Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS 2007 2008. 11. 13. Systems Modeling & Simulation Lab. Kim.

Slide 1: Protecting Browsers from DNS Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz
ACM CCS 2007
2008. 11. 13. Systems Modeling & Simulation Lab. Kim Jeong Hoon

Slide 2 of 15: Outline
1. Introduction
2. Network access in the browsers
3. DNS rebinding vulnerabilities
4. Attacks using DNS rebinding
5. Defense against rebinding
6. Conclusion

Slide 3 of 15: Introduction (1)
- DNS rebinding attack
  - Exploits a DNS rebinding vulnerability
  - Subverts the same-origin policy of browsers
  - Exploits the interaction between browsers and their plug-ins
  - Circumvents firewalls
  - Sending spam e-mail
  - Defrauding pay-per-click advertisers
- Two servers belong to the same origin if they share a host name

Slide 4 of 15: Network Access in the Browsers
- Same-origin policy
  - Provides partial resource isolation by restricting access according to origin
- Access within the same origin
  - Both content and browser scripts can read and write using the HTTP protocol
  - Plug-ins can access network sockets directly
- Access between different origins
  - Content from one origin can make HTTP requests to servers in another origin
- Prohibited access
  - Some types of network access are prohibited even within the same origin

Slide 5 of 15: DNS Rebinding Vulnerabilities (1)
- Standard rebinding vulnerabilities
  - A single browser connects to multiple IP addresses under the same host name
  - Multiple A records
    - Indicate the IP addresses of the host
    - Confuse the security policy of the JVM
  - Time-varying DNS
    - The origin attack on Java was extended
- Pinning in current browsers
  - Browsers defend against the standard rebinding attack by "pinning" host names to IP addresses
- Flash 9
  - The Flash plug-in permits socket connections to the target

Slide 6 of 15: DNS Rebinding Vulnerabilities (2)
- Multi-pin vulnerability
  - Multiple technologies maintain separate DNS pins
- Java: the JVM maintains DNS pins separately from the browser
  - LiveConnect
    - The browser pins to the attacker's IP
    - The JVM pins to the target's IP
  - Applets with proxies
    - The client uses an HTTP proxy: the JVM requests the applet by host name
    - Another DNS resolver is involved (the proxy's): it pins to the target's IP
  - Relative paths
    - If a server hosts an HTML page that embeds an applet using a relative path
- Flash
  - When the attacker's movie attempts to open a socket, Flash does a second DNS resolution and pins to the target's IP

Slide 7 of 15: Attacks Using DNS Rebinding (1)
- Firewall circumvention
  - To access machines behind firewalls that the attacker cannot access directly
  - Spidering the intranet
    - Intranet host names are often guessable and occasionally disclosed publicly
    - If the server responds with an HTML page, the attacker can follow links and search forms on that page
  - Compromising unpatched machines
    - Network administrators often do not patch internal machines
    - The attacks against the client itself originate from localhost and so bypass software firewalls and other security checks
  - Abusing internal open services
    - Network printers often accept print jobs from internal machines without additional authentication
    - The attacker can use direct socket access to command network printers to exhaust their toner and paper supplies

Slide 8 of 15: Attacks Using DNS Rebinding (2)
- IP hijacking
  - To access publicly available servers from the client's IP
  - Committing click fraud
    - Advertisers can drain competitors' budgets by clicking on their advertisements
    - Fraudulent publishers can increase their advertising revenue by generating fake clicks
  - Sending spam
    - By hijacking a client's IP, an attacker can send spam from IPs with clean reputations (SMTP servers)
  - Defeating IP-based authentication
    - After hijacking an authorized IP address, the attacker can access the service, defeating the authentication mechanism
  - Framing clients
    - An attacker who hijacks an IP can perform misdeeds and frame the client

Slide 9 of 15: Experiment
- Methodology
  - Tested DNS rebinding by running a Flash 9 advertisement
  - Two machines: attacker, target
    - Attacker: DNS, Flash policy, Apache web server
    - Target: Apache web server
  - Required only that the client view the ad
- Results
  - Received 50,951 impressions from 44,924 unique IP addresses
  - Ran the rebinding experiment on 44,301 impressions (86.9%)
  - Successful on 30,636 (60.1%) impressions and 27,480 unique IPs

Slide 10 of 15: Defense Against Rebinding (1)
- Fixing firewall circumvention
  - By filtering packets at the firewall or by modifying the DNS resolvers used by clients on the network
  - Enterprise
    - A firewall administrator for an organization can force all internal machines to use a DNS server that is configured not to resolve external names to internal IPs (300-line C program, dnswall)
  - Consumer
    - Many consumer firewalls can be augmented with dnswall to block DNS responses that contain private IPs
  - Software
    - Software firewalls can prevent their own circumvention by blocking DNS resolutions to 127.*.*.*
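The resolver-side rule the slide attributes to dnswall, written out as an added example (this is not the authors' dnswall, and the blocked ranges and the internal zone name corp.example are my assumptions): an external name is never allowed to resolve to a private, loopback or link-local address, while names in the organization's own zones pass through.

```python
"""dnswall-style filter for DNS answers (added example, not the paper's dnswall)."""
import ipaddress

# Ranges an external host name must never resolve to. The list is my choice of
# what such a deployment would protect: RFC 1918 space, loopback (so the
# client itself cannot be reached), link-local, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "::1/128", "fc00::/7",
)]


def is_internal_name(name, internal_zones):
    """True if `name` lies inside one of the organization's own DNS zones."""
    name = name.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in internal_zones)


def filter_answer(name, a_records, internal_zones=("corp.example",)):
    """Return the A/AAAA records a client may see for `name`.

    Internal names pass through untouched. For every other name, any record
    inside BLOCKED_NETWORKS is dropped, so an external name can never be
    rebound to a private or loopback address through this resolver.
    """
    if is_internal_name(name, internal_zones):
        return list(a_records)
    kept = []
    for record in a_records:
        ip = ipaddress.ip_address(record)
        if any(ip in network for network in BLOCKED_NETWORKS):
            continue  # rebinding attempt: strip it from the answer
        kept.append(record)
    return kept


if __name__ == "__main__":
    # Constructed answers: a rebinding attempt and a legitimate internal lookup.
    print(filter_answer("attack.example", ["203.0.113.5", "192.168.1.20"]))
    print(filter_answer("printer.corp.example", ["192.168.1.20"]))
```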

Slide 11 of 15: Defense Against Rebinding (2)
- Fixing plug-ins
  - Flash
    - Flash could fix most of its rebinding vulnerabilities by considering a policy valid for a socket connection only if it obtained the policy from the same IP address and from the same host name
  - Java
    - A safer approach is to use the CONNECT method, which provides a proxied socket connection to an external machine
  - Java LiveConnect
    - If the browser implements pinning, LiveConnect and the browser will use a common pin database, removing multi-pin vulnerabilities

Slide 12 of 15: Defense Against Rebinding (3)
- Fixing browsers (default-deny sockets)
  - Checking the Host header
    - User agents include a Host header in HTTP requests
    - Reject incoming HTTP requests with unexpected Host headers
  - Finer-grained origins
    - Refine origins to include additional information (server's IP, public key)
    - When the attacker rebinds attack.com to the target, the browser will consider the rebound host name to be a new origin
  - Smarter pinning
    - If a host name resolved to 171.64.78.10, the client would also accept any IP beginning with 171.64.78 for that host name
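Two of the checks on this slide as an added example (my code, not the authors'): the server-side Host header check, which rejects a request whose Host header still carries the attacker's name after rebinding, and the client-side "smarter pinning" rule generalized from the slide's 171.64.78.* case to any prefix length; the host names used are constructed.

```python
"""Host header check and /24 'smarter pinning' (added example, not the paper's code)."""
import ipaddress


def host_header_ok(raw_host, expected_hosts):
    """Server-side check: accept a request only if its Host header names us.

    A browser that was rebound from the attacker's name to this server still
    sends that name in the Host header, so a strict comparison against the
    names this server actually serves rejects the rebound request.
    """
    if not raw_host:
        return False  # HTTP/1.1 requires Host; treat its absence as unexpected
    host = raw_host.strip().lower()
    # Bracketed IPv6 literals are not handled here; reject rather than mis-parse.
    if host.startswith("["):
        return False
    host = host.split(":", 1)[0].rstrip(".")  # drop an optional ":port"
    return host in {h.lower().rstrip(".") for h in expected_hosts}


def pin_accepts(pinned_ip, new_ip, prefix_len=24):
    """Client-side 'smarter pinning' from the slide.

    Once a host name has been pinned to pinned_ip, a later resolution to
    new_ip is accepted only if both lie in the same /prefix_len network
    (171.64.78.10 -> any 171.64.78.*). Caveat that follows from the rule:
    a rebinding between two addresses inside the same /24 is still accepted.
    """
    pinned = ipaddress.ip_address(pinned_ip)
    candidate = ipaddress.ip_address(new_ip)
    if pinned.version != candidate.version:
        return False
    network = ipaddress.ip_network(f"{pinned}/{prefix_len}", strict=False)
    return candidate in network


if __name__ == "__main__":
    print(host_header_ok("Intranet.corp.example:8080", {"intranet.corp.example"}))
    print(host_header_ok("attack.example", {"intranet.corp.example"}))
    print(pin_accepts("171.64.78.10", "171.64.78.200"))
    print(pin_accepts("171.64.78.10", "192.168.1.5"))
```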

Slide 13 of 15: Defense Against Rebinding (4)
- Fixing browsers (default-deny sockets)
  - Policy-based pinning
    - Browsers consult server-supplied policies to determine when it is safe to re-pin a host name from one IP to another, providing robustness without degrading security
  - Pinning pitfalls
    - Common pin database
    - Cache: objects in the cache must be retrieved by both URL and originating IP
    - document.domain = document.domain;
    - Browser vendors appear reluctant to expose such an interface, and pinning in the OS either changes the semantics of DNS for other applications

Slide 14 of 15: Defense Against Rebinding (5)
- Fixing browsers (default-allow sockets)
  - Host name authorization
  - Trusted policy providers
    - Clients and DNS resolvers can also check policy by querying a trusted policy provider
    - Trusted policy providers can greatly reduce the false positive rate
    - For host names with multiple IP addresses, only authorized IPs should be included in the result
    - ex) *.auth.ip.in-addr.arpa
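The client side of host name authorization as an added example (my code, not the authors'). The exact record layout is my assumption, following the slide's "*.auth.ip.in-addr.arpa" pattern: the client builds a name under the IP's reverse zone and keeps only the A records whose owner answers for the host name; the policy data and host names are constructed.

```python
"""Host name authorization lookup (added example; record layout is my assumption)."""
import ipaddress


def authorization_query_name(host_name, ip):
    """Name the client queries to ask whether `ip` authorizes `host_name`.

    Assumed layout, following the slide's '*.auth.ip.in-addr.arpa' pattern:
    <host name>.auth.<octets of ip reversed>.in-addr.arpa, e.g.
    www.example.com.auth.10.78.64.171.in-addr.arpa for 171.64.78.10.
    """
    addr = ipaddress.IPv4Address(ip)
    host = host_name.rstrip(".").lower()
    # IPv4Address.reverse_pointer is the standard "10.78.64.171.in-addr.arpa" form.
    return f"{host}.auth.{addr.reverse_pointer}"


def authorized_records(host_name, a_records, lookup):
    """Keep only the A records whose owner vouches for host_name.

    `lookup(qname) -> bool` stands for the query to the IP owner's reverse
    zone or to a trusted policy provider. For a host name with several IPs,
    only the authorized ones survive, as the slide requires.
    """
    return [ip for ip in a_records
            if lookup(authorization_query_name(host_name, ip))]


# Constructed policy data standing in for reverse DNS / a trusted provider:
# the owner of 171.64.78.10 vouches for www.example.com and nothing else.
CONSTRUCTED_POLICY = {"www.example.com.auth.10.78.64.171.in-addr.arpa"}


def constructed_lookup(qname):
    return qname in CONSTRUCTED_POLICY


if __name__ == "__main__":
    # A rebinding attempt mixes the target's IP into the attacker's answer;
    # the target's reverse zone does not vouch for the attacker's name, so it is dropped.
    print(authorized_records("www.example.com", ["171.64.78.10", "192.168.1.20"], constructed_lookup))
    print(authorized_records("attack.example", ["171.64.78.10"], constructed_lookup))
```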

Slide 15 of 15: Conclusion
- An attacker can exploit DNS rebinding vulnerabilities
  - Circumvent firewalls
  - Hijack IP addresses
- Propose two defense options
  - Policy-based pinning
  - Host name authorization
- Vendors and network administrators
  - Deploy these defenses quickly before attackers exploit DNS rebinding on a large scale

