Journal of Innovation in Information Technology

An Analysis of Hijacking the DNS System and Effective Detection and Protection Techniques

P. T. Anitha (1), Taariku Birhanu (2)

(1) Associate Professor, Department of Computer Science & Information Technology, Wollega University, Nekemte, Ethiopia. (2) Assistant Professor, Department of Computer Science & Information Technology, Wollega University, Nekemte, Ethiopia. Email: [email protected], [email protected]

Abstract - Domain hijacking is a type of DNS attack. In this attack, DNS queries are not resolved correctly, so that users are redirected to malicious sites unexpectedly. The attack can be performed by installing different kinds of malware on user computers and intercepting or hacking the communication on the network. The hijacking can be used for pharming, in which attackers display unwanted ads and generate revenue, or for phishing, in which fake versions of sites are displayed and information and credentials are stolen. DNS hijacking is used by many Internet service providers, who take over the users' requests, collect statistics and return ads when a user accesses an unknown domain. DNS hijacking is also used in the government sector for censorship, redirecting users to government-authorized sites.

Keywords: DNS hijacking, Internet service providers, covert channels, channels, OSI models.

1. INTRODUCTION

Cyber threats are more common than ever nowadays. Earlier, we came across reports of widespread DNS hijacking which targeted the Middle East, North Africa, Europe and a few organizations in the US. This was followed by reports of DNS hijacking attacks that targeted home routers, and of phishing websites imitating Netflix, PayPal, Gmail, Uber and many more. This paper therefore analyses how we can protect our information from DNS leaks and what makes DNS so susceptible to these types of attacks, by analysing the hijacking before it damages the source.

2. HIJACKING THE DNS SYSTEM

Most DNS [1] requests are unencrypted. Because of this, the requests can be intercepted by malicious attackers. DNS hijacking is also called DNS redirection. In this DNS attack, all our DNS queries are incorrectly resolved, and network traffic is redirected to a malicious website. A fake server is set up and a fake IP address is created for the unauthorized malicious website. The users of this malicious website then input their sensitive or secret data, allowing attackers to steal their information.

Fig. 1. DNS hijacking is used in two different ways, pharming and phishing respectively. [Figure: attacker, users, legitimate DNS servers, malicious websites.]

Pharming. A pharming attack redirects all the traffic to a malicious site by changing or manipulating the user's computer, by changing the hosts file, or by exploiting the DNS server. For example, if we want to access a website [2], we are automatically redirected to a malicious website full of unwanted pop-ups and advertisements. The primary objective of a pharming attack is to generate revenue.

Phishing. DNS hijacking can also be used for phishing. In this attack users are targeted and attackers attempt to trick them into revealing sensitive information such as their payment credentials. A common example is sending an email as bait that leads to a website which appears to be a legitimate payment website; from there, the attacker steals the payment information. Phishing domains can be easily detected using passive DNS. Internet service providers also perform this type of DNS hijacking [3]. In this type of attack people may feel less secure, and their privacy is at risk. When you try to access a website, the ISP takes over all your queries and collects data so that it can display or serve multiple unwanted advertisements.
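Pharming by editing the hosts file, as described above, leaves a local artefact that a defender can audit. The following is an added example, not the paper's code: it parses hosts-file text (a constructed sample is embedded, using documentation addresses) and reports Internet hostnames that have been pinned to a routable address, which is how such an entry overrides DNS.

```python
import ipaddress

# Constructed sample hosts file (not a real capture). The last line mimics the
# kind of entry pharming malware inserts; 203.0.113.45 is a documentation address.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example        # ad-blocking idiom, harmless
192.168.1.10    printer.lan
203.0.113.45    www.example.com example.com   # injected by malware
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address: skip rather than crash on junk
        for name in fields[1:]:
            yield ip, name.lower()


def is_local_name(name):
    """Names that legitimately live in a hosts file: loopback aliases, LAN names, single labels."""
    return name in LOCAL_NAMES or name.endswith(LOCAL_SUFFIXES) or "." not in name


def audit_hosts(text):
    """Return (hostname, ip) pairs that override DNS for an Internet name with a routable address.

    Loopback and 0.0.0.0 entries are the normal blocking idiom and are not reported."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified or is_local_name(name):
            continue
        findings.append((name, str(ip)))
    return findings
```

On a live system, read /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) and pass its contents to `audit_hosts`; any finding for a banking or mail domain is a strong pharming indicator.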

In an ISP attack, when we access a nonexistent domain, we are redirected to a website full of malicious advertisements, which puts us at a high security risk. In late 2018, one of the most famous DNS hijacking campaigns took place; it was uncovered and reported by Cisco. By hijacking their DNS servers, information about private and public sector employees in the Middle East and North Africa was stolen. A passive DNS application interface was used to pinpoint the changes that happened in the DNS records of the domains used in the campaign.

3. HOW TO DETECT DNS HIJACKING

Common signs of DNS hijacking include web pages loading very slowly and frequent pop-up advertisements on websites. These pop-ups indicate that the computer has been infected with malware. Several online tools are available to detect or determine the attacks.

3.1. Using the ping command

By pinging a non-existent domain, DNS-hijacked domains [4] can be easily identified. This is the easiest and most effective way to identify DNS hijacking from your terminal.

3.2. Router Checker

Routers can be infected by malware that gives attackers access rights to the router administration page. The DNS settings can then be changed so that resolution is redirected to malicious servers, and the accessed routes are automatically redirected to the attackers' websites. Checking the DNS settings before sending queries may protect the router from such malicious attacks.

Router Checker is a tool developed by F-Secure that verifies whether the router is connected to a DNS resolver and also checks whether a legitimate and authorized DNS server is in use. The Router Checker tool is very easy to use. When you click on the Router Checker button, this automatically leads to a new page; from there, if we press the Check your Router option, a response is displayed. From this response, we can identify whether or not the router has been hijacked by attackers.

3.3. WhoIsMyDNS.com

This is a great tool which helps to expose the actual server making DNS requests on your behalf from the terminal. If we do not recognize the DNS server displayed, then we can be sure that the domain is affected by DNS hijacking attacks.

4. HOW TO PROTECT AGAINST DNS HIJACKING

The following are a few steps to protect ourselves better from DNS hijacking [5].
• Avoid clicking suspicious websites and links.
• Verify the URL and make sure that it belongs to a legitimate website.
• Avoid public Wi-Fi networks because they are not encrypted, so anyone on the network can access your DNS traffic.

4.1. Deploying DNSSEC

The Domain Name System Security Extensions (DNSSEC) protect against DNS hijacking. This is one of the best technologies to ensure a high level of DNS security. DNSSEC authenticates the origin of the data and fixes the problem of unencrypted data. By this, the DNS resolver knows that the data is received from the legitimate and authorized source and has not been tampered with by malicious attackers. Deploying DNSSEC is very difficult because many registrars do not have the required technology enabled in their domain name infrastructure. Changing to a more secure DNS server is the best way to avoid DNS hijacking. There are plenty of DNS servers to choose from, such as Cloudflare DNS and OpenDNS. Router protection is also very much required against DNS hijacking attacks. Keeping the router firmware up to date will also ensure safety from vulnerabilities. Internet service providers (ISPs) also use DNS hijacking. There are four DNS hijacking types. They are listed below.

Local DNS hijack: by installing Trojan malware on a user's computer, attackers can change the local DNS settings and redirect the user to malicious websites.

Router DNS hijack: many routers have default passwords or firmware vulnerabilities. Attackers use the default passwords or firmware vulnerabilities to take over a router and overwrite the DNS settings. These changes will affect all the users connected to that router.

Man in the middle DNS attack: communication between the user and the DNS server can be attacked by intercepting all the communication happening between them. Attackers intercept the communication, and a different destination IP

address is provided which redirects the user to malicious websites.

Rogue DNS server: attackers hack the DNS server and change the records to redirect all the requests to malicious websites.
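Whichever of the four hijack types above is in play, the terminal check of section 3.1 observes the same symptom: the resolver in use returns an address for a name that cannot exist. The following added example (not the paper's code) encodes the probe query in DNS wire format, parses the reply and classifies it; the two replies are constructed in-line so the script runs offline, with 203.0.113.7 as a documentation address.

```python
import secrets
import struct

def build_query(name, txid=0x1234):
    """Encode a standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN

def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    rcode, pos, ips = flags & 0x000F, 12, []
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:      # A record
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return rcode, ips

def random_probe_name():
    """A fresh name that cannot exist: random label under the reserved .invalid TLD."""
    return "probe-" + secrets.token_hex(6) + ".invalid"

def nxdomain_hijacked(response):
    """An honest resolver answers the probe with NXDOMAIN (rcode 3); any A record means redirection."""
    rcode, ips = parse_response(response)
    return rcode != 3 and bool(ips)

# Constructed responses (not captures) to the same probe question.
QUESTION = build_query("probe-h7q2k9x1.invalid")[12:]
HONEST_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
HIJACKED_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                     + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7]))
```

To test a live resolver, send `build_query(random_probe_name())` over UDP port 53 to the server configured on the host or router and pass the reply to `nxdomain_hijacked`; a fresh random label defeats any cached positive answer.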

Fig. 2. DNS vs. redirection.

A DNS spoofing attack is an attack in which all the communications are redirected to a malicious website, for example from google.com to the malicious website google.attacker.com. Attackers can compromise a DNS server to achieve this.

Cache poisoning is an attack in which DNS spoofing happens without relying on DNS hijacking. Attackers poison the cache by inserting a forged DNS entry which may contain an alternative IP destination for the same domain.

A DNS wrapper is designed to monitor the traffic going in and out of the DNS server. If there is any deviation in the traffic, the DNS wrapper verifies it against the corresponding database. If the monitored traffic disagrees with the database, it is flagged as a possible attack. At present, most detection methods for domain name hijacking are based on the behaviours before DNS hijacking happens, such as DDoS attacks and DNS cache infection. If a domain name hijacking event takes place, none of these methods can detect it dynamically.
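The DNS wrapper described above can be implemented as a small check placed between the resolver and its clients. This is an added example, not the paper's code: it keeps a database of domain to expected IP sets, raises a deviation alert when an answer disagrees with it, learns the first sighting of an unknown domain (the dynamic database building mentioned in the conclusion), and adds a bailiwick check, which goes beyond the text as a standard resolver defence against the forged extra records that cache poisoning relies on. Domain names and addresses in the sample observations are constructed documentation values.

```python
from dataclasses import dataclass, field

@dataclass
class DnsWrapper:
    """Sits in front of a resolver and checks each answer against a domain -> IP database."""
    baseline: dict = field(default_factory=dict)   # domain -> set of expected IPv4 strings
    log: list = field(default_factory=list)        # every alert raised so far

    @staticmethod
    def _zone(name):
        """Parent zone used for the bailiwick check: last two labels (heuristic, not a PSL lookup)."""
        return ".".join(name.split(".")[-2:])

    def observe(self, qname, answers):
        """Check one response. `answers` is a list of (owner_name, ipv4) A records.
        Returns the alerts for this response; they are also appended to self.log."""
        qname = qname.lower().rstrip(".")
        alerts, in_scope = [], set()
        for owner, ip in answers:
            owner = owner.lower().rstrip(".")
            if owner != qname and self._zone(owner) != self._zone(qname):
                # Out-of-bailiwick record: an answer about a name we never asked for,
                # the classic way a forged response tries to plant an entry for another domain.
                alerts.append(f"out-of-bailiwick record {owner} -> {ip} in reply for {qname}")
                continue
            in_scope.add(ip)
        expected = self.baseline.get(qname)
        if expected is None:
            self.baseline[qname] = set(in_scope)   # dynamic database building: learn first sighting
        else:
            for ip in sorted(in_scope - expected):
                alerts.append(f"deviation: {qname} resolved to {ip}, expected one of {sorted(expected)}")
        self.log.extend(alerts)
        return alerts

# Constructed observations (not captures): 198.51.100.x is the trusted baseline, 203.0.113.9 the rogue address.
wrapper = DnsWrapper(baseline={"example.com": {"198.51.100.10", "198.51.100.11"}})
LEGIT = wrapper.observe("example.com", [("example.com", "198.51.100.11")])
HIJACKED = wrapper.observe("example.com", [("example.com", "203.0.113.9")])
POISON = wrapper.observe("www.example.org", [("www.example.org", "198.51.100.20"),
                                             ("login.example.net", "203.0.113.9")])
```

A round-robin or CDN domain is handled by listing all of its legitimate addresses in the baseline set; only an address outside that set is reported.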

5. CONCLUSION

This article tries to detect DNS hijacking events through domain name cache technology, dynamic memory database building and the use of the corresponding relationship between domain names and IP addresses, which can make up for the deficiencies of the methods above. By providing a deep overview of the area, identifying existing challenges, and sharing the insights we obtained doing research in this field, we hope this survey will facilitate future research and the development of methods and applications to fight attacks leveraging malicious domains.

REFERENCES

[1] B. Braun, S. Savage, "Investigating DNS Hijacking Through High Frequency Measurements", UC San Diego Electronic Theses and Dissertations, 2016.

[2] S. Son and V. Shmatikov, "The hitchhiker's guide to DNS cache poisoning", in Security and Privacy in Communication Networks, pp. 466–483, Springer, 2010.

[3] M. Antonakakis, D. Dagon, X. Luo, R. Perdisci, W. Lee and J. Bellmor, "A centralized monitoring infrastructure for improving DNS security", Lecture Notes in Computer Science, vol. 6307, pp. 18–37, 2010.

[4] Y. Zhauniarovich, I. Khalil, T. Yu and M. Dacier, "A Survey on Malicious Domains Detection through DNS Data Analysis", ACM Comput. Surv., vol. 1, no. 1, Article 1, 35 pages, May 2018.

[5] B. Yan, "Detection and prevention of attack", Computer Engineering, vol. 32, no. 21, pp. 130–132, 2016.

Vol. 4(2), July-Dec 2020, ISSN: 2581-723X