DNS rebinding attack

Dan Kaminsky, director of penetration testing at IOActive, demonstrated the DNS rebinding technique at an RSA conference in April 2008. Kaminsky spent a year researching ways that attackers could exploit aspects of the DNS (domain name system) to circumvent a firewall. Prior to Kaminsky's demonstration, DNS rebinding was considered only theoretically possible. According to Kaminsky, the problem is not with the routers themselves; it is enabled by a "core browser bug." DNS rebinding attacks can also exploit browser plug-ins, such as Flash, Java and Silverlight, that permit direct socket access back to their origins.

Here's a simplified example of how a DNS rebinding exploit might work:
The user is lured to or accidentally visits the attacker's Web site. When a default password is detected and determined, JavaScript coding tricks the user's browser into altering details on the router administration page. Changes made might enable the attacker to administer the device remotely and, as a result, control the owner's Internet communications. Among other possibilities, the attacker could access sensitive data on the network or use the connection to send spam.

As of early April 2008, there have been no reports of actual DNS rebinding attacks. However, the potential for such an attack to occur soon is considerable because very few home users change the default passwords on their routers.

Read more about DNS rebinding attack: - Robert McMillan reports on DNS rebinding. - Stanford University offers a document about preventing DNS rebinding attacks. (PDF) - Hackszine.com describes how DNS rebinding works in greater detail. - Immike.net offers more information about DNS rebinding and preventative measures. - Dan Goodlin discusses Kaminsky's demo of a DNS rebinding attack.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

BROWSE BY TAG Information Security Threats,   Emerging Information Security Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Antispyware buying guide for Indian enterprises This guide designed specifically for Indian businesses explores the key considerations in choosing an antispyware solution and offers an overview of... ATM malware lets attackers take over machines Trustwave investigators say sophisticated malware used in Eastern Europe allows attackers to steal track data, PINs and cash from infected ATMs. FTC shutters rogue ISP for hosting malicious content, botnets Executives at Triple Fiber Network are suspected of recruiting bot herders and hosting botnet command and control servers.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by pharming  (SearchSecurity.com) Drive-by pharming is a vulnerability exploitation method in which the attacker takes advantage of an inadequately unprotected broadband router to gain... JavaScript hijacking  (SearchSecurity.com) JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax...