Computer attackers may use many techniques to gain access to secure computing systems. One method used by hackers is known as domain-name rebinding. In a domain-name rebinding attack, an attacker may subvert the same-origin policy implemented by a browser in order to gain access to sensitive information and secured servers.
Domain-name rebinding attacks may be relatively simple to implement. The attacker may register a domain delegated to a Domain Name System (DNS) server controlled by the attacker. The attacker may configure the DNS server to respond to DNS queries with relatively short Time To Live (TTL) values. In response to a first DNS query, the DNS server may provide the Internet Protocol (IP) address of a malicious server. After the cache entry (which may have a short time to live) expires, the browser may send a second DNS query to refresh its cache. In response to the second query, the DNS server may provide the IP address of a secure system that the attacker desires to access.
One example of how DNS rebinding may be implemented is in the context of a web page with multiple frames. First, an attacker may attract a user to direct a browser to the attacker's domain. The attacker may use advertisements, e-mails, or various other tactics to draw the user to the attacker's domain. The attacker's DNS server may respond to a first DNS query with an IP address of a server controlled by the attacker. After a cached record containing the first IP address expires, the browser may send a second DNS query to the attacker's DNS server, and the DNS server may respond to the second DNS query with an IP address of a legitimate server, such as a bank's server.
As a result of the DNS rebinding, a first frame in the web page may originate from the attacker's server, and a second frame may originate from the bank's server. The frame originating from the attacker's server may be hidden from the user, such that the user only sees the frame originating from the bank. The bank's actual website may be rendered in the browser, so the user may have no reason to doubt that the page was sent by the bank. In fact, the bank's site-key technology might even be deployed and function normally through the browser. Because both frames were loaded under the attacker's domain name, the browser may not recognize that the malicious frame and the bank's frame originate from different servers. Thus, the attacker may have subverted the same-origin policy of the browser. The attacker's frame may monitor the bank's frame for user keystroke events and may obtain other sensitive information from the bank's website.
One technique that attempts to prevent DNS rebinding attacks is known as DNS pinning. In DNS pinning, a browser may be programmed to ignore the TTL value provided in response to DNS queries. The TTL value may be overridden by a longer TTL value (e.g., a ten minute TTL value). In some situations, the longer TTL value may keep the browser from sending a second DNS query and may therefore be able to keep attackers from performing DNS rebinding.
Attackers have found ways to work around DNS pinning technologies. For example, an attacker's web page may make a request to a non-existent port of the attacker's domain. When that connection fails, the browser may attempt to refresh its DNS cache by sending out another DNS query. This may allow the attacker to perform DNS rebinding and refresh the DNS cache with the IP address of a different server (replacing the attacker's server IP address with the IP address of a trusted domain). What is needed, therefore, is more robust protection against DNS rebinding attacks.
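The pinning defense and the cache-refresh bypass described above, as an added example that is not part of the original text: a client-side resolver cache that raises every answer's TTL to a ten-minute floor, refuses to re-query on a forced refresh while the pin is live, and records the old and new address whenever a name changes servers after the pin expires, so a defender has something to log or alert on. The upstream `lookup` callable and the hostname and addresses in `demo()` are constructed for illustration.

```python
import time

PIN_TTL = 600.0  # the ten-minute override mentioned above, applied as a floor on every answer


class PinnedResolver:
    """Client-side cache that raises short TTLs to PIN_TTL and records address changes."""

    def __init__(self, lookup, now=time.monotonic):
        # lookup is a hypothetical upstream callable: hostname -> (ip, ttl_seconds)
        self.lookup = lookup
        self.now = now
        self.cache = {}          # hostname -> (ip, clock reading after which re-query is allowed)
        self.rebind_events = []  # (host, old_ip, new_ip) for a defender to log or alert on

    def resolve(self, host):
        rec = self.cache.get(host)
        if rec is not None and self.now() < rec[1]:
            return rec[0]  # pinned: the short upstream TTL is ignored
        ip, ttl = self.lookup(host)
        if rec is not None and rec[0] != ip:
            # the name now points at a different server: the change a rebinding attack relies on
            self.rebind_events.append((host, rec[0], ip))
        self.cache[host] = (ip, self.now() + max(float(ttl), PIN_TTL))
        return ip

    def refresh(self, host):
        """Forced refresh, e.g. after a failed connection to a closed port. While the pin
        is live it returns the pinned address instead of re-querying, so the cache-refresh
        bypass described above does not shorten the pin."""
        rec = self.cache.get(host)
        if rec is not None and self.now() < rec[1]:
            return rec[0]
        return self.resolve(host)


def demo():
    # constructed answers: attacker's server first, then a legitimate server, each with a 1 s TTL
    answers = iter([("203.0.113.5", 1), ("198.51.100.7", 1)])
    clock = [0.0]
    r = PinnedResolver(lambda host: next(answers), now=lambda: clock[0])
    first = r.resolve("attacker.example")
    clock[0] = 5.0          # upstream TTL has expired, the pin has not
    still_pinned = r.refresh("attacker.example")
    clock[0] = PIN_TTL + 1  # pin expired, a second query is allowed and the change is recorded
    second = r.resolve("attacker.example")
    return first, still_pinned, second, list(r.rebind_events)
```

The forced refresh at five seconds returns the pinned address without consuming a second upstream answer; only after the pin expires does the name move to the second server, and that move is what ends up in `rebind_events`.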