The victim has two machines, stooge.victim.org (IP address 10.10.10.1)
and target.victim.org (IP address 10.10.10.2). The attacker has a
machine www.attacker.org (IP address 172.16.16.16).
The victim has a firewall that prevents machines outside the victim's
organization from making unauthorized network connections to any of the
victim's machines. The prevents the attacker from launching a direct
attack on the victim's machines. The victim's security depends on
What the attacker does
The attacker creates a bogus machine name "bogus.attacker.org" and
creates a DNS mapping from
bogus.attacker.org to the pair of IP addresses (10.10.10.2,
The attacker also writes an innocent-looking Java applet and attaches it
to a web page installed on www.attacker.org.
Triggering the attack
The victim, running his web brower on stooge.victim.org, innocently
visits a web page on www.attacker.org. This causes the attacker's
applet to be loaded into the victim's browser, and to start running.
The applet performs some innocent function that is visible to the victim.
It also silently attacks the victim's machines.
First, the applet asks to create a network connection to
bogus.attacker.org. The Java system looks up the address
"bogus.attacker.org," getting the IP address pair (10.10.10.2,
172.16.16.16). The Java system compares this address pair to the
address of the machine that the applet came from (172.16.16.16).
Since the two have the address 172.16.16.16 in common, Java
allows the connection. However, the Java system actually connects
to the first address on the list, namely 10.10.10.2 (target.victim.org).
The attacker's applet now has a network connection to target.victim.org.
It can proceed to attack the defenses of target.victim.org, using
any one of several common network security weaknesses.
A more sophisticated version of the attack allows the attacker's
applet to systematically attack all of the machines in the victim's
organization. The attacking applet can tell the attacker's DNS
server which IP addresses to return, by encoding the IP addresses
into the DNS name that is looked up. For example, the applet could
look up bogus-10-10-10-2--172-16-16-16.attacker.org if it wanted
the DNS server to return the address pair given above.
Why the attack works
The key to the success of the attack is that the victim's firewall
is helpless to prevent it. The firewall is supposed to protect the
victim by preventing machines outside the firewall from opening
arbitrary network connections to the victim's machines inside the
firewall. In this attack, however, the dangerous network connections
come from one of the victim's own machines, so the firewall is useless.
In effect, the attacker causes the victim's web browser to attack the
victim's own machines.
Since the attacking applet can make network connections back to
attacker.org, the applet can operate under the direction of a "real
attacker" that is running back in attacker.org. For instance, a
variant of the notorious security-probing program "Satan" could be
used to direct the attack.
If the attacker can compromise a machine at third-party.org, it can
still carry out the attack on victim.org. The attacker plants his
applet on a web server on www.third-party.org. When the victim
loads a web page from www.third-party.org, the attacking applet is
loaded into the victim's machine. The applet can still use the
DNS server at attacker.org to fool Java into allowing arbitrary
connections. As above, the applet can connect to any desired
machine on the internet, so it can attack the victim's machines, and
it can operate under the direction of a program or person somewhere
A Web virus
The third-party version of the attack can be used to create a virus.
The virus would be attached to an innocent-looking Web applet. When
the applet was run by some person, the applet would attack machines
in that person's organization. If it penetrated one of those
machines, it would append the attacking code to any web pages it
found on the penetrated machines. The virus could spread from
web-server to web-server in this manner.
Note: all of the machine names and IP addresses used in the example
are fictitious. As far as we can tell, there are no real machines
with these addresses connected to the Internet.