The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

Schlamp, Johann; Gustafsson, Josef; Wählisch, Matthias; Schmidt, Thomas C.; Carle, Georg

doi:10.1007/978-3-319-17172-2_13

Cited by 10 publications

(3 citation statements)

References 24 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We note that attackers already routinely buy expired domains to hijack the residual trust attached with these domains [35,39,67]. Attackers have in the past targeted residual trust to defunct banking domains [44] and imported JavaScript libraries [47] to serve malware or steal user data, to take over email addresses associated with the domain [56], to control authoritative nameservers [39], or simply to serve ads [36]. Here, we abuse residual trust to poison distributed datasets.…”

Section: Attack Scenariosmentioning

confidence: 99%

Poisoning Web-Scale Training Datasets is Practical

Carlini¹,

Jagielski²,

Choquette-Choo³

et al. 2023

Preprint

View full text Add to dashboard Cite

Deep learning models are often trained on distributed, webscale datasets crawled from the internet. In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model's performance. Our attacks are immediately practical and could, today, poison 10 popular datasets. Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content-such as Wikipedia-where an attacker only needs a time-limited window to inject malicious examples. In light of both attacks, we notify the maintainers of each affected dataset and recommended several low-overhead defenses.

show abstract

Section: Attack Scenariosmentioning

confidence: 99%

Poisoning Web-Scale Training Datasets is Practical

Carlini¹,

Jagielski²,

Choquette-Choo³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Previous work hinted at the possibility of using emails of re-registered domains for spam [29,34] and authentication [38]. However, they focused on taking over other domains, similar as Schlamp et al [59], whereas our work focuses on authentication with third-party services.…”

Section: Use-after-freemail Through Expired Domain Namesmentioning

confidence: 99%

Use-After-FreeMail

Gruss

Schwarz

Wübbeling

et al. 2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Use-after-free is a type of vulnerability commonly present in software written in memory-unsafe languages like C or C++, where a program frees a memory buffer too early. By placing counterfeit structures at the freed memory location, an attacker can leak information or gain execution control upon subsequent access.In this paper, we show that the concept of use-after-free can be generalized to any environment and situation where resources can be silently exchanged. As an instance of our generalization we demonstrate Use-After-FreeMail attacks. Use-After-FreeMail attacks gather email addresses from publicly available database leaks. The fully automated quantitative analysis brought to light that 33.5% of all free-mail addresses we tested are not valid anymore. In two user studies with 100 and 31 participants we found that 11-19% of users are affected by our attack. In qualitative case studies we investigated what information can be gained in Use-After-FreeMail attacks, e.g., payment information, and how far currently used accounts can be compromised (identity theft). Finally, drawing the connection between mitigations against traditional use-afterfree scenarios and the Use-After-FreeMail scenario, we provide a concise list of recommendations to free-mail providers and users as a protection against use-after-free attacks.

show abstract

“…Moreover, tailored attacks can be derived to impersonate a victim from an administrative point of view by stealthily hijacking abandoned Internet resources. We have studied such hidden takeover attacks in great detail in previous work [2], [13]. An even more sophisticated attack based on AS path manipulation aims at stealthily intercepting a victim's traffic while maintaining the victim's connectivity.…”

Section: B Classification Of Attacksmentioning

confidence: 99%

HEAP: Reliable Assessment of BGP Hijacking Attacks

Schlamp

Holz

Jacquemart

et al. 2016

IEEE J. Select. Areas Commun.

Self Cite

View full text Add to dashboard Cite

The detection of BGP prefix hijacking attacks has been the focus of research for more than a decade. However, stateof-the-art techniques fall short of detecting more elaborate types of attack. To study such attacks, we devise a novel formalization of Internet routing, and apply this model to routing anomalies in order to establish a comprehensive attacker model. We use this model to precisely classify attacks and to evaluate their impact and detectability. We analyze the eligibility of attack tactics that suit an attacker's goals and demonstrate that related work mostly focuses on less impactful kinds of attacks.We further propose, implement and test the Hijacking Event Analysis Program (HEAP), a new approach to investigate hijacking alarms. Our approach is designed to seamlessly integrate with previous work in order to reduce the high rates of false alarms inherent to these techniques. We leverage several unique data sources that can reliably disprove malicious intent. First, we make use of an Internet Routing Registry to derive business or organisational relationships between the parties involved in an event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate operational practice. Finally, we use Internet-wide network scans to identify SSL/TLS-enabled hosts, which helps to identify non-malicious events by comparing public keys prior to and during an event. In our evaluation, we prove the effectiveness of our approach, and show that day-today routing anomalies are harmless for the most part. More importantly, we use HEAP to assess the validity of publicly reported alarms. We invite researchers to interface with HEAP in order to cross-check and narrow down their hijacking alerts.

show abstract

The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

Cited by 10 publications

References 24 publications

Poisoning Web-Scale Training Datasets is Practical

Poisoning Web-Scale Training Datasets is Practical

Use-After-FreeMail

HEAP: Reliable Assessment of BGP Hijacking Attacks

Contact Info

Product

Resources

About