It's always nice reading these things about your favourite firewall
Ozzik last edited by
Heffner also called on router vendors to build in DNS Rebinding mitigations into their routers directly.
"The only router software that I know of that does this now is pfsense," Heffner said. "They contacted me when my Black Hat talk abstract went up."
mhab12 last edited by
Agreed - the interaction between the devs and community here are about as good as it gets. Thanks for all that you do.
HiTekRedNek last edited by
And just how does PFSense mitigate against this type of attack compared to competitors?
dszp last edited by
Well, the main way is by not allowing webGUI access using a hostname other than the one assigned to pfSense in version 2.0. There is an exception list for other hostnames used if needed, or IP address can be used without restriction, as that is not a security risk with DNS Rebinding attacks. These protections are on by default in 2.0 beta currently, even when upgrading from 1.x. It's always recommended to change the default administration password for the webGUI as well, and if you do this and are not logged into the webGUI (or are not logged into the same web browser used for other tasks), even attempts at DNS Rebinding attacks are unlikely to succeed because they would need to rely on a flaw in the LAN administration code to authenticate/change the firewall (this is the case even in 1.x). So the main recommendations beyond the build-in protections are: 1) use a different web browser for administration than for web browsing, and 2) change the default password to something secure (do this anyway!).
At least that's what I'm familiar with. I'm sure someone else may have information about additional precautions taken.