DNS Abuse Detection: DNS rebinding

Definition

DNS rebinding is a type of attack where a malicious website directs a client to a local network
address, allowing the attacker to bypass the same-origin policy and gain access to the victim's
local resources. - https://capec.mitre.org/data/definitions/275.html

Advice

Monitor domain names which have a low TTL value. In order to do this, DNS telemetry would need to be collected in a passive manner using something like dnstap (https://dnstap.info/) or Zeek (https://zeek.org/).

It is also important to take into account false positives - i.e a large number of legitimate domain names are configured with a low TTL value.

Another method to detect DNS rebinding is to use DNS Response Policy Zones (RPZ) and log/block domain names pointing at RFC1918/private address space.

Specifically, by using Response IP Address Policy Trigger (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3) in a recursive resolver and a corresponding zone file containing a list of RFC1918/private address space.

Examples

SpaceX Wi-Fi Router Vulnerability

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52235
SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish before 07dd2798-ff15-4722-a9ee-de28928aed34 allow CSRF (e.g., for a reboot) via a DNS Rebinding attack.

Omise.co

https://hackerone.com/reports/1379656

• DNS Abuse SIG
  • Stakeholder Advice
    • Detection
      • DGA Domains
      • Domain Name Compromise
      • Lame Delegations
      • Cache Poisoning
      • DNS Rebinding
      • DNS Server Compromise
      • Local Resolver Hijacking
      • Stub Resolver Hijacking
  • Code of Conduct & Other Policies
  • Examples of DNS Abuse