Stopping DNS Rebinding Attacks in the Browser

Hazhirpasand, Mohammadreza; Ale Ebrahim, Arash; Nierstrasz, Oscar (2021). Stopping DNS Rebinding Attacks in the Browser. In: 7th International Conference on Information Systems Security and Privacy - ICISSP 2021. Vienna, Austria. Feb 11, 2021 - Feb 13, 2021. 10.5220/0010310705960603

Hazh21a.pdf - Accepted Version
Available under License Creative Commons: Attribution-Noncommercial-No Derivative Works (CC-BY-NC-ND).

DNS rebinding attacks circumvent the same-origin policy of browsers and severely jeopardize user privacy. Although recent studies have shown that DNS rebinding attacks pose severe security threats to users, up to now little effort has been spent to assess the effectiveness of known solutions to prevent such attacks. We have carried out such a study to assess the protective measures proposed in prior studies. We found that none of the recommended techniques can entirely halt this attack due to various factors, e.g., network layer encryption renders packet inspection infeasible. Examining the previous problematic factors, we realize that a protective measure must be implemented at the browser-level. Therefore, we propose a defensive measure, a browser plug-in called Fail-rebind, that can detect, inform, and protect users in the event of an attack. Afterwards, we discuss the merits and limitations of our method compared to prior methods. Our findings suggest that Fail-rebind does not necessitate expert knowledge, works on different OSes and smart devices, and is independent of networks and location.

Item Type:

Conference or Workshop Item (Paper)

Division/Institute:

08 Faculty of Science > Institute of Computer Science (INF)
08 Faculty of Science > Institute of Computer Science (INF) > Software Composition Group (SCG) [discontinued]

UniBE Contributor:

Hazhirpasand Barkadehi, Mohammadreza, Nierstrasz, Oscar

Subjects:

000 Computer science, knowledge & systems
500 Science > 510 Mathematics

ISBN:

978-989-758-491-6

Funders:

[4] Swiss National Science Foundation

Language:

English

Submitter:

Oscar Nierstrasz

Date Deposited:

15 Apr 2021 09:58

Last Modified:

05 Dec 2022 15:49

Publisher DOI:

10.5220/0010310705960603

Uncontrolled Keywords:

scg-pub security snf-asa3 scg20 jb20 snf-imad

BORIS DOI:

10.48350/154522

URI:

https://boris.unibe.ch/id/eprint/154522
