Java Security: DNS Attack Scenario
The victim has two machines, stooge.victim.org (IP address 10.10.10.1) and
target.victim.org (IP address 10.10.10.2). The attacker has a machine
www.attacker.org (IP address 172.16.16.16).
The victim has a firewall that prevents machines outside the victim's
organization from making unauthorized network connections to any of the
victim's machines. This prevents the attacker from launching a direct attack
on the victim's machines. The victim's security depends on the firewall.
What the attacker does
The attacker creates a bogus machine name "bogus.attacker.org" and creates
a DNS mapping from bogus.attacker.org to the pair of IP addresses
The attacker also writes an innocent-looking Java applet and attaches it
to a web page installed on www.attacker.org.
Triggering the attack
The victim, running his web browser on stooge.victim.org, innocently visits a
web page on www.attacker.org. This causes the attacker's applet to be
loaded into the victim's browser, and to start running.
The applet performs some innocent function that is visible to the victim.
It also silently attacks the victim's machines.
First, the applet asks to create a network connection to bogus.attacker.org.
The Java system looks up the address "bogus.attacker.org," getting the
IP address pair (10.10.10.2, 172.16.16.16). The Java system compares this
address pair to the address of the machine that the applet came from
(172.16.16.16). Since the two have the address 172.16.16.16 in common, Java
allows the connection. However, the Java system actually connects to the
first address on the list, namely 10.10.10.2 (target.victim.org).
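The address comparison described above, as an added example that is not part of the original page or of any Java implementation: a small Python model of the flawed check beside a corrected check and a resolver-side filter. The DNS table reuses the page's fictitious names and addresses; the 10.10.10.0/24 prefix treated as the victim's internal network is an assumption.

```python
"""Model of the applet network-access check (added example, not code from the
original page or from any JDK). Names and addresses are the page's fictitious
ones; the 10.10.10.0/24 internal prefix is an assumption."""
from ipaddress import ip_address, ip_network

# Constructed DNS table. The attacker's zone answers with a pair that mixes
# a victim-internal address with the attacker's own web server address.
DNS = {
    "www.attacker.org":   ["172.16.16.16"],
    "bogus.attacker.org": ["10.10.10.2", "172.16.16.16"],
    "target.victim.org":  ["10.10.10.2"],
}

def resolve(name):
    return list(DNS.get(name, []))

def vulnerable_connect(codebase_host, dest_host):
    """The flawed check: resolve both names, allow if the address lists
    share any address, then connect to the FIRST destination address."""
    origin = set(resolve(codebase_host))
    dest = resolve(dest_host)
    if not dest or origin.isdisjoint(dest):
        return None          # denied
    return dest[0]           # may be a host that merely shares the list

def fixed_connect(codebase_addr, dest_host):
    """Corrected check: the sandbox remembers the single address the applet
    was actually fetched from and connects only to that address."""
    return codebase_addr if codebase_addr in resolve(dest_host) else None

# Assumed internal prefix of victim.org (not stated on the page).
INTERNAL = ip_network("10.10.10.0/24")

def suspicious_answer(name, addrs, own_zone="victim.org"):
    """Resolver-side filter: an answer for a name outside the organisation's
    own zone that carries an internal address is rejected. It judges on the
    returned addresses, not the name, so the encoded-name variant is caught too."""
    if name == own_zone or name.endswith("." + own_zone):
        return False
    return any(ip_address(a) in INTERNAL for a in addrs)

def filtered_connect(codebase_host, dest_host):
    """The flawed policy placed behind a filtering resolver."""
    if suspicious_answer(dest_host, resolve(dest_host)):
        return None
    return vulnerable_connect(codebase_host, dest_host)
```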
The attacker's applet now has a network connection to target.victim.org. It
can proceed to attack the defenses of target.victim.org, using any one of
several common network security weaknesses.
A more sophisticated version of the attack allows the attacker's applet to
systematically attack all of the machines in the victim's organization. The
attacking applet can tell the attacker's DNS server which IP addresses to
return, by encoding the IP addresses into the DNS name that is looked up.
For example, the applet could look up
bogus-10-10-10-2--172-16-16-16.attacker.org if it wanted the DNS server
to return the address pair given above.
Why the attack works
The key to the success of the attack is that the victim's firewall is helpless
to prevent it. The firewall is supposed to protect the victim by preventing
machines outside the firewall from opening arbitrary network connections to
the victim's machines inside the firewall. In this attack, however, the
dangerous network connections come from one of the victim's own machines,
so the firewall is useless.
In effect, the attacker causes the victim's web browser to attack the
victim's own machines.
Since the attacking applet can make network connections back to
attacker.org, the applet can operate under the direction of a "real
attacker" that is running back in attacker.org. For instance, a variant of
the notorious security-probing program "Satan" could be used to direct the
If the attacker can compromise a machine at third-party.org, it can still
carry out the attack on victim.org. The attacker plants his applet on a
web server on www.third-party.org. When the victim loads a web page from
www.third-party.org, the attacking applet is loaded into the victim's
machine. The applet can still use the DNS server at attacker.org to fool
Java into allowing arbitrary connections. As above, the applet can connect
to any desired machine on the internet, so it can attack the victim's
machines, and it can operate under the direction of a program or person
somewhere in attacker.org.
A Web virus
The third-party version of the attack can be used to create a virus. The
virus would be attached to an innocent-looking Web applet. When the applet
was run by some person, the applet would attack machines in that person's
organization. If it penetrated one of those machines, it would append the
attacking code to any web pages it found on the penetrated machines. The
virus could spread from web-server to web-server in this manner.
Note: all of the machine names and IP addresses used in the example are
fictitious. As far as we can tell, there are no real machines with these
addresses connected to the Internet.