Thursday, March 01, 2007

Anti-DNS Pinning in the News!

Second Google Desktop attack reported. Now I've seen everything. This is the first time I've seen the esoteric term anti-DNS pinning actually mentioned by the mainstream media. Talk about guts on the part of Robert McMillan to cover the story and attempt an easy-to-understand explanation of what this thing is and does. This has got to be right up there with the press coverage of Back Orifice during a Defcon many years back. The issue in question had to do with RSnake's follow-on research into the Google Desktop product, sparked by Watchfire's paper "Overtaking Google Desktop".

"Once you can repoint Google to another IP address, instead of Google getting the traffic, the bad guy does," he said.

Very few people, experts included, know what "DNS pinning" is or how important it actually is. DNS pinning is a browser security mechanism: once a hostname has been resolved, the browser keeps using that IP address for the rest of the session (ignoring the DNS record's TTL) instead of resolving the name again. That stops a hostile web server from changing the address its hostname points to mid-session and having the browser treat some other machine as the same origin, which would let the attacker's script read data from that machine.

Example:
Why DNS pinning? Let's try to attack a web bank (111.111.111.111).

1) User visits the "attacker" website (222.222.222.222), whose DNS record has a TTL of 1 second.
2) The page's JavaScript waits two seconds and then reconnects to the attacker's hostname. (The attacker's server is down!)
3) The TTL has expired, so the browser asks the DNS server again and gets the attacker's new IP address: 111.111.111.111.
4) The browser connects to 111.111.111.111 thinking it is the attacker.

Not entirely useful, even if the browser allowed step 3: the request carries the attacker's hostname in the Host header, which the web bank won't recognize, and the bank's cookies won't be sent either, since they are scoped to the bank's hostname rather than the attacker's. Still, it was dangerous enough for modern browsers to add DNS pinning. Basically, the browser is told not to ask for a new IP address for a hostname it has already resolved; it stays pinned to the original IP.

Enter Anti-DNS Pinning (or forcing the browser to stop this behavior)

1) User visits the "attacker" website (222.222.222.222), whose DNS record has a TTL of 1 second.
2) The page's JavaScript waits two seconds and then reconnects to the attacker's hostname. (The attacker has firewalled its own IP, so the connection fails!)
3) Because the pinned address no longer answers, the browser drops the pin. (This is the anti-DNS pinning trick.)
4) The browser asks the DNS server again and gets the attacker's new IP address: 192.168.1.1, a machine on the victim's internal network.
5) The browser connects to 192.168.1.1 thinking, from its perspective, that it is still the attacker, so the attacker's script is allowed to read the response under the same-origin policy.
6) The attacker now has read access to places they couldn't reach directly.
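To make the two lists above concrete, here is a small model of a browser's DNS cache that plays out the bank scenario (no pinning), the pinned case, and the anti-DNS pinning case. This is an added example and is not code from the original post; the hostnames, addresses, TTL, cookie value and the "drop the pin on connection failure" rule are all constructed to follow the steps as the post describes them, not taken from any particular browser's source.

```javascript
// Added example, not code from the original post: a toy model of a browser's
// DNS cache that plays out the scenarios above. Hostnames, addresses, the
// TTL and the cookie value are constructed for illustration.

// Attacker-controlled DNS for attacker.example: the first answer points at
// the attacker's own server, every later answer at the chosen target.
function makeAttackerDns(firstIp, laterIp, ttlSeconds) {
  let queries = 0;
  return {
    resolve() {
      queries += 1;
      return { ip: queries === 1 ? firstIp : laterIp, ttl: ttlSeconds };
    },
    queryCount: () => queries,
  };
}

// The network: which addresses currently accept a TCP connection.
// The attacker "firewalls itself" by removing its own address.
function makeNetwork(reachableIps) {
  const reachable = new Set(reachableIps);
  return {
    connect: (ip) => reachable.has(ip),
    block: (ip) => reachable.delete(ip),
  };
}

// A minimal browser: hostname cache with optional pinning, a cookie jar keyed
// by hostname, and a same-origin check that compares hostnames. Nothing here
// ever compares IP addresses, which is the whole problem.
function makeBrowser({ dns, network, pinning, dropPinOnFailure, cookies }) {
  const cache = new Map(); // hostname -> { ip, expires }
  let now = 0;

  function lookup(hostname) {
    const entry = cache.get(hostname);
    // Pinned: keep the first answer for the session, ignoring the TTL.
    if (entry && (pinning || entry.expires > now)) return entry.ip;
    const { ip, ttl } = dns.resolve(hostname);
    cache.set(hostname, { ip, expires: now + ttl });
    return ip;
  }

  return {
    sleep: (seconds) => { now += seconds; },
    // Emulates an XMLHttpRequest from a page whose origin is `origin`.
    // Returns what the server on the far end would see.
    xhr(origin, hostname) {
      if (origin !== hostname) return { ok: false, reason: 'blocked by same-origin policy' };
      let ip = lookup(hostname);
      if (!network.connect(ip)) {
        // The behaviour the post calls anti-DNS pinning: a failed
        // connection discards the pin and the name is resolved again.
        if (!(pinning && dropPinOnFailure)) return { ok: false, reason: 'connect failed', ip };
        cache.delete(hostname);
        ip = lookup(hostname);
        if (!network.connect(ip)) return { ok: false, reason: 'connect failed', ip };
      }
      return { ok: true, ip, hostHeader: hostname, cookie: cookies.get(hostname) };
    },
  };
}

// Runs the post's steps: victim loads attacker.example (TTL 1s), the page's
// script waits 2s while the attacker takes its own address offline, then the
// script reconnects to attacker.example and reads whatever answers.
function runScenario({ pinning, dropPinOnFailure, targetIp }) {
  const ATTACKER = 'attacker.example';
  const dns = makeAttackerDns('222.222.222.222', targetIp, 1);
  const network = makeNetwork(['222.222.222.222', '111.111.111.111', '192.168.1.1']);
  const cookies = new Map([['webbank.example', 'session=constructed-value']]); // constructed
  const browser = makeBrowser({ dns, network, pinning, dropPinOnFailure, cookies });

  const first = browser.xhr(ATTACKER, ATTACKER);  // step 1: page loads from 222.222.222.222
  browser.sleep(2);                                // step 2: the 1s TTL has expired
  network.block('222.222.222.222');                //         attacker goes down / firewalls itself
  const second = browser.xhr(ATTACKER, ATTACKER); // steps 3-5: script reconnects to its own hostname
  return { first, second, dnsQueries: dns.queryCount() };
}

// A: no pinning (the post's first list): the request lands on the bank, but
//    with Host: attacker.example and without the bank's cookie.
const noPinning = runScenario({ pinning: false, dropPinOnFailure: false, targetIp: '111.111.111.111' });
// B: pinning: no second lookup ever happens; the connection simply fails.
const withPinning = runScenario({ pinning: true, dropPinOnFailure: false, targetIp: '111.111.111.111' });
// C: anti-DNS pinning (the post's second list): the pin is dropped on failure
//    and the script reads 192.168.1.1 as if it were attacker.example.
const antiPinning = runScenario({ pinning: true, dropPinOnFailure: true, targetIp: '192.168.1.1' });

console.log(JSON.stringify({ noPinning, withPinning, antiPinning }, null, 2));
```

Scenario A shows why the bank attack is weak on its own: the bank sees a request for a hostname it doesn't serve and no session cookie. Scenario C shows why the intranet variant is not: an internal host typically answers regardless of the Host header, and the attacker's script, still same-origin by hostname, gets to read the body. Real browsers' cache rules have changed since this post was written; the model only follows the behaviour the post describes.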

Now, Anti-Anti-DNS Pinning, a security solution to defend against Anti-DNS Pinning. And finally, Anti-Anti-Anti-DNS Pinning attacks, to circumvent any Anti-Anti-DNS Pinning solution. Head hurt yet? I know it's crazy, and even I don't have a good handle on all of it.

2 comments:

Anonymous said...

Great explanation Jeremiah! :) It's sure stuff I need to dive into some more.

-Jungsonn

Jeremiah Grossman said...

Hey Jung, thanks. DNS-Pinning has got to be one of the hardest concepts to wrap one's mind around.