Oh, What a Fragile Web We Weave: Third-party Service Dependencies In Modern Webservices and Implications

by   Aqsa Kashaf, et al.

The recent October 2016 DDoS attack on Dyn served as a wakeup call to the security community as many popular and independent webservices (e.g., Twitter, Spotify) were impacted. This incident raises a larger question on the fragility of modern webservices due to their dependence on third-party services. In this paper, we characterize the dependencies of popular webservices on third party services and how these can lead to DoS, RoQ attacks, and reduction in security posture. In particular, we focus on three critical infrastructure services: DNS, CDNs, and certificate authorities (CAs). We analyze both direct relationships (e.g., Twitter uses Dyn) and indirect dependencies (e.g., Netflix uses Symantec as OCSP and Symantec, in turn, uses Verisign for DNS). Our key findings are: (1) 73.14 reduction in availabil- ity due to potential attacks on third-party DNS, CDN, CA services that they exclusively rely on; (2) the use of third-party services is concentrated, so that if the top-10 providers of CDN, DNS and OCSP services go down, they can potentially impact 25 services; (3) transitive depen- dencies significantly increase the set of webservices that exclusively depend on popular CDN and DNS service providers, in some cases by ten times (4) targeting even less popular webservices can potentially cause signifi- cant collateral damage, affecting upto 20 top- 100K webservices due to their shared dependencies. Based on our findings, we present a number of key implications and guidelines to guard against such Internet- scale incidents in the future.



There are no comments yet.


page 8

page 9

page 11


Third-party Service Dependencies and Centralization Around the World

There is a growing concern about consolidation trends in Internet servic...

Beyond the Front Page: Measuring Third Party Dynamics in the Field

In the modern Web, service providers often rely heavily on third parties...

T3AB: Transparent and Trustworthy Third-party Authority using Blockchain

Increasingly, information systems rely on computational, storage, and ne...

DDoS Hide Seek: On the Effectiveness of a Booter Services Takedown

Booter services continue to provide popular DDoS-as-a-service platforms ...

Partisan Lean of States: Electoral College and Popular Vote

We compare federal election results for each state versus the USA each s...

The Web is Still Small After More Than a Decade

Understanding web co-location is essential for various reasons. For inst...

Understanding the Communist Party of China's Information Operations

The Communist Party of China is known to engage in Information Operation...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.