TABLE I: Hijacking Categories

Category | # Attacks | Description
Activism and Mischief | 24 | All of these are defacements, usually of popular websites. Of these 24, one third were defacements of regional versions of Google. One of these domains was defaced twice on separate occasions 5 years apart.
Malware and Spam Distribution | 4 | In 3 cases, domains were used to distribute exploit kits or other malware. In 1, domains were used to send spam.
Financial Gain | 4 | These attacks included 3 targeting domains related to cryptocurrency, and 1 targeting a bank.
Espionage / Information Stealing | 2 | One case targeted a security firm, and the ultimate motivation may have been financ
VII. CONCLUSIONS

In this work we studied the characteristics of DNS hijacking attacks in depth and explored the detection of such attacks from the position of a party defending a local network against attacks originating outside that network, including off-path spoofing, MITM, and domain hijacking. We analyzed previous studies and reports of known attacks and, from measurements related to these, derived a set of features that can identify unusual changes in a domain's DNS that warrant further inspection or blocking. We tested the approach on a large passive DNS dataset containing several million records collected over a period of more than 10 years. Validation and testing yielded a low false-positive rate (FPR), consistently below 1%. Feature-importance analysis shows that nameserver changes carry the most signal, suggesting a promising direction for future work.
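As an added illustration of the kind of nameserver-change features the conclusion refers to, the following Python script derives a few such features from passive DNS records. It is example code written for this page, not the paper's feature set, classifier, or dataset: the record layout (domain, rrtype, rdata, first_seen, last_seen), the sample records, the 7-day "short-lived" threshold, the two-label approximation of a nameserver operator, and the final flagging rule are all assumptions chosen for the demonstration. The constructed records describe a domain whose NS set moves to an unrelated operator for three days and then reverts, which is the pattern a reverted hijack leaves in passive DNS.

```python
"""Nameserver-change features over passive DNS records (illustrative, not the paper's code)."""
from datetime import date, timedelta

# Constructed sample passive DNS records, not real data:
# (domain, rrtype, rdata, first_seen, last_seen) with ISO-8601 dates.
RECORDS = [
    ("example.com", "NS", "ns1.registrar-dns.example", "2015-03-01", "2019-08-12"),
    ("example.com", "NS", "ns2.registrar-dns.example", "2015-03-01", "2019-08-12"),
    ("example.com", "A",  "203.0.113.10",              "2015-03-01", "2019-08-12"),
    ("example.com", "NS", "ns1.unrelated-host.example", "2019-08-13", "2019-08-15"),
    ("example.com", "A",  "198.51.100.77",             "2019-08-13", "2019-08-15"),
    ("example.com", "NS", "ns1.registrar-dns.example", "2019-08-16", "2020-01-01"),
    ("example.com", "NS", "ns2.registrar-dns.example", "2019-08-16", "2020-01-01"),
    ("example.com", "A",  "203.0.113.10",              "2019-08-16", "2020-01-01"),
    ("stable.example", "NS", "ns1.registrar-dns.example", "2014-01-01", "2020-01-01"),
    ("stable.example", "A",  "192.0.2.5",                 "2014-01-01", "2020-01-01"),
]


def _d(s):
    return date.fromisoformat(s)


def ns_parent(ns_host):
    """Approximate the operator of a nameserver by its last two labels.
    Assumption for the example; a real system would use the public suffix list."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])


def ns_timeline(records, domain):
    """Return [(date, frozenset of NS hosts)] snapshots taken at each point the NS set changes."""
    ns = [(r[2], _d(r[3]), _d(r[4])) for r in records if r[0] == domain and r[1] == "NS"]
    # Candidate change points: every first_seen and the day after every last_seen.
    points = sorted({fs for _, fs, _ in ns} | {ls + timedelta(days=1) for _, _, ls in ns})
    timeline = []
    for p in points:
        active = frozenset(h for h, fs, ls in ns if fs <= p <= ls)
        if not active:
            continue  # gap or end of observation; not counted as a change (assumption)
        if not timeline or timeline[-1][1] != active:
            timeline.append((p, active))
    return timeline


def features(records, domain, short_days=7):
    """Compute nameserver-change features for one domain."""
    tl = ns_timeline(records, domain)
    # Number of times the NS set changed at all.
    ns_changes = max(len(tl) - 1, 0)
    # Changes that moved the domain to a different nameserver operator, not just
    # a host rename within the same operator.
    operator_changes = sum(
        1 for (_, a), (_, b) in zip(tl, tl[1:])
        if {ns_parent(h) for h in a} != {ns_parent(h) for h in b}
    )
    # NS records observed only briefly, as left behind by a hijack that was reverted.
    short_lived_ns = sum(
        1 for r in records
        if r[0] == domain and r[1] == "NS" and (_d(r[4]) - _d(r[3])).days < short_days
    )
    # NS changes that coincided (same day) with new A records appearing.
    a_first_seen = {_d(r[3]) for r in records if r[0] == domain and r[1] == "A"}
    ns_with_a_change = sum(1 for p, _ in tl[1:] if p in a_first_seen)
    return {
        "ns_changes": ns_changes,
        "ns_operator_changes": operator_changes,
        "short_lived_ns": short_lived_ns,
        "ns_changes_with_a_change": ns_with_a_change,
    }


def flag_domains(records):
    """Hand-written rule (assumption, not a trained model): flag domains whose NS set
    moved to another operator and which have at least one short-lived NS record."""
    flagged = []
    for dom in sorted({r[0] for r in records}):
        f = features(records, dom)
        if f["ns_operator_changes"] >= 1 and f["short_lived_ns"] >= 1:
            flagged.append(dom)
    return flagged


if __name__ == "__main__":
    for dom in sorted({r[0] for r in RECORDS}):
        print(dom, features(RECORDS, dom))
    print("flagged:", flag_domains(RECORDS))
```

On the constructed data, example.com shows two NS-set changes, both to or from a different operator and both coinciding with new A records, plus one short-lived NS record, while stable.example shows none; only example.com is flagged. In practice the features would feed a classifier rather than a fixed rule, and the operator heuristic should be replaced by public-suffix-aware parsing.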