| CARVIEW |
- About FIRST
- Mission Statement
- Strategy Framework
- History
- Sustainable Development Goals
- Organization
- FIRST Policies
- Anti-Corruption Policy
- Antitrust Policy
- Bylaws
- Board duties
- Bug Bounty Program
- Code of Conduct
- Conflict of Interest Policy
- Document Record Retention and Destruction Policy
- FIRST Press Policy
- General Event Registration Refund Policy
- Guidelines for Site Selection for all FIRST events
- Identity & Logo Usage
- Mailing List Policy
- Media Policy
- Privacy Policy
- Registration Terms & Conditions
- Services Terms of Use
- Standards Policy
- Statement on Diversity & Inclusion
- Translation Policy
- Travel Policy
- Uniform IPR Policy
- Whistleblower Protection Policy
- Partnerships
- Newsroom
- Procurement
- Jobs
- Contact
- Membership
- Initiatives
- Special Interest Groups (SIGs)
- SIGs Framework
- Academic Security SIG
- AI Security SIG
- Automation SIG
- Cybersecurity Communications SIG
- Common Vulnerability Scoring System (CVSS-SIG)
- CSIRT Framework Development SIG
- Cyber Insurance SIG
- Cyber Threat Intelligence SIG
- Curriculum
- Introduction
- Introduction to CTI as a General topic
- Methods and Methodology
- Priority Intelligence Requirement (PIR)
- Source Evaluation and Information Reliability
- Machine and Human Analysis Techniques (and Intelligence Cycle)
- Threat Modelling
- Training
- Standards
- Glossary
- Communicating Uncertainties in CTI Reporting
- Webinars and Online Training
- Building a CTI program and team
- Curriculum
- Detection Engineering & Threat Hunting SIG
- Digital Safety SIG
- DNS Abuse SIG
- Stakeholder Advice
- Detection
- Cache Poisoning
- Creation of Malicious Subdomains Under Dynamic DNS Providers
- DGA Domains
- DNS As a Vector for DoS
- DNS Beacons - C2 Communication
- DNS Rebinding
- DNS Server Compromise
- DNS Tunneling
- DoS Against the DNS
- Domain Name Compromise
- Dynamic DNS (as obfuscation technique)
- Fast Flux (as obfuscation technique)
- Infiltration and exfiltration via the DNS
- Lame Delegations
- Local Resolver Hijacking
- Malicious registration of (effective) second level domains
- On-path DNS Attack
- Stub Resolver Hijacking
- Detection
- Code of Conduct & Other Policies
- Examples of DNS Abuse
- Stakeholder Advice
- Ethics SIG
- Exploit Prediction Scoring System (EPSS)
- FIRST Multi-Stakeholder Ransomware SIG
- Human Factors in Security SIG
- Industrial Control Systems SIG (ICS-SIG)
- Information Exchange Policy SIG (IEP-SIG)
- Information Sharing SIG
- Law Enforcement SIG
- Malware Analysis SIG
- Metrics SIG
- NETSEC SIG
- Public Policy SIG
- PSIRT SIG
- Red Team SIG
- Security Lounge SIG
- Security Operations Center SIG
- Threat Intel Coalition SIG
- Traffic Light Protocol (TLP-SIG)
- Transportation and Mobility SIG
- Vulnerability Coordination
- Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
- Women of FIRST
- CCB Initiatives
- FIRST CORE
- Internet Governance
- IR Database
- Fellowship Program
- Mentorship Program
- IR Hall of Fame
- Victim Notification
- Volunteers at FIRST
- Previous Activities
- Special Interest Groups (SIGs)
- Standards & Publications
- Events
- Education
- Blog
DNS Abuse Detection: DNS rebinding
Definition
DNS rebinding is a type of attack where a malicious website directs a client to a local network
address, allowing the attacker to bypass the same-origin policy and gain access to the victim's
local resources. - https://capec.mitre.org/data/definitions/275.html
Advice
Monitor domain names which have a low TTL value. In order to do this, DNS telemetry would need to be collected in a passive manner using something like dnstap (https://dnstap.info/) or Zeek (https://zeek.org/).
It is also important to take into account false positives - i.e a large number of legitimate domain names are configured with a low TTL value.
Another method to detect DNS rebinding is to use DNS Response Policy Zones (RPZ) and log/block domain names pointing at RFC1918/private address space.
Specifically, by using Response IP Address Policy Trigger (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3) in a recursive resolver and a corresponding zone file containing a list of RFC1918/private address space.
Examples
SpaceX Wi-Fi Router Vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52235
SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish before 07dd2798-ff15-4722-a9ee-de28928aed34 allow CSRF (e.g., for a reboot) via a DNS Rebinding attack.
Omise.co
- DNS Abuse SIG
- Stakeholder Advice
- Detection
- Cache Poisoning
- Creation of Malicious Subdomains Under Dynamic DNS Providers
- DGA Domains
- DNS As a Vector for DoS
- DNS Beacons - C2 Communication
- DNS Rebinding
- DNS Server Compromise
- DNS Tunneling
- DoS Against the DNS
- Domain Name Compromise
- Dynamic DNS (as obfuscation technique)
- Fast Flux (as obfuscation technique)
- Infiltration and exfiltration via the DNS
- Lame Delegations
- Local Resolver Hijacking
- Malicious registration of (effective) second level domains
- On-path DNS Attack
- Stub Resolver Hijacking
- Detection
- Code of Conduct & Other Policies
- Examples of DNS Abuse
- Stakeholder Advice