Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/18/2019
10:30 AM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Are You Prepared for a Zombie (Domain) Apocalypse?

When a domain registration expires, they can be claimed by new owners. And sometimes, those new owners have malicious intent.

Internet domain name ownership is not perpetual.

Domains are assigned to their owners for a limited amount of time. Once a registration expires, domains are released back to the public to be claimed by potential new owners, on a first-come first-served basis.

Internet citizens won't be strangers to questionable (and sometimes outright abusive) practices around this phenomenon. I'm sure many readers have revisited an interesting website bookmarked for a rainy day, only to return and be greeted by an unrelated page laden with advertisement banners. This is one typical method for exploiting residual traffic to a domain, where a new party registers an expired domain in the hopes that the old website's unsuspecting clientele will bring in ad revenue. Another common situation, this time with clear malicious intent, is mimicking an obsolete website in an attempt to mount phishing attacks on visitors.

These are fairly obvious adversarial scenarios for the security community today. Unfortunately, the problems don't end there. Domain names are not merely pointers to websites, but they are generic identifiers used for addressing a wide variety of resources over the Internet.

For example, reclaim a lapsed domain and you automatically gain access to all future emails destined to previously active mailboxes on that name. Register an abandoned DNS server domain, and you can redirect querying clients to any destination of your choosing. In one notorious case, a security professional was able to acquire the expired name server domains for the ".io zone," giving him the ability to hijack traffic to all .io websites in existence.

And there is yet more trouble. Domain names are used as a trust anchor in many security-critical settings, and ownership of a domain often extends to other seemingly unrelated resources. Consider online services that send password reset links to email addresses on record, treating successful access to that email account as a mechanism for authentication. Hijacking that email domain as discussed above will then have a cascade effect compromising all connected online accounts that belong to the previous owner.

The situation is similar for security mechanisms that assume a permanent domain assignment model. When users grant a website permission to access their camera, microphone, or location, these access control decisions are bound to the website's domain name. Even if the domain's owner eventually changes, previously granted permissions will persist, allowing the new owner to abuse the residual trust put on that domain. Note that Transport Layer Security (TLS) offers very little in the way of protecting users against these problems. TLS only authenticates domains but is oblivious to who owns them. Short of manually inspecting WHOIS records, users are left with no easy way to detect domain ownership changes before the damage is done.

While a quick online search will reveal select high-profile incidents of this nature, inquisitive readers may ask how practical these exploits generally are, how often they are seen in the wild, and whether Internet users are facing a real risk.

As it happens, there is a vibrant and professionally organized scene for domain recycling. Users can visit one of many online domain drop-catch services and place an order for a domain they wish to purchase when its registration lapses. Drop-catch services then mobilize large clusters of computing resources and flood registration systems with requests to claim an expiring domain the moment it becomes available, competing against all other potential registrants on the planet. This resembles the high-frequency trading scene in financial markets, but for domain names instead of stocks.

In a recent experiment I conducted together with fellow scientists from Northeastern University in Boston, we confirmed our concerns regarding the high demand for expiring domain reuse. We observed that just three major drop-catch services operated 75% of all accredited domain registrars, and were responsible for nearly 80% of all domain registration attempts. Up to 10% of .com, and 5% of .org domains were reregistered on the day they expired.

A second venue for domain recycling is auctions held by registrars for domains nearing expiration. Domains obtained through auctions pose a particular threat; they do not go through the typical expiration and reregistration phases, but instead they are transferred from the previous owner to a new party. As a result, domain registration information including the domain’s creation date does not change, making it difficult to spot the ownership change even with careful analysis of WHOIS records. This is problematic because many commercial security products, domain reputation services, and blacklist maintainers base their decisions on the age of a domain, where older domains are considered more trustworthy.

Domains change hands, and evidence shows they do so frequently, facilitated by a thriving ecosystem of drop-catch and auction services. Sadly, domain ownership is heavily relied upon as a trust anchor by many Internet applications and even security mechanisms. The implicit assumption that domains perpetually live pervades. Going forward, we security professionals should incorporate into our threat models the fundamental pitfalls of this assumption and the risks involved therein. When designing future systems, we should strive to have the necessary safeguards to ensure domain ownership cannot be accidentally lost, and if that eventually happens, have sufficient revocation mechanisms to respond and shift trust to a new anchor. Certificate Transparency has worked wonders for monitoring TLS certificates. Maybe we should start thinking about a Domain Transparency initiative.

Acknowledgments: The ideas presented in this article are based on a series of research projects jointly carried out by the author and his colleagues Tobias Lauinger, Ahmet Buyukkayhan, Abdelberi Chaabane, William Robertson, and Engin Kirda.


Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.