How DNS Rebinding Works
DNS rebinding allows an attacker to completely bypass the same origin policy. It does this by dynamically switching the target IP address for a host name the attacker controls. One scenario might work like this:
- You connect to abcde.badsite.com, which resolves to IP 126.96.36.199 with a very short TTL
- The DNS server in control of *.badsite.com immediately points abcde.badsite.com to 10.0.0.1
- The DNS server resets abcde.badsite.com to 188.8.131.52 and after some period of time, your browser reconnects and sends 184.108.40.206 its findings
With Flash, It Gets Even Better
Flash 9 adds a Socket library to the developer’s toolkit. So instead of the limited web crawling payload, a small flash movie can be sent to the client which can do a full network scan of your internal network, send spam through your corporate SMTP server, or even serve as a general purpose VPN bridge right through your firewall.
Defending Against DNS Rebinding
There have been a number of suggestions made as far as defending your network against this kind of attack, including disabling the Flash plugin, using a personal firewall to restrict browser access to ports 80 and 443, and making sure all your web sites have no default virtual host, but instead require a valid Host header.
It seems like the real moral of the story here, though, is not to be lured into using a Firewall and unaddressable IPs as your only line of defense. This means keeping machines patched, not using IP address-based authentication, and, in general, presuming that the attacker can obtain access to your internal network.