A recently discovered vulnerability in the Domain Name System (DNS), dubbed ‘Sitting Ducks,’ has left millions of domains susceptible to hijacking. This attack vector, actively exploited since 2019, enables threat actors to deliver malware, phish, impersonate brands, and exfiltrate data.
Researchers at Infoblox and Eclypsium identified the vulnerability, coordinating with law enforcement and national Computer Emergency Response Teams (CERTs) since June 2024. The issue arises when a registered domain or subdomain uses authoritative DNS services from a provider different from the domain registrar, a process known as name server delegation.
If the authoritative name server lacks information about the domain, it results in a ‘lame delegation.’ Attackers can then claim ownership of the domain at the delegated DNS provider without accessing the legitimate owner’s account at the registrar.
One Million Domains
The researchers estimate around one million domains are exploitable, with over 30,000 confirmed hijacked domains since 2019. The true extent of the issue is believed to be much larger, with ongoing research uncovering expanding risks.
The Sitting Ducks vulnerability is a new entry in a series of DNS-related issues highlighting the difficulty of securing this attack surface. Some key exploitation techniques include:
- Lame Delegation Attacks: These occur when a malicious actor registers an assigned name server domain, gaining control over all domains pointing to that server.
- Dangling DNS Records: These attacks exploit invalid DNS records, such as a CNAME record redirecting to a domain whose registration has lapsed. Attackers can register the lapsed domain and mislead users.
- Domain Shadowing: This involves creating new DNS records within the valid owner’s account, requiring access to the existing account at the registrar or DNS provider.
Not a New Issue
The Sitting Ducks issue is not entirely new. Similar vulnerabilities were discussed in 2016 by Matthew Bryant in “The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability,” and later in 2019, when Brian Krebs reported on the exploitation of a similar weakness at GoDaddy. Despite these warnings, the issue persisted and resurfaced with renewed exploitation in 2024.
Recommendations for Mitigation
To safeguard against Sitting Ducks attacks, the researchers recommend that domain owners:
- Verify if their authoritative DNS provider is independent of their domain registrar.
- Ensure their domains and subdomains do not have name server delegation to expired or invalid accounts.
- Inquire with DNS providers about specific mitigations against this attack.
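One way to automate the second check, asking each name server the registrar delegates to whether it actually holds the zone, as an added example that is not part of the article or the researchers' tooling. The name servers and answers below are constructed; the live transport assumes dnspython and network access.

```python
from dataclasses import dataclass
import socket

@dataclass
class NsResult:
    nameserver: str
    status: str   # "ok" | "lame" | "unreachable"
    detail: str

def check_delegation(domain, delegated_ns, query):
    """Ask each name server the registrar delegates to for the zone's SOA.
    A reachable server answering REFUSED/SERVFAIL/NXDOMAIN, or without the
    Authoritative Answer (AA) flag, does not hold the zone: a lame delegation.
    `query(ns, name, rtype)` -> (rcode_text, aa_flag, answer_count); it is
    injectable so the check runs offline against canned answers."""
    results = []
    for ns in delegated_ns:
        try:
            rcode, aa, answers = query(ns, domain, "SOA")
        except Exception as exc:  # timeout, unresolvable host, transport error
            results.append(NsResult(ns, "unreachable", str(exc)))
            continue
        if rcode == "NOERROR" and aa and answers > 0:
            results.append(NsResult(ns, "ok", "authoritative SOA returned"))
        else:
            results.append(NsResult(ns, "lame", f"rcode={rcode} aa={aa}"))
    return results

def is_lame(results):
    """True when no delegated server is authoritative (claimability still depends on the provider)."""
    return bool(results) and all(r.status != "ok" for r in results)

def live_query(ns, name, rtype, timeout=3.0):
    """Transport for real checks; needs dnspython and network access."""
    import dns.flags, dns.message, dns.query, dns.rcode  # optional dependency
    msg = dns.message.make_query(name, rtype)
    msg.flags &= ~dns.flags.RD  # no recursion: ask the delegated server itself
    resp = dns.query.udp(msg, socket.gethostbyname(ns), timeout=timeout)
    return (dns.rcode.to_text(resp.rcode()),
            bool(resp.flags & dns.flags.AA), len(resp.answer))

# Constructed sample: example.com is delegated to a third-party provider whose
# servers do not know the zone (REFUSED / non-authoritative empty answer).
CANNED = {"ns1.dns-provider.example": ("REFUSED", False, 0),
          "ns2.dns-provider.example": ("NOERROR", False, 0)}

def canned_query(ns, name, rtype):
    if ns not in CANNED:
        raise TimeoutError(f"{ns}: no response")
    return CANNED[ns]
```

For a live check, pass `live_query` in place of `canned_query` together with the NS set published in the registrar's delegation for the domain.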
They recommend that DNS service providers should:
- Assign a random name server host to each new domain claim, so that claiming a domain requires a change at the registrar, which verifies ownership.
- Ensure newly assigned name server hosts do not match previous assignments to avoid verification issues.
- Prevent account holders from modifying name server hosts after assignment to complicate hijacking attempts.
The non-profit Shadowserver Foundation has established a monitoring service to help domain owners detect such vulnerabilities, promising daily reports to signed-up users. As the DNS landscape continues to evolve, addressing these vulnerabilities is crucial for maintaining the integrity and security of online domains.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.