The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

@inproceedings{Schlamp2015TheAS,
  title={The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire},
  author={Johann Schlamp and Josef Gustafsson and Matthias W{\"a}hlisch and Thomas C. Schmidt and Georg Carle},
  booktitle={TMA},
  year={2015}
}
The vulnerability of the Internet has been demonstrated by prominent IP prefix hijacking events. Major outages such as the China Telecom incident in 2010 stimulate speculations about malicious intentions behind such anomalies. Surprisingly, almost all discussions in the current literature assume that hijacking incidents are enabled by the lack of security mechanisms in the inter-domain routing protocol BGP. In this paper, we discuss an attacker model that accounts for the hijacking of network… 
Hijacking DNS Subdomains via Subzone Registration: A Case for Signed Zones
TLDR
This work investigates how the widespread absence of signatures in DNS (Domain Name System) delegations has led to insecure deployments of authoritative DNS servers which allow for hijacking of subdomains without the domain owner's consent, and suggests remedies for the problem.
Improving IP Prefix Hijacking Detection by Tracing Hijack Fingerprints and Verifying Them through RIR Databases
TLDR
An IP prefix hijack detection method is improved by identifying the false positives that arise when organisations use multiple ASNs (Autonomous System Numbers) to advertise their routes, thereby reducing the false-positive rate.
HEAP: Reliable Assessment of BGP Hijacking Attacks
TLDR
A novel formalization of Internet routing is devised and applied to routing anomalies in order to establish a comprehensive attacker model; the effectiveness of this approach is demonstrated, showing that day-to-day routing anomalies are for the most part harmless.
The Wolf of Name Street: Hijacking Domains Through Their Nameservers
TLDR
This paper studies the exploitation of configuration issues and hardware errors to seize control over nameservers' requests to hijack domains, finding that over 12,000 domains are susceptible to near-immediate compromise and 1.28M domains are at risk of a denial-of-service attack by relying on an outdated nameserver.
IP prefix hijack detection using BGP connectivity monitoring
  • Hussain Alshamrani, B. Ghita
  • Computer Science
    2016 IEEE 17th International Conference on High Performance Switching and Routing (HPSR)
  • 2016
TLDR
A novel method is suggested that tracks the connectivity of suspicious ASes reported by a program tracing IP prefix hijacking signatures; it is able to detect hijacks with 81% accuracy.
Domain-Z: 28 Registrations Later Measuring the Exploitation of Residual Trust in Domains
TLDR
This study sheds light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years and develops Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes.
Tunneling for Transparency: A Large-Scale Analysis of End-to-End Violations in the Internet
TLDR
This paper develops measurement techniques that allow Luminati to be used to detect end-to-end violations of DNS, HTTP, and HTTPS, and, in many cases, enable us to identify the culprit.
Don't throw me away: Threats Caused by the Abandoned Internet Resources Used by Android Apps
TLDR
Analysis of 1.1 M Android apps published in the official marketplace uncovered 3,628 abandoned Internet resources associated with 7,331 available mobile apps, subject to hijack by outsiders.
Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers
TLDR
An empirical analysis of two kinds of post-expiration domain ownership changes highlights a significant demand for expired domains and hints at highly competitive re-registrations.
From Deletion to Re-Registration in Zero Seconds: Domain Registrar Behaviour During the Drop
TLDR
It is shown that .com domains are deleted in a predictable order, and a model is proposed to infer the earliest possible time a domain could have been re-registered; it is used to characterise, at a precision of seconds, how fast certain types of domain names are re-registered.

References

Towards detecting BGP route hijacking using the RPKI
TLDR
An early look at BGP update data is taken and many interesting dynamics are found; not all can be easily explained as hijacking, and a significant number are likely operational testing or misconfigurations.
iSPY: Detecting IP Prefix Hijacking on My Own
TLDR
iSPY, a real-time hijacking detection system that can differentiate between IP prefix hijacking and network failures based on the observation that hijacking is likely to result in topologically more diverse polluted networks and unreachability, is presented.
A forensic case study on AS hijacking: the attacker's perspective
TLDR
The findings show that there is a need for preventive measures that would allow AS hijacking to be anticipated, and the design of an early warning system is outlined.
Detecting prefix hijackings in the Internet with Argus
TLDR
Argus, an agile system that accurately detects prefix hijackings and quickly deduces the underlying cause of route anomalies, is proposed; it is based on closely and pervasively correlating control-plane and data-plane information.
Malicious BGP hijacks: Appearances can be deceiving
TLDR
This case study presents a real case where suspicious BGP announcements coincided with spam and web scam traffic from corresponding networks and concludes that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions.
IP Prefix Hijacking Detection Using Idle Scan
TLDR
To detect IP prefix hijacking events, this paper monitors routing update messages that show incorrect announcements of an IP prefix's origin caused by wrong routing information.
Detecting bogus BGP route information: Going beyond prefix hijacking
  • Jian Qiu, Lixin Gao, S. Ranjan, A. Nucci
  • Computer Science
    2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007
  • 2007
TLDR
This work proposes a real-time detection system for ISPs to provide protection against bogus routes that leverages a directed AS-link topology model to detect path spoofing routes that violate import/export routing policies.
A study of prefix hijacking and interception in the internet
TLDR
The authors' hijacking estimates are in line with the impact of past hijacking incidents and show that ASes higher up in the routing hierarchy can hijack a significant amount of traffic to any prefix, including popular prefixes.
On the risk of misbehaving RPKI authorities
TLDR
It is shown how design decisions that elegantly address the vulnerabilities in the original threat model have unexpected side effects in this flipped threat model, and implications on the design of security architectures that are appropriate for the untrusted and error-prone Internet are suggested.
SpamTracer: How stealthy are spammers?
TLDR
It is concluded that the fly-by spammer phenomenon does not currently seem to be a significant threat, and a set of specifically tailored heuristics for detecting possible BGP hijacking is proposed.