Session D5: Network Security CCS’17, October 30-November 3, 2017, Dallas, TX, USA Client-side Name Collision Vulnerability in the New gTLD Era: A Systematic Study Qi Alfred Chen, Matthew Thomas†, Eric Osterweil†, Yulong Cao, Jie You, Z. Morley Mao University of Michigan, †Verisign Labs
[email protected],{mthomas,eosterweil}@verisign.com,{yulongc,jieyou,zmao}@umich.edu ABSTRACT was recently annouced (US-CERT alert TA16-144A), which specif- The recent unprecedented delegation of new generic top-level do- ically targets the leaked WPAD (Web Proxy Auto-Discovery) ser- mains (gTLDs) has exacerbated an existing, but fallow, problem vice discovery queries [79, 87]. In this attack, the attacker simply called name collisions. One concrete exploit of such problem was needs to register a domain that already receives vulnerable internal discovered recently, which targets internal namespaces and en- WPAD query leaks. Since WPAD queries are designed for discover- ables Man in the Middle (MitM) attacks against end-user devices ing and automatically conguring web proxy services, exploiting from anywhere on the Internet. Analysis of the underlying prob- these leaks allows the attacker to set up Man in the Middle (MitM) lem shows that it is not specic to any single service protocol, but proxies on end-user devices from anywhere on the Internet. little attention has been paid to understand the vulnerability status The cornerstone of this attack exploits the leaked service dis- and the defense solution space at the service level. In this paper, covery queries from the internal network services using DNS- we perform the rst systematic study of the robustness of internal based service discovery.