In article <mailman.352.1282059097.15649.bind-us...@lists.isc.org>, Florian Weimer <fwei...@bfk.de> wrote:
> * Bradley Falzon:
>
> > Craig Heffner's version of the DNS Rebinding attack, similar to all
> > DNS Rebinding attacks, requires the DNS Servers to respond with an
> > Attackers IP Address as well as the Victims IP Address, in a typical
> > Round Robin fashion. Previous attacks would normally have the Victims
> > IP Address to be their Private IP.
>
> For which protocols is this supposed to work? Why would a
> security-minded web application serve content under a name it knows
> cannot be its own?

Home routers generally don't have names, and they don't implement virtual hosting, so the programmers of the configuration interface presumably didn't see the need to use the Host header.

In fact, one of the recommendations in the paper that was referenced is that routers should check the Host header. It should either be the router's hostname (if it has one) or the router's IP.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
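The Host-header check Barry describes, as an added illustration (not code from this thread, from the referenced paper, or from any router vendor): a device's web interface accepts a request only if the Host header names the device itself, by its own hostname if it has one or by one of its own IP literals. The hostname, addresses and ports below are constructed placeholders for a hypothetical router, and the handler is a minimal stand-in for a real configuration UI. A rebinding attack delivers the request with the attacker's domain name in Host, which this check rejects regardless of which IP the browser resolved that name to.

```python
"""Host-header validation as a DNS-rebinding mitigation for a device web UI.

Added example, not from the thread or from any router firmware.
Assumption: the device knows its own hostname (if any), the IP addresses
it listens on and the ports it serves; anything else in Host is rejected.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed identity for a hypothetical router (placeholders, not real values).
ROUTER_HOSTNAMES = {"router.local"}           # hostname, if the device has one
ROUTER_ADDRESSES = {"192.168.1.1", "fd00::1"}  # addresses the UI listens on
ROUTER_PORTS = {80, 8080}                      # ports the UI actually serves


def split_host_port(host_header):
    """Split a Host header value into (host, port); port is None if absent.
    Handles bracketed IPv6 literals such as [fd00::1]:8080.  Returns
    (None, None) for anything malformed, which callers treat as a reject."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host = value[1:end]
        rest = value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    if value.count(":") == 1:
        host, port = value.split(":")
        if not port.isdigit():
            return None, None
        return host, int(port)
    if ":" in value:
        # A bare IPv6 literal without brackets is not a valid Host value.
        return None, None
    return value, None


def host_header_allowed(host_header, hostnames=ROUTER_HOSTNAMES,
                        addresses=ROUTER_ADDRESSES, ports=ROUTER_PORTS):
    """True only if Host names this device: one of its own hostnames
    (case-insensitive, trailing dot ignored) or one of its own IP literals,
    optionally with a port the device really listens on."""
    if host_header is None:
        return False
    host, port = split_host_port(host_header)
    if host is None:
        return False
    if port is not None and port not in ports:
        return False
    if host.lower().rstrip(".") in {h.lower() for h in hostnames}:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # neither our hostname nor an IP literal at all
    return any(addr == ipaddress.ip_address(a) for a in addresses)


class ConfigHandler(BaseHTTPRequestHandler):
    """Stand-in for a router configuration UI: every request is gated on Host."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            # Request arrived under a name that cannot be ours: refuse it.
            self.send_error(400, "Bad Host header")
            return
        body = b"router configuration page (placeholder)\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve on a loopback port for local testing; a real device would bind
    # to its LAN address and list that address in ROUTER_ADDRESSES.
    HTTPServer(("127.0.0.1", 8080), ConfigHandler).serve_forever()
```

The check is deliberately an allowlist of the device's own identities rather than a denylist of suspicious names, so a browser that resolved an attacker-controlled name to the router's address still cannot reach the configuration page under that name.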