# domain-protect: prevent subdomain takeover
- scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
- scan Cloudflare for vulnerable DNS records
- take over vulnerable subdomains yourself before attackers and bug bounty researchers
- automatically create known issues in Bugcrowd or HackerOne
- vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
## Architecture

Domain Protect implements a completely serverless architecture (diagram: Domain Protect Architecture).

How Domain Protect scans all AWS accounts in an Organization (diagram: account scanning flow).
## Automated takeover

An optional feature, turned on by default in production:
- take over vulnerable subdomains yourself before attackers and bug bounty researchers
- automated takeover with resources created in the security account
### Slack messages
- notification of takeover success or failure:
- a daily report of resources in the security account:
### Supported resource types
- Elastic Beanstalk environments
- S3 buckets
### Domain Protect tests supporting automated takeover
- Alias records for CloudFront distributions with missing S3 origin
- CNAME records for CloudFront distributions with missing S3 origin
- Elastic Beanstalk Alias records vulnerable to takeover
- Elastic Beanstalk CNAMEs vulnerable to takeover
- S3 Alias records vulnerable to takeover
- S3 CNAMEs vulnerable to takeover
- Cloudflare CNAMEs for S3 buckets and Elastic Beanstalk environments
### Deleting takeover resources
To minimise costs, these tasks should be done as quickly as possible:
- fix the vulnerability by correcting DNS
- in the case of S3, empty the S3 bucket manually via the console
- delete the CloudFormation stack manually via the console
### Enabling automated takeover
- automated takeover is automatically enabled for the `prd` Terraform workspace - takeover only runs in the production environment to avoid conflicts
- the production workspace identifier can be changed by overriding the `production_workspace` variable
### Disabling automated takeover
- takeover can be turned off completely in all environments by setting the variable `takeover = false`
### Automated takeover components
- takeover Lambda – takes over vulnerable domains by creating resources
- resources Lambda – reports on takeover resources in security account
### Takeover event flow
Example takeover event flow:

| RESOURCE TYPE | RESOURCE NAME | ACTIONS |
|---|---|---|
| EventBridge | domain-protect-accounts-prd | triggers accounts Lambda function once per hour |
| Lambda function | domain-protect-accounts-prd | lists AWS accounts in Organization |
| Step Function | domain-protect-scan-prd | triggers Lambda for every AWS account |
| Lambda function | domain-protect-scan-prd | scans Route53 in AWS account |
| | | detects vulnerable CNAME for missing S3 bucket |
| | | sends vulnerability details to SNS topic |
| | | reads and writes to DynamoDB |
| DynamoDB | DomainProtectVulnerableDomainsPrd | stores vulnerability information |
| SNS topic | domain-protect-prd | publishes vulnerability details in JSON format |
| Lambda function | domain-protect-slack-channel-prd | subscribes to SNS topic |
| | | sends Slack notification of vulnerable domain |
| Lambda function | domain-protect-takeover-prd | subscribes to SNS topic domain-protect-prd |
| | | deploys CloudFormation stack for S3 bucket |
| | | uploads content to S3 bucket |
| | | tests for successful takeover |
| | | sends takeover details to SNS topic |
| CloudFormation | domain-protect-vulnerable-example-com | creates takeover S3 bucket |
| | | CloudFormation tags for takeover metadata |
| S3 bucket | vulnerable.example.com | prevents hostile takeover |
| SNS topic | domain-protect-prd | publishes takeover details in JSON format |
| Lambda function | domain-protect-slack-channel-prd | subscribes to SNS topic |
| | | sends Slack notification of takeover |
| EventBridge | domain-protect-cname-s3-prd | triggers resources Lambda function once per day |
| Lambda function | domain-protect-resources-prd | scans CloudFormation stacks in security account |
| | | sends takeover resource details to SNS topic |
| SNS topic | domain-protect-prd | publishes resource details in JSON format |
| Lambda function | domain-protect-slack-channel-prd | subscribes to SNS topic |
| | | sends Slack notification of takeover resources |
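The detection step in the flow above (the scan Lambda finding a Route53 CNAME or Alias record whose S3 bucket no longer exists) is illustrated by this added example; it is not code from the domain-protect project. It assumes record dicts in the shape returned by boto3's `route53.list_resource_record_sets`, a caller-supplied `bucket_exists` check, and constructed sample data so it runs offline.

```python
import re
from typing import Callable, Iterable, Optional

# CNAME targets: bucket.s3[.<region>].amazonaws.com and bucket.s3-website[-|.]<region>.amazonaws.com
S3_CNAME = re.compile(r"(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?")
# Alias targets carry no bucket name: an S3 website alias only serves a bucket named after the record
S3_ALIAS = re.compile(r"s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?")

def s3_bucket_for_record(record: dict) -> Optional[str]:
    """Return the S3 bucket a Route53 record depends on, or None if the record is not S3-backed."""
    name = record["Name"].rstrip(".")
    alias = record.get("AliasTarget")
    if alias is not None:
        return name if S3_ALIAS.fullmatch(alias["DNSName"].lower()) else None
    if record.get("Type") != "CNAME":
        return None
    for rr in record.get("ResourceRecords", []):
        match = S3_CNAME.fullmatch(rr["Value"].lower())
        if match:
            return match.group("bucket")
    return None

def find_vulnerable_records(records: Iterable[dict], bucket_exists: Callable[[str], bool],
                            account: str) -> list:
    """Findings for S3-backed records whose bucket is gone, in a JSON-ready shape like the SNS message."""
    findings = []
    for record in records:
        bucket = s3_bucket_for_record(record)
        if bucket is not None and not bucket_exists(bucket):
            findings.append({"Account": account, "Domain": record["Name"].rstrip("."),
                             "ResourceType": "S3 bucket", "Bucket": bucket})
    return findings

# Constructed sample data standing in for route53.list_resource_record_sets output and S3 state.
# In AWS, bucket_exists would wrap s3.head_bucket and treat a ClientError with code "404" as missing.
SAMPLE_RECORDS = [
    {"Name": "vulnerable.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "vulnerable.example.com.s3-website-eu-west-2.amazonaws.com"}]},
    {"Name": "assets.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "assets-bucket.s3.amazonaws.com"}]},
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "s3-website.eu-west-2.amazonaws.com.", "HostedZoneId": "ZPLACEHOLDER"}},
    {"Name": "cdn.example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net."}]},
]
EXISTING_BUCKETS = {"assets-bucket", "www.example.com"}

def demo() -> list:
    """Scan the constructed zone; only the dangling vulnerable.example.com record is reported."""
    return find_vulnerable_records(SAMPLE_RECORDS, lambda b: b in EXISTING_BUCKETS, "123456789012")
```

The Alias branch matters because Route53 aliases to S3 website endpoints carry no bucket name in the target, so the bucket to check is the record name itself.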
## Install & Use
Copyright 2021 OVO Energy