Results 1 - 3 of 3
Protecting browsers from DNS rebinding attacks
- In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007
Cited by 32 (8 self)
DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than $100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.
Cross-Site Request Forgeries: Exploitation and Prevention
Cited by 9 (0 self)
has fixed the vulnerability described below. Also clarified that our server-side CSRF protection recommendations do not prevent the active network attacks described in [17]. The newest version of this paper can be found at
NO WARRANTY
, 2011
The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

