Unravelling the threat of hosting-based domain takeovers

By on 9 Jul 2024

Category: Tech matters


Domain names, vital for tasks like digital certificate authentication, face growing vulnerabilities in our evolving digital landscape. A key threat is hosting-based domain takeover, where adversaries exploit domains that resolve to expired or unreferenced endpoints of public hosting platforms (for example, Content Delivery Networks (CDNs), web hosting, and Operational Support Systems (OSS)). With more organizations using hosting services, temporary resource allocation in such environments is problematic. Transient hosting service endpoints can be exploited if they are not effectively monitored, leading to breaches even at major companies like Microsoft.

Recent research introduces a new detection method for hosting-based dangling domains and assesses the complexity of this growing threat.

Hosting-based domain takeover

In the digital era, companies often use public platforms like CDNs for web hosting. But what’s the mechanism behind this, and where are the potential vulnerabilities?

Figure 1 illustrates the hosting setup process involving two stages:

  1. Domain ownership validation (Steps 1-3), where a customer, Alice, proves her domain ownership using a challenge token (for example, a DNS TXT value) assigned by the platform.
  2. Service allocation and domain connection (Steps 4-6), where the platform provides 1-2 service endpoints (such as CNAME) post-verification, and Alice activates the service by adding CNAME records.
Figure 1 — Domain hosting procedures.

But what happens when things go wrong?

The chinks in the armour: Hosting vulnerabilities

Hosting service vulnerabilities stem from poor domain ownership validation, allowing attackers to reuse the released endpoints. If the DNS records aren’t promptly purged after service expiration, they become dangling and exploitable. This mirrors the ‘use-after-free’ programming bug, where domains point to freed resources that can be maliciously reused.

The anatomy of a hosting-based domain takeover

Figure 2 depicts the threat model. Mallory uses the same CNAME endpoints, bypasses domain connection validation, and hijacks Alice’s domain name.

Figure 2 — Hosting-based domain takeover procedures.

HostingChecker: A novel detection framework

The HostingChecker framework, introduced at ACM SIGMETRICS 2023, aims to identify public hosting services and detect vulnerable domains on discontinued endpoints. The challenges are:

  • The diversity of service types and hosting strategies makes manual inspection difficult.
  • The need for efficient detection of vulnerable popular domains at scale.

The inspiration behind HostingChecker’s design stems from three key observations:

  1. Service endpoint naming conventions (Figure 3): Across the board, hosting services, whether they’re CDNs, OSS, or website builders, tend to follow similar endpoint naming practices.
Figure 3 — Examples of service endpoint names and naming patterns.
  2. High domain dependency (Figure 4): Hosting service endpoints can serve numerous domains, resulting in high domain dependency — many apex domain names pointing to a single shared domain suffix.
Figure 4 — Domain dependency and domain dependency number.
  3. Domain name resolution characteristics: The domain resolution chains can indicate if domains are hosted on public services. Certain DNS responses can also indicate service status. For example, when a service expires, the assigned CNAME may become an NXDOMAIN.

Based on the above observations, we designed the novel framework of HostingChecker (Figure 5). Its main functions include:

  1. Discovering vulnerable hosting services: HostingChecker leverages passive DNS traffic to recognize service endpoints by their naming patterns. Meticulous manual analysis is then performed to identify vulnerable services.
  2. Pinpointing vulnerable domains: HostingChecker builds DNS chains from passive data, and identifies domains hosted on risky services through pattern comparisons. Further detection of dangling domains is done through proactive HTTP and DNS probes.
Figure 5 — Overview of HostingChecker.
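The second function above (building DNS chains from passive data, matching CNAME targets against endpoint naming patterns, and flagging targets that no longer resolve) can be modelled offline. This is an added illustration, not HostingChecker's code: the endpoint patterns, the `.invalid` service zones and the passive-DNS snapshot are all constructed, and the confirming HTTP probe the framework also uses is omitted.

```python
import re

# Constructed naming patterns for two hypothetical hosting services (stand-ins for Figure 3).
ENDPOINT_PATTERNS = {
    "ExampleOSS": re.compile(r"^[a-z0-9-]+\.oss-[a-z0-9-]+\.example-oss\.invalid\.$"),
    "ExampleCDN": re.compile(r"^[a-z0-9-]+\.cdn\.example-cdn\.invalid\.$"),
}

# Constructed passive-DNS snapshot: owner name -> (rtype, rdata); None models NXDOMAIN.
PASSIVE_DNS = {
    "www.alice.example.": ("CNAME", "alice-site.oss-cn-1.example-oss.invalid."),
    "alice-site.oss-cn-1.example-oss.invalid.": None,   # service expired: endpoint no longer resolves
    "shop.bob.example.": ("CNAME", "bob-shop.cdn.example-cdn.invalid."),
    "bob-shop.cdn.example-cdn.invalid.": ("A", "198.51.100.10"),
    "www.carol.example.": ("A", "203.0.113.5"),          # self-hosted, not on a public platform
}
CANDIDATES = ["www.alice.example.", "shop.bob.example.", "www.carol.example."]

def resolution_chain(name, pdns, max_hops=8):
    """Follow CNAMEs from name. Returns (chain, terminal); terminal is None when the
    chain ends in NXDOMAIN (or exceeds max_hops), else the final non-CNAME record."""
    chain, cur = [name], name
    for _ in range(max_hops):
        rec = pdns.get(cur)
        if rec is None:
            return chain, None
        rtype, rdata = rec
        if rtype != "CNAME":
            return chain, rec
        chain.append(rdata)
        cur = rdata
    return chain, None

def classify(name, pdns):
    """'dangling' if a hop matches a hosting endpoint pattern and the chain dies in
    NXDOMAIN, 'active' if such a hop resolves, 'not-hosted' if no pattern matches."""
    chain, terminal = resolution_chain(name, pdns)
    for hop in chain[1:]:
        for service, pat in ENDPOINT_PATTERNS.items():
            if pat.match(hop):
                status = "dangling" if terminal is None else "active"
                return {"domain": name, "service": service, "endpoint": hop, "status": status}
    return {"domain": name, "service": None, "endpoint": None, "status": "not-hosted"}

def find_dangling(candidates, pdns):
    """Domains whose hosting endpoint has gone away: the takeover candidates to report."""
    return sorted(n for n in candidates if classify(n, pdns)["status"] == "dangling")
```

In practice the NXDOMAIN signal is only a candidate: the paper's pipeline follows it with active DNS and HTTP probes before a domain is confirmed as dangling.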

Major findings and insights

We deployed HostingChecker using a representative passive DNS dataset, 114DNS, which processes 600 billion DNS queries per day. From December 2021 to July 2022, it examined the top 1M Tranco domains and specific .edu and .gov domains, revealing widespread hosting service vulnerabilities.

Vulnerability assessment of hosting services

As shown in Table 1, HostingChecker identified 165 hosting services and 995 endpoint patterns in the 114DNS dataset, with 65 services found vulnerable. These include famous cloud object storage services (such as Alibaba OSS and Huawei OBS), CDNs (such as Baidu and Cloudflare), and website builders (like Wix). 

Table 1 — Vulnerable hosting services (columns: Categories, # Vendors, # Endpoint patterns, # Services; rows for Cloud Storage and Website Builder).

Domain connection vulnerabilities in hosting services

We summarized various domain validation methods (Figure 1, steps 3-5) for hosting services and found significant security risks even among the most popular large providers. As shown in Table 2, public hosting providers employ diverse domain connection methods, but most (7/9) of them are exploitable for domain takeover.

Method | Type | Connect a custom domain to… | # Services | Exploitable
CNAME  | M1   | Fixed canonical domains                                  | 12 |
CNAME  | M2   | Any canonical domains customized by any users            | 70 |
CNAME  | M3   | New canonical domains customized by new users            | 12 |
CNAME  | M4   | The canonical domains allocated from a candidate pool    | 5  |
CNAME  | M5   | Canonical domains containing newly generated random labels | 47 |
NS     | M6   | Fixed nameservers                                        | 1  |
NS     | M7   | The nameservers allocated from a candidate pool          | 5  |
IP     | M8   | Fixed IPs                                                | 8  |
IP     | M9   | The IPs allocated from a candidate pool                  | 4  |
Table 2 — Domain connecting methods employed by major hosting vendors (the per-row exploitability marks are not preserved here; 7 of the 9 methods are exploitable).

The magnitude of the domain vulnerability landscape

The scale of domains using vulnerable services paints a worrying picture for the broader digital ecosystem. About 114k domains were found hosted on vulnerable services, posing potential threats like data breaches or malware attacks. Specifically, 10,351 FQDNs under the Tranco Top 1M domains, including well-known institutions (such as Stanford and Rice) and corporations (like Baidu, Huawei, and Marriott), were confirmed vulnerable. 

The threat of domain takeovers is prevalent and on the rise (Figure 6), demanding continual vigilance. Research indicated the emergence of over 200 new vulnerable domains weekly, emphasizing the persistent and growing nature of this security concern.

Figure 6 — Detection results of hosting-based dangling domains (weekly cumulative).

Best practices for public hosting services

HostingChecker is running continuously with 114DNS to find and report vulnerable domains. Our analysis also leads to suggestions to mitigate domain takeover threats:

  1. Strict domain validation: Employ standard validation methods like one-time tokens in TXT records rather than just checking reassignable endpoints.
  2. Distinct endpoints: Use unique, non-collidable endpoints (pairs) for each user and ensure each domain and account is distinctive.
  3. Maintain a historical record: Keep a record of user-defined labels and hosted domains linked to accounts, preventing attackers from reusing endpoint names.
  4. Proactive security alerts: Regularly update customers on potential threats. Alerts can include notifications about service expiration, the misconfiguration of wildcard DNS records, and any unusual domain activity.
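Practices 1 to 3 can be expressed as a platform-side domain-connection flow: a one-time TXT challenge proves ownership, every account gets a distinct random endpoint, and a historical record of endpoint ownership survives service release so a released endpoint can never be claimed by another account. This is an added toy model, not any vendor's implementation; the `example-host.invalid` zone, the `_challenge.` TXT label and the scenario names are constructed.

```python
import hmac
import secrets

class HostingPlatform:
    """Toy hosting platform: ownership token, distinct endpoints, persistent history."""
    def __init__(self, base_zone="example-host.invalid"):
        self.base_zone = base_zone
        self.tokens = {}          # (account, domain) -> one-time challenge token
        self.endpoint_owner = {}  # endpoint -> account; historical, never purged on release
        self.connected = {}       # domain -> (account, endpoint) for active connections

    def allocate_endpoint(self, account):
        # Distinct, non-collidable endpoint: random label, rejected if ever used before.
        while True:
            ep = f"{secrets.token_hex(8)}.{self.base_zone}."
            if ep not in self.endpoint_owner:
                self.endpoint_owner[ep] = account
                return ep

    def issue_challenge(self, account, domain):
        token = secrets.token_urlsafe(24)
        self.tokens[(account, domain)] = token
        return token  # customer publishes it as TXT at _challenge.<domain>

    def connect_domain(self, account, domain, endpoint, txt_lookup, cname_lookup):
        expected = self.tokens.get((account, domain))
        observed = txt_lookup(f"_challenge.{domain}")
        # 1. Ownership: one-time token in TXT, constant-time compare, consumed on success.
        if expected is None or observed is None or not hmac.compare_digest(expected, observed):
            return "rejected: ownership not proven"
        # 2. Endpoint must have been allocated to this very account (historical record).
        if self.endpoint_owner.get(endpoint) != account:
            return "rejected: endpoint not allocated to this account"
        # 3. Only then does the CNAME pointing at the endpoint activate the service.
        if cname_lookup(domain) != endpoint:
            return "rejected: CNAME does not point to endpoint"
        del self.tokens[(account, domain)]
        self.connected[domain] = (account, endpoint)
        return "connected"

    def release(self, account):
        # Service expiry drops active connections but keeps endpoint_owner history.
        for d, (a, _) in list(self.connected.items()):
            if a == account:
                del self.connected[d]

def takeover_scenario():
    """Alice connects, her service expires with the CNAME left in place, and a second
    account tries to connect the same domain to her old endpoint."""
    p, txt, cname = HostingPlatform(), {}, {}
    ep = p.allocate_endpoint("alice")
    txt["_challenge.www.alice.example"] = p.issue_challenge("alice", "www.alice.example")
    cname["www.alice.example"] = ep
    r1 = p.connect_domain("alice", "www.alice.example", ep, txt.get, cname.get)
    p.release("alice")  # CNAME now dangles, but the endpoint stays recorded as Alice's
    p.issue_challenge("mallory", "www.alice.example")  # Mallory cannot publish it in Alice's zone
    r2 = p.connect_domain("mallory", "www.alice.example", ep, txt.get, cname.get)
    return r1, r2
```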

Concluding thoughts

The rise in hosting-based domain takeovers highlights the need for strict domain validations and user awareness. For hosting services, collaboration and shared intelligence can strengthen defences. 

For a detailed study, see our paper in the ACM SIGMETRICS 2023 titled ‘Detecting and Measuring Security Risks of Hosting-Based Dangling Domains’.
