Automatically Detecting DNS Hijacking in Passive DNS

· Published 05/11/2024 05:37 · Modified 05/11/2024 10:03

Essential information

Published
05/11/2024 05:37
Modified
05/11/2024 10:03
Tags
2024-11-05 cybersecurity dns hijacking domain compromise machine learning network-security passive dns threat detection
Related entities
37 observables, 9 techniques (mitre), 6 others

Description

This article describes a machine learning-based pipeline for detecting DNS hijacking using passive DNS data. The system processes an average of 167 million new DNS records daily, extracting 74 features from over 169 terabytes of data. Between March and September 2024, it identified 6,729 hijacking incidents out of 29 billion processed records. Notable examples include the hijacking of a Hungarian political party's domain, the defacement of a utility company and an ISP, and the use of university and research center domains for illicit gambling. The pipeline can now detect DNS hijacking in customer traffic within 10 minutes, providing crucial protection against this pervasive threat.

External references