Internet domain name ownership is not perpetual.
Domains are assigned to their owners for a limited amount of time. Once a registration expires, domains are released back to the public to be claimed by potential new owners, on a first-come first-served basis.
Internet citizens won't be strangers to questionable (and sometimes outright abusive) practices around this phenomenon. I'm sure many readers have revisited an interesting website bookmarked for a rainy day, only to return and be greeted by an unrelated page laden with advertisement banners. This is one typical method for exploiting residual traffic to a domain, where a new party registers an expired domain in the hopes that the old website's unsuspecting clientele will bring in ad revenue. Another common situation, this time with clear malicious intent, is mimicking an obsolete website in an attempt to mount phishing attacks on visitors.
These are fairly obvious adversarial scenarios for the security community today. Unfortunately, the problems don't end there. Domain names are not merely pointers to websites, but they are generic identifiers used for addressing a wide variety of resources over the Internet.
For example, reclaim a lapsed domain and you automatically gain access to all future emails destined to previously active mailboxes on that name. Register an abandoned DNS server domain, and you can redirect querying clients to any destination of your choosing. In one notorious case, a security professional was able to acquire the expired name server domains for the ".io zone," giving him the ability to hijack traffic to all .io websites in existence.
And there is yet more trouble. Domain names are used as a trust anchor in many security-critical settings, and ownership of a domain often extends to other seemingly unrelated resources. Consider online services that send password reset links to email addresses on record, treating successful access to that email account as a mechanism for authentication. Hijacking that email domain as discussed above will then have a cascade effect compromising all connected online accounts that belong to the previous owner.
The situation is similar for security mechanisms that assume a permanent domain assignment model. When users grant a website permission to access their camera, microphone, or location, these access control decisions are bound to the website's domain name. Even if the domain's owner eventually changes, previously granted permissions will persist, allowing the new owner to abuse the residual trust put on that domain. Note that Transport Layer Security (TLS) offers very little in the way of protecting users against these problems. TLS only authenticates domains but is oblivious to who owns them. Short of manually inspecting WHOIS records, users are left with no easy way to detect domain ownership changes before the damage is done.
While a quick online search will reveal select high-profile incidents of this nature, inquisitive readers may ask how practical these exploits generally are, how often they are seen in the wild, and whether Internet users are facing a real risk.
As it happens, there is a vibrant and professionally organized scene for domain recycling. Users can visit one of many online domain drop-catch services and place an order for a domain they wish to purchase when its registration lapses. Drop-catch services then mobilize large clusters of computing resources and flood registration systems with requests to claim an expiring domain the moment it becomes available, competing against all other potential registrants on the planet. This resembles the high-frequency trading scene in financial markets, but for domain names instead of stocks.
In a recent experiment I conducted together with fellow scientists from Northeastern University in Boston, we confirmed our concerns regarding the high demand for expiring domain reuse. We observed that just three major drop-catch services operated 75% of all accredited domain registrars, and were responsible for nearly 80% of all domain registration attempts. Up to 10% of .com, and 5% of .org domains were reregistered on the day they expired.
A second venue for domain recycling is auctions held by registrars for domains nearing expiration. Domains obtained through auctions pose a particular threat; they do not go through the typical expiration and reregistration phases, but instead they are transferred from the previous owner to a new party. As a result, domain registration information including the domain’s creation date does not change, making it difficult to spot the ownership change even with careful analysis of WHOIS records. This is problematic because many commercial security products, domain reputation services, and blacklist maintainers base their decisions on the age of a domain, where older domains are considered more trustworthy.
Domains change hands, and evidence shows they do so frequently, facilitated by a thriving ecosystem of drop-catch and auction services. Sadly, domain ownership is heavily relied upon as a trust anchor by many Internet applications and even security mechanisms. The implicit assumption that domains perpetually live pervades. Going forward, we security professionals should incorporate into our threat models the fundamental pitfalls of this assumption and the risks involved therein. When designing future systems, we should strive to have the necessary safeguards to ensure domain ownership cannot be accidentally lost, and if that eventually happens, have sufficient revocation mechanisms to respond and shift trust to a new anchor. Certificate Transparency has worked wonders for monitoring TLS certificates. Maybe we should start thinking about a Domain Transparency initiative.
Acknowledgments: The ideas presented in this article are based on a series of research projects jointly carried out by the author and his colleagues Tobias Lauinger, Ahmet Buyukkayhan, Abdelberi Chaabane, William Robertson, and Engin Kirda.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.