Topic: DNS rebinding attack  (Read 5914 times)
« on: July 15, 2010, 04:15:06 »
jpgoldberg *
Posts: 4

There are press reports, the most complete of which I found here,
 http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/
saying that many router/firewalls are vulnerable to a "DNS rebinding" attack.  Listed among the vulnerable are DD-WRT, OpenWRT and pfSense.  There is no mention of m0n0wall in the list of tested systems.

If anyone knows more, I would certainly appreciate learning more.  (I don't know what DNS rebinding is; so I can't even begin to guess.)
« Reply #1 on: July 15, 2010, 12:53:35 »
brushedmoss ****
Posts: 446

Yes, m0n0wall 1.32 is exposed like pfSense. I have submitted a fix that should be in the next release and hopefully mitigates the problem, though until I see the actual changes to this new attack I can't guarantee it will prevent it.

Edit: Talking with the pfSense folks, pfSense 2 has rebind attack prevention coded in, both in the DNS forwarder and elsewhere too.
« Last Edit: August 25, 2010, 11:28:33 by brushedmoss »
« Reply #2 on: July 15, 2010, 17:12:09 »
jpgoldberg *
Posts: 4

Thanks!  I'll be looking for an update.

If I understand things correctly, the DNS rebinding allows some external source to pretend it is on the LAN side of some NATting router, and so can attack the router from the trusted side.  I would assume that unlike off the shelf routers, few of our users are using the default passwords.  And so, even if vulnerable, the risk is still minimal for most people.

Of course it is likely that I do not understand things correctly.

Cheers,

-j
« Reply #3 on: August 24, 2010, 23:27:49 »
momothefox *
Posts: 49

I get this in the system logs:
Quote
Aug 24 23:53:32    last message repeated 2 times
Aug 24 23:43:35    last message repeated 3 times
Aug 24 23:33:57    dnsmasq[135]: possible DNS-rebind attack detected
Aug 24 23:18:45    dnsmasq[135]: possible DNS-rebind attack detected
I am using my custom image, into which I inserted the changes made on the SVN server, up to r401.
I did not see this before.

Note: I did not succeed in adding the updates to captiveportal.inc; it gave me a parse error at system startup,
so I did not update this part.

There is a question here: "possible DNS-rebind attack detected", is it blocked?
I might say it is not, because when ARP attacks happen, they come out in reports as detected,
and if using a static ARP table, it reports an attempt to modify a permanent entry,
although the system detected it.

Regards,

Mohammed Ismail
« Reply #4 on: August 25, 2010, 01:00:16 »
brushedmoss ****
Posts: 446

According to the man page for dnsmasq:

Quote
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.

So I would say yes, it was blocked; however, as the check is crude (though effective), you may get this message when it is not an actual rebind attack.

This code change is not 100% complete: it needs to be off by default (you will have to turn it on), and any domain forwarding needs to be automatically excluded (as it may break if using private IP space, etc.).
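
Added example, not part of the original thread and not dnsmasq or m0n0wall code: a sketch of the check quoted from the man page above, rejecting upstream answers in private ranges, with an exclusion list for forwarded domains. The range list, function names, sample answers and the `corp.example` exemption are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as private here: an assumption for this example,
# not a copy of dnsmasq's internal list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
LOG_MSG = "possible DNS-rebind attack detected"  # message text from the thread

def is_private(addr):
    """True if addr falls in one of PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)

def is_exempt(name, exempt_domains):
    """True if name equals an exempt domain or is a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in exempt_domains)

def filter_answer(name, addresses, exempt_domains=()):
    """Split an upstream answer into (accepted, rejected) addresses."""
    if is_exempt(name, exempt_domains):
        return list(addresses), []
    accepted = [a for a in addresses if not is_private(a)]
    rejected = [a for a in addresses if is_private(a)]
    return accepted, rejected

def run(answers, exempt_domains=()):
    """Return the names that would be logged as possible rebinds."""
    flagged = []
    for name, addrs in answers:
        _, rejected = filter_answer(name, addrs, exempt_domains)
        if rejected:
            flagged.append(name)
    return flagged

# Constructed upstream answers (not real traffic).
SAMPLE = [
    ("www.example.org", ["203.0.113.10"]),            # public: passes
    ("rebind.example.net", ["192.168.1.1"]),          # private: rejected
    ("mixed.example.net", ["203.0.113.11", "10.0.0.1"]),
    ("vpn.partner.example", ["172.16.5.20"]),         # legitimate, still rejected
    ("files.corp.example", ["10.20.0.5"]),            # forwarded domain, exempt
]

if __name__ == "__main__":
    # Appending the name is this example's choice, not dnsmasq's log format.
    for name in run(SAMPLE, exempt_domains=("corp.example",)):
        print(f"{LOG_MSG}: {name}")
```

The `vpn.partner.example` entry shows the false positive mentioned in the reply: a legitimate name resolving into private space is rejected unless its domain is on the exclusion list.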
 