Speed
Most DNS rebinding attack tools require about one minute for the rebinding to happen. Singularity can achieve DNS rebinding in as little as 3 seconds in certain configurations. This page explains how to configure Singularity to improve the speed.
The default, conservative DNS rebinding strategy, “first then second”, waits until the browser’s DNS cache entry expires and then returns the IP address of the target service. This usually takes about one minute. DNS rebinding in just 3 seconds is possible with the “multiple answers” rebinding strategy, which returns two IP addresses in the DNS response: the attacker’s (public) IP address and the IP address of the target service (e.g. a private IP address or localhost).
Example DNS request/response:

```
dig s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it

;; QUESTION SECTION:
;s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it. IN A

;; ANSWER SECTION:
s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it. 0 IN A 35.185.206.165
s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it. 0 IN A 127.0.0.1
```
The browser prefers the public IP address over the private/localhost IP address and makes HTTP requests to the Singularity web interface to load the attack payload. Right after the victim has made these requests, Singularity blocks the victim’s IP address using iptables firewall rules that answer with TCP reset packets. This causes the browser to fall back to the second IP address returned in the DNS response, which points to the target service. This technique brings the rebinding time down to 3 seconds when the following conditions are met:
- The target IP address is 127.0.0.1 on Windows using IE, Chrome, or Firefox
- The target IP address is 0.0.0.0 on Linux and macOS using Firefox, Chrome (Chromium on Linux), or Safari (macOS)
This technique can also be used against targets listening on private IP addresses (on an internal network, for example), but it does not work as reliably as it does against targets listening on localhost.
To summarize, the multiple answers rebinding strategy achieves DNS rebinding in 3 seconds for target services listening on localhost.
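The response shown above is also what a resolver-side rebinding filter looks for: an answer set for a public name that contains a loopback, unspecified (0.0.0.0) or private address, especially alongside a public one and with a TTL of 0. The following is an added example, not part of Singularity or its wiki: it parses dig-style A records (the page's answer section plus one constructed benign record) and reports, per name, why an answer would be treated as a rebinding candidate. Function and variable names are my own; the logic mirrors what resolver options such as dnsmasq's `--stop-dns-rebind` enforce.

```python
import ipaddress
import re

# Constructed sample: the two records from the page's dig output, plus one
# benign record for a normal public host (93.184.216.34 is just a sample value).
SAMPLE_ANSWERS = """\
s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it. 0 IN A 35.185.206.165
s-35.185.206.165-127.0.0.1-123-ma-e.d.rebind.it. 0 IN A 127.0.0.1
www.example.com. 300 IN A 93.184.216.34
"""

# dig answer-section layout: <name> <ttl> IN A <address>
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\S+)$")


def parse_answers(text):
    """Parse dig-style A records into (name, ttl, ip_address) tuples; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m["name"], int(m["ttl"]), ipaddress.ip_address(m["addr"])))
    return records


def is_internal(ip):
    """True for addresses a public DNS name should never legitimately resolve to
    from the perspective of a rebinding filter: loopback, RFC 1918 / ULA,
    link-local, and the unspecified address 0.0.0.0 (the Linux/macOS target case)."""
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def check_rebinding(records):
    """Group records by name and return {name: [reasons]}.

    An empty reason list means the answer set looks clean. The strongest
    signal is the mix of a public and an internal address in one answer set,
    which is exactly the "multiple answers" pattern; a 0 TTL on its own is
    only a weak hint and is reported separately."""
    by_name = {}
    for name, ttl, ip in records:
        by_name.setdefault(name, []).append((ttl, ip))

    verdicts = {}
    for name, answers in by_name.items():
        reasons = []
        ips = [ip for _, ip in answers]
        internal = [ip for ip in ips if is_internal(ip)]
        if internal:
            reasons.append("internal address in answer: " + ", ".join(map(str, internal)))
        if internal and any(not is_internal(ip) for ip in ips):
            reasons.append("mixed public and internal addresses (multiple-answers rebinding pattern)")
        if any(ttl == 0 for ttl, _ in answers):
            reasons.append("TTL 0 forces the client to re-resolve on every lookup")
        verdicts[name] = reasons
    return verdicts


if __name__ == "__main__":
    for name, reasons in check_rebinding(parse_answers(SAMPLE_ANSWERS)).items():
        print(name, "->", reasons or ["clean"])
```

A filter like this belongs at the recursive resolver or on the host, where it can drop the whole answer set; filtering only the internal record would leave the public one and simply delay the attack until the next lookup. Note that `ipaddress`'s `is_private` also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so pick real public sample addresses when extending the test data.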
Singularity also includes a cache flooding technique that can be combined with the very reliable “first then second” rebinding strategy to achieve rebinding in as little as 5 seconds. Browsers keep only a limited number of DNS entries in their cache. This local cache can be flooded with entries to force the browser to evict old entries, effectively flushing its cache, so that the browser makes a new DNS request, to which Singularity responds with the target IP address.
When the DNS cache flooding technique is enabled, Singularity performs ~1000 DNS queries to evict cached DNS entries in the browser. With cache flooding, the speed improves considerably over the default one minute when the following conditions are met:
- 5 seconds in Safari on iOS with any target
- 15-40 seconds in Chrome & Chromium on macOS, Linux, and Windows with any target
In summary, using the cache flooding technique in combination with the reliable “first then second” rebinding strategy, DNS rebinding can be achieved in 5 seconds on iOS and in 15-40 seconds in Chrome/Chromium.
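From a network monitoring point of view, the ~1000 eviction queries stand out: one client resolving hundreds of distinct names within a few seconds is not normal browsing. The following is an added example, not code from Singularity or its wiki: it runs a per-client sliding window over a constructed query log (timestamp, client address, query name) and reports clients whose count of distinct names inside the window crosses a threshold. The log format, the `window_seconds=5` and `threshold=500` defaults and all names are assumptions for this illustration; tune them against your own resolver logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Build a constructed resolver query log (not real data).

    192.0.2.10 is a normal client doing three lookups over twenty seconds;
    192.0.2.20 issues 1000 unique names in about three seconds, the shape of a
    cache-flooding burst."""
    lines = []
    base = datetime(2024, 1, 1, 12, 0, 0)
    for i, name in enumerate(["www.example.com", "cdn.example.com", "api.example.com"]):
        ts = base + timedelta(seconds=i * 10)
        lines.append(f"{ts.isoformat()} 192.0.2.10 {name}")
    for i in range(1000):
        ts = base + timedelta(milliseconds=3 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.20 f{i}.flood.example")
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (datetime, client, qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def detect_flood(log_text, window_seconds=5, threshold=500):
    """Return {client: peak distinct query names within any window} for clients
    whose peak reaches the threshold.

    A deque per client holds the (timestamp, qname) pairs inside the current
    window; entries older than window_seconds are dropped from the left as new
    lines arrive, so the log only needs to be time-ordered per client."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, client, qname = parse_line(line)
        dq = windows[client]
        dq.append((ts, qname))
        while dq and (ts - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        distinct = len({q for _, q in dq})
        if distinct > peak[client]:
            peak[client] = distinct
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in detect_flood(make_sample_log()).items():
        print(f"{client}: {n} distinct names in a {5}s window")
```

Counting distinct names rather than raw queries matters here: a client retrying the same lookup produces many queries but few names, while the flood produces a new name for every query. A hit is best treated as a lead to correlate with the rebinding filter above, since a single burst can also come from a misbehaving application.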