DOI: 10.1145/3517745.3561425
Research article (open access)

Retroactive identification of targeted DNS infrastructure hijacking

Published: 25 October 2022

Abstract

In 2019, the US Department of Homeland Security issued an emergency warning about DNS infrastructure tampering. This alert, in response to a series of attacks against foreign government websites, highlighted how a sophisticated attacker could leverage access to key DNS infrastructure to then hijack traffic and harvest valid login credentials for target organizations. However, even armed with this knowledge, identifying the existence of such incidents has been almost entirely via post hoc forensic reports (i.e., after a breach was found via some other method). Indeed, such attacks are particularly challenging to detect because they can be very short lived, bypass the protections of TLS and DNSSEC, and are imperceptible to users. Identifying them retroactively is further complicated by the lack of fine-grained Internet-scale forensic data. This paper is a first attempt to make progress at this latter goal. Combining a range of longitudinal data from Internet-wide scans, passive DNS records, and Certificate Transparency logs, we have constructed a methodology for identifying potential victims of sophisticated DNS infrastructure hijacking and have used it to identify a range of victims (primarily government agencies), both those named in prior reporting, and others previously unknown.
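As an added illustration, not the paper's own code or data, of the kind of cross-source correlation the abstract describes: a short-lived deviation in a name's passive DNS resolution that coincides with a certificate for that name appearing in Certificate Transparency. The record layouts, the day thresholds and all sample records are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed passive DNS observations: (name, rdata, first_seen, last_seen).
# Real feeds carry many more fields; this minimal shape is an assumption.
PDNS = [
    ("mail.example.gov", "203.0.113.10", date(2018, 9, 1), date(2019, 3, 31)),
    ("mail.example.gov", "198.51.100.77", date(2018, 12, 14), date(2018, 12, 15)),
    ("www.example.gov", "203.0.113.20", date(2018, 9, 1), date(2019, 3, 31)),
]

# Constructed Certificate Transparency entries: (name, not_before, issuer).
CT = [
    ("mail.example.gov", date(2018, 12, 14), "Constructed DV CA"),
    ("www.example.gov", date(2018, 10, 2), "Constructed OV CA"),
]

def short_lived_deviations(pdns, max_days=7):
    """A-record observations that differ from a name's long-lived resolution
    and persist only briefly: the DNS-side signal of a temporary redirection."""
    by_name = {}
    for name, rdata, first, last in pdns:
        by_name.setdefault(name, []).append((rdata, first, last))
    out = []
    for name, obs in by_name.items():
        stable = {r for r, f, l in obs if (l - f).days > max_days}
        for rdata, first, last in obs:
            if rdata not in stable and (last - first).days <= max_days:
                out.append((name, rdata, first, last))
    return out

def correlate(pdns, ct, max_days=7, slack=1):
    """Pair each deviation with certificates for the same name whose validity
    starts inside the deviation window (+/- slack days). A certificate minted
    only while the name pointed elsewhere is the CT-side signal."""
    hits = []
    for name, rdata, first, last in short_lived_deviations(pdns, max_days):
        lo, hi = first - timedelta(days=slack), last + timedelta(days=slack)
        for cname, not_before, issuer in ct:
            if cname == name and lo <= not_before <= hi:
                hits.append({"name": name, "rdata": rdata, "window": (first, last),
                             "cert_issued": not_before, "issuer": issuer})
    return hits

if __name__ == "__main__":
    for hit in correlate(PDNS, CT):
        print(hit)
```

A hit is only a lead for investigation: a legitimate migration or CDN change can produce the same pattern, so the flagged address should still be checked against the organization's own hosting before it is treated as a redirection.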

Supplementary Material

M4V File (96.m4v)
Presentation video




Published In

IMC '22: Proceedings of the 22nd ACM Internet Measurement Conference
October 2022, 796 pages
ISBN: 9781450392594
DOI: 10.1145/3517745
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation: USENIX Assoc

Publisher

Association for Computing Machinery, New York, NY, United States

Conference

IMC '22: ACM Internet Measurement Conference
October 25 - 27, 2022
Nice, France

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%


Cited By

  • Democratizing LEO Satellite Network Measurement. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8(1):1-26, 21 Feb 2024. doi:10.1145/3639039
  • Using Honeybuckets to Characterize Cloud Storage Scanning in the Wild. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 95-113, 8 Jul 2024. doi:10.1109/EuroSP60621.2024.00014
  • Censorship data-driven DNS resolution anomaly detection: An ensemble algorithm model with multivariate feature fusion. Computer Networks 252:110669, Oct 2024. doi:10.1016/j.comnet.2024.110669
  • IRRegularities in the Internet Routing Registry. Proceedings of the 2023 ACM on Internet Measurement Conference, pp. 104-110, 24 Oct 2023. doi:10.1145/3618257.3624843
  • Wolf in Sheep's Clothing: Evaluating Security Risks of the Undelegated Record on DNS Hosting Services. Proceedings of the 2023 ACM on Internet Measurement Conference, pp. 188-197, 24 Oct 2023. doi:10.1145/3618257.3624839
