
DNS rebinding attacks  

Recently, I came across an article which revisited the concept of rebinding DNS queries; the methodology for the same was explained in a whitepaper from 1996 by Stanford students.

The way DNS rebinding attacks work is somewhat interesting.
Let's say I am logged on to my client box (aka the victim), surfing the web. I come across an online ad which serves active content like Flash and JavaScript.
To perform a DNS rebinding attack, the bad guy answers DNS queries for their own domain with the IP address of their server but a very short time-to-live (TTL). Using JavaScript, or some other mechanism, the attacker initiates a second request to their domain from the victim's machine. Since the TTL has expired, another DNS query is sent to the attacker's DNS server. This time, the server responds with the IP address of a target server that the attacker wishes to connect to (e.g., an internal web server). Because the browser's same-origin policy is keyed on the host name rather than the IP address, the script is still treated as talking to its own origin.
The beauty here is that firewalls are fooled into allowing this, since the request comes from the victim's own browser inside the network and looks legitimate, which opens up the machines on the corporate LAN to the bad outside world.

To avoid this, browsers have a built-in mechanism called pinning, which associates DNS entries with their respective IP addresses for a fixed time period (30 mins for Internet Explorer and 30-120 seconds for Mozilla Firefox).
Folks at Stanford carried out a demonstration wherein they set up an attacker that changed the IP address from its own to an internal machine, which was accepted by the victim boxes, and after a span of 3 days or so, these guys were able to obtain about 100.3 machine days of network access.
The dangerous thing about DNS rebinding is that users don't have to click on malicious links; all they need to do is view the ad/webpage, which will initiate the attack.
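
On the defensive side, the pattern described above (a short-TTL public answer followed by an internal address for the same name) can be spotted in resolver logs and refused at the resolver. The following is an added example, not code from the article or the Stanford paper; the log format, the names, the addresses and the `corp.example` local zone are all assumptions made up for illustration.

```python
import ipaddress

# Constructed sample resolver log: (epoch seconds, client, name, answer IP, TTL).
# Every name and address below is made up for this example.
SAMPLE_LOG = [
    (1000, "10.0.0.23", "ads.attacker.example", "203.0.113.7", 1),
    (1003, "10.0.0.23", "ads.attacker.example", "192.168.1.10", 1),
    (1000, "10.0.0.40", "www.vendor.example", "198.51.100.20", 3600),
    (5000, "10.0.0.40", "www.vendor.example", "198.51.100.21", 3600),
    (1000, "10.0.0.40", "intranet.corp.example", "10.0.5.5", 300),
    (1400, "10.0.0.40", "intranet.corp.example", "10.0.5.5", 300),
]

# Listed explicitly: ipaddress.is_private also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    """True if ip is an RFC 1918, loopback or link-local address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def should_block(name, ip, local_zones=("corp.example",)):
    """Resolver-side policy: refuse internal answers for non-local names."""
    name = name.rstrip(".").lower()
    local = any(name == z or name.endswith("." + z) for z in local_zones)
    return is_internal(ip) and not local

def find_rebinding(log, max_ttl=60):
    """Return (client, name, public_ip, internal_ip) for every name a client
    saw flip from a short-TTL public answer to an internal address."""
    last_public = {}  # (client, name) -> last short-TTL public answer
    hits = []
    for _ts, client, name, ip, ttl in sorted(log):
        key = (client, name)
        if is_internal(ip):
            if key in last_public:
                hits.append((client, name, last_public[key], ip))
        elif ttl <= max_ttl:
            last_public[key] = ip
    return hits

if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_LOG):
        print("possible rebinding:", hit)
```

Names that legitimately resolve to internal addresses (the constructed `intranet.corp.example` here) are not flagged, because they never had a public answer and sit inside the local zone.
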
Hope this was an interesting post; will try to do this sometime in my lab just to see how it goes.

Peace.
