Ducks Now Sitting (DNS): Internet Infrastructure Insecurity

Was it DNS? It’s always DNS. In this case, DNS (Domain Name System) is filled with sitting ducks (Ducks Now Sitting) for domain name hijacking. Multiple threat actors have been exploiting this attack vector which we are calling Sitting Ducks since at least 2019 to perform malware delivery, phishing, brand impersonation, and data exfiltration. As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account. There are an estimated 1M exploitable domains and we have confirmed 30k+ hijacked domains since 2019. Researchers at Infoblox and Eclypsium, who discovered this issue, have been coordinating with law enforcement and national CERTs since discovery in June 2024.

The Sitting Ducks attack is possible under the following circumstances:

  • A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation. 
  • A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service. 
  • The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore cannot resolve queries for it or its subdomains.
  • The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar.

While these circumstances may seem unusual, they are very common. Multiple threat actors are actively exploiting this attack vector, and we expect the true extent of the issue to be much larger than currently known: active exploitation has been validated, and continued research keeps uncovering additional risk.

How Can This Be?

Sitting Ducks is a new issue, but it falls into a category of DNS-related research that clearly demonstrates the difficulty of securing this attack surface.  

  • Lame delegation occurs when a name server is delegated, or assigned, to provide authoritative DNS records, but does not have the information to do so. In certain cases, the registration for the delegated name server may have expired. A lame delegation attack occurs when the malicious actor registers the assigned name server domain. In this scenario, the attacker gains access to all domains that point to that name server domain. We have recently validated an active exploit of this attack using typosquat name server domains. These attacks require the actor to register a domain. 
  • Dangling DNS records generally contain invalid information, typically due to a forgotten configuration. For example, a dangling CNAME attack takes advantage of DNS CNAME records in which the DNS response “redirects” to a domain name whose registration has lapsed. A malicious actor can register the lapsed domain and confuse users through the forgotten record. 
  • Domain shadowing or subdomain hijacking is another form of attack that might be confused with Sitting Ducks. This attack allows the malicious actor to create new DNS records within the valid owner’s account. Domain shadowing attacks require the actor to have access to the existing account at either the registrar or the DNS provider.    

Sitting Ducks combines a lame delegation with a vulnerable DNS provider that fails to properly validate that the account holder who claims a domain actually controls it. If you point DNS for your domain to a service, you need to be sure that your account on that service (and only accounts you authorized) claims the domain. 

A Bit of History

While going through the responsible disclosure process, we found a few other similar discussions of the issue from the threat research community. The first mention we could find happened back in 2016: The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability (by Matthew Bryant). That disclosure to multiple cloud providers explains why some of the providers have a form of defense against this issue.

But the issue remained in the shadows of the internet until it resurfaced in 2019: Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com, when it was actually exploited against GoDaddy, as reported by Brian Krebs. Then the issue dropped off the radar completely yet again.

In 2024, we are seeing another round of exploitation of the issue by multiple threat actors, and it is going to take a coordinated effort to actually fix it.

Recommendations

We recommend that domain owners do the following:

  • Check whether you use an authoritative DNS provider independent of your domain registrar. A Sitting Ducks attack exploits confusion between these two different providers. Therefore, if you use the same provider for both, you are not at risk for a Sitting Ducks attack. 
  • Check whether your domains and subdomains have name server delegation to service providers where accounts have expired or are otherwise invalid. A Sitting Ducks attack exploits these invalid accounts to claim control over a domain from a current/valid account.
  • Check with your DNS provider to inquire how the provider explicitly mitigates this attack. If your provider has deployed mitigations, you are not at significant risk for a Sitting Ducks attack. 
  • The non-profit Shadowserver Foundation has established a monitoring service that can help domain owners determine whether they have issues like this one, and will soon deliver daily reports to signed-up users.
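An added example for the delegation check in the second bullet (this is not code from the original post or from Infoblox/Eclypsium): it classifies each delegated name server as 'ok', 'lame' or 'unreachable' from how it answers a SOA query for the zone, which is the observable symptom of a delegation pointing at an expired or never-claimed provider account. The zone example.test, the provider host names and the canned replies are constructed; live_query assumes the dnspython package is installed if you want to probe real name servers.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class SoaReply:
    """Minimal view of a SOA response: rcode text, AA flag, SOA records returned."""
    rcode: str            # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN" or "TIMEOUT"
    authoritative: bool   # AA bit in the response header
    answers: int          # SOA records in the answer section

# (name server host, zone) -> SoaReply; injected so the classifier runs offline
# against constructed replies or online via live_query below.
Query = Callable[[str, str], SoaReply]

def classify_ns(query: Query, ns_host: str, zone: str) -> str:
    """Return 'ok', 'lame' or 'unreachable' for one delegated name server."""
    r = query(ns_host, zone)
    if r.rcode == "TIMEOUT":
        return "unreachable"
    if r.rcode == "NOERROR" and r.authoritative and r.answers > 0:
        return "ok"
    # REFUSED/SERVFAIL/NXDOMAIN, or NOERROR without an authoritative SOA: the host
    # is delegated for the zone but does not serve it, i.e. a lame delegation.
    return "lame"

def audit_delegation(query: Query, zone: str, ns_hosts: List[str]) -> Dict[str, str]:
    """Classify every delegated name server of a zone; a 'lame' host at a
    provider that lets anyone claim the zone is a Sitting Ducks candidate."""
    return {ns: classify_ns(query, ns, zone) for ns in ns_hosts}

def live_query(ns_host: str, zone: str) -> SoaReply:
    """Real probe using dnspython (assumed installed; imported lazily)."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    try:
        ip = dns.resolver.resolve(ns_host, "A")[0].address
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ip, timeout=3.0)
    except (dns.exception.DNSException, OSError):
        return SoaReply("TIMEOUT", False, 0)
    soa = sum(1 for rr in resp.answer if rr.rdtype == dns.rdatatype.SOA)
    return SoaReply(dns.rcode.to_text(resp.rcode()), bool(resp.flags & dns.flags.AA), soa)

# Constructed replies for a hypothetical zone whose delegation is partly lame.
FAKE_REPLIES = {
    ("ns1.dns-provider.example", "example.test"): SoaReply("NOERROR", True, 1),
    ("ns2.dns-provider.example", "example.test"): SoaReply("REFUSED", False, 0),
    ("ns1.old-provider.example", "example.test"): SoaReply("NOERROR", False, 0),
}

def fake_query(ns_host: str, zone: str) -> SoaReply:
    return FAKE_REPLIES.get((ns_host, zone), SoaReply("TIMEOUT", False, 0))
```

Run audit_delegation(live_query, zone, hosts) with the NS hosts taken from the parent (TLD) delegation, not from the zone itself, since a lame server cannot tell you its own NS set.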

For DNS service providers, we recommend the following mitigations:

  • In order to claim a domain name, issue the account holder a random name server host that requires a change at the registrar. This helps verify ownership.
  • Ensure that the newly assigned name server hosts do not match previous name server assignments. This avoids edge cases that may break the above verification.
  • Do not allow the account holder to modify the name server hosts after their assignment. This complicates hijacking attempts.
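The three mitigations as one provider-side claim flow, added here as an example that is not the page's code nor any provider's implementation: random, never-reused name server hosts are issued per claim, the claim is accepted only once the parent delegation shows those hosts, and the assignment cannot be changed afterwards. The provider suffix, account names and the delegation lookup callback are assumed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# zone -> NS hosts currently delegated at the parent (what the registrar published)
Delegation = Callable[[str], Set[str]]

@dataclass
class ClaimRegistry:
    """Provider-side domain claim flow modelled on the three mitigations above."""
    provider_suffix: str                                  # e.g. "dns-provider.example"
    used_hosts: Set[str] = field(default_factory=set)     # every host ever issued
    pending: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)  # (account, zone)
    verified: Dict[str, str] = field(default_factory=dict)                  # zone -> account

    def issue_hosts(self, account: str, zone: str, count: int = 2) -> Set[str]:
        """Mitigations 1 and 2: hand out fresh random NS hosts, never reused, that the
        claimant must set at the registrar before the zone is activated."""
        if self.verified.get(zone, account) != account:
            raise PermissionError("zone is already verified for another account")
        hosts: Set[str] = set()
        while len(hosts) < count:
            h = f"ns-{secrets.token_hex(6)}.{self.provider_suffix}"
            if h not in self.used_hosts:
                hosts.add(h)
        self.used_hosts |= hosts
        self.pending[(account, zone)] = hosts
        return hosts

    def verify(self, delegation: Delegation, account: str, zone: str) -> bool:
        """Activate the zone only if every issued host appears in the parent delegation."""
        hosts = self.pending.get((account, zone))
        if not hosts or self.verified.get(zone, account) != account:
            return False
        published = {h.lower().rstrip(".") for h in delegation(zone)}
        if not hosts <= published:
            return False
        self.verified[zone] = account
        return True

    def change_hosts(self, account: str, zone: str, new_hosts: Set[str]) -> None:
        """Mitigation 3: assigned hosts are immutable, so an account cannot rename its
        assignment to match hosts that a zone's delegation already points to."""
        raise PermissionError("name server hosts cannot be modified after assignment")
```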

The infrastructure supply chain is everywhere, including the core services of the Internet. Eclypsium greatly appreciates its partnership with Infoblox on this research. If you would like to discuss the issue in detail, please contact Infoblox Threat Intel at [email protected] or Eclypsium at [email protected]. If you would like even more details about this research, please visit the Infoblox blog.