Artificial Reality | The PatternEx Blog

Collections of the thoughts and the people behind the PatternEx Virtual Analyst Platform powered by AI2.

Detecting DNS Rebinding Attacks

Unless you have possibly been in North Korea since mid-July (working on denuclearization issues?), then you have by now heard about the DNS rebinding vulnerability that IoT devices are subject to (CVE-2018–11315). There are two aspects to this matter that are particularly noteworthy. First, DNS rebinding attacks are not new. In fact, the first such attack was reported over ten years ago (CVE-2007-5232)! Second, is the number of IoT devices potentially vulnerable in this latest CVE - half a billion devices. That is a lot of exposure sitting on your organization’s and your personal network at home. (BleepingComputer blog post, “Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks” from July 20th has a good breakdown on that number.)

Of course, what makes DNS rebinding attacks so dangerous is their ability to bypass your firewalls and likely your IDS / IPS too. A malicious device on an external network can be used to enter your internal networks and move laterally across your organizational and / or home networks. While the Mitre CVE database lists over 600 CVEs dealing with DNS vulnerabilities, and 24 of those deal with rebinding, remediation efforts for rebiding have been publicly discussed since at least February 2009 (e.g., Paul Wouters’s Black Hat presentation, “Defending your DNS in a post-Kaminsky world”). And yet….

 Let’s be clear, there is no protection built into most of these devices, so you will need to provide other protection for / around them. One of preventive measures that should be implemented is to never allow a DNS Response to specify IP addresses that may never appear in “external” domain names. For example, non- routable addresses (RFC 1918, Address Allocation for Private Internets), and routable address space used internally (a very bad practice, but it happens) should not be allowed from external DNS servers.

However, what really makes this situation scary to me, is that it involves a failure of detection too. While some firewalls or routers may provide messages such as “Packet dropped - DNS Rebind attack,” not all do. And even of your firewall(s) or router(s) are providing such messages, are you actually aggregating the logs of those vulnerable devices (e.g., IP cameras, IP phones, printers) into your SIEM? (Probably not.) And, even if you are aggregating those logs into your SIEM, have you written any correlations to detect DNS rebinding attacks? For most organizations, I doubt so. Given the huge number of vulnerable devices, the large number of models represented, from a large number of vendors providing a very large number of log formats, and the scalability of writing correlations is in serious doubt. Detection of these attacks on home devices is probably far, far worse - close to non-existent.

Bring in the AI. Since device protection is effectively out of the question. And, since protection around these devices is questionable, large scale, effective detection in near real-time of modeled malicious behaviors is required. AI can do that; humans writing correlations cannot. So mitigation of this threat comes down to much better detection - more devices, modeled behaviors, near real-time. Many of these vulnerable devices will run on large IoT platforms, such as GE Predix, Google Cloud IoT, or Samsung’s ARTIK where speed, precision, and scale are demanded. In other words, the use of AI for detection of cyber attacks.

Interested in learning more?  Request a meeting here.

Request a PatternEx Demo

Topics: SIEM SOC Threat Intel

Subscribe Now