Vulnerabilities / Threats

3/18/2019
10:30 AM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Are You Prepared for a Zombie (Domain) Apocalypse?

When a domain registration expires, they can be claimed by new owners. And sometimes, those new owners have malicious intent.

Internet domain name ownership is not perpetual.

Domains are assigned to their owners for a limited amount of time. Once a registration expires, domains are released back to the public to be claimed by potential new owners, on a first-come first-served basis.

Internet citizens won't be strangers to questionable (and sometimes outright abusive) practices around this phenomenon. I'm sure many readers have revisited an interesting website bookmarked for a rainy day, only to return and be greeted by an unrelated page laden with advertisement banners. This is one typical method for exploiting residual traffic to a domain, where a new party registers an expired domain in the hopes that the old website's unsuspecting clientele will bring in ad revenue. Another common situation, this time with clear malicious intent, is mimicking an obsolete website in an attempt to mount phishing attacks on visitors.

These are fairly obvious adversarial scenarios for the security community today. Unfortunately, the problems don't end there. Domain names are not merely pointers to websites, but they are generic identifiers used for addressing a wide variety of resources over the Internet.

For example, reclaim a lapsed domain and you automatically gain access to all future emails destined to previously active mailboxes on that name. Register an abandoned DNS server domain, and you can redirect querying clients to any destination of your choosing. In one notorious case, a security professional was able to acquire the expired name server domains for the ".io zone," giving him the ability to hijack traffic to all .io websites in existence.

And there is yet more trouble. Domain names are used as a trust anchor in many security-critical settings, and ownership of a domain often extends to other seemingly unrelated resources. Consider online services that send password reset links to email addresses on record, treating successful access to that email account as a mechanism for authentication. Hijacking that email domain as discussed above will then have a cascade effect compromising all connected online accounts that belong to the previous owner.

The situation is similar for security mechanisms that assume a permanent domain assignment model. When users grant a website permission to access their camera, microphone, or location, these access control decisions are bound to the website's domain name. Even if the domain's owner eventually changes, previously granted permissions will persist, allowing the new owner to abuse the residual trust put on that domain. Note that Transport Layer Security (TLS) offers very little in the way of protecting users against these problems. TLS only authenticates domains but is oblivious to who owns them. Short of manually inspecting WHOIS records, users are left with no easy way to detect domain ownership changes before the damage is done.

While a quick online search will reveal select high-profile incidents of this nature, inquisitive readers may ask how practical these exploits generally are, how often they are seen in the wild, and whether Internet users are facing a real risk.

As it happens, there is a vibrant and professionally organized scene for domain recycling. Users can visit one of many online domain drop-catch services and place an order for a domain they wish to purchase when its registration lapses. Drop-catch services then mobilize large clusters of computing resources and flood registration systems with requests to claim an expiring domain the moment it becomes available, competing against all other potential registrants on the planet. This resembles the high-frequency trading scene in financial markets, but for domain names instead of stocks.

In a recent experiment I conducted together with fellow scientists from Northeastern University in Boston, we confirmed our concerns regarding the high demand for expiring domain reuse. We observed that just three major drop-catch services operated 75% of all accredited domain registrars, and were responsible for nearly 80% of all domain registration attempts. Up to 10% of .com, and 5% of .org domains were reregistered on the day they expired.

A second venue for domain recycling is auctions held by registrars for domains nearing expiration. Domains obtained through auctions pose a particular threat; they do not go through the typical expiration and reregistration phases, but instead they are transferred from the previous owner to a new party. As a result, domain registration information including the domain’s creation date does not change, making it difficult to spot the ownership change even with careful analysis of WHOIS records. This is problematic because many commercial security products, domain reputation services, and blacklist maintainers base their decisions on the age of a domain, where older domains are considered more trustworthy.

Domains change hands, and evidence shows they do so frequently, facilitated by a thriving ecosystem of drop-catch and auction services. Sadly, domain ownership is heavily relied upon as a trust anchor by many Internet applications and even security mechanisms. The implicit assumption that domains perpetually live pervades. Going forward, we security professionals should incorporate into our threat models the fundamental pitfalls of this assumption and the risks involved therein. When designing future systems, we should strive to have the necessary safeguards to ensure domain ownership cannot be accidentally lost, and if that eventually happens, have sufficient revocation mechanisms to respond and shift trust to a new anchor. Certificate Transparency has worked wonders for monitoring TLS certificates. Maybe we should start thinking about a Domain Transparency initiative.

Acknowledgments: The ideas presented in this article are based on a series of research projects jointly carried out by the author and his colleagues Tobias Lauinger, Ahmet Buyukkayhan, Abdelberi Chaabane, William Robertson, and Engin Kirda.


Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
CVE-2018-8825
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
CVE-2019-10688
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.