Automatically Detecting DNS Hijacking in Passive DNS

Nov. 5, 2024, 10:03 a.m.

Description

This article describes a machine learning-based pipeline for detecting DNS hijacking, the unauthorized modification of a domain's DNS records (typically its NS or A records, for example after a registrar or DNS-provider account is compromised) so that resolvers return attacker-controlled answers. The pipeline works from passive DNS data: it processes an average of 167 million new DNS records daily and extracts 74 features from over 169 terabytes of data. Between March and September 2024, it identified 6,729 hijacking incidents out of 29 billion processed records. Notable examples include the hijacking of a Hungarian political party's domain, the defacement of a utility company and an ISP, and the use of university and research center domains to host illicit gambling content. The pipeline can now detect DNS hijacking in customer traffic within 10 minutes, which shortens the window in which redirected traffic goes unnoticed.
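The pipeline itself is not published on this page; the following is an added illustration, not the authors' code, of the core idea behind passive-DNS hijack detection: compare each newly observed NS or A record against the domain's own history and score how far the change departs from it. The records, the domain names, the IP-to-ASN table and the feature weights are all constructed for the example; the real pipeline uses 74 features and a trained model rather than the four hand-weighted features here.

```python
"""Toy passive-DNS hijack detector (added example; not the Unit 42 pipeline).

Each passive DNS record is (rrname, rrtype, rdata, first_seen). For every
domain, each newly observed NS/A record is compared against the domain's
earlier records of the same type and a few change features are computed.
Everything below, including the records and the ASN table, is constructed.
"""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed ASN table standing in for a real IP-to-ASN lookup.
ASN_OF_PREFIX = {
    "198.51.100.0/24": 64500,   # hosting provider that has served the domain for years
    "203.0.113.0/24": 64501,    # unrelated host the hijacked records point to
    "192.0.2.0/24": 64502,
}

def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_OF_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def registered_domain(name):
    """Crude registered-domain extraction (last two labels); a real pipeline
    would use the public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def features_for_change(history, new):
    """Compare a new record against the domain's prior records of the same type.
    Returns a dict of binary features; empty if there is no prior history."""
    f = {}
    prior = [r for r in history if r["first_seen"] < new["first_seen"]]
    if not prior:
        return f  # first-ever observation: nothing to compare against
    days_stable = (new["first_seen"] - max(r["first_seen"] for r in prior)).days
    f["long_stable_history"] = days_stable >= 180
    if new["rrtype"] == "NS":
        prior_ns_domains = {registered_domain(r["rdata"]) for r in prior}
        f["ns_new_provider"] = registered_domain(new["rdata"]) not in prior_ns_domains
    elif new["rrtype"] == "A":
        prior_asns = {asn_for(r["rdata"]) for r in prior}
        prior_24s = {ipaddress.ip_network(r["rdata"] + "/24", strict=False) for r in prior}
        f["a_new_asn"] = asn_for(new["rdata"]) not in prior_asns
        f["a_new_slash24"] = ipaddress.ip_network(new["rdata"] + "/24", strict=False) not in prior_24s
    return f

def score(f):
    """Hand-tuned weights standing in for the trained classifier."""
    weights = {"ns_new_provider": 3, "a_new_asn": 2, "a_new_slash24": 1, "long_stable_history": 1}
    return sum(w for k, w in weights.items() if f.get(k))

def detect_hijacks(records, threshold=4):
    """Return (rrname, rrtype, rdata, score) for every record whose change
    relative to the domain's own history scores at or above the threshold."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["rrname"], r["rrtype"])].append(r)
    alerts = []
    for (name, rrtype), recs in by_key.items():
        recs.sort(key=lambda r: r["first_seen"])
        for i, r in enumerate(recs):
            s = score(features_for_change(recs[:i], r))
            if s >= threshold:
                alerts.append((name, rrtype, r["rdata"], s))
    return alerts

def rec(name, rrtype, rdata, y, m, d):
    return {"rrname": name, "rrtype": rrtype, "rdata": rdata, "first_seen": date(y, m, d)}

# Constructed passive DNS history for two domains.
SAMPLE_RECORDS = [
    # party.example: stable for years, then NS and A move together to unrelated infrastructure
    rec("party.example", "NS", "ns1.goodhost.example", 2019, 3, 1),
    rec("party.example", "NS", "ns2.goodhost.example", 2019, 3, 1),
    rec("party.example", "A", "198.51.100.10", 2019, 3, 1),
    rec("party.example", "NS", "ns1.rogue-dns.example", 2024, 8, 12),
    rec("party.example", "A", "203.0.113.77", 2024, 8, 12),
    # shop.example: ordinary migration that stays within the same provider and ASN
    rec("shop.example", "NS", "ns1.goodhost.example", 2021, 1, 5),
    rec("shop.example", "A", "198.51.100.20", 2021, 1, 5),
    rec("shop.example", "NS", "ns3.goodhost.example", 2024, 6, 1),
    rec("shop.example", "A", "198.51.100.21", 2024, 6, 1),
]

if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_RECORDS):
        print(alert)
```

Only party.example is flagged: both its NS and A records jump to a provider and ASN never seen in its history after years of stability, while shop.example's same-provider migration scores below the threshold. That second case is the point of comparing against per-domain history rather than against a global blocklist: legitimate migrations are common, and a detector that cannot tell them from a takeover will be ignored.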

Date

  • Created: Nov. 5, 2024, 5:37 a.m.
  • Published: Nov. 5, 2024, 5:37 a.m.
  • Modified: Nov. 5, 2024, 10:03 a.m.

Indicators

  • 37.9.175.0/24
  • d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183
  • c43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16
  • bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1
  • b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c
  • 8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e
  • 7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc
  • 716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561
  • 564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c
  • 4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900
  • 01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3
  • 103.84.194.81
  • http://slackforbusiness.net/main.php
  • http://slackforbusiness.net/api.php
  • ns6.uts.ac.id
  • ns5.uts.ac.id
  • ns4.uts.ac.id
  • ns3.webonic.hu
  • ns3.uts.ac.id
  • ns3.gyumolcstarhely.hu
  • ns2.webonic.hu
  • ns2.uts.ac.id
  • ns2.gyumolcstarhely.hu
  • ns2.csit-host.com
  • ns1.webonic.hu
  • ns1.uts.ac.id
  • ns1.gyumolcstarhely.hu
  • ns1.csit-host.com
  • mail.uts.ac.id
  • dkujpest.hu
  • ccdc.org.do
  • c-sharp.in
  • slackcomtop.aab-e-pak.com
  • wooofi.com
  • slackforbusiness.net
  • nextnovatech.com
  • macpaw.us

Attack Patterns

Additional Information

  • Energy
  • Education
  • Telecommunications
  • Government
  • Hungary
  • United States of America