DNS rebinding is an attack on the way domain names are resolved, and threat actors use it to reach systems that the victim's browser can see but the attacker cannot. In this type of DNS attack, a malicious website makes the victim's browser run a client-side script that attacks other devices on the victim's local network.
Browsers try to prevent this with the same-origin policy, which is supposed to protect websites from each other. DNS rebinding, however, lets threat actors circumvent that policy: they trick the browser into treating network resources controlled by different entities as a single origin. In effect, the victim's browser becomes an open proxy into the victim's own network.
DNS rebinding uses the browser to relay traffic between an attacker-controlled server and a web application on an internal network. The same-origin policy (SOP) and time to live (TTL) are therefore the two concepts to explain first; together they show how DNS rebinding works.
The Same-Origin Policy
The Same-Origin Policy (SOP) is one of the browser's core security mechanisms. It governs how a document loaded from one origin may interact with resources from other origins. Two URLs have the same origin if they share the same scheme (HTTP, HTTPS, etc.), the same hostname and the same port. The IP address that the hostname resolves to is not part of the origin, and that is exactly what DNS rebinding exploits.
The SOP makes it possible to isolate potentially malicious documents from each other. For example, it stops a malicious website's JavaScript from reading data from a webmail service the user forgot to log out of: the script may send a request, but the browser will not let it read the response.
The Time to Live (TTL)
Time to Live (TTL) is the period, measured in seconds, for which a DNS record may be cached before a resolver has to query the authoritative name server again. The value is set by the operator of the authoritative name server, which in a rebinding attack is the attacker.
How Does a DNS Rebinding Attack Work
- Registering a domain – The threat actor registers a domain name (malicious.com in this example) and later uses phishing, malvertising or compromised websites to lure victims into visiting it.
- DNS delegation – The attacker configures malicious.com so that resolution is delegated to an authoritative DNS server they control. This lets them hand out whatever answer they like, and change it between queries.
- DNS resolution – The victim's browser asks its resolver for malicious.com. The resolver follows the delegation, and the query ends up at the attacker's name server.
- First answer – The attacker's name server answers with the public IP address of the attacker's web server, so the page loads like any other website. That page carries the malicious JavaScript.
- Setting a short TTL – The first answer has a very short TTL (often 0 or 1 second), so that neither the victim's browser nor any intermediate resolver keeps it cached for long.
- Rebinding response – After the TTL expires, the script on the page makes another request to malicious.com. The browser resolves the name again, and this time the attacker's name server answers with an IP address inside the victim's network, for example the router at 192.168.1.1 or a service listening on 127.0.0.1.
- The breach – To the browser, both requests go to the same origin (http://malicious.com), so the SOP raises no objection and the script is allowed to read the responses. No browser vulnerability is needed: the script is now talking to the internal device as if it were the attacker's own site, and can interact with any service there that does not check the Host header or require authentication.
- The result – From there on, the attacker can collect and exfiltrate sensitive data from the victim's network, change device configuration, or gain control over vulnerable devices or systems, all relayed through the victim's browser.
DNS Rebinding Risks and Vulnerabilities
A successful DNS rebinding attack usually relies on a combination of weaknesses:
- Internal or local services that accept requests without authentication, or that listen on all interfaces when they only need to listen on localhost,
- Absence of hostname (Host header) validation, so a service answers a request addressed to malicious.com as if it were addressed to itself,
- Default or misconfigured DNS settings, in particular resolvers that accept answers mapping a public name to a private IP address,
- Browsers or plugins that honor very short TTLs and re-resolve a name mid-session (the SOP is not broken here, it is simply blind to the address change), and any script injection flaw such as XSS on a trusted page that lets the attacker run the rebinding script from a site the user already trusts.
Threat actors first used DNS rebinding against vulnerable IoT devices, but lately they have been using the technique against corporate networks too. Two main types of attack result from exploiting DNS rebinding vulnerabilities.
Firewall Circumvention
In this case, the threat actor leverages DNS rebinding to reach endpoints behind the victim's firewall. Because the requests originate from a browser inside the perimeter, the firewall never sees an inbound connection, and the attacker can spider the organization's intranet and gain access to sensitive documents.
Compromising unpatched devices is another risk. Internal services are often patched late, or not at all, because they are assumed to be unreachable from the internet; rebinding removes that assumption. This is why medium and large organizations use automated patching to stop attackers from exploiting known vulnerabilities on internal hosts as well as external ones.
Firewall circumvention also enables threat actors to abuse internal open services. Through the browser the attacker can issue HTTP requests to those services; if a plugin or an overly permissive browser lets the script read and write arbitrary sockets, the attacker can speak other protocols as well, and collect and exfiltrate data from internally shared documents.
IP Hijacking
Here the attacker uses rebinding to reach public servers from the client's IP address. For the attack to succeed, the client first has to load some active content (the attacker's page and its script). After that, the attacker's code can communicate with any host the client can reach, and those hosts see the client's address rather than the attacker's.
Click fraud is not a cyberattack in the usual sense, but it is an illegitimate activity that can leverage DNS rebinding. Dishonest publishers can use it to generate fake clicks from many unrelated client addresses and present a more flattering report to their advertisers.
Mail servers usually blacklist IP addresses reported for sending spam. So, to keep an email phishing campaign going, malicious actors hijack clients' IP addresses to avoid the block.
Additionally, malicious actors can use a hijacked IP address as a proxy when attempting to gain unauthorized access to a computer system. This frustrates the victim organization's forensic efforts: security analysts will see the attack coming from the hijacked address, so the logs implicate the client rather than the threat actor.
How to Prevent a DNS Rebinding Attack?
Safeguarding a company's assets and network remains a complicated challenge because of the extremely dynamic threat landscape SOC teams confront. DNS-layer security and proper DNS configuration are therefore critical steps in any defense strategy.
Some of the best practices that prevent malicious actors from using DNS rebinding techniques against your company are:
Prevent firewall circumvention
Configure your resolver to refuse answers that map external hostnames to internal (RFC 1918, loopback, link-local) IP addresses, and enforce traffic filtering between client networks and sensitive internal services. Most resolvers can do this out of the box: dnsmasq has the --stop-dns-rebind option and Unbound the private-address directive.
Implement DNS pinning
DNS pinning means the browser keeps using the IP address it first resolved for a hostname, either for the whole session or for a fixed minimum period, no matter what TTL the DNS record carries. Early browsers pinned strictly; Chrome and Firefox today cache resolved addresses for roughly a minute regardless of the TTL, which mitigates but does not eliminate rebinding, since the attacker's script can simply wait for that period to elapse before rebinding. Pinning is a client-side speed bump, not a substitute for validating the Host header on the server.
Validate input
Validate and sanitize input on both the client and the server to avoid injection attacks: filter potentially malicious characters, enforce an input format and use an allow-list of approved values. For DNS rebinding specifically, the input that matters most is the HTTP Host header. A service should reject any request whose Host header is not one of the names or addresses it is meant to be reached under; after a rebind the Host header still says malicious.com, so this single check defeats the attack regardless of what the resolver or browser did.
Implement network segmentation
Create separate segments inside your network and apply Zero Trust Network Access (ZTNA) policies. The rebinding script can only reach what the victim's browser can reach, so in the case of a successful attack the impact is limited to the initially compromised network segment.
Never miss a patch
Threat actors are constantly scanning for vulnerabilities, so patch your DNS server, web browsers and other assets in a timely manner, including internal-only services that you might otherwise consider unreachable.
Know your DNS resolver
Use only a DNS resolver that is configured to detect and block DNS rebinding, that is, one that filters private addresses out of answers for public names. DNS response validation and DNSSEC are must-haves as well, with one caveat: DNSSEC alone does not stop rebinding, because the attacker controls their own zone and can sign the rebinding answers perfectly well.
Use rate limiting mechanisms
Enforce rate limiting to avoid excessive DNS queries from a single IP or domain. An unexpectedly high volume of queries for one name with a near-zero TTL is a common signature of rebinding attempts and of attacker activity in general.
Heimdal®`s Solution for DNS Security
Heimdal’s DNS Security – Network offers companies robust protection against various DNS attacks, including rebinding. Its comprehensive set of features and capabilities also makes it compatible with existing security solutions, so it is easy to integrate into your environment without disruption.
The Heimdal solution prevents DNS rebinding attacks through its revolutionary DNS filtering engine, DarkLayer Guard®. It intercepts DNS queries, analyzes data packets, and blocks connections exhibiting suspicious behavior.
Additionally, the product's VectorN Detection® component uses machine learning to identify compromise patterns. Apart from DNS hijacking detection and network traffic visibility, it offers AI-based threat prediction. This way, it is able to detect and block domains that other engines did not yet mark as malicious, with an accuracy of 96%.
Furthermore, for an enhanced level of security and privacy, Heimdal DNS Security Network also supports DNS over HTTPS (DoH).
Heimdal® Network DNS Security
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPS protection, HIPS and HIDS;