Heimdal

More than 35,000 registered domains have been hijacked by threat actors in so-called Sitting Ducks attacks that allow claiming a domain without having access to the owner’s account at the DNS provider or registrar.

Sitting Ducks attacks combine two weaknesses: inadequate ownership verification at the DNS provider, and a misconfiguration on the registrant's side, namely a delegation that still points at name servers which no longer serve the zone.

The researchers estimate that more than a million domains are exposed to Sitting Ducks takeover on any given day.

Details About Sitting Ducks

First documented in 2016, Sitting Ducks remains an easier way to hijack a domain than other, better-known methods.

For the attack to be feasible, all of the following conditions must hold:

  • The registered domain uses, or delegates, authoritative DNS service to a provider other than its registrar.
  • The delegated authoritative name server cannot answer queries for the domain because it holds no zone data for it (a lame delegation).
  • The DNS provider lets any of its account holders claim the domain without proving control of it, so the attacker never needs the owner's account at the provider or the registrar.

Variants include redelegation to a different DNS provider and partially lame delegation, in which only some of the delegated name servers are configured correctly. The outcome is the same in every variant: whenever a lame delegation meets a provider with an exploitable claim process, the domain can be taken over.

The scenario arises whenever a domain's authoritative DNS is served by a party other than its registrar, for example a web hosting company that also runs name servers for its customers.

If that authoritative DNS or hosting service lapses, for instance because the account expires, while the registrar still delegates the domain to the provider's name servers, the attacker simply opens an account with the same provider and claims the now-unclaimed domain.

The legitimate owner has no account at the provider that now serves the zone and therefore cannot alter its records. The attacker, meanwhile, can publish A records that resolve the domain to attacker-controlled addresses and stand up a malicious site under the hijacked name.

Protecting Yourself Against Sitting Ducks

Domain owners, particularly those holding older domains, should routinely audit their delegations for lame name servers, that is, servers listed at the registrar that no longer answer authoritatively for the domain, and update the delegation records at the registrar (or in the parent authoritative zone) so they point at active, correctly configured DNS services.
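The audit described above, and the "lame delegation" prerequisite from the attack section, can be reduced to one test: send a SOA query for the domain directly to each name server it is delegated to, and treat any server that refuses, fails, or answers without the AA (authoritative answer) bit as lame. The following checker is an added example written for this article, not code from the original post or from the researchers; it uses only the Python standard library, speaks DNS wire format itself, and the domain, name server names and addresses in `demo()` are constructed sample data. The verdicts distinguish the fully lame case from the partially lame variant the text mentions.

```python
"""Lame-delegation checker: query each delegated name server for the
domain's SOA and see whether it answers authoritatively."""
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid):
    """Build a SOA query with RD clear: we want the server's own authoritative
    answer, not a recursive lookup performed on our behalf."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(resp):
    """Extract the header fields the lameness test needs (only the header is parsed)."""
    if resp is None or len(resp) < 12:
        return None
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "ancount": an}


def classify_response(resp, expected_id):
    """Map one server's reply to 'authoritative', 'lame' or 'unreachable'."""
    h = parse_header(resp)
    if h is None or not h["qr"] or h["id"] != expected_id:
        return "unreachable"        # no reply, or not a reply to our query
    if h["rcode"] == 0 and h["aa"] and h["ancount"] > 0:
        return "authoritative"      # NOERROR + AA + a SOA record: zone is served
    return "lame"                   # REFUSED, SERVFAIL, NXDOMAIN, or AA clear


def udp_send(server_ip, packet, timeout=3.0):
    """Send one UDP DNS query and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server_ip, 53))
            return s.recv(4096)
        except (socket.timeout, OSError):
            return None


def check_delegation(domain, nameservers, send=udp_send):
    """nameservers maps NS hostname -> IP to query. Returns per-server status
    and an overall verdict: 'healthy', 'partially lame' or 'fully lame'."""
    results = {}
    for ns_name, ns_ip in nameservers.items():
        qid = random.randrange(0, 0x10000)
        results[ns_name] = classify_response(send(ns_ip, build_query(domain, qid)), qid)
    good = sum(1 for v in results.values() if v == "authoritative")
    verdict = "healthy" if good == len(results) else ("fully lame" if good == 0 else "partially lame")
    return {"domain": domain, "servers": results, "verdict": verdict}


def make_response(query, aa, rcode, ancount):
    """Build a header-only reply echoing the query's ID and question section.
    Used to construct offline sample traffic for demo(); not real server output."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


def demo():
    """Constructed scenario (hypothetical names and RFC 5737 test addresses):
    the domain is delegated to three servers. One still hosts the zone, one sits
    at a provider where the hosting account lapsed (REFUSED), one is down."""
    canned = {
        "192.0.2.1": lambda q: make_response(q, aa=True, rcode=0, ancount=1),
        "192.0.2.2": lambda q: make_response(q, aa=False, rcode=5, ancount=0),
        "192.0.2.3": lambda q: None,
    }
    fake_send = lambda ip, pkt, timeout=3.0: canned[ip](pkt)
    return check_delegation("example.com",
                            {"ns1.example.net": "192.0.2.1",
                             "ns2.example.org": "192.0.2.2",
                             "ns3.example.org": "192.0.2.3"},
                            send=fake_send)


if __name__ == "__main__":
    r = demo()
    for ns, status in r["servers"].items():
        print(f"{ns}: {status}")
    print("verdict:", r["verdict"])
```

For a live audit, take the NS list from the parent zone (the registrar's delegation), not from the child zone, since a lame child has no NS set worth reading, resolve each NS hostname to an address and call `check_delegation` with the default `udp_send`. A "lame" or "partially lame" verdict is a misconfiguration to fix either way, but it only becomes a Sitting Ducks exposure when the third prerequisite also holds: the provider behind the lame server lets a new account claim the domain without ownership verification, which has to be checked against that provider's onboarding process rather than with DNS queries.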

Registrars should proactively check for lame delegations and notify the affected owners, and should confirm that a DNS service is actually configured for a domain before publishing its name server delegation.

Finally, regulators and standards bodies need long-term plans for addressing DNS weaknesses of this kind, and should press the DNS providers within their remit to do more to curb Sitting Ducks attacks.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His writing reaches both technical and non-technical readers, explaining cybersecurity practices clearly and in an easy-to-understand manner.
