Oh, What a Fragile Web We Weave: Third-party Service Dependencies In Modern Webservices and Implications
share
The recent October 2016 DDoS attack on Dyn served as a wakeup call to the security community as many popular and independent webservices (e.g., Twitter, Spotify) were impacted. This incident raises a larger question on the fragility of modern webservices due to their dependence on third-party services. In this paper, we characterize the dependencies of popular webservices on third party services and how these can lead to DoS, RoQ attacks, and reduction in security posture. In particular, we focus on three critical infrastructure services: DNS, CDNs, and certificate authorities (CAs). We analyze both direct relationships (e.g., Twitter uses Dyn) and indirect dependencies (e.g., Netflix uses Symantec as OCSP and Symantec, in turn, uses Verisign for DNS). Our key findings are: (1) 73.14 reduction in availabil- ity due to potential attacks on third-party DNS, CDN, CA services that they exclusively rely on; (2) the use of third-party services is concentrated, so that if the top-10 providers of CDN, DNS and OCSP services go down, they can potentially impact 25 services; (3) transitive depen- dencies significantly increase the set of webservices that exclusively depend on popular CDN and DNS service providers, in some cases by ten times (4) targeting even less popular webservices can potentially cause signifi- cant collateral damage, affecting upto 20 top- 100K webservices due to their shared dependencies. Based on our findings, we present a number of key implications and guidelines to guard against such Internet- scale incidents in the future.
READ FULL TEXT