Re: DNS Rebinding Prevention for the Weak Host Model Attacks
I am looking at the deny-answer-* section for this, but we just need
to ensure we minimally affect legitimate applications. This is why I
was proposing we only action when the source is apart of the answer AS
WELL as another answer. Blocking based on just the source would affect
dyn-dns type applications when resolving from the source network - as
well as other applications, such as domain controllers, that maybe
querying then finding out it is themselves.
My concern is breaking current applications, for example, let's assume
example.com has dc1.example.com and dc2.example.com. Both of these
being Windows Domain Controllers. If dc1.example.com queries for the
round-robin address dc.example.com it may result in dc1.example.com
and dc2.example.com being in the answer - my proposed logic would
SERVFAIL that.
From my understanding though, Windows DC's are usually deployed
managing their own DNS, so I don't think this would normally happen -
but - is there an example where this is widely deployed and possible
to impact applications ?
If it can impact applications, but it's very small, an opt-out service
could be possible. Alternatively, simply logging maybe good enough.
But I still feel within bind would be a great place for this checking
to occur.
On Thu, Aug 19, 2010 at 1:51 AM, Kevin Darcy k...@chrysler.com wrote:
deny-answer-addresses { %source%; };
deny-answer-aliases { %source%; };
Maybe?
- Kevin
On 8/17/2010 12:22 AM, Bradley Falzon wrote:
bind-users,
In light of Craig Heffner's recent Black Hat talk (here:
https://media.blackhat.com/bh-us-10/whitepapers/Heffner/BlackHat-USA-2010-Heffner-How-to-Hack-Millions-of-Routers-wp.pdf
and here: http://rebind.googlecode.com) I would like to propose a
possible solution in line with the 'DNS rebinding attack prevention'
provided in version 9.7.
Craig Heffner's version of the DNS Rebinding attack, similar to all
DNS Rebinding attacks, requires the DNS Servers to respond with an
Attackers IP Address as well as the Victims IP Address, in a typical
Round Robin fashion. Previous attacks would normally have the Victims
IP Address to be their Private IP.
BIND, in version 9.7, developed two new options: deny-answer-addresses
and deny-answer-aliases. Within these ranges an ISP or Corporation
could put in the list of RFC1918 Addresses or other address clients
should never be resolving to. However, Craig's attack would bypass
these rules: the Victims IP is actually the Victims WAN IP - not their
internal address. An ISP would be unable to place their entire IP pool
into the 'deny-answer-*' options, allocated to customers, because this
would break many legitimate uses.
I would like to know though, what if bind was given the option that
allowed an ISP to block and/or log DNS requests (again with a
SERVFAIL), based on if the query-source was in the response along with
at least one other address.
Basically:
if ( query.source = query.result[0] count(query.result) 1 ) {
return (servfail)
}
If the Source IP of the client was also at least one of the results,
log and return a SERVFAIL. The rule would permit queries with a single
response.
Craig Heffner's method is serious for ISP's that supply their
customers modems that are vulnerable. The proper protections on the
customers modems would be a logistical nightmare.
Placing these protections, along with the current DNS Rebinding
protections already in 9.7 would be a great step forward in
realistically protecting these types of attacks.
I would propose three parameters for this. The first mode being
completely off (and I assume the default); the second, Permissive,
would only log the attacks; the third, Enforcing, would log and block
the attacks.
This would allow ISPs to upgrade to these specific versions of bind,
turn on Permissive parameter first and Enforcing if the attacks become
well known or impact is minimal.
What are your thoughts on this ? What could these protection break the
legitimate use for ?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Bradley Falzon
b...@teambrad.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS Rebinding Prevention for the Weak Host Model Attacks
On Wed, Aug 18, 2010 at 1:01 AM, Florian Weimer fwei...@bfk.de wrote: * Bradley Falzon: Craig Heffner's version of the DNS Rebinding attack, similar to all DNS Rebinding attacks, requires the DNS Servers to respond with an Attackers IP Address as well as the Victims IP Address, in a typical Round Robin fashion. Previous attacks would normally have the Victims IP Address to be their Private IP. For which protocols is this supposed to work? Why would a security-minded web application serve content under a name it knows cannot be its own? My concern about the attack is in regards to common NAT routers. I am no expert on this subject matter and do completely agree, these kind of routers need better security checking (such as Host Header checks), but conversely, HTTP daemons available on embedded platforms, in my limited experience, have been mostly HTTP 1.0 compliant only as such do not support the Host header. But you are completely correct is saying the devices themselves should offer protection, the fact is though, many devices do not (even if they are HTTP 1.1 compliant, many are simply ignoring the unknown Host Header) and in order to upgrade these would require common people to upgrade their modems firmware - or the ISP assisting them. Addressing the attack as a patch in bind would allow an ISP to patch their DNS Caches as opposed to upgrading all customers firmware. The long term solution being as you've outlined - these NAT routers need to offer more forms of robust protection. -- Bradley Falzon b...@teambrad.net ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS Rebinding Prevention for the Weak Host Model Attacks
On Wed, Aug 18, 2010 at 1:05 AM, Phil Mayers p.may...@imperial.ac.uk wrote: On 08/17/2010 04:31 PM, Florian Weimer wrote: * Bradley Falzon: Craig Heffner's version of the DNS Rebinding attack, similar to all DNS Rebinding attacks, requires the DNS Servers to respond with an Attackers IP Address as well as the Victims IP Address, in a typical Round Robin fashion. Previous attacks would normally have the Victims IP Address to be their Private IP. For which protocols is this supposed to work? Why would a security-minded web application serve content under a name it knows cannot be its own? You're assuming it's an HTTP attack. You can trick flash, java and other plugins to circumvent the browsers same-origin policy, and do much more subtle things like sending SMTP email. ___ Just to note here, the possible prevention I am discussing will only address this specific attack. Where an attack uses the weak host model to circumvent DNS rebinding protection built within popular browsers and attack the victims NAT'd router, using the IP address of their WAN side. You're point is still valid though, as many modems also permit Telnet and SNMP access to the device, and allow reconfiguration via a different protocol that doesn't check/have Host headers. What could we legitimately break by implementing this kind of protection, and if no obvious legitimate access could be broken, is someone able to assist (or point me in the direction of bind-devs) in writing a patch for bind that would do what we are proposing ? -- Bradley Falzon b...@teambrad.net ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DNS Rebinding Prevention for the Weak Host Model Attacks
bind-users,
In light of Craig Heffner's recent Black Hat talk (here:
https://media.blackhat.com/bh-us-10/whitepapers/Heffner/BlackHat-USA-2010-Heffner-How-to-Hack-Millions-of-Routers-wp.pdf
and here: http://rebind.googlecode.com) I would like to propose a
possible solution in line with the 'DNS rebinding attack prevention'
provided in version 9.7.
Craig Heffner's version of the DNS Rebinding attack, similar to all
DNS Rebinding attacks, requires the DNS Servers to respond with an
Attackers IP Address as well as the Victims IP Address, in a typical
Round Robin fashion. Previous attacks would normally have the Victims
IP Address to be their Private IP.
BIND, in version 9.7, developed two new options: deny-answer-addresses
and deny-answer-aliases. Within these ranges an ISP or Corporation
could put in the list of RFC1918 Addresses or other address clients
should never be resolving to. However, Craig's attack would bypass
these rules: the Victims IP is actually the Victims WAN IP - not their
internal address. An ISP would be unable to place their entire IP pool
into the 'deny-answer-*' options, allocated to customers, because this
would break many legitimate uses.
I would like to know though, what if bind was given the option that
allowed an ISP to block and/or log DNS requests (again with a
SERVFAIL), based on if the query-source was in the response along with
at least one other address.
Basically:
if ( query.source = query.result[0] count(query.result) 1 ) {
return (servfail)
}
If the Source IP of the client was also at least one of the results,
log and return a SERVFAIL. The rule would permit queries with a single
response.
Craig Heffner's method is serious for ISP's that supply their
customers modems that are vulnerable. The proper protections on the
customers modems would be a logistical nightmare.
Placing these protections, along with the current DNS Rebinding
protections already in 9.7 would be a great step forward in
realistically protecting these types of attacks.
I would propose three parameters for this. The first mode being
completely off (and I assume the default); the second, Permissive,
would only log the attacks; the third, Enforcing, would log and block
the attacks.
This would allow ISPs to upgrade to these specific versions of bind,
turn on Permissive parameter first and Enforcing if the attacks become
well known or impact is minimal.
What are your thoughts on this ? What could these protection break the
legitimate use for ?
--
Bradley Falzon
b...@teambrad.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
