More than 30,000 hijacked since 2019 with one million believed to be vulnerable, say security companies.

The vast global Domain Name System (DNS) is so fundamental to the way the web works that service providers and their customers are sure to configure and manage it carefully. That’s the theory — now for the reality.

In a small but far from harmless number of cases, the global DNS system is being negligently administered, badly enough to allow multiple Russian cybercriminal groups to hijack hundreds of domains each day.

That’s according to a research collaboration between security companies Infoblox and Eclypsium, which reveals the scale of a small family of DNS hijacking techniques they collectively nickname “Sitting Ducks.”

“There are an estimated 1M exploitable domains and we have confirmed 30k+ hijacked domains since 2019,” Eclypsium said in a blog post.

More than a dozen criminal groups were exploiting the issue, Infoblox said, with some domains being hijacked by multiple groups. Most had belonged to large companies, and were then used to push all manner of scams.

Incredibly, the fact these weaknesses exist has been known about for at least eight years, when a researcher published two blog posts on the matter. That apparently prompted action from cloud providers, but not much else. Sitting Ducks has recurred since then in other attacks, and continues to this day even as national CERTs grapple with the latest incarnations.

“While DNS serves as the backbone for internet communication, it is often overlooked as a strategic attack surface,” said Infoblox.

Rogue DNS

DNS is the normally invisible hierarchical system of servers that makes the web usable. Each time you visit a website (xyz.com), DNS is the system that resolves that name into the underlying IP address understood by internet computers.
It’s so critical that when a website is running slowly (or not at all), it’s most likely the DNS resolution that’s gone awry, either because it’s under a distributed denial of service (DDoS) attack, or because it’s been misconfigured. But it follows that if you can somehow hijack DNS for a given domain, you can route any visitors it receives to your own rogue site.

It’s this potential that explains why new ways to hack DNS pop up on a surprisingly regular basis. The battle is always to spot them before serious damage is done. DNS’s biggest problem is that, while some organizations pay a lot of attention to it, many don’t. And there seems to be no foolproof system to implement collective remediation.

Ducking under the radar

Infoblox said it discovered the DNS weaknesses that make Sitting Ducks possible while studying hijacked domains used by the Russian criminal traffic distribution system 404TDS. How, it wondered, had the attackers hijacked so many domains with impunity?

DNS hacks usually fall into obvious types, such as DNS poisoning (manipulating DNS records to redirect users), domain shadowing (adding malicious sub-domains to a DNS record), or CNAME attacks (hijacking lapsed sub-domains). Sitting Ducks turned out to be different, and had to do with weaknesses in the way domains are administered, or not administered.

In some cases, domains were becoming “lame”. This happens when the entity registering a domain delegates what is called authoritative DNS to a second provider. For example, a domain is registered legally with one provider, but the DNS resolution itself is handled by a server belonging to a second provider. But that server isn’t configured correctly and so can’t resolve DNS queries. That allows criminals to step in and claim that domain at the second provider, bypassing the need to prove they are the owner, the records for which are held by the first.

One would assume this would be easy to counter by simply introducing authentication at delegated providers.
This happens in many cases, but not all. “While these conditions may seem unusual, they are not. Multiple threat actors are actively exploiting this attack vector, and we expect the true exploitation to be larger than is currently known,” said Infoblox.

Interestingly, many of the hijacked domains were defensive ones registered with brand protection registrars to fend off lookalike domains and typosquatters. That might explain why their lame state wasn’t spotted. Someone hijacking a well-known domain would be detected immediately. Doing the same for one of that brand’s defensive domains wouldn’t.

Naming the hack

Perhaps the cleverest aspect of this discovery is that Infoblox and Eclypsium have given the weakness a catchy name. Security mavens frown on this fashion, but there is an argument that it makes it harder to forget to do something about it.

Their recommendations for organizations:

- Check whether they are using a separate authoritative DNS provider from their domain registrar. That increases the risk.
- Check whether their domains and subdomains “have name server delegation to service providers where accounts have expired or are otherwise invalid.”
- Check whether their service provider has any mitigations against the attack.

In addition, organizations such as the Shadowserver Foundation have established monitoring services that can detect the problem.
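The lame-delegation condition described earlier and the first two of the recommendations above can be turned into a routine audit of a domain portfolio: take the name server set the registrar publishes for each domain, note whether those servers belong to a provider other than the registrar, and ask each of them for the zone's SOA record to see whether it still answers authoritatively. The following is an added example written for this article, not code from Infoblox, Eclypsium or Shadowserver; the zones, registrar, name server names and probe results are all constructed, and sample_probe stands in for a live DNS query.

```python
"""Audit a domain's delegation for the two 'Sitting Ducks' preconditions.

Added example (not Infoblox, Eclypsium or Shadowserver code). All zone,
registrar, name server and probe values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# RFC 1035 response codes used here.
NOERROR, SERVFAIL, REFUSED = 0, 2, 5

# Constructed results of asking each delegated name server for the zone's
# SOA record: (rcode, aa) where aa is the Authoritative Answer header flag.
SAMPLE_PROBES: Dict[Tuple[str, str], Tuple[int, bool]] = {
    # Defensive domain whose DNS provider account lapsed: servers refuse the zone.
    ("ns1.dns-provider.example", "brand-defense.example"): (REFUSED, False),
    ("ns2.dns-provider.example", "brand-defense.example"): (REFUSED, False),
    # Healthy delegation to a third-party provider.
    ("ns1.dns-provider.example", "shop.example"): (NOERROR, True),
    ("ns2.dns-provider.example", "shop.example"): (NOERROR, True),
    # DNS hosted at the registrar itself; one server answers without AA.
    ("ns1.registrar.example", "corp.example"): (NOERROR, True),
    ("ns2.registrar.example", "corp.example"): (NOERROR, False),
}

Probe = Callable[[str, str], Tuple[int, bool]]


def sample_probe(nameserver: str, zone: str) -> Tuple[int, bool]:
    """Stand-in for a live SOA query; unknown servers count as unreachable."""
    return SAMPLE_PROBES.get((nameserver, zone), (SERVFAIL, False))


def provider_of(nameserver: str) -> str:
    """Provider key for an NS host: its last two labels (simplifying assumption)."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class DelegationReport:
    zone: str
    registrar: str
    providers: List[str]
    lame_servers: List[str] = field(default_factory=list)

    @property
    def split_providers(self) -> bool:
        """Recommendation 1: authoritative DNS lives somewhere other than the registrar."""
        return any(p != self.registrar for p in self.providers)

    @property
    def sitting_duck_candidate(self) -> bool:
        """Both preconditions hold: delegated away from the registrar, and lame."""
        return self.split_providers and bool(self.lame_servers)


def assess_delegation(zone: str, registrar: str, parent_ns: List[str],
                      probe: Probe = sample_probe) -> DelegationReport:
    """Check the NS set the registrar publishes (parent side) for the zone.

    A server is lame when it does not answer NOERROR with the AA flag set
    for the zone's SOA (recommendation 2: delegation to a provider where
    the account has expired or is otherwise invalid).
    """
    report = DelegationReport(
        zone=zone,
        registrar=registrar.lower(),
        providers=sorted({provider_of(ns) for ns in parent_ns}),
    )
    for ns in parent_ns:
        rcode, authoritative = probe(ns, zone)
        if rcode != NOERROR or not authoritative:
            report.lame_servers.append(ns)
    return report


if __name__ == "__main__":
    # Constructed inventory: zone -> NS set as published by the registrar.
    inventory = {
        "brand-defense.example": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
        "shop.example": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
        "corp.example": ["ns1.registrar.example", "ns2.registrar.example"],
    }
    for zone, ns_set in inventory.items():
        r = assess_delegation(zone, "registrar.example", ns_set)
        flag = "CANDIDATE" if r.sitting_duck_candidate else "ok"
        print(f"{zone}: {flag} split={r.split_providers} lame={r.lame_servers}")
```

To run this against real infrastructure, replace sample_probe with a function that sends an SOA query directly to each delegated name server (with dnspython, for instance, dns.message.make_query(zone, "SOA") sent via dns.query.udp, returning response.rcode() and bool(response.flags & dns.flags.AA)). A CANDIDATE result is a prompt to confirm with the DNS provider that the account behind those name servers still exists and is yours, not evidence that the domain has already been hijacked; the registrar-hosted corp.example case shows why the split-provider condition is kept separate from the lameness check.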