"focusing on nameserver changes" が重要だという当然の結論

TABLE I: Hijacking Categories

Category # Attacks Description

Activism and Mischief 24 All of these are defacements, usually of popular websites. Of these 24, one third were defacements
of regional versions of Google. One of these domains was defaced twice on separate occasions 5
years apart.

Malware and Spam Distribution
4 In 3 cases, domains were used to distribute exploit kits or other malware. In 1, domains were used
to send spam.

Financial Gain 4 These attacks included 3 targeting domains related to cryptocurrency, and 1 targeting a bank.

Espionage Information Stealing
2 One case targeted a security firm, and the ultimate motivation may have been financ


In this work we extensively studied the characteristics of
DNS hijacking attacks and explored the detection of such
attacks from the position of a party defending a local network
from attacks originating outside the network, including off-
path spoofing, MITM, and domain hijacking attacks. 

We analyze previous studies or reports of known attacks. 

Based on measurements related to these, we derived a set of features
that might be used to identify unusual changes in a domain’s
DNS that require further inspection or blocking. 

We tested our approach on a large passive DNS dataset containing several
million records collected for a period of over 10 years. 

The results of validation and testing have a low FPR, consistently less than 1%. 

Examining feature importance highlights the importance of 
focusing on nameserver changes, suggesting a promising area for future work.

CategoryDns CategoryWatch CategoryTemplate

Moin2Qmail: DNS/hijacking/Houser (last edited 2021-11-23 02:08:50 by ToshinoriMaeno)