Secure Internet Programming
* History
* People
* Partners
* Research
* Publications
* Links
DNS Attack Scenario (February 1996)


The victim has two machines, (IP address and (IP address The attacker has a machine (IP address

The victim has a firewall that prevents machines outside the victim's organization from making unauthorized network connections to any of the victim's machines. The prevents the attacker from launching a direct attack on the victim's machines. The victim's security depends on the firewall.

What the attacker does

The attacker creates a bogus machine name "" and creates a DNS mapping from to the pair of IP addresses (,

The attacker also writes an innocent-looking Java applet and attaches it to a web page installed on

Triggering the attack

The victim, running his web brower on, innocently visits a web page on This causes the attacker's applet to be loaded into the victim's browser, and to start running.

The applet performs some innocent function that is visible to the victim. It also silently attacks the victim's machines.

First, the applet asks to create a network connection to The Java system looks up the address "," getting the IP address pair (, The Java system compares this address pair to the address of the machine that the applet came from ( Since the two have the address in common, Java allows the connection. However, the Java system actually connects to the first address on the list, namely (

The attacker's applet now has a network connection to It can proceed to attack the defenses of, using any one of several common network security weaknesses.

A more sophisticated version of the attack allows the attacker's applet to systematically attack all of the machines in the victim's organization. The attacking applet can tell the attacker's DNS server which IP addresses to return, by encoding the IP addresses into the DNS name that is looked up. For example, the applet could look up if it wanted the DNS server to return the address pair given above.

Why the attack works

The key to the success of the attack is that the victim's firewall is helpless to prevent it. The firewall is supposed to protect the victim by preventing machines outside the firewall from opening arbitrary network connections to the victim's machines inside the firewall. In this attack, however, the dangerous network connections come from one of the victim's own machines, so the firewall is useless.

In effect, the attacker causes the victim's web browser to attack the victim's own machines.


Since the attacking applet can make network connections back to, the applet can operate under the direction of a "real attacker" that is running back in For instance, a variant of the notorious security-probing program "Satan" could be used to direct the attack.

Third-party attacks

If the attacker can compromise a machine at, it can still carry out the attack on The attacker plants his applet on a web server on When the victim loads a web page from, the attacking applet is loaded into the victim's machine. The applet can still use the DNS server at to fool Java into allowing arbitrary connections. As above, the applet can connect to any desired machine on the internet, so it can attack the victim's machines, and it can operate under the direction of a program or person somewhere in

A Web virus

The third-party version of the attack can be used to create a virus. The virus would be attached to an innocent-looking Web applet. When the applet was run by some person, the applet would attack machines in that person's organization. If it penetrated one of those machines, it would append the attacking code to any web pages it found on the penetrated machines. The virus could spread from web-server to web-server in this manner.

Note: all of the machine names and IP addresses used in the example are fictitious. As far as we can tell, there are no real machines with these addresses connected to the Internet.

Princeton University
Department of Computer Science