Detecting and Measuring Security Implications of Entangled Domain Verification in CDN
- URL: http://arxiv.org/abs/2409.01887v1
- Date: Tue, 3 Sep 2024 13:27:33 GMT
- Title: Detecting and Measuring Security Implications of Entangled Domain Verification in CDN
- Authors: Ziyu Lin, Zhiwei Lin, Run Guo, Jianjun Chen, Mingming Zhang, Ximeng Liu, Tianhao Yang, Zhuoran Cao, Robert H. Deng
- Abstract summary: Absence of Domain Verification (DVA) is a significant security flaw in Content Delivery Networks (CDNs). We present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs.
- Score: 30.611196380526213
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has emerged recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) is actively working on solutions based on our recommendations.
Related papers
- The Ripple Effect of Vulnerabilities in Maven Central: Prevalence, Propagation, and Mitigation Challenges [8.955037553566774]
We analyze the prevalence and impact of vulnerabilities within the Maven Central ecosystem using Common Vulnerabilities and Exposures data.
In our subsample of around 4 million releases, we found that while only about 1% of releases have direct vulnerabilities.
We also observed that the time taken to patch vulnerabilities, including those of high or critical severity, often spans several years.
arXiv Detail & Related papers (2025-04-05T13:45:27Z)
- On the Verification of Control Flow Attestation Evidence [9.30850875158975]
We argue that run-time attestation and auditing are only truly useful if Vrf can effectively analyze received evidence.
As a case study for practical uses of run-time evidence by Vrf, we propose SABRE: a Security Analysis and Binary Repair Engine.
arXiv Detail & Related papers (2024-11-16T18:24:11Z)
- Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks [20.374230089231766]
We present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks.
It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes.
We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts.
arXiv Detail & Related papers (2024-09-01T13:03:47Z)
- Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study [1.2233362977312945]
Misuse or misissuance of certificates threaten the Web PKI security model.
We study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use.
arXiv Detail & Related papers (2024-07-02T14:20:31Z)
- Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates [1.135267457536642]
DNS dynamic updates represent an inherently vulnerable mechanism.
Non-secure DNS updates leave domains susceptible to a novel form of attack termed zone poisoning.
We undertook a comprehensive campaign involving the notification of Computer Security Incident Response Teams.
arXiv Detail & Related papers (2024-05-30T09:23:53Z)
- Cross-Domain Few-Shot Object Detection via Enhanced Open-Set Object Detector [72.05791402494727]
This paper studies the challenging cross-domain few-shot object detection (CD-FSOD).
It aims to develop an accurate object detector for novel domains with minimal labeled examples.
arXiv Detail & Related papers (2024-02-05T15:25:32Z)
- Measuring CDNs susceptible to Domain Fronting [2.609441136025819]
Domain fronting is a network communication technique that involves leveraging content delivery networks (CDNs) to disguise the final destination of network packets.
This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems.
We propose a systematic approach to discover CDNs that are still prone to domain fronting.
arXiv Detail & Related papers (2023-10-27T02:04:19Z)
- Enumerating Safe Regions in Deep Neural Networks with Provable Probabilistic Guarantees [86.1362094580439]
We introduce the AllDNN-Verification problem: given a safety property and a DNN, enumerate the set of all the regions of the property input domain which are safe.
Due to the #P-hardness of the problem, we propose an efficient approximation method called epsilon-ProVe.
Our approach exploits a controllable underestimation of the output reachable sets obtained via statistical prediction of tolerance limits.
arXiv Detail & Related papers (2023-08-18T22:30:35Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- Safe Self-Refinement for Transformer-based Domain Adaptation [73.8480218879]
Unsupervised Domain Adaptation (UDA) aims to leverage a label-rich source domain to solve tasks on a related unlabeled target domain.
It is a challenging problem especially when a large domain gap lies between the source and target domains.
We propose a novel solution named SSRT (Safe Self-Refinement for Transformer-based domain adaptation), which brings improvement from two aspects.
arXiv Detail & Related papers (2022-04-16T00:15:46Z)
- Voting for the right answer: Adversarial defense for speaker verification [79.10523688806852]
ASV is under the radar of adversarial attacks, which are similar to their original counterparts from human's perception.
We propose the idea of "voting for the right answer" to prevent risky decisions of ASV in blind spot areas.
Experimental results show that our proposed method improves the robustness against both the limited-knowledge attackers.
arXiv Detail & Related papers (2021-06-15T04:05:28Z)