Secure Internet Programming
DNS Attack Scenario (February 1996)

Scenario

The victim has two machines, stooge.victim.org (IP address 10.10.10.1) and target.victim.org (IP address 10.10.10.2). The attacker has a machine www.attacker.org (IP address 172.16.16.16).

The victim has a firewall that prevents machines outside the victim's organization from making unauthorized network connections to any of the victim's machines. This prevents the attacker from launching a direct attack on the victim's machines. The victim's security depends on the firewall.

What the attacker does

The attacker creates a bogus machine name "bogus.attacker.org" and creates a DNS mapping from bogus.attacker.org to the pair of IP addresses (10.10.10.2, 172.16.16.16).

The attacker also writes an innocent-looking Java applet and attaches it to a web page installed on www.attacker.org.

Triggering the attack

The victim, running his web browser on stooge.victim.org, innocently visits a web page on www.attacker.org. This causes the attacker's applet to be loaded into the victim's browser, and to start running.

The applet performs some innocent function that is visible to the victim. It also silently attacks the victim's machines.

First, the applet asks to create a network connection to bogus.attacker.org. The Java system looks up the address "bogus.attacker.org," getting the IP address pair (10.10.10.2, 172.16.16.16). The Java system compares this address pair to the address of the machine that the applet came from (172.16.16.16). Since the two have the address 172.16.16.16 in common, Java allows the connection. However, the Java system actually connects to the first address on the list, namely 10.10.10.2 (target.victim.org).

The attacker's applet now has a network connection to target.victim.org. It can proceed to attack the defenses of target.victim.org, using any one of several common network security weaknesses.

A more sophisticated version of the attack allows the attacker's applet to systematically attack all of the machines in the victim's organization. The attacking applet can tell the attacker's DNS server which IP addresses to return, by encoding the IP addresses into the DNS name that is looked up. For example, the applet could look up bogus-10-10-10-2--172-16-16-16.attacker.org if it wanted the DNS server to return the address pair given above.
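The address-list comparison described under "Triggering the attack" is the whole flaw: the check passes if any address of the looked-up name matches the applet's origin, but the connection goes to the first address. The following is an added illustration, not code from the original page or from any Java runtime: a small offline model (constructed name-to-address table, fictitious addresses from the scenario) of that flawed check next to a hardened one that compares the address actually used for the connection against the origin address recorded when the applet was loaded.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for DNS; all names and addresses are fictitious,
# matching the scenario above. The attacker-controlled record lists the
# victim's machine first and the applet's origin second.
FAKE_DNS = {
    "www.attacker.org": ["172.16.16.16"],
    "target.victim.org": ["10.10.10.2"],
    "bogus.attacker.org": ["10.10.10.2", "172.16.16.16"],
}


def resolve(name: str) -> List[str]:
    """Return the address list for a name, or [] if it does not resolve."""
    return list(FAKE_DNS.get(name, []))


@dataclass
class Decision:
    allowed: bool
    connect_to: Optional[str]   # address the socket would actually use
    reason: str


def flawed_check(origin_ip: str, host: str) -> Decision:
    """Model of the 1996-era check: allow if ANY resolved address of `host`
    equals the applet's origin address, then connect to the FIRST address."""
    addrs = resolve(host)
    if not addrs:
        return Decision(False, None, "name does not resolve")
    if origin_ip in addrs:
        # The match and the connection target are different list entries.
        return Decision(True, addrs[0], "some address matched the origin")
    return Decision(False, None, "no address matched the origin")


def hardened_check(origin_ip: str, host: str) -> Decision:
    """Decide on the address that will be used: it must itself equal the
    origin address recorded at load time, regardless of what else the
    name resolves to."""
    addrs = resolve(host)
    if not addrs:
        return Decision(False, None, "name does not resolve")
    target = addrs[0]
    if target == origin_ip:
        return Decision(True, target, "connection address equals the origin")
    return Decision(False, None,
                    f"connection address {target} is not the origin {origin_ip}")
```

With the applet's origin 172.16.16.16, `flawed_check` admits bogus.attacker.org and would connect to 10.10.10.2 inside the firewall, while `hardened_check` refuses it and still permits a genuine connection back to www.attacker.org.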

Why the attack works

The key to the success of the attack is that the victim's firewall is helpless to prevent it. The firewall is supposed to protect the victim by preventing machines outside the firewall from opening arbitrary network connections to the victim's machines inside the firewall. In this attack, however, the dangerous network connections come from one of the victim's own machines, so the firewall is useless.

In effect, the attacker causes the victim's web browser to attack the victim's own machines.

Using SATAN

Since the attacking applet can make network connections back to attacker.org, the applet can operate under the direction of a "real attacker" that is running back in attacker.org. For instance, a variant of the notorious security-probing program SATAN could be used to direct the attack.

Third-party attacks

If the attacker can compromise a machine at third-party.org, it can still carry out the attack on victim.org. The attacker plants his applet on a web server on www.third-party.org. When the victim loads a web page from www.third-party.org, the attacking applet is loaded into the victim's machine. The applet can still use the DNS server at attacker.org to fool Java into allowing arbitrary connections. As above, the applet can connect to any desired machine on the Internet, so it can attack the victim's machines, and it can operate under the direction of a program or person somewhere in attacker.org.

A Web virus

The third-party version of the attack can be used to create a virus. The virus would be attached to an innocent-looking Web applet. When the applet was run by some person, the applet would attack machines in that person's organization. If it penetrated one of those machines, it would append the attacking code to any web pages it found on the penetrated machines. The virus could spread from web server to web server in this manner.

Note: all of the machine names and IP addresses used in the example are fictitious. As far as we can tell, there are no real machines with these addresses connected to the Internet.


Princeton University
Department of Computer Science
Contact: sip@cs.princeton.edu