DNS Rebinding Bundle detects DNS rebind attacks in the network.
DNS Rebind is network attack that uses a malicious web page running client-side script that attacks / scans the private network of the victim.
How does this attack work?
- Attacker with a DNS server with registered domain can run this attack to anyone visiting a malicious website the attacker created.
- The attacker configures DNS server to respond with a very short TTL value, preventing DNS to be cached in victim's computer.
- The first DNS request responds with an ip address of attacker's malicious website. The malicious code will then send another DNS request to the DNS server, which the DNS server responds with an IP address of private IP address to attack something in victim's private network.
- This bypasses Same-Origin-Policy because the DNS name stays the same. it is only the ip address that changes.
More information about attacks that can be done with this attack can be read here
RequirementsExtraHop version 6.2 or later
- Download and Apply the bundle to your EDA
- Assign DNS Rebinding Detection V2 trigger to DNS Server Device Group