Saturday, August 4, 2018

DNS Rebinding attacks

As we all know, DNS is used to translate domain names into IP addresses. DNS uses UDP, so it has a long history of being abused for DoS. To make matters worse, it has no authentication or encryption, so Man in the Middle (MITM) attacks are possible.

Since DNS is used every time you use the Internet, it is hard to overstate the importance of a good DNS service. Companies like OpenDNS (now Cisco Umbrella) and Quad9 (www.quad9.net) have added security features like malware detection and malicious site protection. These services are free for home use and paid for businesses.

Recently an old type of attack using DNS has become popular again - DNS Rebinding. Tripwire has a good explanation of what a DNS rebinding attack is - Practical Attacks with DNS Rebinding.

Armis.com gives this definition of DNS rebinding. See the references for the link to Armis.com's DNS Rebinding Exposes Half a Billion Devices in the Enterprise. There is also a link in the reference section to a YouTube video on how it works.

**************************************************
DNS Rebinding Attacks Explained

DNS rebinding takes advantage of a nearly decade-old flaw in web browsers that allows a remote attacker to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network. An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras) or to allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.
**************************************************

Preventing the Attack

There are several things you should do on your home network to prevent attacks:
  • Change default credentials - A lot of script-based attacks work because the default credentials were never changed.
  • Change the internal network IP address scheme - The scripts work by trying to log into common IP addresses used by network devices, like 192.168.1.1 or 192.168.0.1.
  • Disable UPnP - Universal Plug and Play can be abused by attackers. If you are a gamer, there are plenty of sites that will explain how to port forward once you turn off UPnP.
  • Update the firmware on your network devices - This is a MUST DO and is overlooked by most home users.
  • Install DD-WRT on your SOHO router - There is a link in the reference section below.
  • Use OpenDNS

Configuring OpenDNS to block rebinding attacks

I had been using Quad9 recently because it's fast, new and supports DNS over TLS along with DNSSEC, but decided to switch to OpenDNS because they offer rebinding filtering. Here is their explanation:

**************************************************
Block internal IP addresses

When enabled, DNS responses containing IP addresses listed in RFC1918 will be filtered out. This helps to prevent DNS Rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1, this option would filter out that response.

The three blocks of IP addresses filtered in responses are:

10.0.0.0     - 10.255.255.255  (10/8)
172.16.0.0   - 172.31.255.255  (172.16/12)
192.168.0.0  - 192.168.255.255 (192.168/16)
**************************************************

To take advantage of this feature you need to create an OpenDNS account at https://login.opendns.com. Once you have an account, log in and click on the Settings tab. At the bottom you will see a link "Keep your network's IP up-to-date with our free software." It says Mac and Windows, but there is a Linux client also.

When you click the link it starts the download. Once it finishes, run the program. It will ask you to log into OpenDNS. The updater will show the public IP address of your router.


Once you do that, go back to OpenDNS in the browser and click settings again. You should see the public IP address of your router listed under Add a network. Click Add This Network.



If you look at the updater now, you will see your public IP address listed. Back on the OpenDNS page, click the down arrow next to --Select a Network-- and select your network. On the dialog that opens, click on Security and put a check in the box next to "Block Internal IP addresses".




Now, if a script tries to use an RFC1918 address to spoof a domain it will get filtered by OpenDNS. This isn't a silver bullet but just one more layer of defense.

Testing the Filter

Steve Gibson of Gibson Research wrote a DNS benchmark way back in 2010 that is free and works well for benchmarking DNS performance. He also created some DNS addresses for testing rebinding. There is a link to the original 2010 podcast (episode 260) and the July 24, 2018 update in the reference section.

To test if your DNS server filters RFC1918 addresses, open a terminal or cmd window and enter the following:

nslookup net4.rebindtest.com
nslookup net10.rebindtest.com
nslookup net127.rebindtest.com
nslookup net172.rebindtest.com
nslookup net192.rebindtest.com

Below is the output before I configured the OpenDNS filter. Notice that the address returned for net172.rebindtest.com is 172.16.0.1, which would allow a malicious script to bypass the Same Origin Policy of the browser.


nslookup net172.rebindtest.com
Server:  10.208.0.1
Address: 10.208.0.1#53

Non-authoritative answer:
Name: net172.rebindtest.com
Address: 172.16.0.1
Name: net172.rebindtest.com
Address: ::ffff:172.16.0.1

Below is the output after the filter was enabled. Notice that the address returned is 146.112.61.109.


nslookup net172.rebindtest.com
Server:  127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: net172.rebindtest.com
Address: 146.112.61.109
Name: net172.rebindtest.com
Address: ::ffff:146.112.61.109

What is 146.112.61.109 you ask? You could use nslookup to find out, but I wanted to show the dig (DNS Information Groper) command. It's built into Linux/Mac and you can install it on Windows. Here is a blog I wrote on installing dig: DNS Information Groper for Windows.

146.112.61.109 is the address OpenDNS uses for hit-block.opendns.com so the filter is working!


dig -x 146.112.61.109

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> -x 146.112.61.109
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1651
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;109.61.112.146.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
109.61.112.146.in-addr.arpa. 3600 IN    PTR    hit-block.opendns.com.

;; Query time: 18 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 04 23:38:43 PDT 2018
;; MSG SIZE  rcvd: 91
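To make the filter behaviour concrete, here is an added Python example (my own illustration, not OpenDNS code and not part of the rebindtest service) that applies the three RFC1918 blocks from the "Block internal IP addresses" description above to a set of DNS answers, and audits answer sets of the kind the nslookup checks return. It unwraps IPv4-mapped IPv6 answers like ::ffff:172.16.0.1, which appear in the nslookup output above, so they get the same treatment as the plain IPv4 answer. Only the net172.rebindtest.com and badstuff.attacker.com entries come from this post; the other names and addresses in CONSTRUCTED_ANSWERS are constructed, and the live lookup at the bottom runs only when the script is executed directly.

```python
"""RFC1918 answer filter, modelled on the OpenDNS "Block internal IP addresses"
feature described above (added example, not OpenDNS's implementation)."""
import ipaddress
import socket
from typing import Dict, List

# The three blocks quoted in the OpenDNS description.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def unwrap_v4_mapped(addr: str):
    """Parse an answer address; ::ffff:a.b.c.d is returned as the IPv4 a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_rfc1918(addr: str) -> bool:
    """True if the answer lies in 10/8, 172.16/12 or 192.168/16.

    Native IPv6 answers, loopback (127/8) and link-local (169.254/16) are not
    RFC1918 space, so they return False here, exactly as the description above
    implies."""
    ip = unwrap_v4_mapped(addr)
    if ip.version != 4:
        return False
    return any(ip in block for block in RFC1918_BLOCKS)


def filter_response(answers: List[str]) -> List[str]:
    """What a filtering resolver would hand back: the answers minus RFC1918 ones."""
    return [a for a in answers if not is_rfc1918(a)]


def audit(answers_by_name: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report, per name, the RFC1918 answers an unfiltered resolver would give
    the browser. An empty result means nothing needed filtering."""
    leaked = {}
    for name, answers in answers_by_name.items():
        private = [a for a in answers if is_rfc1918(a)]
        if private:
            leaked[name] = private
    return leaked


# Constructed answer sets. The first two entries mirror values quoted in the
# post; the *.example.test names and their addresses are made up for the demo.
CONSTRUCTED_ANSWERS = {
    "net172.rebindtest.com": ["172.16.0.1", "::ffff:172.16.0.1"],
    "badstuff.attacker.com": ["192.168.1.1"],
    "loopback.example.test": ["127.0.0.1"],          # not RFC1918: passes through
    "public.example.test": ["203.0.113.10"],         # documentation range, passes
    "mixed.example.test": ["10.0.0.1", "203.0.113.10"],
}

# The five test names from the nslookup commands above.
REBINDTEST_NAMES = [
    "net4.rebindtest.com",
    "net10.rebindtest.com",
    "net127.rebindtest.com",
    "net172.rebindtest.com",
    "net192.rebindtest.com",
]


def resolve_all(name: str) -> List[str]:
    """Live lookup through the system resolver (network access; script mode only)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    print("offline audit:", audit(CONSTRUCTED_ANSWERS))
    for name in REBINDTEST_NAMES:
        try:
            answers = resolve_all(name)
        except OSError as exc:
            print(f"{name}: lookup failed ({exc})")
            continue
        verdict = "RFC1918 answer reached the client" if audit({name: answers}) else "clean"
        print(f"{name}: {answers} -> {verdict}")
```

Running it behind a resolver that does not filter, the net10, net172 and net192 names should be reported as leaking; behind OpenDNS with the option enabled they should come back clean (the 146.112.61.109 hit-block address is public and passes). Note that 127.0.0.0/8 is not part of RFC1918, so a filter that implements only the three listed blocks will not touch the net127 answer; if loopback matters to you, check that case separately.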



References
Dear developers, beware of DNS Rebinding
How DNS Rebinding Attacks Impacts The Enterprise - youtube video
Half a billion smart devices vulnerable to decade-old DNS rebinding attacks 
DNS Rebinding Exposes Half a Billion Devices in the Enterprise
DNS Rebinding - Security Now podcast from 2010. Still applicable today.
Security Now 673 - Show notes
GRC DNS Benchmark - Windows only
DNS Information Groper for Windows - How to install dig on Windows
DD-WRT
Convert code samples into HTML for blogger
