Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS 2007 2008. 11. 13. Systems Modeling & Simulation Lab. Kim.


1 of 15 Protecting Browsers from DNS Rebinding Attacks. Collin Jackson, Adam Barth, Andrew Bortz. ACM CCS 2007. Systems Modeling & Simulation Lab., Kim Jeong Hoon

2 of 15 Outline
1. Introduction
2. Network access in the browsers
3. DNS rebinding vulnerabilities
4. Attacks using DNS rebinding
5. Defense against rebinding
6. Conclusion

3 of 15 Introduction (1)
- DNS rebinding attack
  - Exploits a DNS rebinding vulnerability
  - Subverts the same-origin policy of browsers
  - Exploits the interaction between browsers and their plug-ins
  - Used to circumvent firewalls, send spam and defraud pay-per-click advertisers
- Two servers belong to the same origin when they share a host name

4 of 15 Network Access in the browsers
- Same-origin policy: provides partial resource isolation by restricting access according to origin
- Access within the same origin
  - Both content and browser scripts can read and write using the HTTP protocol
  - Plug-ins can access network sockets directly
- Access between different origins
  - Content from one origin can make HTTP requests to servers in another origin
- Prohibited access
  - Some types of network access are prohibited even within the same origin

5 of 15 DNS Rebinding vulnerabilities (1)
- Standard rebinding vulnerabilities: a single browser connects to multiple IP addresses under the same host name
  - Multiple A records indicating the IP addresses of the host confuse the security policy of the JVM
  - Time-varying DNS: the origin attack on Java was extended
- Pinning in current browsers: browsers defend against the standard rebinding attack by "pinning" host names to IP addresses
- Flash 9: the Flash plug-in permits socket connections to the target

6 of 15 DNS Rebinding vulnerabilities (2)
- Multi-pin vulnerability: multiple technologies maintain separate DNS pins
  - Java: the JVM maintains DNS pins separately from the browser
  - LiveConnect: the browser pins to the attacker's IP, the JVM pins to the target's IP
  - Applets with proxies: when the client uses an HTTP proxy, the JVM requests the applet by host name; another DNS resolver (the proxy's) is involved and pins to the target's IP
  - Relative paths: if a server hosts an HTML page that embeds an applet using a relative path
  - Flash: when the attacker's movie attempts to open a socket, Flash does a second DNS resolution and pins to the target's IP

7 of 15 Attacks using DNS rebinding (1)
- Firewall circumvention: to access machines behind firewalls that the attacker cannot access directly
  - Spidering the intranet: intranet host names are often guessable and occasionally disclosed publicly; if the server responds with an HTML page, the attacker can follow links and search forms on that page
  - Compromising unpatched machines: network administrators often do not patch internal machines; attacks against the client itself originate from localhost and so bypass software firewalls and other security checks
  - Abusing internal open services: network printers often accept print jobs from internal machines without additional authentication; the attacker can use direct socket access to command network printers to exhaust their toner and paper supplies

8 of 15 Attacks using DNS rebinding (2)
- IP hijacking: to access publicly available servers from the client's IP
  - Committing click fraud: advertisers can drain competitors' budgets by clicking on their advertisements; fraudulent publishers can increase their advertising revenue by generating fake clicks
  - Sending spam: by hijacking a client's IP, an attacker can send spam from an IP with a clean reputation (SMTP servers)
  - Defeating IP-based authentication: after hijacking an authorized IP address, the attacker can access the service, defeating the authentication mechanism
  - Framing clients: an attacker who hijacks an IP can perform misdeeds and frame the client

9 of 15 Experiment
- Methodology
  - Tested DNS rebinding by running a Flash 9 advertisement
  - Two machines: attacker and target
    - Attacker: DNS, Flash policy, Apache web server
    - Target: Apache web server
  - Required only that the client view the ad
- Results
  - Received 50,951 impressions from 44,924 unique IP addresses
  - Ran the rebinding experiment on 44,301 impressions (86.9%)
  - Successful on 30,636 (60.1%) impressions and 27,480 unique IP addresses

10 of 15 Defense against rebinding (1)
- Fixing firewall circumvention: by filtering packets at the firewall or by modifying the DNS resolvers used by clients on the network
  - Enterprise: a firewall administrator for an organization can force all internal machines to use a DNS server that is configured not to resolve external names to internal IP addresses (300-line C program, dnswall)
  - Consumer: many consumer firewalls can be augmented with dnswall to block DNS responses that contain private IP addresses
  - Software: software firewalls can prevent their own circumvention by blocking DNS resolutions to 127.*.*.*
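The dnswall idea on this slide, written out as an added Python example (it is not the authors' 300-line dnswall program): the filter parses the answer section of a DNS response on the wire, including compressed names, and blocks the response whenever a name outside the organization's own zones resolves to a private, loopback or link-local address. The loopback entry in the range list also covers the 127.*.*.* case the slide gives for software firewalls. The build_response helper, the packets it produces, the host names and the internal zone names are constructed for this example.

```python
import ipaddress
import struct

# Ranges an external name must never resolve to: RFC 1918 private space,
# loopback (the 127.*.*.* case on the slide) and link-local.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def _read_name(packet, offset):
    """Decode a DNS name at offset, following compression pointers.
    Returns (dotted_name, offset_after_the_name_field)."""
    labels = []
    end = None          # where the name field ends in the original stream
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def parse_a_records(packet):
    """Return [(owner_name, ipv4_string), ...] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    offset = 12                                       # header is 12 bytes
    for _ in range(qdcount):
        _, offset = _read_name(packet, offset)
        offset += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def is_internal_name(name, internal_zones):
    """True if the name lies inside one of the organization's own zones."""
    name = name.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in internal_zones)


def should_block(packet, internal_zones=()):
    """dnswall-style decision: block the response if any A record maps a name
    outside the internal zones to a private, loopback or link-local address."""
    for name, ip in parse_a_records(packet):
        if is_internal_name(name, internal_zones):
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_NETWORKS):
            return True
    return False


def build_response(name, ips, txid=0x1234):
    """Constructed DNS response: header, one question, one A record per IP,
    with answer names compressed to point at the question name (offset 12)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + question + answers


if __name__ == "__main__":
    rebound = build_response("ads.attacker.example", ["192.168.1.10"])
    print("block" if should_block(rebound) else "pass", parse_a_records(rebound))
```

Deployed in front of a resolver, a filter like this would drop or rewrite the blocked response rather than just flag it; the decision function is kept separate so the same logic can be exercised on captured packets.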

11 of 15 Defense against rebinding (2)
- Fixing plug-ins
  - Flash: Flash could fix most of its rebinding vulnerabilities by considering a policy valid for a socket connection only if it obtained the policy from the same IP address and from the same host name
  - Java: a safer approach is to use the CONNECT method, which provides a proxied socket connection to an external machine
  - Java LiveConnect: if the browser implements pinning, LiveConnect and the browser will use a common pin database, removing multi-pin vulnerabilities

12 of 15 Defense against rebinding (3)
- Fixing browsers (default-deny sockets)
  - Checking the Host header
    - User agents include a Host header in HTTP requests
    - Reject incoming HTTP requests with unexpected Host headers
  - Finer-grained origins
    - Refine origins to include additional information (server's IP, public key)
    - When the attacker rebinds attack.com to the target, the browser will consider the rebound host name to be a new origin
  - Smarter pinning
    - If a host name resolved to , the client would also accept any IP beginning with for that host name
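The Host header check on this slide is a server-side defense: a rebound request still carries the attacker's host name in its Host header, so an intranet server that only answers for the names it expects refuses it. The following added Python example (not code from the paper) parses the header from a raw HTTP request head, normalizes case and the default port, handles IPv6 literals, and rejects a missing or duplicated Host header. The expected host set, the request bytes and the host names are constructed for this example.

```python
def parse_host_header(value, default_port=80):
    """Return (host, port) from a Host header value, or None if it is malformed."""
    value = value.strip().lower()
    if not value:
        return None
    if value.startswith("["):                    # IPv6 literal, e.g. [::1]:8080
        close = value.find("]")
        if close == -1:
            return None
        host, rest = value[1:close], value[close + 1:]
        if rest and not rest.startswith(":"):
            return None
        port_text = rest[1:]
    elif ":" in value:
        host, port_text = value.split(":", 1)
    else:
        host, port_text = value, ""
    if not host:
        return None
    if port_text == "":
        port = default_port
    elif port_text.isdigit() and 0 < int(port_text) < 65536:
        port = int(port_text)
    else:
        return None
    return host.rstrip("."), port


def get_single_header(raw_request, name):
    """Return the value of a header that appears exactly once, else None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values[0] if len(values) == 1 else None


def host_header_ok(raw_request, expected_hosts, default_port=80):
    """Accept the request only if its single Host header names one of the
    (host, port) pairs this server expects to be reached as."""
    header = get_single_header(raw_request, "Host")
    parsed = parse_host_header(header or "", default_port)
    if parsed is None:
        return False
    return parsed in expected_hosts


# Constructed allow-list for an intranet server: its own name and its own address.
EXPECTED_HOSTS = {("intranet.corp.example", 80), ("10.0.0.5", 80)}

# Constructed requests: one from a legitimate client, one arriving via a rebound name.
LEGITIMATE_REQUEST = b"GET /admin HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"
REBOUND_REQUEST = b"GET /admin HTTP/1.1\r\nHost: attack.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("legitimate", LEGITIMATE_REQUEST), ("rebound", REBOUND_REQUEST)):
        print(label, "accepted" if host_header_ok(req, EXPECTED_HOSTS) else "rejected")
```

The allow-list includes the server's own IP address because clients addressing the server directly send that literal as the Host header; anything else, including an empty or repeated header, is rejected.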

13 of 15 Defense against rebinding (4)
- Fixing browsers (default-deny sockets)
  - Policy-based pinning: browsers consult server-supplied policies to determine when it is safe to re-pin a host name from one IP to another, providing robustness without degrading security
- Pinning pitfalls
  - Common pin database
    - Cache: objects in the cache must be retrieved by both URL and originating IP
    - document.domain = document.domain;
    - Browser vendors appear reluctant to expose such an interface, and pinning in the OS changes the semantics of DNS for other applications
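The pinning mechanisms described on slides 5, 12 and 13, as one added Python example that is not code from the paper or from any browser: a single pin database shared by the browser and its plug-ins (the common pin database the slides call for) records the first address a host name resolved to, keeps using it when a later resolution differs, accepts a differing address only when it falls in the same prefix as the pinned one (smarter pinning; the /16 prefix length is an assumption, since the slide's addresses are missing from the transcript), and re-pins only when a server-supplied policy lists the new address (policy-based pinning). The policy_lookup callback, the host names and the addresses are constructed for this example.

```python
import ipaddress


class PinDatabase:
    """One host-name-to-IP pin table shared by every networking component
    (browser, plug-ins), so no component can hold a pin the others lack."""

    def __init__(self, prefix_length=16, policy_lookup=None):
        self._pins = {}                          # host name -> pinned IPv4Address
        self.prefix_length = prefix_length       # smarter-pinning prefix (assumed /16)
        # policy_lookup(host) -> set of IP strings the server's policy authorizes
        # for that host; the default policy authorizes nothing.
        self._policy_lookup = policy_lookup or (lambda host: set())

    @staticmethod
    def _key(host):
        return host.lower().rstrip(".")

    def pinned_ip(self, host):
        """The address currently pinned for host, or None."""
        addr = self._pins.get(self._key(host))
        return None if addr is None else str(addr)

    def connect_address(self, host, resolved_ip):
        """Decide which address a connection to host may use after DNS returned
        resolved_ip. Returns (address_to_use, decision)."""
        key = self._key(host)
        addr = ipaddress.IPv4Address(resolved_ip)
        pinned = self._pins.get(key)
        if pinned is None:                       # first resolution: pin it
            self._pins[key] = addr
            return str(addr), "pinned"
        if addr == pinned:
            return str(addr), "allowed"
        # Smarter pinning: the same operator's address block is still acceptable.
        block = ipaddress.ip_network(f"{pinned}/{self.prefix_length}", strict=False)
        if addr in block:
            return str(addr), "allowed-same-prefix"
        # Policy-based pinning: re-pin only if the server's policy names the new IP.
        if str(addr) in self._policy_lookup(key):
            self._pins[key] = addr
            return str(addr), "repinned-by-policy"
        # Otherwise the rebinding is ignored and the pinned address is used.
        return str(pinned), "rejected"


def constructed_policy(host):
    """Stand-in for a server-supplied policy: only www.example.com authorizes a move."""
    return {"203.0.113.7"} if host == "www.example.com" else set()


if __name__ == "__main__":
    pins = PinDatabase(policy_lookup=constructed_policy)
    # Browser loads the page, then a plug-in resolves the same name after the
    # attacker's DNS server has rebound it to an intranet address.
    print(pins.connect_address("attack.example", "198.51.100.20"))
    print(pins.connect_address("attack.example", "10.0.0.5"))
    print(pins.connect_address("www.example.com", "192.0.2.10"))
    print(pins.connect_address("www.example.com", "203.0.113.7"))
```

Because the browser and the plug-in consult the same table, the second resolution above is answered with the pinned public address rather than the intranet one, which is exactly the multi-pin gap a per-component pin table leaves open.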

14 of 15 Defense against rebinding (5)
- Fixing browsers (default-allow sockets)
  - Host name authorization
  - Trusted policy providers
    - Clients and DNS resolvers can also check policy by querying a trusted policy provider
    - Trusted policy providers can greatly reduce the false positive rate
    - For host names with multiple IP addresses, only authorized IP addresses should be included in the result
    - ex) *.auth.ip.in-addr.arpa
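Host name authorization as an added Python example, not code from the paper: the resolver asks, for each candidate address, whether the address owner has published a record under the auth subtree of that address's reverse-DNS name (the slide's *.auth.ip.in-addr.arpa), and returns only the authorized addresses. The exact record layout is an assumption: a record named host.auth.<reversed IP>.in-addr.arpa authorizes that one host name, and the wildcard form from the slide authorizes any host name for that address. The in-memory policy table standing in for the trusted policy provider, and all names and addresses, are constructed for this example.

```python
def reverse_octets(ip):
    """192.0.2.10 -> 10.2.0.192, the in-addr.arpa ordering."""
    return ".".join(reversed(ip.split(".")))


def policy_query_name(host, ip):
    """Name of the policy record that would authorize host for ip (assumed layout)."""
    return f"{host.lower().rstrip('.')}.auth.{reverse_octets(ip)}.in-addr.arpa"


def wildcard_query_name(ip):
    """The slide's *.auth.ip.in-addr.arpa form: authorizes every host name for ip."""
    return f"*.auth.{reverse_octets(ip)}.in-addr.arpa"


# Constructed policy table standing in for the trusted policy provider:
# the owner of 192.0.2.10 authorizes www.example.com only; the owner of
# 203.0.113.5 (say, a shared CDN address) authorizes any host name.
CONSTRUCTED_POLICY_RECORDS = {
    "www.example.com.auth.10.2.0.192.in-addr.arpa",
    "*.auth.5.113.0.203.in-addr.arpa",
}


def policy_record_exists(name):
    """Lookup against the constructed provider; a real client would query DNS."""
    return name in CONSTRUCTED_POLICY_RECORDS


def is_authorized(host, ip, lookup=policy_record_exists):
    """True if ip's owner authorized host, by an exact or wildcard policy record."""
    return lookup(policy_query_name(host, ip)) or lookup(wildcard_query_name(ip))


def authorized_addresses(host, candidate_ips, lookup=policy_record_exists):
    """Filter a multi-address answer down to the addresses authorized for host,
    which is what the slide asks a checking resolver to return."""
    return [ip for ip in candidate_ips if is_authorized(host, ip, lookup)]


if __name__ == "__main__":
    # A name the attacker controls resolving to its own address plus an intranet
    # address: the intranet address owner never authorized attacker.example.
    print(authorized_addresses("attacker.example", ["203.0.113.5", "10.0.0.5"]))
    print(authorized_addresses("www.example.com", ["192.0.2.10", "10.0.0.5"]))
```

An address whose owner has published no policy at all is simply never authorized, which is why the slide notes that trusted policy providers matter for keeping the false positive rate down during deployment.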

15 of 15 Conclusion
- An attacker can exploit DNS rebinding vulnerabilities to
  - Circumvent firewalls
  - Hijack IP addresses
- Proposed two defense options
  - Policy-based pinning
  - Host name authorization
- Vendors and network administrators should deploy these defenses quickly, before attackers exploit DNS rebinding on a large scale