Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/18/2019
10:30 AM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Are You Prepared for a Zombie (Domain) Apocalypse?

When a domain registration expires, they can be claimed by new owners. And sometimes, those new owners have malicious intent.

Internet domain name ownership is not perpetual.

Domains are assigned to their owners for a limited amount of time. Once a registration expires, domains are released back to the public to be claimed by potential new owners, on a first-come first-served basis.

Internet citizens won't be strangers to questionable (and sometimes outright abusive) practices around this phenomenon. I'm sure many readers have revisited an interesting website bookmarked for a rainy day, only to return and be greeted by an unrelated page laden with advertisement banners. This is one typical method for exploiting residual traffic to a domain, where a new party registers an expired domain in the hopes that the old website's unsuspecting clientele will bring in ad revenue. Another common situation, this time with clear malicious intent, is mimicking an obsolete website in an attempt to mount phishing attacks on visitors.

These are fairly obvious adversarial scenarios for the security community today. Unfortunately, the problems don't end there. Domain names are not merely pointers to websites, but they are generic identifiers used for addressing a wide variety of resources over the Internet.

For example, reclaim a lapsed domain and you automatically gain access to all future emails destined to previously active mailboxes on that name. Register an abandoned DNS server domain, and you can redirect querying clients to any destination of your choosing. In one notorious case, a security professional was able to acquire the expired name server domains for the ".io zone," giving him the ability to hijack traffic to all .io websites in existence.

And there is yet more trouble. Domain names are used as a trust anchor in many security-critical settings, and ownership of a domain often extends to other seemingly unrelated resources. Consider online services that send password reset links to email addresses on record, treating successful access to that email account as a mechanism for authentication. Hijacking that email domain as discussed above will then have a cascade effect compromising all connected online accounts that belong to the previous owner.

The situation is similar for security mechanisms that assume a permanent domain assignment model. When users grant a website permission to access their camera, microphone, or location, these access control decisions are bound to the website's domain name. Even if the domain's owner eventually changes, previously granted permissions will persist, allowing the new owner to abuse the residual trust put on that domain. Note that Transport Layer Security (TLS) offers very little in the way of protecting users against these problems. TLS only authenticates domains but is oblivious to who owns them. Short of manually inspecting WHOIS records, users are left with no easy way to detect domain ownership changes before the damage is done.

While a quick online search will reveal select high-profile incidents of this nature, inquisitive readers may ask how practical these exploits generally are, how often they are seen in the wild, and whether Internet users are facing a real risk.

As it happens, there is a vibrant and professionally organized scene for domain recycling. Users can visit one of many online domain drop-catch services and place an order for a domain they wish to purchase when its registration lapses. Drop-catch services then mobilize large clusters of computing resources and flood registration systems with requests to claim an expiring domain the moment it becomes available, competing against all other potential registrants on the planet. This resembles the high-frequency trading scene in financial markets, but for domain names instead of stocks.

In a recent experiment I conducted together with fellow scientists from Northeastern University in Boston, we confirmed our concerns regarding the high demand for expiring domain reuse. We observed that just three major drop-catch services operated 75% of all accredited domain registrars, and were responsible for nearly 80% of all domain registration attempts. Up to 10% of .com, and 5% of .org domains were reregistered on the day they expired.

A second venue for domain recycling is auctions held by registrars for domains nearing expiration. Domains obtained through auctions pose a particular threat; they do not go through the typical expiration and reregistration phases, but instead they are transferred from the previous owner to a new party. As a result, domain registration information including the domain’s creation date does not change, making it difficult to spot the ownership change even with careful analysis of WHOIS records. This is problematic because many commercial security products, domain reputation services, and blacklist maintainers base their decisions on the age of a domain, where older domains are considered more trustworthy.

Domains change hands, and evidence shows they do so frequently, facilitated by a thriving ecosystem of drop-catch and auction services. Sadly, domain ownership is heavily relied upon as a trust anchor by many Internet applications and even security mechanisms. The implicit assumption that domains perpetually live pervades. Going forward, we security professionals should incorporate into our threat models the fundamental pitfalls of this assumption and the risks involved therein. When designing future systems, we should strive to have the necessary safeguards to ensure domain ownership cannot be accidentally lost, and if that eventually happens, have sufficient revocation mechanisms to respond and shift trust to a new anchor. Certificate Transparency has worked wonders for monitoring TLS certificates. Maybe we should start thinking about a Domain Transparency initiative.

Acknowledgments: The ideas presented in this article are based on a series of research projects jointly carried out by the author and his colleagues Tobias Lauinger, Ahmet Buyukkayhan, Abdelberi Chaabane, William Robertson, and Engin Kirda.


Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.