DNS rebinding, an attack technique first described in the mid-1990s, continues to pose a major threat to businesses because the available defenses are unevenly deployed and the exploitation techniques keep being updated. The attack typically involves luring an unsuspecting user to a malicious website whose hostname the attacker's own authoritative DNS server first resolves to the attacker's public IP address with a very short time-to-live (TTL). Script on the page then keeps issuing requests to the same hostname; when the browser re-resolves the name, the attacker's DNS server answers with an internal network IP address instead. Because the hostname has not changed, the browser's same-origin policy treats the replies as coming from the attacker's own origin, so the attacker's script can read them. This enables the attacker to use the victim's browser to send requests to servers and devices on the internal network, leaving the attack surface of internal web applications exposed to malicious sites.
Although various defenses have been developed against DNS rebinding, including DNS pinning in the browser (caching a hostname's resolved address for a fixed period so that the Same-Origin Policy is enforced against a stable address) and filtering of DNS responses by the targeted user's resolver to catch public names that suddenly resolve to internal addresses, they can still be bypassed under certain circumstances. For example, NCC Group found that rebinding a hostname to the address 0.0.0.0 reaches services listening on the loopback interface of Linux and macOS systems, because those kernels deliver connections to 0.0.0.0 to the local host while the browser's Local Network Access protections did not treat that address as local, so the protections were bypassed.
While DNS rebinding attacks are not often seen in the wild, and companies hesitate to break internal applications whose developers often rely on being able to handle cross-origin requests, many web applications remain vulnerable to the attack. Moreover, attackers are actively exploiting the technique: Palo Alto Networks noted that seven DNS rebinding-related CVEs were published in 2021 and nine in 2022. It was also found that attackers could use DNS rebinding to gain access to credential data and resources hosted on the internal networks of targeted businesses.
One approach to mitigating this is for web application developers to serve their applications over HTTPS. A rebound connection then fails during the TLS handshake, because the internal server cannot present a certificate valid for the attacker's hostname, so the browser never delivers the request to the application. However, since this depends on individual developers, it is not scalable. Hence, companies can help bolster their defenses by using DNS services that detect the attack and that also help remote employees protect their at-home environments.
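Where an internal application still speaks plain HTTP, the application itself can refuse rebound requests: in a rebinding attack the browser believes it is still talking to the attacker's site, so the Host header carries the attacker's domain rather than one of the application's own names. The following is an added example of that server-side check, not code from the article or from any product; the allowlist `ALLOWED_HOSTS`, the name `wiki.corp.example` and the port are hypothetical.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical names under which this intranet app is legitimately reached.
# Add IP literals only if users are expected to browse to the app by address.
ALLOWED_HOSTS = frozenset({"wiki.corp.example", "localhost", "127.0.0.1", "[::1]"})


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """Return True only if the Host header names this application.

    A rebound request arrives with the attacker's hostname (e.g. attacker.example)
    because the browser thinks it is still talking to that site, so an allowlist
    of our own names rejects it no matter which internal IP the request reached.
    """
    if not host_header:
        return False                      # HTTP/1.1 requires Host; treat absence as hostile
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, optionally followed by :port
        end = host.find("]")
        if end < 0:
            return False
        tail = host[end + 1:]
        if tail and not tail.startswith(":"):
            return False
        host = host[:end + 1]
    else:
        host = host.split(":", 1)[0]      # drop ":port"
    host = host.rstrip(".")               # "wiki.corp.example." is the same name
    return host in allowed


class RebindingAwareHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this server is not authoritative for that name.
            self.send_error(421, "Misdirected Request")
            return
        body = b"internal wiki: hello\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Try: curl -H 'Host: attacker.example' http://127.0.0.1:8080/   -> 421
    #      curl -H 'Host: wiki.corp.example' http://127.0.0.1:8080/  -> 200
    HTTPServer(("127.0.0.1", 8080), RebindingAwareHandler).serve_forever()
```

If the application sits behind a reverse proxy, the proxy must either perform this check itself or pass the original Host header through unchanged; a proxy that rewrites Host to the backend's name silently disables the defense.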
According to Zhanhao Chen, a principal researcher for network security at Palo Alto Networks, “In the real world, the attacker can build a website with a DNS rebinding script and trick the victim to open it in their browser…Once the malicious website is open on an employee’s browser, the attacker can manipulate or steal information from internal web applications that are vulnerable.”
Every browser does some form of DNS pinning: once a hostname has been resolved, the browser keeps using that address for a set period regardless of the record's TTL, so the attacker has to keep the victim on the malicious page until the pin expires before the rebinding takes effect. In addition, DNS-based security services such as Cisco's Umbrella apply suspicious-response filters that block anomalous changes in DNS data, for example a public hostname that suddenly resolves to a private or loopback address, which identifies potential attacks and stops them.
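The resolver-side filter described above, as an added example that is not Cisco Umbrella's or any vendor's code: it drops A and AAAA answers that map a name to an internal, loopback, link-local or "this host" address, including the 0.0.0.0 case and IPv4-mapped IPv6 forms, unless the name is on an explicit allowlist. The answer records are assumed to arrive already parsed as (type, rdata, ttl) tuples, and the sample responses for `attacker.example` are constructed.

```python
import ipaddress

# Ranges a name resolved over the public Internet should not legitimately map to.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this host"; Linux and macOS deliver it to loopback
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, including cloud metadata endpoints
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def canonical_ip(rdata: str):
    """Parse A/AAAA rdata; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4."""
    ip = ipaddress.ip_address(rdata)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal(rdata: str) -> bool:
    """True if the address falls in any range an external name should never resolve to."""
    ip = canonical_ip(rdata)
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_response(qname: str, answers, allowlist=frozenset()):
    """Split the answers for qname into (kept, dropped).

    Records other than A/AAAA pass through untouched. Names on the allowlist
    (intranet zones that legitimately publish private addresses) are never filtered.
    """
    name = qname.rstrip(".").lower()
    kept, dropped = [], []
    for rtype, rdata, ttl in answers:
        if rtype in ("A", "AAAA") and name not in allowlist and is_internal(rdata):
            dropped.append((rtype, rdata, ttl))
        else:
            kept.append((rtype, rdata, ttl))
    return kept, dropped


# Constructed sample: the two answers an attacker's DNS server returns in sequence.
FIRST_RESPONSE = [("A", "203.0.113.10", 1)]                                  # public IP, TTL 1s
REBOUND_RESPONSE = [("A", "0.0.0.0", 1), ("AAAA", "::ffff:10.0.0.5", 1)]     # internal targets

if __name__ == "__main__":
    for label, answers in (("first", FIRST_RESPONSE), ("rebound", REBOUND_RESPONSE)):
        kept, dropped = filter_response("attacker.example.", answers)
        print(f"{label}: kept={kept} dropped={dropped}")
```

The allowlist matters in practice: some development tools and internal zones deliberately publish names that resolve to 127.0.0.1 or RFC 1918 space, and a filter without exceptions will break them before it catches an attacker.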
Despite the various available defenses, DNS rebinding attacks continue to pose a significant threat to businesses. As such, organizations must continually educate their staff to spot and avoid such attacks and have the necessary measures and tools in place to detect and respond to them effectively.