DNS domain lock-up attack and DNS rebinding attack

The document describes two types of DNS attacks: the DNS domain lock-up attack, which disrupts the TCP handshake by sending random data packets to exhaust server connections, and the DNS rebinding attack, which exploits DNS vulnerabilities to bypass the same-origin policy, allowing malicious scripts to access other domains. In a DNS domain lock-up attack, attackers keep the server engaged by sending false responses, while in a DNS rebinding attack, attackers manipulate DNS lookups to redirect requests to the victim's home network. Both attacks pose significant security risks by disrupting legitimate connections and enabling unauthorized access to sensitive information.

Uploaded by naim_tex

DNS domain lock-up attack


The DNS domain lock-up attack is a form of DDoS attack that uses specially set up domains and resolvers to interrupt the handshake between the server and the client: instead of sending the correct response, they reply with random data packets. This keeps the server engaged and waiting for a proper reply (which never comes), exhausting the reserve of available connections.

The main difference between this and the TCP SYN flood is that the DNS domain lock-up attack happens in the next phase of the three-way TCP handshake. To successfully establish a connection, the client sends a SYN message, the server replies with a SYN-ACK message and waits for an ACK message back from the client. The DNS domain lock-up attack deliberately slows down the handshake, sending back ACK messages from the attacker side. These false domains respond with random or useless packet data to keep the DNS resolver occupied, unable to resolve the handshake. This completely shuts out all other legitimate connections for actual users.
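A resolver-side guard against the junk-reply behaviour described above, as an added example that is not part of the original document. It assumes the resolver queries upstream servers over TCP (where each DNS message carries a 2-byte length prefix); the function names, the 2-second deadline and the sample byte strings are constructed for illustration.

```python
import struct

MAX_WAIT_S = 2.0   # assumed per-query deadline; tune for your resolver
HEADER_LEN = 12    # fixed DNS header size (RFC 1035)

def classify_reply(query_id, buf):
    """Classify the bytes received so far on an upstream DNS-over-TCP socket.

    Returns 'valid', 'incomplete' or 'garbage'.
    """
    if len(buf) < 2:
        return "incomplete"
    (msg_len,) = struct.unpack("!H", buf[:2])      # 2-byte length prefix
    if msg_len < HEADER_LEN:
        return "garbage"                           # too short to hold a DNS header
    if len(buf) < 2 + HEADER_LEN:
        return "incomplete"
    msg_id, flags = struct.unpack("!HH", buf[2:6])
    if msg_id != query_id or not (flags & 0x8000):  # wrong ID, or QR bit not set
        return "garbage"
    return "valid" if len(buf) >= 2 + msg_len else "incomplete"

def should_drop(query_id, buf, elapsed_s):
    """Release the connection slot on junk, or when the deadline has passed."""
    state = classify_reply(query_id, buf)
    return state == "garbage" or (state == "incomplete" and elapsed_s >= MAX_WAIT_S)

# Constructed sample replies to a query with ID 0x1234 (not captured traffic).
VALID_REPLY = struct.pack("!H", 12) + struct.pack("!6H", 0x1234, 0x8180, 0, 0, 0, 0)
SHORT_JUNK = b"\x00\x05hello"                      # length prefix smaller than a header
WRONG_ID_JUNK = struct.pack("!H", 12) + b"\xff" * 12
SLOW_DRIP = b"\x00"                                # one byte, then silence
```

Dropping on the first malformed frame and capping the total wait per query bounds how long one unresponsive upstream can hold a connection slot.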

DNS rebinding attack


DNS rebinding attacks use DNS vulnerabilities to bypass the web browser’s same-origin policy,
allowing one domain to make requests to another – something that can have far-reaching
consequences. For example, using DNS rebinding, an attacker may be able to gain control of your
entire home network.

Picture this: you’re browsing a shady website, which happens to have a malicious script running:
<script src="http://clear-your-bank-account.com/ad.js">.

For protection, the script will typically only be able to access the domain you are currently browsing and not some other domain (such as your-bank.com) because of the same-origin policy. This is one of the most essential safety measures of the internet, and all browsers enforce this. It ensures that a malicious script running on one website will not be able to send requests to another website, and thus won’t be able to, for example, clear your bank account.

This, however, is very much exploitable using DNS rebinding.
When performing a DNS rebinding attack, the hacker registers a web domain, e.g., malware.com, and assigns it to their own DNS server, giving the lookup response a very short time to live (TTL) to prevent DNS caching and force your browser to perform repeated lookups. The attacker then gets the victim to load malware.com in their browser (this can be done via phishing or a number of other means). When the victim loads the website, it triggers the malicious script on the site.

This is where it gets interesting: the script starts making weird requests, which will depend on the attacker’s goal. It’s not a problem if the requests only get as far as malware.com. However, since the set TTL is very low, another DNS lookup is performed, only now the response is a different IP address – the victim’s home router, for example.

The reason this works is that DNS links different IP addresses to the same domain name: the browser still sees the same origin, so its same-origin policy is bypassed.
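The pattern described above (a short-TTL answer pointing at an outside address, followed by an answer for the same name pointing inside the network) can be searched for in resolver logs. This is an added example, not part of the original document; the record layout, the thresholds and the sample log are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Ranges a public name should not resolve to: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
WINDOW_S = 300    # assumed: the flip must occur within five minutes
LOW_TTL_S = 60    # assumed threshold for a "very short" TTL

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_rebinding(records):
    """records: iterable of (epoch_s, client, qname, ttl_s, answer_ip).

    Returns sorted (client, qname) pairs where a low-TTL external answer was
    followed within WINDOW_S by an internal answer for the same name.
    """
    last_external = {}   # (client, qname) -> time of last low-TTL external answer
    hits = set()
    for ts, client, qname, ttl, answer in sorted(records):
        key = (client, qname.lower().rstrip("."))
        if is_internal(answer):
            seen = last_external.get(key)
            if seen is not None and ts - seen <= WINDOW_S:
                hits.add(key)
        elif ttl <= LOW_TTL_S:
            last_external[key] = ts
    return sorted(hits)

# Constructed sample resolver log (documentation-range addresses, not real data).
SAMPLE = [
    (1000, "192.168.1.23", "malware.com.", 1, "203.0.113.10"),
    (1004, "192.168.1.23", "malware.com.", 1, "192.168.1.1"),
    (1010, "192.168.1.40", "intranet.example.", 3600, "10.0.0.5"),
    (1020, "192.168.1.40", "cdn.example.", 30, "198.51.100.7"),
    (1050, "192.168.1.40", "cdn.example.", 30, "198.51.100.8"),
]
```

Only the first client is flagged: the internal-only name and the short-TTL CDN name that stays on external addresses do not match the flip pattern.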
