What is a DNS Rebinding Attack?
In a DNS Rebinding Attack, the attacker tricks the user into binding with a malicious website and then makes the user's browser or device access unintended domains. Such attacks are normally used to compromise the system and exploit it as a proxy for attacking the internal network.
How do DNS Rebinding Attacks work?
The attacker registers a domain (such as attacker.com) and delegates it to a DNS server under the attacker’s control. The server is configured to respond with records that carry a very short time to live (TTL), preventing the response from being cached. When the victim browses to the malicious domain, the attacker’s DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, they could point the victim’s browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim’s computer.
The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim’s browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.
Experts from Armis claim that nearly all types of smart devices are vulnerable to DNS Rebinding Attacks, including smart TVs, routers, printers, CCTV cameras and smartphones.
How to avoid DNS Rebinding Attacks?
- Enable only the HTTPS console and turn off the HTTP console.
- For routers, disable access to admin console from any external network.
- For web browsers, DNS pinning can be implemented. This will lock the IP address which is received in the first DNS response.
- Implement private DNS filtering in the firewall.
- For devices, always change the default names and passwords.
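
As an added example (not part of the original article), the Python below replays the two DNS answers described earlier and shows how the private DNS filtering and DNS pinning items in the list each handle the second, rebound answer. The local zone corp.example, the sample addresses and all function names are constructed for illustration.

```python
import ipaddress

# Ranges a public name should never resolve to (RFC 1918, loopback, link-local, ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumption: zones that are legitimately answered with internal addresses.
LOCAL_ZONES = ("corp.example",)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) so it cannot slip past the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def filter_answer(qname, addresses):
    """Private DNS filtering: drop a public name's answer if any record is internal."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in LOCAL_ZONES):
        return "allow"
    return "drop" if any(is_internal(a) for a in addresses) else "allow"

class PinnedCache:
    """DNS pinning: keep the first address seen for a name, ignore later answers."""
    def __init__(self):
        self._pins = {}

    def resolve(self, qname, answer):
        return self._pins.setdefault(qname.rstrip(".").lower(), answer)

# Constructed rebinding sequence for the article's attacker.com: (name, answer addresses).
SEQUENCE = [
    ("attacker.com", ["203.0.113.10"]),  # first answer: server with the client-side code
    ("attacker.com", ["192.168.1.1"]),   # answer after the short TTL: internal address
]

def replay(sequence):
    """Return (filter verdict, pinned address) for each answer in order."""
    pins = PinnedCache()
    return [(filter_answer(q, a), pins.resolve(q, a[0])) for q, a in sequence]

if __name__ == "__main__":
    for verdict, pinned in replay(SEQUENCE):
        print(verdict, pinned)
```

The filter drops the second answer because a public name resolved to a private address, and the pinned cache keeps returning the first address regardless of what the later answer says.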