browser vendors appear reluctant to expose such an interface, and pinning in the OS either changes the semantics of DNS for other applications
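To make the pinning rules of slides 12 and 13 concrete, here is an added example (not code from the paper or from any browser) of a single pin table that the browser and its plug-ins would share, the "common pin database" above. The first resolution of a host name creates the pin; a later resolution is accepted only inside the pinned /24 (the "smarter pinning" relaxation from slide 12), so the rebound answer pointing at an intranet or loopback address is refused. The host name, the address sequence and the /24 default are assumptions for the example.

```python
import ipaddress


class PinDatabase:
    """A single pin table, shared by the browser and every plug-in.

    Sharing one table is what removes the multi-pin attack: if the JVM or
    Flash kept their own pins, the attacker could leave the browser pinned to
    one IP address and the plug-in pinned to another for the same host name.
    """

    def __init__(self, prefix_len=24):
        # "Smarter pinning": accept any re-resolution inside the pinned /24 so
        # that round-robin load balancing keeps working.  prefix_len=32 gives
        # strict pinning to the first address only.
        self.prefix_len = prefix_len
        self._pins = {}  # normalised host name -> first IPv4 address it resolved to

    @staticmethod
    def _key(host):
        return host.lower().rstrip(".")

    def pinned_ip(self, host):
        pin = self._pins.get(self._key(host))
        return None if pin is None else str(pin)

    def check(self, host, resolved_ip):
        """Return True if a connection to resolved_ip may be opened for host.

        The first resolution creates the pin.  Later resolutions are allowed
        only if they stay inside the pinned /prefix_len network; a rebinding
        answer that points at 192.168.0.0/16 or 127.0.0.0/8 is refused.
        """
        key = self._key(host)
        addr = ipaddress.IPv4Address(resolved_ip)
        pinned = self._pins.get(key)
        if pinned is None:
            self._pins[key] = addr
            return True
        allowed_net = ipaddress.IPv4Network(f"{pinned}/{self.prefix_len}", strict=False)
        return addr in allowed_net


def simulate_rebinding(db, host, answers):
    """Feed a sequence of DNS answers for one host name through the pin
    database, as the browser (or a plug-in using the same db) would, and
    return the list of accept/refuse decisions."""
    return [db.check(host, ip) for ip in answers]


# Constructed scenario, not data from the paper: the attacker's DNS server
# first answers with its own public address (TEST-NET-3), then a sibling
# address in the same /24, then rebinds the name to an intranet host and to
# loopback.
ATTACK_ANSWERS = ["203.0.113.10", "203.0.113.20", "192.168.1.1", "127.0.0.1"]

if __name__ == "__main__":
    db = PinDatabase()
    print(simulate_rebinding(db, "attack.example", ATTACK_ANSWERS))
    # -> [True, True, False, False]
```

The pin is keyed on the normalised host name only, which is why the cache pitfall on this slide exists: a pinned browser still has to key cached objects on both URL and originating IP, otherwise content fetched from the attacker's address before the rebind would be served as if it came from the target.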

  14. Defense against rebinding (5)
     • Fixing browsers (default-allow sockets)
     • Host name authorization
       • For host names with multiple IP addresses, only authorized IP addresses should be included in the result
       • e.g. *.auth.ip.in-addr.arpa
     • Trusted policy providers
       • Clients and DNS resolvers can also check policy by querying a trusted policy provider
       • Trusted policy providers can greatly reduce the false positive rate

  15. Conclusion
     • An attacker can exploit DNS rebinding vulnerabilities to
       • Circumvent firewalls
       • Hijack IP addresses
     • Two defense options are proposed
       • Policy-based pinning
       • Host name authorization
     • Vendors and network administrators should deploy these defenses quickly, before attackers exploit DNS rebinding on a large scale