This seems like a potentially huge Internet security problem. You have to scroll down a ways to see what to do about it, and the instructions are a little…sparse. I’d want to protect both my Frontier router and my Orbi mesh.
4 thoughts on “DNS Rebinding”
So all a server needs to defend against this attack is to pay attention to the server name the client is asking for, and if it isn’t the right server name, do something harmless. Which is probably far more than most IoT device designers think of. And more than a lot of server admins on the wild wild web consider. Standard authentication probably also reduces vulnerability some, though a login cookie may leave the gates open.
As I understand it, the server doesn’t get told the name the browser asked for, except in some cases when it’s connecting via SSL. Otherwise, the browser looks up the IP address, and connects to that, then requests the relevant web page.
Just another reason I keep everything important in the house on a separate network to the unimportant stuff.
Part of the HTTP protocol (1.0 or later) is the client telling the server which server it wants. This allows a single web server to answer for multiple sites. This would not work for most Internet services, but HTTP(S) connection is what a web client can do readily, and what many IoT devices use.
For HTTPS, this happens after the secure transport layer is negotiated, which presents a difficulty if the sites covered can’t share a certificate. The server, by the certificate it delivers, is telling the client which site(s) the server covers.
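The Host-header check discussed in the comments above, as an added example that is not from the post or any commenter. In a rebinding attack the browser still sends the attacker's hostname in `Host`, so a device that only answers to its own names refuses the request; the `ALLOWED_HOSTS` values, handler name and port are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this device legitimately answers to (constructed values for illustration).
ALLOWED_HOSTS = {"192.168.1.1", "router.lan", "localhost", "127.0.0.1"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only when the Host header names this device."""
    if not host_header:
        return False                      # no Host header at all: refuse
    host = host_header.strip().lower()
    name, sep, port = host.partition(":")
    if sep and not (port.isascii() and port.isdigit()):
        return False                      # malformed port (IPv6 literals land here too)
    return name.rstrip(".") in allowed    # tolerate a trailing-dot FQDN


class AdminHandler(BaseHTTPRequestHandler):
    """Hypothetical device admin page that enforces the Host allowlist."""

    def do_GET(self):
        # A rebinding page still sends Host: <attacker's name>, because that
        # is the name the browser resolved, even though the IP is now ours.
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(400, "Unrecognized Host")   # the harmless response
            return
        body = b"device admin page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only for local experimentation.
    HTTPServer(("127.0.0.1", 8080), AdminHandler).serve_forever()
```

With the server running, `curl -H 'Host: rebind.attacker.example' http://127.0.0.1:8080/` gets a 400, while a plain `curl http://127.0.0.1:8080/` gets the page.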
Well for new routers any *PnP I disable out-of-the-box. Also disable remote management and change the admin password. Also always download latest firmware rev and push it to the device via local switch port or USB connection. I NEVER take any of this for granted.
Putting IoT devices on a separate subnet from PCs on the home network will help. But if you open a channel to them from inside the home network from any device that can route to WAN you run the risk of discovery thanks to DNS rebinding and malware network scanners. IoT devices should not use “in the clear” non-encrypted ports for anything. Until then isolate IoT devices by subnet and do not allow WAN connectable devices to talk to them. Use a throwaway cheap smartphone w/o WAN connectivity configured on that subnet and its apps to act as a remote control if you must have it. The pain in the ass is that the apps have to be downloaded over USB to it from a PC. But only rarely. Or better yet, live without the IofT.