Internet infrastructure may be fairly resilient thanks to its distributed nature, but the web we've built on top of it appears to be rather fragile.
In a paper distributed last week through the ArXiv preprint server, researchers for Carnegie Mellon University find that third-party services such as domain name service (DNS) providers, content delivery networks (CDNs) and certificate authorities (CAs) represent an attractive target for attackers looking to maximize the impact of their hacking.
Citing how the 2016 DDoS attack that downed managed DNS provider Dyn affected dependent sites like Amazon, Netflix and Twitter, the researchers – Aqsa Kashaf, Carolina Zarate, Hanruo Wang, Yuvraj Agarwal and Vyas Sekar – say the majority of top websites have a similar Achilles' Heel.
"Our analysis paints a somewhat bleak situation on the state of modern web ecosystem," they observe, noting that most web services have little or no redundancy when using third-party infrastructure services and that a handful of these services represent potential single points of failure.
The findings call into question the comprehensiveness of enterprise disaster planning scenarios. Most large business have some degree of system redundancy set up to deal with data center outages. But how many have implemented third-party service redundancy?
Harvard University researchers raised this point, specifically in the context of DNS, earlier this year.
The DNS was designed for diversity, but site admins aren't buyingREAD MORE
The CMU boffins note that about 73 per cent of the top 100,000 websites – by Alexa stats – are vulnerable to diminished availability as a result of potential attacks on DNS, CDN and CA services.
What's more, they observe that the amount of third-party services providing these critical functions is so limited that if the ten most popular providers of content delivery, domain name service and SSL certificate validation (OCSP servers) experienced an outage, between a quarter and almost a half of the top 100,000 websites would be affected.
In addition, indirect or transient dependencies expand the possible points of failure: Critical third-party services can depend on other services and when one service is out it can have a downstream effect.
For example, the researchers explain, the Dyn outage affected websites that relied on the Fastly CDN, because Fastly depended on Dyn.
The researchers contend these indirect dependencies can increase the set of vulnerable web services by a factor of ten.
Based on their findings, the researchers advise not only should organizations do the obvious thing and add some service redundancy but they should also analyze third-party service dependencies as avenues of vulnerability. ®