DareShark: Detecting and Measuring Security Risks of Hosting-Based Dangling Domains

Abstract

Public hosting services provide convenience for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying for the same endpoints. Such a threat is called hosting-based domain takeover. There have been numerous domain takeover incidents in recent years that have had significant effects; even well-known websites like the subdomains of microsoft.com have been impacted. However, there is currently no effective detection system in place to identify these vulnerable domains on a large scale. In this paper, we present a novel framework, HostingChecker, for detecting domain takeovers. In comparison to previous works, HostingChecker expands the detection scope and improves the detection efficiency by: (i) systematically identifying vulnerable hosting services using a semi-automated method; and (ii) detecting vulnerable domains by passively reconstructing domain resolution chains. We evaluate the effectiveness of HostingChecker and eventually detect 10,351 subdomains from Tranco Top-1M apex domains vulnerable to domain takeover, which are over 8× more than previous findings. Specifically, HostingChecker enables us to detect the subdomains of Tranco sites on a daily basis. Furthermore, we conduct an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suite of new insights, including flawed implementation of domain validation. We have responsibly reported issues to the security response centers of affected vendors, and some of them have adopted our mitigation.

Publication
In Proceedings of the 2023 ACM Special Interest Group on Measurement and Evaluation. Orlando, Florida, June 19-23, 2023. (Acceptance rate: ??%; acceptance rate in summer: 17/93=18.3%; acceptance rate in fall: 26/119=21.9%; acceptance rate in winter: ??%.)
* Presented at OARC 40

Overview

In this paper, we present a novel framework, HostingChecker (DareShark), for detecting domain takeovers.
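The abstract describes detecting vulnerable domains by passively reconstructing domain resolution chains. The sketch below is an added example for auditing your own zone, not HostingChecker's code: the observations, the `.hosting.example` suffix and all function names are constructed assumptions.

```python
# Constructed passive-DNS observations (owner, type, value); reserved example names only.
OBSERVATIONS = [
    ("www.shop.example", "CNAME", "shop-prod.hosting.example"),
    ("shop-prod.hosting.example", "A", "192.0.2.10"),
    ("blog.shop.example", "CNAME", "cdn.shop.example"),
    ("cdn.shop.example", "CNAME", "old-blog.hosting.example"),  # endpoint released
    ("a.shop.example", "CNAME", "b.shop.example"),
    ("b.shop.example", "CNAME", "a.shop.example"),              # CNAME loop
    ("mail.shop.example", "CNAME", "mx.internal.example"),      # dead end, not hosted
]
# Hypothetical suffixes of hosting services where a free endpoint name can be claimed.
HOSTING_SUFFIXES = (".hosting.example",)
MAX_HOPS = 16

def build_index(observations):
    """Group observed records as {owner name: {record type: [values]}}."""
    index = {}
    for name, rtype, value in observations:
        key = name.lower().rstrip(".")
        index.setdefault(key, {}).setdefault(rtype, []).append(value.lower().rstrip("."))
    return index

def resolve_chain(name, index):
    """Follow CNAMEs through the observed data only; return (chain, status)."""
    chain, seen = [name], {name}
    while len(chain) <= MAX_HOPS:
        records = index.get(chain[-1], {})
        if "A" in records or "AAAA" in records:
            return chain, "resolves"
        if "CNAME" not in records:
            return chain, "dead-end"
        target = records["CNAME"][0]
        if target in seen:
            return chain + [target], "loop"
        chain.append(target)
        seen.add(target)
    return chain, "too-long"

def find_dangling(observations, zone_suffix):
    """Return (name, chain) for zone names whose chain ends at an unresolved hosting endpoint."""
    index = build_index(observations)
    findings = []
    for name in sorted(n for n in index if n.endswith(zone_suffix)):
        chain, status = resolve_chain(name, index)
        if status == "dead-end" and chain[-1].endswith(HOSTING_SUFFIXES):
            findings.append((name, chain))
    return findings
```

A missing address record in passive data is only a candidate signal; confirm with a live query against the hosting provider before removing or re-pointing the record.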

Presentation

Xiang Li
Ph.D. Candidate in Cyberspace Security (Tsinghua University)

Xiang Li is a 4th-year Ph.D. candidate at the Institute of Network Science and Cyberspace, Tsinghua University, advised by Professors Qi Li and Haixin Duan. He belongs to the Network and Information Security Lab (NISL). He is a visiting scholar at UC Irvine as a project specialist, working with Professor Zhou Li. He is also working as a security research intern at Qi-An-Xin Technology Company. Additionally, he is the author of the fast IPv6 network device scanner XMap, open-sourced on GitHub. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, and network & protocol fuzzing. As first author, he has published many research papers at top security conferences like USENIX Security, NDSS, and DSN. As a co-author, he has also published multiple papers at top conferences like USENIX Security and SIGMETRICS. His presentations have also been accepted at top industry security conferences like Black Hat. He likes to attend talks and workshops like IDS, OARC, and VehicleSec to share his research. He has obtained over 140 CVE/CNVD vulnerability numbers for a variety of influential IPv6 and DNS vulnerabilities, which have impacted over 20 home router vendors and all DNS implementations and resolver vendors. He has received acknowledgements and more than $10,600 in rewards from those vendors, like Google, Microsoft, Cloudflare, and Akamai, and is working on the improvement of DNS protocols (related work has been referenced in an RFC).