Abuse of dangling DNS records on cloud platforms

By on 4 Apr 2024

Category: Tech matters


Accurately operating digital resources is crucial for the security of the Internet. Managing resources requires not only creating and configuring them but also releasing them correctly after they are no longer required. However, in practice, when organizations release resources of services that are no longer needed, they often do not purge the infrastructure that was set up for them, creating dangling resources.

In this article, we report on our longitudinal research study (between 2020 and 2023) of such dangling resource abuse. Across 12 cloud platforms, we identified 20,904 hijacks that hosted malicious content. We detected hijacked domains in 219 Top-Level Domains (TLDs) and abuses on popular clouds.

Dangling resources

The concept of dangling records is related to dangling pointers in programming, which arise when a pointer still references memory that has already been deallocated. Similarly, DNS records become dangling when domain owners forget to purge them after the resource they point to has been released. For example, a domain owner does not remove the mapping foo.com A 1.2.3.4, which directs the service foo.com to the cloud IP address 1.2.3.4, from the authoritative DNS server after the resource at 1.2.3.4 is discontinued and released.

Adversaries who manage to take over the released resources referenced by the existing DNS record can initiate attacks against clients trying to access the domain. In our example, if an adversary can take over 1.2.3.4, it effectively gains control over every name whose record points to that IP address, since all requests to foo.com are now sent to the adversary.

Taking over dangling resources is easy while detecting real-life abuses is hard

To find dangling resources, an adversary has to collect domain names (for example, via passive DNS or Certificate Transparency (CT)) and check which of them are hosted on a cloud. The adversary then needs to identify hostnames that are no longer reachable, that is, whose cloud resource has been released, and register them through an account with the cloud provider. All the traffic to the resources that the adversary successfully registered will be sent to the adversary via the now reactivated DNS record. These malicious changes in control over resources are hard to detect.
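The zone-owner side of the same check, as an added example that is not part of the original article: it audits a DNS zone extract for records that still point at platform resources the organisation no longer holds, and rates freetext names as higher takeover risk than pool-allocated addresses. The zone records, the resource inventory, the provider suffix cloudapp.example and the address pool 203.0.113.0/24 are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of the platform resources this organisation still holds.
# In practice it comes from the provider's API; the provider, the
# "cloudapp.example" suffix and the 203.0.113.0/24 pool are all assumptions.
OWNED_RESOURCES = {"shop-prod.cloudapp.example", "203.0.113.10"}

# Constructed public-DNS view of provider hostnames; None models NXDOMAIN,
# i.e. the provider released the name and no longer answers for it.
PROVIDER_DNS = {"shop-prod.cloudapp.example": "203.0.113.10",
                "old-campaign.cloudapp.example": None}
PROVIDER_SUFFIX = ".cloudapp.example"  # user-chosen (freetext) resource names
PROVIDER_IP_PREFIX = "203.0.113."      # pool-allocated addresses

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "A" or "CNAME"
    target: str

def is_platform_target(target: str) -> bool:
    """True when the record points into the cloud platform at all."""
    return target.endswith(PROVIDER_SUFFIX) or target.startswith(PROVIDER_IP_PREFIX)

def audit_zone(records):
    """Return (name, rtype, target, reason, risk) for each record still pointing at
    a platform resource we no longer hold; freetext names rate higher than pool IPs."""
    findings = []
    for r in records:
        if not is_platform_target(r.target) or r.target in OWNED_RESOURCES:
            continue
        if r.rtype == "CNAME":
            released = PROVIDER_DNS.get(r.target) is None
            reason = "NXDOMAIN at provider" if released else "not in our inventory"
            risk = "high: freetext name can be re-registered"
        else:
            reason = "address no longer allocated to us"
            risk = "low: pool-allocated IP, costly to reacquire"
        findings.append((r.name, r.rtype, r.target, reason, risk))
    return findings

# Constructed zone extract for foo.example.
ZONE = [
    Record("shop.foo.example", "CNAME", "shop-prod.cloudapp.example"),      # live
    Record("promo.foo.example", "CNAME", "old-campaign.cloudapp.example"),  # dangling
    Record("api.foo.example", "A", "203.0.113.10"),                          # live
    Record("legacy.foo.example", "A", "203.0.113.44"),                       # dangling
    Record("www.foo.example", "CNAME", "cdn.othervendor.example"),           # off-platform
]
```

Running audit_zone(ZONE) reports promo.foo.example and legacy.foo.example; the live records and the off-platform CNAME are left alone.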

The fundamental challenge in detecting real-life abuses is telling malicious changes in resources apart from legitimate ones. The hijacked resources often do not stand out and even have valid certificates. Approaches that merely look for changes in the infrastructure or in the content do not work, since changes are frequently legitimate and occur in benign resources as well as abused ones.

In addition, the huge data volumes involved and lack of known indicators make finding abuses equivalent to looking for a needle in a haystack. This is one of the reasons that before our research last year, there were no studies of real-life abuses of dangling records. In our research, we found that the key to finding real-life abuses was a combination of longitudinal data analysis from multiple sources with clustering of changes according to similarities and manual keyword derivation. Applying this approach we derived indicators that enabled detection of real-life hijacks.

There are several new insights that we derived from our study; we briefly explain the main ones below.

IP address takeovers are not common

One of the insights from our study is that the type of resource is not the main consideration in a hijack; the selection of resources by attackers is financially motivated. Attackers target dangling resources which can be easily and cost-effectively taken over. These requirements do not apply to IP addresses on cloud platforms. IP addresses are typically randomly allocated from a large pool and are more expensive to reactivate.

We found that the attackers target released resources that are cheap and whose names can be chosen directly by entering free text, while avoiding resources that are expensive and require effort to obtain, such as the lottery-based assignment of an IP address from a pool.

How adversaries abuse hijacked dangling records

We found that some actors collect a wide range of diverse domains in a coordinated effort. These are then homogeneously used for the same purpose of referring traffic or manipulating search rankings. The adversaries aim at maximizing the number of domains recruited for a campaign. We did not find evidence of targeted takeovers of individual domains, for example, for political reasons.

The main abuse (75%) of hijacked, dangling resources is to generate traffic to adversarial services. The attackers target domains with established reputations and exploit that reputation to increase the ranking of their malicious content by search engines and, as a result, generate page impressions for the content they control. The content is mostly gambling and other adult content. One possible explanation lies in Indonesia, whose population size (the fourth largest in the world) and strict prohibition of gambling lead to a prevalence of online gambling and a need to advertise it through illicit means.

Once they control the content, the sources of income are either advertisements displayed directly on the websites hosted on the hijacked domains or referrals (click-throughs) to another site, which pays a small amount for each page impression, a higher amount for an account registration and even more for money spent. Attackers use different techniques to generate traffic (mostly Blackhat Search Engine Optimization (SEO)) and to increase the click-through rate to the target site that pays for the traffic.

The other categories of abuse included malware distribution, cookie theft, and fraudulent certificates. Overall, we find that the hacking groups successfully attacked domains in 31% of the Fortune 500 companies and 25.4% of the Global 500 companies, some over long periods. Many of the victim organizations were abused more than once, with one even suffering abuse across more than 100 different subdomains.

We found that a large share of abused domain names were removed within 15 days. At the same time, more than one third of the domains persisted for longer than 65 days, some for more than a year. This gives the adversaries time to monetize content by exploiting the reputation of the abused domains. We found that hijacks are performed on groups of domains concurrently. Analysing our dataset, we saw an initial period of hijacks in 2020, followed by a period of relative inactivity in early 2021, and finally a ramping up of activity throughout late 2021, 2022, and 2023. The number of concurrently hijacked domains increased continuously during our study period, indicating a growing problem.

Recommendations for mitigations

We recommend that cloud platforms either do not allow user-created resource names to be publicly visible (for example, through DNS records) and/or disallow the re-registration of recently released resource names. We also recommend purging stale DNS records.

In addition, cloud platforms should keep track of released resources using our methodology and alert owners of registered domains about changes to the content or sitemap. Since we observe that attackers issue certificates for hijacked domains, we recommend that cloud providers also monitor CT logs for unusual patterns across domains hosted on their platforms to help detect potential large-scale abuse campaigns.
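A platform-side sketch of the two name-handling recommendations above, added here and not taken from the article or from any real provider: a registry that can issue an opaque public hostname instead of exposing the user's freetext name, and that refuses to hand a recently released name to a different account while recording the refused attempt. The cooldown length, the suffix cloudapp.example, the account identifiers and the use of integer day numbers in place of timestamps are all assumptions.

```python
import secrets

class ResourceNameRegistry:
    """Hypothetical platform-side allocation of freetext resource names.

    Two guards, each optional: with opaque_hostnames the DNS-visible hostname is
    a random token rather than the user's name, so a stale CNAME can never be
    revived by re-registering that name; and a released name may only be
    reclaimed by its last owner until cooldown_days have passed."""

    def __init__(self, suffix="cloudapp.example", cooldown_days=90,
                 opaque_hostnames=True):
        self.suffix = suffix
        self.cooldown_days = cooldown_days
        self.opaque_hostnames = opaque_hostnames
        self.active = {}    # name -> (account, public hostname)
        self.released = {}  # name -> (previous account, release day)
        self.denied = []    # (name, account, day): refused reclaims, worth alerting on

    def register(self, name, account, today):
        """Return the public hostname, or None when the request is refused.
        `today` is an integer day number standing in for a real timestamp."""
        if name in self.active:
            return None
        prev = self.released.get(name)
        if prev is not None:
            prev_owner, released_day = prev
            if prev_owner != account and today - released_day < self.cooldown_days:
                # Another account claiming a freshly released name is exactly the
                # takeover window the article describes: refuse and record it.
                self.denied.append((name, account, today))
                return None
            del self.released[name]
        # Weak setting: the public hostname embeds the freetext name.
        # Corrected setting: a random label that the name does not determine.
        label = secrets.token_hex(8) if self.opaque_hostnames else name
        hostname = f"{label}.{self.suffix}"
        self.active[name] = (account, hostname)
        return hostname

    def release(self, name, account, today):
        """Free a name; only its owner may do so. Returns True on success."""
        if name not in self.active or self.active[name][0] != account:
            return False
        del self.active[name]
        self.released[name] = (account, today)
        return True
```

With opaque_hostnames=False the hostname old-campaign.cloudapp.example is exactly what a dangling CNAME would reference, and the cooldown is the only thing standing between its release and a re-registration by another account.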

In our research, we focused on resources on cloud platforms. Nevertheless, our results can be used to identify abuse in other third-party services. For instance, while Content Management Systems (CMS) like WordPress are not included in our dataset, we expect a large number of hijacks of [freetext].wordpress.com subdomains, since WordPress also implements freetext subdomain registration for its blogs.
