Fallstreak Hole of Internet Clouds: Unraveling the Threat of Hosting-Based Domain Takeovers

Mingming Zhang, Xiang Li, Baojun Liu, Jianyu Lu, Yiming Zhang, Jianjun Chen, Haiixn Duan, Shuang Hao, Xiaofeng Zheng

Last updated on Feb 27, 2024 5 min read Blog

Paper title：**Detecting and Measuring Security Risks of Hosting-Based Dangling Domains （published by ACM SIGMETRICS 2023）

Domain names, vital for tasks like digital certificate authentication, face growing vulnerabilities in our evolving digital landscape. A key threat is hosting-based domain takeover, where adversaries exploit domains resolved to expired or unreferenced endpoints of public hosting platforms (e.g., CDN, web hosting, OSS). With more organizations using hosting services, the ephemeral resource allocation in such environments is problematic. If not effectively monitored, transient hosting service endpoints can be exploited, leading to breaches even at major companies like Microsoft.

Recent research introduces a new detection method for hosting-based dangling domains and assesses the complexity of this growing threat.

Hosting-Based Domain Takeover

In the digital era, companies often use public platforms like CDNs for web hosting. But what’s the mechanism behind this, and where are the potential vulnerabilities?

Figure 1 illustrates the hosting setup process involving two stages:

1. Domain Ownership Validation (Step 1-3), where a customer, Alice, proves her domain ownership using a challenge token (e.g., a DNS TXT value) assigned by the platform.

2. Service Allocation & Domain Connection (Step 4-6), where post-verification, the platform provides 1-2 service endpoints (e.g., CNAME), and Alice activates the service by adding CNAME records.

png

Figure 1. Domain hosting procedures

But what happens when things go wrong?

The Chinks in the Armor: Hosting Vulnerabilities

Hosting service vulnerabilities stem from poor domain ownership validation, allowing attackers to reuse the released endpoints. If the DNS records aren’t promptly purged after service expiration, they become dangling and exploitable. This mirrors the ‘use-after-free’ programming bug, where domains point to freed resources that can be maliciously reused.

The Anatomy of a Hosting-Based Domain Takeover

Figure 2 depicts the threat model. Mallory uses the same CNAME endpoints, bypasses domain connection validation, and hijacks Alice’s domain name.

png

Figure 2. Hosting-based domain takeover procedures

HostingChecker: A Novel Detection Framework

The HostingChecker framework, introduced at ACM SIGMETRICS 2023, aims to identify public hosting services and detect vulnerable domains on discontinued endpoints. The challenges are 1) the diversity of service types and hosting strategies, making manual inspection difficult, and 2) the need for efficient detection of vulnerable popular domains at scale.

The inspiration behind HostingChecker’s design stems from three key observations:

1) Service endpoint naming conventions (Figure 3): Across the board, hosting services, whether they’re CDNs, OSS, or web hosts, tend to follow similar endpoint naming practices.

png

Figure 3. Examples of service endpoint names and naming patterns

2) High domain dependency (Figure 4): Hosting service endpoints can serve numerous of domains, resulting in high domain dependency—many main domains pointing to a single shared domain suffix.

png

Figure 4. Domain Dependency and Domain Dependency Number

3) Domain name resolution characteristics: The domain resolution chains can indicate if domains are hosted on public services. Certain DNS responses can also indicate service status - e.g., when a service expires, the assigned CNAME may become an NXDOMAIN.

Based on the above observations, we design the novel framework of HostingChecker (Figure 5). Its main functions include:

1) Discovering Vulnerable Hosting Services: HostingChecker leverages passive DNS traffic, recognizing service endpoints by their naming patterns. A meticulous manual analysis then zeroes in on the vulnerable services.

2) Pinpointing Vulnerable Domains: HostingChecker builds DNS chains from passive data, and identifies domains hosted on risky services through pattern comparisons. Further detection of dangling domains is done through proactive HTTP and DNS probes.

png

Figure 5.Overview of HostingChecker

Major Findings and Insights

We deployed HostingChecker using a representative passive DNS dataset, 114DNS, which processes 600 billion DNS queries per day. Running from December 2021 to July 2022, it examined the top 1M Tranco domains and specific .edu and .gov domains, revealing widespread hosting service vulnerabilities.

I Vulnerability Assessment of Hosting Services

As shown in Table 1, HostingChecker identified 165 hosting services and 995 endpoint patterns in the 114DNS dataset, with 65 services found vulnerable. These include famous cloud object storage services (e.g. Alibaba OSS and Huawei OBS), CDNs (e.g. Baidu and Cloudflare), and website builders (e.g. Wix).

Table 1.Vulnerable Hosting Services

png

II Domain Connection Vulnerabilities in Hosting Services

We summarized various domain validation methods (i.e. Figure 1 steps 3-5) for hosting services and found significant security risks even among the most popular large providers. As shown in Table 2, the top 20 popular services like Webflow, Fastly, Cloudflare, and Alibaba Cloud, which dominate 70% of the market, weren’t immune. This suggests smaller platforms may be equally at risk.

Table 2. Domain connecting methods employed by major hosting vendors

png

III The magnitude of the Domain Vulnerability Landscape

The scale of domains using vulnerable services paints a worrying picture for the broader digital ecosystem. A staggering 114k domains were found hosted on vulnerable services, posing potential threats like data breaches or malware attacks. Specifically, 10,351 FQDNs under the Tranco Top 1M apex domains, including well-known institutions (e.g., Stanford and Rice) and corporations (e.g., Baidu, Huawei, and Marriott), were confirmed vulnerable.

The threat of domain takeovers is not only omnipresent but also on the rise (Figure 6), demanding continual vigilance. Research indicated the emergence of over 200 new vulnerable domains weekly, emphasizing the persistent and growing nature of this security concern.

png

Figure 6.Detection results of hosting-based dangling domains (weekly cumulative)

Best Practices for Public Hosting Services

HostingChecker is running continuously with 114DNS to find and report vulnerable domains. Our analysis also leads to suggestions to mitigate domain takeover threats:

1) Rigorous Domain Validation: Employ standard validation methods like one-time tokens in TXT records rather than just checking reassignable endpoints.

2) Distinct Endpoints: Use unique, non-collidable endpoints (pairs) for each user and ensure each domain and account is distinctive.

3) Maintain a Historical Record: Keep a record of user-defined labels and hosted domains linked to accounts, preventing attackers from reusing endpoint names.

4) Proactive Security Alerts: Regularly update customers on potential threats. Alerts can include notifications about service expiration, the misconfiguration of wildcard DNS records, and any unusual domain activity.

Concluding Thoughts

The rise in hosting-based domain takeovers highlights the need for strict domain validations and user awareness. For hosting services, collaboration and shared intelligence can strengthen defenses.

For a detailed study, see our paper in the ACM SIGMETRICS 2023 titled ‘Detecting and Measuring Security Risks of Hosting-Based Dangling Domains’.

Academic DNS Domain takeover