DNS rebinding attack

DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious Web page to gain control of the victim's router. The attack works on widely-used routers such as D-Link and Linksys and could, in fact, target any device that uses a default password and Web-based administration.

Dan Kaminsky, director of penetration testing at IOActive, demonstrated the DNS rebinding technique at an RSA conference in April 2008. Kaminsky spent a year researching ways that attackers could exploit aspects of the DNS (domain name system) to circumvent a firewall. Prior to Kaminsky's demonstration, DNS rebinding was considered only theoretically possible. According to Kaminsky, the problem is not with the routers themselves; it is enabled by a "core browser bug." DNS rebinding attacks can also exploit browser plug-ins, such as Flash, Java and Silverlight, that permit direct socket access back to their origins.

Here's a simplified example of how a DNS rebinding exploit might work:
The user is lured to or accidentally visits the attacker's Web site. When a default password is detected and determined, JavaScript coding tricks the user's browser into altering details on the router administration page. Changes made might enable the attacker to administer the device remotely and, as a result, control the owner's Internet communications. Among other possibilities, the attacker could access sensitive data on the network or use the connection to send spam.

As of early April 2008, there have been no reports of actual DNS rebinding attacks. However, the potential for such an attack to occur soon is considerable because very few home users change the default passwords on their routers.

This was last updated in April 2008

Continue Reading About DNS rebinding attack

Dig Deeper on Threats and vulnerabilities