Detection and Forensics of Domains Hijacking

The naming service provided by Domain Name System (DNS) is essential for locating resources on the Internet, for distributing security mechanisms in an authenticated manner, and for facilitating future applications. Unfortunately, despite the critical function that the naming service of the DNS infrastructure fulfills, it is extremely vulnerable to domain hijacking attacks. While most of the attacks go undetected, they are detrimental for the availability of the Internet services, and the security and privacy of clients and networks. We designed and developed a system, we call LUDIC (LookUp DIstributed Cache), for detection of domain hijacking attacks. Our system also enables forensic analysis and provides victims with signed evidences allowing them to prove breaches to third parties, such as a court of law or a resolution authority. LUDIC uses distributed vantage points to validate DNS records, and does not require establishing a chain of trust to a centralised trust anchor, hence sidestepping the adoption challenges inherent in DNSSEC. Our system does not introduce any changes to the existing infrastructure and can be easily integrated into an Intrusion Detection System (IDS) or a firewall, while providing an immediate benefit to adopters.