Stale NS records are dangerous. I looked into the actual situation.

https://dl.acm.org/doi/abs/10.1145/3372297.3417864

Only GoDaddy has protection in place to prevent someone from claiming a domain that was not registered through their own account.

1. Zombie Awakening

CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting Referral
Pages 1307–1322

Authors: Eihal Alowaisheq, Siyuan Tang, Zhihao Wang, Fatemah Alharbi, Xiaojing Liao, XiaoFeng Wang

Many of the authors are from Indiana University.

ACM Digital Library

1.1. ABSTRACT

In recent years, the security implication of stale NS records, which point to a nameserver that no longer resolves the domain, has been unveiled. Prior research studied the stale DNS records that point to expired domains. The popularity of DNS hosting services brings in a new category of stale NS records, which reside in the domain's zone (instead of the TLD zone) for an active domain.

To the best of our knowledge, the security risk of this kind of stale NS record has never been studied before.

In our research, we show that this new type of stale NS record can be practically exploited, causing a stealthier hijack of domains associated with the DNS hosting service.

We also performed a large-scale analysis on over 1M high-profile domains, 17 DNS hosting providers and 12 popular public resolver operators to confirm the prevalence of this security risk.

Our research further discovers 628 hijackable domains (e.g., 6 government entities and 2 payment services), 14 affected DNS hosting providers (e.g., Amazon Route 53), and 10 vulnerable public resolver operators (e.g., CloudFlare).

Furthermore, we conducted an in-depth measurement analysis on them, thus providing a better understanding of this new security risk.

Also, we explore the mitigation techniques that can be adopted by different affected parties.

2. history

Menaces of stale NS records in the SLD zone. In recent years, researchers have identified the security implications of stale NS records, where the nameserver that the record points to no longer resolves the domain.

For instance, prior research [52] looks into dangling NS (Dare-NS) records, where the nameserver domains that NS records point to are expired and the adversary could purchase the domain to hijack this resource.

Another example of domain hijacking through stale NS records emerges with the popularity of DNS hosting services (e.g., Amazon Route 53 [6] and GoDaddy DNS hosting [36]). At these services, users host their DNS records in the service provider's nameservers. Once these records become stale, an adversary can claim the nameserver domain and direct the traffic.

Some blog posts discussed the exploitation of this vulnerability [12, 13]. However, the proposed attack works effectively if stale NS records are in the TLD zone.

Once a domain is hijacked, it could be easily noticed by the domain owner because such misconfiguration appears in the normal resolution path.

I think "in the TLD zone" is a misunderstanding. The earlier reports did point it out for the TLD zone, but the same condition holds at every level of the delegation chain.

[12] Matthew Bryant. 2016. Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System. https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-domains-via-a-lax-domain-import-system/

[13] Matthew Bryant. 2016. The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean. https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/

In our research, we found that the popularity of DNS hosting services brings in a new category of stale NS records – stale NS records in the SLD zone: unlike Dare-NS, the nameserver pointed to by the record still exists.

Also, those stale NS records are in the SLD zone instead of the TLD zone, which makes the misconfiguration difficult to discover.

Specifically, the attacker can exploit this vulnerability to hijack a domain through a "hidden" resolution path.

For example, stale NS records in the SLD zone exist when importing the domain's zone information from one DNS hosting provider into a new DNS server, where the nameserver provided by the hosting provider no longer resolves the domain. After that, during the domain resolution, the stale NS record at the SLD zone will not be normally used unless cached, since the nameserver received from the TLD will directly return the A record to find out the domain's IP address, as long as the NS records in the TLD zone (e.g., .com) are up-to-date (i.e., only pointing to the current nameserver).

Our research shows that the stale NS records at the SLD can actually be practically exploited, causing a stealthy hijack of active domains.
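The distinction the paper draws above, between a stale nameserver that is visible in the TLD delegation and one that hides only in the SLD zone's own NS RRset, is exactly what a domain owner should audit for. The following is an added example (not code from the paper or from this wiki's author) of that check: it compares the parent-side delegation with the child-side apex NS set, and classifies every nameserver that appears on only one side by whether it still answers authoritatively. All DNS data in it is constructed sample data; in a real audit `parent_ns` would be taken from the TLD's servers, `child_ns` from the domain's own apex NS RRset, and `answers` from querying each nameserver for the apex and recording the AA flag and RCODE.

```python
"""Audit a domain's delegation for stale NS records in the parent and child zone.

Added example for this page, not code from the Zombie Awakening paper or from
the wiki author. All names and answers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class NsAnswer:
    """What a nameserver replied when asked for the domain's apex (e.g. SOA)."""
    aa: bool      # Authoritative Answer flag set in the reply
    rcode: str    # e.g. "NOERROR", "REFUSED", "SERVFAIL"


@dataclass
class DelegationReport:
    domain: str
    parent_ns: FrozenSet[str]
    child_ns: FrozenSet[str]
    # Listed only in the parent (TLD) zone and not authoritative: the classic
    # stale delegation that sits on the normal resolution path and is noticed.
    lame_in_parent: List[str] = field(default_factory=list)
    # Listed only in the child (SLD) zone but still authoritative: off the
    # normal path, harmless as long as it keeps serving the zone.
    hidden_ok: List[str] = field(default_factory=list)
    # Listed only in the child zone and no longer authoritative: the stale
    # SLD-zone NS record the paper describes (the "hidden" resolution path).
    stale_in_child: List[str] = field(default_factory=list)

    @property
    def hijackable(self) -> bool:
        return bool(self.stale_in_child)


def _norm(names: Iterable[str]) -> FrozenSet[str]:
    """DNS names are case-insensitive; strip the trailing dot for comparison."""
    return frozenset(n.lower().rstrip(".") for n in names)


def _is_authoritative(ans: Optional[NsAnswer]) -> bool:
    # No reply, a refusal, an error, or a non-AA answer all mean this server
    # is not serving the zone any more, so the NS record pointing at it is stale.
    return ans is not None and ans.aa and ans.rcode == "NOERROR"


def check_delegation(domain: str, parent_ns: Iterable[str], child_ns: Iterable[str],
                     answers: Dict[str, Optional[NsAnswer]]) -> DelegationReport:
    parent, child = _norm(parent_ns), _norm(child_ns)
    replies = {k.lower().rstrip("."): v for k, v in answers.items()}
    report = DelegationReport(domain, parent, child)
    for ns in sorted(parent - child):
        if not _is_authoritative(replies.get(ns)):
            report.lame_in_parent.append(ns)
    for ns in sorted(child - parent):
        if _is_authoritative(replies.get(ns)):
            report.hidden_ok.append(ns)
        else:
            report.stale_in_child.append(ns)
    return report


# Constructed sample: the zone of example.test was moved from an old hosting
# provider to a new one. The TLD delegation was updated, but the zone file was
# imported with the old provider's NS record still in it.
SAMPLE_PARENT_NS = ["ns1.new-dns.example.", "ns2.new-dns.example."]
SAMPLE_CHILD_NS = ["NS1.new-dns.example.", "ns2.new-dns.example.",
                   "ns-old.old-hosting.example."]
SAMPLE_ANSWERS: Dict[str, Optional[NsAnswer]] = {
    "ns1.new-dns.example": NsAnswer(aa=True, rcode="NOERROR"),
    "ns2.new-dns.example": NsAnswer(aa=True, rcode="NOERROR"),
    # The old provider no longer hosts the zone and refuses the query.
    "ns-old.old-hosting.example": NsAnswer(aa=False, rcode="REFUSED"),
}


def audit_sample() -> DelegationReport:
    return check_delegation("example.test", SAMPLE_PARENT_NS, SAMPLE_CHILD_NS, SAMPLE_ANSWERS)


if __name__ == "__main__":
    r = audit_sample()
    print(f"{r.domain}: lame in parent={r.lame_in_parent} "
          f"hidden but ok={r.hidden_ok} stale in child={r.stale_in_child} "
          f"hijackable={r.hijackable}")
```

Note that a plain `dig NS` at a recursive resolver will not reveal the problem, because it returns whichever NS RRset the resolver happens to hold; the two sides have to be queried separately, the parent at the TLD's servers with `+norecurse` and the child at one of the delegated nameservers. A nameserver that simply does not answer is passed in as `None` and is treated as stale too.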


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/zombie_ awakening (last edited 2022-04-17 23:17:14 by ToshinoriMaeno)