Re: [AC] Hardening against DNS rebinding attacks - proposal

[Thomas Roessler]

On 2008-06-27 14:18:12 -0700, Jonas Sicking wrote:

 When a preflight OPTIONS request is made, store in the cache what
 IP address was used to make the request. When a subsequent
 non-GET is made, check what IP address the DNS name resolves to,
 and if the IP address is not the same as the one used for the
 OPTIONS request, re-do the preflight OPTIONS check.

This sounds like it will lead into an endless loop of OPTIONS
requests for sites that deploy round-robin DNS.

On 2008-06-28 14:33:33 -0700, Jonas Sicking wrote:

 This is technically not DNS pinning. 

I'd guess that DNS pinning will work significantly better than
what's proposed above.

-- 
Thomas Roessler, W3C  [EMAIL PROTECTED]

Re: [AC] Hardening against DNS rebinding attacks - proposal

[Jonas Sicking]

Maciej Stachowiak wrote:



On Jun 28, 2008, at 2:33 PM, Jonas Sicking wrote:


Maciej Stachowiak wrote:

On Jun 27, 2008, at 2:18 PM, Jonas Sicking wrote:
What is the threat model this defends against? Since any server using 
Access-Control that does not check HOST is vulnerable to a 
conventional XHR DNS rebinding attack. If browsers provide defense 
against DNS rebinding through some form of DNS pinning they can apply 
it to Access-Control too, but I don't understand the benefit of 
pinning only for Access-Control.


To some extent I agree.

It does provide protection for Access-Control implementations outside of
the web-platform. And for vendors that have expressed concern about
deploying the spec without DNS protection (such as microsoft) this could
be an alternative.


Vendors that wanted to do an IP-based restriction already can (unless 
the spec language somehow makes using the cached OPTIONS result 
mandatory, which it should not).


Reading the letter of the spec I'm not sure that it's currently allowed. 
However we should loosen this in the conformance criteria section. We 
should additionally allow for things like refusing to let internet sites 
connect to private IP addresses (something we hope to implement in 
future firefox releases), or other general security policies that UAs have.


I'm not sure what you mean by Access-Control implementations outside of 
the web-platform. Can you describe a specific scenario where this 
mechanism would actually be an effective defense?


In a browser that doesn't support the features that are currently prone 
to DNS rebinding attacks. This includes things like same-site XHR and 
iframes (and arguably script).


Also note that a server can (and should for reasons other than 
Access-Control) protect itself from DNS rebinding attacks by 
checking the 'Host' header.
Given this very simple total server-side defense, I am leery of 
adding a complex (and ultimately ineffective) client-side mitigation.


This unfortunately only works for servers that are accessed through a
DNS name, this is commonly not the case for for example personal routers
with builtin firewalls.


How are such servers accessed instead? By IP address?


Yes.

(If so, wouldn't 
the IP address be in the Host header?)


Looking at rfc2616 it looks like the Host header is empty when a 
connection is made using IP addresses. Though I realized that in the 
DNS-Rebinding scenario the Host header should contain the DNS name of 
the attacking site, which the firewall could use to detect the attack. 
Unfortunately it seems that in reality many don't.


/ Jonas