DOI: 10.1145/3133956.3134084

Client-side Name Collision Vulnerability in the New gTLD Era: A Systematic Study

Published: 30 October 2017

Abstract

The recent unprecedented delegation of new generic top-level domains (gTLDs) has exacerbated an existing, but fallow, problem called name collisions. One concrete exploit of this problem was discovered recently, which targets internal namespaces and enables Man in the Middle (MitM) attacks against end-user devices from anywhere on the Internet. Analysis of the underlying problem shows that it is not specific to any single service protocol, but little attention has been paid to understanding the vulnerability status and the defense solution space at the service level. In this paper, we perform the first systematic study of the robustness of internal network services under name collision attacks.
We first perform a measurement study and uncover a wide spectrum of services affected by the name collision problem. We then collect their client implementations and systematically analyze their vulnerability status under name collision attacks using dynamic analysis. Out of the 48 identified exposed services, we find that nearly all (45) of them expose vulnerabilities in popular clients. To demonstrate the severity, we construct exploits and find a set of new name collision attacks with severe security implications including MitM attacks, internal or personal document leakage, malicious code injection, and credential theft. We analyze the causes, and find that the name collision problem broadly breaks common security assumptions made in today's service client software. Leveraging the insights from our analysis, we propose multiple service-software-level solutions, which enable the victim services to actively defend against name collision attacks.



Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. dns-based service discovery
2. name collision
3. new gtld
4. server authentication
5. software vulnerability

Qualifiers

• Research-article

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate: 151 of 836 submissions, 18%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
