SUN Junzhe, LU Chaoyi, LIU Baojun, et al. Measurement study on abnormal changes in authoritative resource records of government and educational domains[J]. Journal on Communications, 2024, 45(Z2): 16-26. DOI: 10.11959/j.issn.1000-436x.2024252.
Measurement study on abnormal changes in authoritative resource records of government and educational domains
Authoritative-side domain hijacking is characterized by abnormal changes in resource records. To enable timely warnings for authoritative-side domain hijacking incidents, a monitoring system for authoritative-side resource records was established, targeting significant domains in key sectors such as government and education, as well as high-traffic popular domains. The system actively captured and continuously monitored 7.5 million important domains globally. An algorithm was developed to filter abnormal changes in resource records, identifying abnormal changes in 896 significant domains within a one-month analysis period. Manual verification results indicate that the causes included misconfigurations by domain administrators, phishing attacks, and the display of illegal content.