[SecTor Review] Black Ops 2007: DNS Rebinding Attacks
SecTor Day #2
Speaker: Dan Kaminsky
Presentation (ppt)
Audio (wmv)
This was the first talk I attended on day 2. Dan demonstrated DNS Rebinding attacks and how they can be dangerous to internal networks. The talk was filled with technical data and live demos.
While the demo had been set up in advance, it was nice to see how quickly and efficiently the attack could be pulled off if you were prepared.
One interesting event occurred when another speaker (who had presented on DNSSEC) argued that DNSSEC is the solution to this problem. Kaminsky was able to make short work of the individual and put him in his place... even though he attempted to persist with his argument. (DNSSEC only proves that an answer is the one the zone owner published; the attacker owns the rebinding zone and signs it legitimately, so a validated answer pointing at an internal address is still a valid rebind.)
There are solutions to some forms of DNS rebinding; unfortunately they could take years to deploy, if they were ever implemented at all.
The first would be to change resolvers so that they refuse answers from external authoritative servers that contain RFC 1918 (private) addresses.
Another would be to give DNS its own version of the three-way handshake. After resolving the name to an IP, the resolver, rather than passing the address straight to the client, performs a reverse lookup on that IP, ignoring anything already in its cache, and only returns the answer if the PTR record confirms the original name. Sure this increases the load on servers, but I'm fairly certain they'd be able to handle it... The problem that can occur here is with virtual hosts, and unfortunately they are becoming more and more common: the check needs every virtual host name to come back when the IP is reverse-resolved, and that doesn't seem likely.
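A worked version of that reverse-confirmation check, added here as an example (it is not code from the talk or from the original post). The forward and reverse zone data are constructed in-memory tables standing in for real lookups, and the function names are this example's own; the last pair of names shows the virtual-host problem the paragraph describes.

```python
# Forward-confirmed reverse DNS as a rebinding check (added example; the
# zone tables below are constructed stand-ins for real DNS lookups).

# Constructed forward zone: name -> A records an authoritative server returned.
FORWARD = {
    "static.example.net": ["203.0.113.10"],
    # attacker's name: first answer is external, the rebind answer is internal
    "evil.example.org": ["198.51.100.7", "192.168.1.20"],
    # two virtual hosts on one address; the PTR can only name one of them
    "shop.example.com": ["203.0.113.50"],
    "blog.example.com": ["203.0.113.50"],
}

# Constructed reverse zone: address -> PTR targets.
REVERSE = {
    "203.0.113.10": ["static.example.net"],
    "198.51.100.7": ["evil.example.org"],
    "192.168.1.20": ["printer.corp.internal"],  # real owner of the internal address
    "203.0.113.50": ["shop.example.com"],
}


def resolve_forward(name, zone=FORWARD):
    """Stand-in for the forward lookup; returns the A records for `name`."""
    return list(zone.get(name, []))


def resolve_reverse(addr, zone=REVERSE):
    """Stand-in for the PTR lookup; done fresh, never from the answer cache."""
    return list(zone.get(addr, []))


def confirmed_answers(name, forward=FORWARD, reverse=REVERSE):
    """Keep only the addresses whose PTR points back at `name`.

    Returns (kept, rejected); `rejected` maps each dropped address to the
    PTR names it did return, so an operator can see why it was dropped.
    """
    kept, rejected = [], {}
    for addr in resolve_forward(name, forward):
        ptrs = resolve_reverse(addr, reverse)
        if name in ptrs:
            kept.append(addr)
        else:
            rejected[addr] = ptrs
    return kept, rejected


if __name__ == "__main__":
    for qname in ("static.example.net", "evil.example.org", "blog.example.com"):
        print(qname, confirmed_answers(qname))
```

The internal rebind (192.168.1.20) is rejected because the reverse zone for that address belongs to the victim's network, not the attacker, so the PTR names the printer rather than evil.example.org. The attacker does control the reverse zone for their own external addresses, so the check does nothing against an external-to-external rebind, and blog.example.com is lost entirely because the shared address's single PTR names only shop.example.com.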
Right now, the most effective step you can take is to have firewall rules at the border of your network that either drop DNS responses carrying internal IPs or rewrite them on the fly. This doesn't, however, stop an attacker from rebinding to a different external IP.
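The border rule above, and the resolver-side refusal of private addresses mentioned earlier, come down to the same decision on each answer. The following is an added example of that decision, not code from the post or the talk; the sample answers are constructed, the `extra_networks` parameter (for a site's own public ranges) is this example's assumption, and the function names are its own. The last sample answer is the external-to-external rebind the rule cannot catch.

```python
# Border/resolver filter for DNS answers that point into internal address
# space (added example, not code from the post or the talk; the sample
# answers are constructed).
import ipaddress

# Ranges an answer from an outside server should never legitimately carry:
# RFC 1918 private space, loopback, link-local, "this network", and the
# IPv6 loopback, unique-local and link-local equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr, extra_networks=()):
    """True if `addr` falls in a blocked range or in `extra_networks`.

    `extra_networks` (CIDR strings) covers ranges specific to one site,
    e.g. its own public DMZ block; that parameter is this example's idea.
    """
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.5) targets the IPv4 host,
    # so unwrap it before applying the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    nets = BLOCKED_NETWORKS + [ipaddress.ip_network(n) for n in extra_networks]
    # `in` is False across address families, so a mixed list is safe.
    return any(ip in net for net in nets)


def filter_answers(answers, extra_networks=(), sinkhole=None):
    """Apply the border rule to a list of (name, address) answers.

    With sinkhole=None, offending answers are dropped; with a sinkhole
    address they are rewritten to it (the "rewrite on the fly" variant).
    Returns (kept, dropped); `dropped` lists the original offending answers.
    """
    kept, dropped = [], []
    for name, addr in answers:
        if is_internal(addr, extra_networks):
            dropped.append((name, addr))
            if sinkhole is not None:
                kept.append((name, sinkhole))
        else:
            kept.append((name, addr))
    return kept, dropped


# Constructed answers as an external authoritative server might return them.
SAMPLE_ANSWERS = [
    ("cdn.example.net", "203.0.113.10"),
    ("evil.example.org", "192.168.1.20"),     # rebind into RFC 1918 space
    ("evil.example.org", "127.0.0.1"),        # rebind to loopback
    ("evil.example.org", "::ffff:10.0.0.5"),  # same target via IPv4-mapped IPv6
    ("evil.example.org", "198.51.100.7"),     # rebind to another *external* IP
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    print("kept:", kept)
    print("dropped:", dropped)
```

The same rule exists in production resolvers: dnsmasq's `stop-dns-rebind` option and unbound's `private-address:` directive both discard upstream answers in the listed ranges. Two caveats apply either way: the rule only protects clients that actually resolve through the filtered path, and, as the last sample answer shows, an answer that rebinds to some other public address passes untouched.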
For more information on DNS rebinding, there's a great paper available from a team at Stanford CS on the subject: "Protecting Browsers from DNS Rebinding Attacks" (Jackson, Barth, Bortz, Shao and Boneh, 2007).