==================================================================================================================================
# Title     : Starlink DNS Rebinding Exploit
# Author    : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
# Vendor    : indoushka
==================================================================================================================================

[+] Summary :

This Python script implements a lightweight DNS rebinding detection system designed to monitor suspicious domain-to-IP resolution changes in real time. It behaves like a mini EDR sensor focused specifically on identifying DNS rebinding and IP-flapping patterns.

The tool continuously resolves a list of domains and tracks their historical IP resolutions. It analyzes changes over time to detect potentially malicious behavior, especially transitions from public to private IP ranges.

[+] Key detection capabilities :

 - Public → Private IP transition detection : flags when a domain resolves from a public IP to a private/internal IP space, a common DNS rebinding indicator
 - Rapid IP flapping detection : identifies domains that resolve to multiple different IPs within a short window
 - Time-windowed history tracking : uses bounded deques to store recent DNS resolution history efficiently
 - Thread-safe alert logging (lightweight) : stores and prints security events with severity and metadata
 - Private IP classification : uses the ipaddress module to correctly identify RFC1918 internal ranges

[+] Operational behavior :

 - Continuously monitors configured target domains in a loop
 - Performs periodic DNS resolution every few seconds
 - Maintains historical resolution state per domain
 - Triggers high-severity alerts when suspicious patterns are detected

Overall, this script provides a simple but effective DNS rebinding monitoring mechanism suitable for lab environments, security research, or integration into larger threat detection pipelines.
[+] POC :

#!/usr/bin/env python3
import socket
import time
import threading
import ipaddress
from collections import defaultdict, deque


class DNSRebindingDetector:
    def __init__(self, window=60):
        # Per-domain history of (ip, timestamp), bounded by count here and by time in analyze().
        self.domain_history = defaultdict(lambda: deque(maxlen=20))
        self.alerts = deque(maxlen=100)
        self.window = window
        # Guards the alert store when analyze() is driven from more than one thread.
        self._lock = threading.Lock()

    def is_private_ip(self, ip):
        # is_private covers RFC1918 as well as loopback and link-local ranges.
        try:
            return ipaddress.ip_address(ip).is_private
        except ValueError:
            return False

    def resolve_domain(self, domain):
        try:
            return socket.gethostbyname(domain)
        except OSError:  # socket.gaierror / socket.herror are subclasses of OSError
            return None

    def analyze(self, domain):
        ip = self.resolve_domain(domain)
        if not ip:
            return
        now = time.time()
        hist = self.domain_history[domain]
        hist.append((ip, now))
        # Drop resolutions older than the window so "recent" really means recent.
        while hist and now - hist[0][1] > self.window:
            hist.popleft()
        history = list(hist)
        if len(history) < 2:
            return
        old_ip = history[-2][0]
        new_ip = history[-1][0]
        if (not self.is_private_ip(old_ip)) and self.is_private_ip(new_ip):
            self.alert(domain, old_ip, new_ip, "PUBLIC_TO_PRIVATE_REBINDING")
        unique_ips = {h[0] for h in history}
        if len(unique_ips) >= 3:
            self.alert(domain, old_ip, new_ip, "RAPID_IP_FLAPPING")

    def alert(self, domain, old_ip, new_ip, reason):
        event = {
            "domain": domain,
            "old_ip": old_ip,
            "new_ip": new_ip,
            "reason": reason,
            "severity": "HIGH",
            "timestamp": time.time()
        }
        with self._lock:
            self.alerts.append(event)
            print("\n[ DNS REBINDING ALERT ]")
            print(event)

    def monitor(self, domains):
        while True:
            for d in domains:
                self.analyze(d)
            time.sleep(2)


if __name__ == "__main__":
    targets = [
        "example.com",
        "test.local"
    ]
    detector = DNSRebindingDetector()
    detector.monitor(targets)

============================================================================================
Greetings to : jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
============================================================================================