Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves to an address within the target browser's organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.
Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. In a DNS binding, attack an adversary publishes content on their own server with their own name and DNS server. The first time the target accesses the adversary's content, the adversary's name must be resolved to an IP address. The adversary's DNS server performs this resolution and provides a short Time-To-Live (TTL) in order to prevent the target from caching the value. When the target makes a subsequent request to the adversary's content, the adversary's DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the named internal addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the adversary identifies, additional attacks are possible. This attack differs from pharming attacks in that the adversary is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services.
Skill or Knowledge Level: Medium
Setup DNS server and adversary's web server. Write malicious script to allow victim to connect to web server.
The adversary must serve some web content that a victim accesses initially. This content must include executable content that queries the adversary's DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The adversary also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network.
Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.
Implementation: Reject HTTP request with an malicious Host header
Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.
A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination.
This attack allows adversaries to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the adversary identifies, additional attacks are possible.
[R.275.1] Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao and Dan Boneh. "Protecting Browsers from DNS Rebinding Attacks". In Proceedings of ACM CCS 07.
More information is available — Please select a different filter.