3 research outputs found

    Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

    No full text
    Infrastructure-as-a-Service (IaaS), and more generally the “cloud,” like Amazon Web Services (AWS) or Microsoft Azure, have changed the landscape of system operations on the Internet. Their elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to bandwidth, and even to IP addresses, which is what made them popular and spurred innovation. In this paper, we show that the dynamic component paired with recent developments in trust-based ecosystems (e.g., SSL certificates) creates so far unknown attack vectors. Specifically, we discover a substantial number of stale DNS records that point to available IP addresses in clouds, yet, are still actively attempted to be accessed. Often, these records belong to discontinued services that were previously hosted in the cloud. We demonstrate that it is practical, and time and cost efficient for attackers to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like SSL certificates, an attacker can impersonate the service using a valid certificate trusted by all major operating systems and browsers. The attacker can then also exploit residual trust in the domain name for phishing, receiving and sending emails, or possibly distribute code to clients that load remote code from the domain (e.g., loading of native code by mobile apps, or JavaScript libraries by websites). Even worse, an aggressive attacker could execute the attack in less than 70 seconds, well below common time-to-live (TTL) for DNS records. In turn, it means an attacker could exploit normal service migrations in the cloud to obtain a valid SSL certificate for domains owned and managed by others, and, worse, that she might not actually be bound by DNS records being (temporarily) stale, but that she can exploit caching instead. We introduce a new authentication method for trust-based domain validation that mitigates staleness issues without incurring additional certificate requester effort by incorporating existing trust of a name into the validation process. Furthermore, we provide recommendations for domain name owners and cloud operators to reduce their and their clients’ exposure to DNS staleness issues and the resulting domain takeover attacks. Information and Communication Technolog

    Something From Nothing (There): Collecting Global IPv6 Datasets from DNS

    No full text
    Current large-scale IPv6 studies mostly rely on non-public datasets, as most public datasets are domain specific. For instance, traceroute-based datasets are biased toward network equipment. In this paper, we present a new methodology to collect IPv6 address datasets that does not require access to restricted network vantage points. We collect a new dataset spanning more than 5.8 million IPv6 addresses by exploiting DNS’ denial of existence semantics (NXDOMAIN). This paper documents our efforts in obtaining new datasets of allocated IPv6 addresses, so others can avoid the obstacles we encountered

    In rDNS We Trust: Revisiting a Common Data-Source’s Reliability

    No full text
    Reverse DNS (rDNS) is regularly used as a data source in Internet measurement research. However, existing work is polarized on its reliability, and new techniques to collect active IPv6 datasets have not yet been sufficiently evaluated. In this paper, we investigate active and passive data collection and practical use aspects of rDNS datasets. We observe that the share of non-authoritatively answerable IPv4 rDNS queries reduced since earlier studies and IPv6 rDNS has less non-authoritatively answerable queries than IPv4 rDNS. Furthermore, we compare passively collected datasets with actively collected ones, and we show that they enable observing the same effects in rDNS data. While highlighting opportunities for future research, we find no immediate challenges to the use of rDNS as active and passive data-source for Internet measurement research. Information and Communication Technolog