Retroactive identification of targeted DNS infrastructure hijacking

Gautam Akiwate, Raffaele Sommese, Mattijs Jonker, Zakir Durumeric, Kimberley Claffy, Geoffrey M. Voelker, Stefan Savage

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

27 Downloads (Pure)


In 2019, the US Department of Homeland Security issued an emergency warning about DNS infrastructure tampering. This alert, in response to a series of attacks against foreign government websites, highlighted how a sophisticated attacker could leverage access to key DNS infrastructure to then hijack traffic and harvest valid login credentials for target organizations. However, even armed with this knowledge, identifying the existence of such incidents has been almost entirely via post hoc forensic reports (i.e., after a breach was found via some other method). Indeed, such attacks are particularly challenging to detect because they can be very short lived, bypass the protections of TLS and DNSSEC, and are imperceptible to users. Identifying them retroactively is even more complicated by the lack of fine-grained Internet-scale forensic data. This paper is a first attempt to make progress at this latter goal. Combining a range of longitudinal data from Internet-wide scans, passive DNS records, and Certificate Transparency logs, we have constructed a methodology for identifying potential victims of sophisticated DNS infrastructure hijacking and have used it to identify a range of victims (primarily government agencies), both those named in prior reporting, and others previously unknown.
Original languageEnglish
Title of host publicationProceedings of the 22nd ACM Internet Measurement Conference
PublisherAssociation for Computing Machinery (ACM)
Number of pages19
ISBN (Electronic)9781450392594
Publication statusPublished - 25 Oct 2022
Event22nd ACM Internet Measurement Conference, IMC 2022 - Nice, France
Duration: 25 Oct 202227 Oct 2022
Conference number: 22


Conference22nd ACM Internet Measurement Conference, IMC 2022
Abbreviated titleIMC 2022
Internet address


Dive into the research topics of 'Retroactive identification of targeted DNS infrastructure hijacking'. Together they form a unique fingerprint.

Cite this