Detecting and Measuring Security Implications of Entangled Domain Verification in CDN

Ziyu Lin, Zhiwei Lin, Run Guo, Jianjun Chen, Mingming Zhang, Ximeng Liu, Tianhao Yang, Zhuoran Cao, Robert H. Deng

TL;DR

This paper investigates the security implications of Absence of Domain Verification (DVA) in Content Delivery Networks (CDNs) and introduces DVAHunter, an automated system for detecting DVA vulnerabilities at Internet scale. By analyzing 89 million subdomains across 45 CDNs, the authors reveal widespread DVA vulnerabilities, with 43 CDNs affected and thousands of subdomains exposed to domain abuse via fronting, borrowing, or takeover. The work also uncovers two new takeover mechanisms and demonstrates how Multi-CDN deployments can undermine verification by leveraging the weakest link among collaborators. The authors provide mitigation guidance, disclose findings to vendors, and release DVAHunter as an open-source tool to empower ongoing detection and remediation efforts.

Abstract

Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has emerged recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) is actively working on solutions based on our recommendations.

Paper Structure (28 sections, 10 figures, 9 tables)

Figures (10)

  • Figure 1: Domain verification in CDNs.
  • Figure 2: Domain fronting in the CDN.
  • Figure 3: Domain borrowing in the CDN.
  • Figure 4: Domain takeover in the CDN.
  • Figure 5: DVAHunter workflow.
  • ...and 5 more figures