There was an intriguingly named vulnerability revealed this week: Ghost Domains. A paper describing it can be found here. A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD. It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.
Basically, their little trick exercises the algorithms that decide which data from authoritative DNS server responses gets cached. They discovered a way to persuade some caching servers to accept delegation data that would allow someone to revive a domain in the caching server by replacing an about-to-expire entry with a new entry that has a fresh TTL. By sending standard queries for the target domain, an attacker can manipulate the caching server to ensure their domain remains alive.
There are a couple of bits of good news. First, Nominum Vantio servers are NOT susceptible to this vulnerability. Vantio source code has been carefully reviewed and testing has confirmed Nominum’s algorithms for determining what DNS data is stored in the cache will NOT store the DNS data that enables this vulnerability. To capture the technical point: Vantio never uses authority section data from a zone to update the zone’s delegation entry. Or, said another way, Vantio only accepts delegation data from a parent zone.
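To make the cache-update rule concrete, here is a small simulation of the two policies described above. It is an added example written for this post, not Nominum or Vantio code, and it models a single resolver cache entry (the delegation for a name) rather than a real DNS implementation. The names `ghost.example.` and `ns1.ghost.example.` are constructed, and the zone `example.` stands in for the TLD; the timing values (a 100-second delegation TTL, revocation at t=50, one query every 40 seconds) are chosen only to keep the arithmetic easy to follow.

```python
"""Model of the cache-update rule that separates a resolver vulnerable to
Ghost Domains from one that is not (added illustration, not Vantio code)."""
from dataclasses import dataclass


@dataclass
class Delegation:
    nameservers: tuple   # NS target names for the delegated zone
    expires_at: int      # absolute time (seconds) at which the entry expires
    source_zone: str     # zone whose server supplied this delegation


@dataclass
class Response:
    """Minimal stand-in for a DNS response: which zone's server answered and
    what NS RRset it carried in the authority section."""
    responder_zone: str  # zone the answering server is authoritative for
    owner: str           # owner name of the NS RRset in the authority section
    nameservers: tuple
    ttl: int


def parent_zone(name):
    """'ghost.example.' -> 'example.'; 'example.' -> '.' (the root)."""
    labels = name.rstrip('.').split('.')
    return '.'.join(labels[1:]) + '.' if len(labels) > 1 else '.'


class Cache:
    def __init__(self, accept_child_authority):
        # True models the vulnerable rule; False models "delegation data only
        # from the parent zone", which is the rule the post attributes to Vantio.
        self.accept_child_authority = accept_child_authority
        self.delegations = {}

    def lookup(self, name, now):
        """Return the live delegation for name, evicting it if it has expired."""
        d = self.delegations.get(name)
        if d is None or d.expires_at <= now:
            self.delegations.pop(name, None)
            return None
        return d

    def update_from_response(self, resp, now):
        """Apply the authority-section NS RRset; return True if it was cached."""
        if resp.responder_zone == parent_zone(resp.owner):
            # A referral from the parent is the legitimate source of the cut.
            self.delegations[resp.owner] = Delegation(
                resp.nameservers, now + resp.ttl, resp.responder_zone)
            return True
        if resp.responder_zone == resp.owner and self.accept_child_authority:
            # Vulnerable rule: the child's own server refreshes its delegation
            # entry, resetting the TTL every time the resolver talks to it.
            self.delegations[resp.owner] = Delegation(
                resp.nameservers, now + resp.ttl, resp.responder_zone)
            return True
        return False


def simulate(accept_child_authority, horizon=400, ttl=100,
             revoke_at=50, query_every=40):
    """Return the last time (seconds) at which the revoked name still resolved."""
    cache = Cache(accept_child_authority)
    name = 'ghost.example.'                  # constructed name
    ns = ('ns1.ghost.example.',)             # constructed nameserver
    # t=0: the resolver follows a referral from the parent and caches the cut.
    cache.update_from_response(Response('example.', name, ns, ttl), 0)
    last_alive = 0
    for t in range(query_every, horizon + 1, query_every):
        if cache.lookup(name, t) is None:
            # Nothing cached: ask the parent. After revocation the parent no
            # longer hands out a delegation, so the name is gone for good.
            if t < revoke_at:
                cache.update_from_response(Response('example.', name, ns, ttl), t)
            else:
                break
        else:
            # The resolver queries the child's server, which pads the authority
            # section with its own NS RRset carrying a fresh TTL.
            cache.update_from_response(Response(name, name, ns, ttl), t)
        if cache.lookup(name, t) is not None:
            last_alive = t
    return last_alive


if __name__ == '__main__':
    print('vulnerable cache, last alive at t =', simulate(True))    # keeps resolving
    print('parent-only cache, last alive at t =', simulate(False))  # expires with the TTL
```

With the vulnerable policy the name is still resolvable at the end of the run, long after the parent stopped delegating it, because each query to the child's server resets the TTL; with the parent-only policy the entry simply ages out once the original TTL from the referral is spent. Note that in both cases the attacker needs nothing more than a server answering for the zone and ordinary queries against the cache, which is why the post stresses that the impact is limited to domains the attacker already controls.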
The other good news is that it certainly does not compare with earlier vulnerabilities, like Kaminsky's in 2008. It is not cache poisoning: the attacker can only impact domains they control (by controlling authoritative servers for that domain). It also does not improve the effectiveness of an exploit, but could be used to extend its lifetime. Perhaps the phishers will rejoice, since they are commonly targets of takedowns.
It's also important to note that since it operates at the caching layer, the effectiveness of the vulnerability is bounded by an attacker's ability to manipulate widely distributed caching servers. Scale is determined by touching more caching servers so a lone phisher without access to something like a properly trained botnet.
It will be interesting to see whether or not this gets used in the wild. Perhaps a dejected botmaster will use it to breathe new life into a botnet that has been taken down. Imagine a self-sustaining botnet that takes advantage of ghost domains to survive attempts to kill it. Wouldn't that be a vampire bot?