Hijacking stale DNS entry to point to your own website


Context and system configuration:

  • AWS EC2 instance with a public IP address
  • AWS Route53-managed DNS with a somesubdomain.somedomain.io pointing to the above IP address
  • Above AWS EC2 instance was not running all the time, it was stopped most of the time with only occasional periods of running
  • Every time the EC2 instance was started, DNS entries were updated to point at its new IP address – EC2 instances are not retaining their public IP addresses when they are not running, they are getting new public IP address on startup
  • DNS entries were left as-is when the instance was stopped
  • The reason behind this bit unusual setup is cost saving, while being able to use static domain names for connecting to the instance when running

Attack:

  • One day I noticed there was a website under the somesubdomain.somedomain.io mentioned above, despite my EC2 instance being down
  • This website had my domain name in its banner/logo, so this couldn’t have been a coincidence

Analysis:

  • I did not carry out as much analysis as I could at that time. In fact I just wanted to solve the problem. Now I just delete DNS entries when shutting down the instance.
  • I realised there is a problem with a DNS entry under my domain pointing at the past public IP address of my EC2 instance. When the instance was last shut down, the IP address got back to available pool and could be re-assigned to a completely different instance

Questions:

  • Does this attack have a common name?
  • What would be the primary benefits for the attacker?