ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Protecting browsers from DNS rebinding attacks
Full text PdfPdf (670 KB)
Source
ACM Transactions on the Web (TWEB) archive
Volume 3 ,  Issue 1  (January 2009) table of contents
Article No. 2  
Year of Publication: 2009
ISSN:1559-1131
Authors
Collin Jackson  Stanford University, Stanford, CA
Adam Barth  Stanford University, Stanford, CA
Andrew Bortz  Stanford University, Stanford, CA
Weidong Shao  Stanford University, Stanford, CA
Dan Boneh  Stanford University, Stanford, CA
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 53,   Downloads (12 Months): 458,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1462148.1462150
What is a DOI?

ABSTRACT

DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than $100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Adobe. 2006. Adobe Flash Player 9 security. http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf.
 
2
Adobe. 2008. Flash Player penetration. http://www.adobe.com/products/player_census/flash- player/.
 
3
Alexa. 2007. Top sites. http://www.alexa.com/site/ds/top_sites?ts_mode=global.
 
4
Anvil, K. 2007. Anti-DNS pinning + socket in flash. http://www.jumperz.net/.
 
5
Arends, R., Austein, R., Larson, M., Massey, D., and Rose, S. 2005. DNS security introduction and requirements. RFC 4033.
 
6
Bortz, A., Barth, A., and Jackson, C. 2007. Google dnswall. http://code.google.com/p/google-dnswall/.
 
7
Cheshire, S., Aboba, B., and Guttman, E. 2005. Dynamic configuration of IPv4 link-local addresses. IETF RFC 3927.
 
8
Bill Cheswick , Steven M. Bellovin, A DNS filter and switch for packet-filtering gateways, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.2-2, July 22-25, 1996, San Jose, California
 
9
Neil Daswani , Michael Stoppelman, The anatomy of Clickbot.A, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.11-11, April 10, 2007, Cambridge, MA
 
10
D. Dean , Felten , Wallach, Java Security: From HotJava to Netscape and Beyond, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.190, May 06-08, 1996
 
11
Edwards, D. 2005. Your MOMA knows best. http://xooglers.blogspot.com/2005/12/your-moma-knows-best.html.
 
12
Fainelli, F. 2008. The OpenWrt embedded development framework. In Free and Open Source Software Developers' European Meeting.
 
13
Kevin Fenzi , Dave Wreski, Linux Security Howto, iUniverse, Incorporated, 2000
 
14
R. Fielding , J. Gettys , J. Mogul , H. Frystyk , L. Masinter , P. Leach , T. Berners-Lee, Hypertext Transfer Protocol -- HTTP/1.1, RFC Editor, 1999
 
15
Fisher, D. 2007. Personal communication.
 
16
Fisher, D. et al. 2003. Problems with new DNS cache (“pinning” forever). https://bugzilla.mozilla.org/show_bug.cgi?id=162871.
 
17
Gajek, S., Schwenk, J., and Xuan, C. 2008. On the insecurity of Microsoft's identity metasystem. Tech. Rep. HGI-TR-2008-003, Horst Görtz Institute for IT Security, Ruhr University Bochum. May. http://demo.nds.rub.de/cardspace/.
 
18
Goodin, D. 2005. Calif. man pleads guilty to felony hacking. Assoc. Press.
 
19
Gottschall, S. et al. 2008. Dd-wrt (version 24). http://www.dd-wrt.com/.
 
20
Grimm, S. et al. 2002. Setting document.domain doesn't match an implicit parent domain. https://bugzilla.mozilla.org/show_bug.cgi?id=183143.
 
21
Grossman, J. and Niedzialkowski, T. 2006. Hacking intranet Websites from the outside: JavaScript malware just got a lot more dangerous. In Blackhat USA. Invited talk.
 
22
Haupt, E. 2008. dnswall FreeBSD port. http://www.freebsd.org/cgi/cvsweb.cgi/ports/dns/dnswall/.
 
23
R. Hinden , S. Deering, Internet Protocol Version 6 (IPv6) Addressing Architecture, RFC Editor, 2003
 
24
Hinden, R. and Haberman, B. 2005. Unique local IPv6 unicast addresses. IETF RFC 4193.
 
25
Jackson, C. and Barth, A. 2008. Beware of finer-grained origins. In Web 2.0 Security and Privacy.
 
26
Johns, M. 2006. (Somewhat) breaking the same-origin policy by undermining DNS pinning. http://shampoo.antville.org/stories/1451301/.
 
27
Martin Johns , Justus Winter, Protecting the Intranet Against "JavaScript Malware" and Related Attacks, Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, July 12-13, 2007, Lucerne, Switzerland  [doi>10.1007/978-3-540-73614-1_3]
28
Chris Karlof , Umesh Shankar , J. D. Tygar , David Wagner, Dynamic pharming attacks and locked same-origin policies for web browsers, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315254]
 
29
Kelley, S. 2008. Dnsmasq (version 2.41). http://www.thekelleys.org.uk/dnsmasq/doc.html.
 
30
Klein, A. 2006. Host header cannot be trusted as an anti anti DNS-pinning measure. http://www.securityfocus.com/archive/1/445490.
31
V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180434]
 
32
Maone, G. 2007a. DNS spoofing/pinning. http://sla.ckers.org/forum/read.php?6,4511,14500.
 
33
Maone, G. 2007b. NoScript. http://noscript.net/.
 
34
Megacz, A. 2002. XWT Foundation security advisory. http://www.megacz.com/research/sop.txt.
 
35
Megacz, A. and Meketa, D. 2003. X-RequestOrigin. http://www.xwt.org/x-requestorigin.txt.
 
36
D. Meyer, Administratively Scoped IP Multicast, RFC Editor, 1998
 
37
Microsoft. 2004. Microsoft Web enterprise portal. http://www.microsoft.com/technet/itshowcase/content/MSWebTWP.mspx.
 
38
Microsoft. 2008. Socket class (System.Net.Sockets). http://msdn.microsoft.com/en-us/library/system.net.sockets.socket(VS.95).aspx.
 
39
Mitre. 2007a. CVE-2007-5273.
 
40
Mitre. 2007b. CVE-2007-5274.
 
41
Mitre. 2007c. CVE-2007-5275.
 
42
Mitre. 2007d. CVE-2007-6244.
 
43
Mitre. 2008. CVE-2008-1192.
 
44
P. V. Mockapetris, Domain names - implementation and specification, RFC Editor, 1987
 
45
Nuuja, C. 2007. Personal communication.
 
46
Ollmann, G. 2005. The pharming guide. http://www.ngssoftware.com/papers/ThePharmingGuide. pdf.
 
47
Y. Rekhter , B. Moskowitz , D. Karrenberg , G. J. de Groot , E. Lear, Address Allocation for Private Internets, RFC Editor, 1996
 
48
Reynolds, J. and Postel, J. 1994. Assigned numbers. IETF RFC 1700.
 
49
Roskind, J. 2001. Attacks against the Netscape browser. In RSA Conference. Invited talk.
 
50
Ross, D. 2007. Notes on DNS pinning. http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns-pinning.aspx.
 
51
Ruderman, J. 2001. JavaScript security: Same origin. http://www.mozilla.org/projects/security/components/same-origin.html.
 
52
Soref, J. 2003. DNS: Spoofing and pinning. http://viper.haque.net/~timeless/blog/11/.
 
53
Spamhaus. 2007. The Spamhaus block list. http://www.spamhaus.org/sbl/.
 
54
Stamm, S., Ramzan, Z., and Jakobsson, M. 2006. Drive-By pharming. Tech. Rep. 641, Computer Science Department, Indiana University. December.
 
55
Topf, J. 2001. HTML form protocol attack. http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.
 
56
Veditz, D. et al. 2002. Document.domain abused to access hosts behind firewall. https://bugzilla.mozilla.org/show_bug.cgi?id=154930.
 
57
Warner, B. 2004. Home PCs rented out in sabotage-for-hire racket. Reuters.
 
58
Winter, J. and Johns, M. 2007. LocalRodeo: Client-Side protection against JavaScript Malware. http://databasement.net/labs/localrodeo/.

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Design, Experimentation, Security


Keywords:
DNS, Same-origin policy, click fraud, firewall, spam

Collaborative Colleagues:
Collin Jackson: colleagues
Adam Barth: colleagues
Andrew Bortz: colleagues
Weidong Shao: colleagues
Dan Boneh: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player