By Colonel Panic
#1857088
My brother-in-law has recently noticed his internet connection seeming to stop for 10-20 secs every now and again, and wondered whether these "rebind attacks" might be related, and if they are a problem? From this screenshot it looks to me that his modem/router (IIRC it is an el-cheapo unit as supplied by his telco) is at least intercepting them.

TIA

[screenshot of the router's log]
By stevelup
FLYER Club Member
#1857100
Basically some dodgy code on a web page is trying to log into his router and change the DNS server address to a malicious one.

All subsequent traffic could then be tampered with.

But 1) his router's aware of this exploit and 2) I'm guessing he has a secure password set on it.

So it's interesting rather than a real threat. He should possibly check what site he was on at those times and report it to them though.

kargo.com is an ad tracking website, so the nasty stuff will have been embedded in an ad.

It happened here a bit if you remember a while ago.
By rikur_
FLYER Club Member
#1857133
There may be a less harmful explanation.

Firstly to explain DNS rebind attacks .... these are a technique to bypass the cross-domain scripting restrictions in web browsers.
For example, normally a script running under the domain example.com cannot access resources hosted under any other domain than example.com. This is a security feature of web browsers to limit the ability of a malicious script on a web page accessing unintended data/resources.
In a DNS rebind attack the DNS will initially resolve the IP address to an internet webserver where it loads its dodgy script from.
However, the TTL (how long the IP address is cached for) is set to a very short period, and when it is re-queried it returns a different non-routable LAN IP address.
This bypasses the cross-site scripting protections and the browser will let it make queries to the internal LAN device.
A common trick is to target common router IP addresses (e.g. 192.168.0.1) where the attack will often attempt to change the DNS servers of the router to give more control.

Back to the specific example here....
It looks like the router in question is using dnsmasq as its DNS server.
To protect against DNS rebind attacks, dnsmasq does not resolve any non-routable IP addresses, and logs the error shown.

However, non-routable IP addresses can arise in a number of legitimate scenarios:
- Ad blocking DNS servers tend to return an IP address of 0.0.0.0 for blocked domains
- Some ad serving tools set the DNS of expired sub-domains to 0.0.0.0 to stop expired code generating hits on their infrastructure

This could be as simple as a tracking pixel for a client that's expired, or the result of up-stream DNS ad blocking.
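To make the distinction in the post above concrete, here is an added example (not code from any poster, nor from dnsmasq itself) that does two things: it mimics dnsmasq's rebind filter by classifying each upstream DNS answer as a routable address, a 0.0.0.0 sinkhole answer (the benign ad-block / expired-domain case), or a genuine LAN or loopback address (the case worth looking at), and it counts "possible DNS-rebind attack detected" warnings per domain from log lines. The log lines and the upstream answers are constructed sample data; the set of non-routable ranges and the `rebind_domain_ok` / `localhost_ok` switches are this example's approximation of dnsmasq's `--rebind-domain-ok` and `--rebind-localhost-ok` options, not its exact implementation.

```python
import ipaddress
import re
from collections import Counter

# Approximation of the address space dnsmasq refuses to hand back when
# stop-dns-rebind is on (RFC 1918, loopback, link-local, CGNAT, 0.0.0.0/8 and
# their IPv6 equivalents). This list is an assumption for the example; check the
# man page of the dnsmasq version on the router for the authoritative list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
SINKHOLES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}


def classify_answer(domain, ip, rebind_domain_ok=(), localhost_ok=False):
    """Return what a rebind filter would do with one A/AAAA answer for `domain`."""
    addr = ipaddress.ip_address(ip)
    # Domains explicitly trusted to point at LAN addresses (e.g. a home NAS).
    if any(domain == d or domain.endswith("." + d) for d in rebind_domain_ok):
        return "allowed"
    # 0.0.0.0 / :: is the usual "blocked by an ad-blocking resolver" or
    # "expired sub-domain parked" answer: harmless, but it still trips the filter.
    if addr in SINKHOLES:
        return "blocked-sinkhole"
    if addr.is_loopback:
        return "allowed" if localhost_ok else "blocked-loopback"
    # A public name resolving into private space is the rebind pattern proper.
    if any(addr in net for net in NON_ROUTABLE):
        return "blocked-private"
    return "allowed"


# Matches the warning dnsmasq writes when the filter fires.
LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def count_rebind_warnings(lines):
    """Count rebind warnings per domain across a list of log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def triage(counts, upstream_answers):
    """Pair each warned domain with the answers the upstream resolver gives for it.

    `upstream_answers` maps domain -> list of IP strings. In practice you would
    fill it by querying the upstream resolver; here it is constructed sample data.
    """
    report = {}
    for domain, n in counts.items():
        verdicts = {classify_answer(domain, ip) for ip in upstream_answers.get(domain, [])}
        if verdicts == {"blocked-sinkhole"}:
            report[domain] = (n, "0.0.0.0 answer: ad-block or expired domain, benign")
        elif verdicts & {"blocked-private", "blocked-loopback"}:
            report[domain] = (n, "LAN/loopback address returned: investigate")
        else:
            report[domain] = (n, "no upstream data")
    return report


# Constructed sample log lines in syslog style, not taken from the screenshot.
SAMPLE_LOG = """\
Jan  5 10:12:01 router dnsmasq[1234]: possible DNS-rebind attack detected: kargo.com
Jan  5 10:12:01 router dnsmasq[1234]: possible DNS-rebind attack detected: kargo.com
Jan  5 10:13:44 router dnsmasq[1234]: query[A] example.com from 192.168.1.20
Jan  5 10:15:09 router dnsmasq[1234]: possible DNS-rebind attack detected: expired-pixel.example.net
""".splitlines()

# Constructed upstream answers: a sinkholed ad domain and a name pointing at a router address.
SAMPLE_UPSTREAM = {
    "kargo.com": ["0.0.0.0"],
    "expired-pixel.example.net": ["192.168.0.1"],
}

if __name__ == "__main__":
    for domain, (n, verdict) in triage(count_rebind_warnings(SAMPLE_LOG), SAMPLE_UPSTREAM).items():
        print(f"{domain}: {n} warning(s) - {verdict}")
```

A router that only shows the first kind of entry (0.0.0.0 answers for ad or tracking domains) is behaving exactly as the filter intends, and nothing reached the LAN; a public name that actually resolves to 192.168.x.x or 127.0.0.1 is the case where checking which page was open at the time, and that the router admin password is not the default, is worth the effort.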