1. Introduction
The DNS rebinding attack is an attempt to fool the same-origin policy employed by the majority of browsers.
This attack exploits a gap in most browser implementations, and it can be very harmful because, unlike "pharming",
the attacker does not need to compromise a valid web site: the attacker can easily have everything under his or her own control.
2. How the attack works
Suppose Bob visits his preferred website www.se-rocks.com. This is a popular and reliable site about cars.
The owner of this site saw that he could make some money by putting advertisements for car stores on his site.
An attacker posing as a possible car dealer contacts the owner of www.se-rocks.com. After that,
an advertisement is shown every time a user enters www.se-rocks.com.
Bob is happily using his computer and, after reading an article, he finds a nice deal at the bottom of the website.
He clicks on it and is redirected to the attacker's website. The attacker has associated the host name of his web site with a very
short TTL (Time-to-live), let's suppose 1 second. In other words, by doing this the attacker is saying that the answer for the host name www.badguy.com
is only valid for 1 second. If it is valid for just 1 second, the client knows that after 1 second
a new DNS request should be made, as this indicates that the IP address may no longer be valid for this host name.
So, back when he first accessed www.badguy.com, Bob already downloaded
a malicious JavaScript. Now, when the script runs in his browser, somewhere in the code a new request to the
website is launched. By this time the attacker has replaced the old IP address with a new one, which is not a public
IP address. The remaining part of the script then tries to establish a connection with any computer (it could be a printer, a home server or any other equipment
with a valid IP address) inside that same network. In our case, imagine for example that the second request to www.badguy.com
resolved to 10.1.1.3. That would attack the computer of Alice, which is in the same network as Bob.
An example of a possible attack would be an attacker trying to waste the resources of a printer, for example by telling the printer
to print a document 1000 times. Other attacks would be spidering the intranet, abusing internal open services,
committing click fraud, sending spam, defeating IP-based authentication and framing clients.
For further information about these attacks, read the amazing paper "Protecting Browsers from DNS Rebinding Attacks".

Fig 1 - An overview of a DNS Rebinding attack pt.1

Fig 2 - An overview of a DNS Rebinding attack pt.2
3. Understanding the same origin policy
The same-origin policy says that a script cannot access another script that resides
in a different origin. A browser considers two URLs to be of the same origin only if all of the following hold:
- Same protocol
- Same domain
- Same port
Take a look at some examples:
| URL 1 | URL 2 | Same origin? | Reason |
|---|---|---|---|
| http://www.site.com/index.html | https://www.site.com/index.html | No | Different protocols: the first one uses HTTP and the second HTTPS |
| http://www.site.com:80/index.html | https://www.site.com:85/index.html | No | Different port numbers, 80 and 85 |
| http://www.site.com/index.html | http://site.com/index.html | No | Different domains, site.com and www.site.com |
4. Protection against the attack
A way found by browsers to protect against the attack is DNS pinning.
With it, the browser bypasses the TTL (Time-To-Live) field found in DNS records, and each browser
employs its own policy to pin a certain host name to the corresponding IP address.
Now even if an attacker who controls a DNS server associates a host name with an IP address with a short TTL,
the browser simply ignores it and applies its own policy. Not surprisingly, tests show that it is easy to circumvent
the policy employed by these browsers. Again, take a look at the paper "Protecting Browsers from DNS Rebinding Attacks",
as it gives details about how effective the policy employed by the different browsers (Internet Explorer, Firefox, Safari) is.
Extra protection and security tools are shown in this same paper.
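As an added example (it is not code from the original article or from the paper), here is a small Python model of the flow described in sections 2 to 4: the browser's origin check compares only protocol, domain and port, so the script's second request to www.badguy.com passes the same-origin policy even though the name now resolves to the internal address 10.1.1.3; with DNS pinning the browser keeps the first address. The public address 203.0.113.5, the simulated clock and the `/next` path are assumptions.

```python
from urllib.parse import urlsplit

class DnsServer:
    """Constructed zone under the attacker's control: answers can change between lookups."""
    def __init__(self, records):
        self.records = dict(records)          # host -> (ip, ttl_seconds)
    def rebind(self, host, new_ip, ttl):
        self.records[host] = (new_ip, ttl)    # attacker flips the record
    def resolve(self, host):
        return self.records[host]

def origin(url):
    """The (protocol, domain, port) triple the same-origin policy compares; note: no IP."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}[p.scheme]
    return (p.scheme, p.hostname, port)

class Browser:
    """Tiny resolver cache. pinning=True ignores the TTL and keeps the first IP."""
    def __init__(self, dns, pinning, clock):
        self.dns, self.pinning, self.clock = dns, pinning, clock
        self.cache = {}                       # host -> (ip, expires_at)
    def lookup(self, host):
        ip, expires = self.cache.get(host, (None, 0.0))
        if ip is None or (not self.pinning and self.clock() >= expires):
            ip, ttl = self.dns.resolve(host)
            self.cache[host] = (ip, self.clock() + ttl)
        return ip
    def fetch(self, url, script_origin):
        """A script may only contact its own origin; returns the IP the request goes to."""
        if origin(url) != script_origin:
            raise PermissionError("blocked by the same-origin policy")
        return self.lookup(origin(url)[1])

def simulate(pinning):
    """Return the IPs reached by the first page load and by the script's second request."""
    now = [0.0]                                              # assumed clock, in seconds
    dns = DnsServer({"www.badguy.com": ("203.0.113.5", 1)})  # assumed public IP, TTL 1 s
    browser = Browser(dns, pinning, lambda: now[0])
    page = "http://www.badguy.com/"
    first = browser.fetch(page, origin(page))                # page and script delivered
    dns.rebind("www.badguy.com", "10.1.1.3", 1)              # record now points into the LAN
    now[0] += 2.0                                            # the 1 s TTL has expired
    second = browser.fetch(page + "next", origin(page))      # same origin, so allowed
    return first, second

if __name__ == "__main__":
    print("TTL honoured:", simulate(pinning=False))   # ('203.0.113.5', '10.1.1.3')
    print("DNS pinning: ", simulate(pinning=True))    # ('203.0.113.5', '203.0.113.5')
```

Without pinning the second request is sent to 10.1.1.3 while the origin check still sees www.badguy.com; pinning keeps the browser on the address it first resolved.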
5. References
This article was based on the paper: Protecting Browsers from DNS Rebinding Attacks