Design and Implementation of Domain Hijacking Detection System

Abstract: As the foundation of Internet applications, DNS plays a critical role in network operation. On Jan. 21st, 2014, a serious DNS hijacking incident on the Internet drew attention to DNS security once again. This paper proposes a new method to detect DNS hijacking by building a high-speed in-memory cache of the mapping between domain names and server IP addresses. With this cache, hijacking of a domain name at a DNS caching server can be detected, and the system can detect domain name hijacking efficiently after it happens.


INTRODUCTION
The DNS is a distributed database of host information that follows the client/server model. When browsing the web from a client, we usually type a domain name that corresponds to a server's IP address rather than the IP address itself. For example, when we enter www.google.com, the DNS translates that domain name into the IP address of the corresponding server so that the client can reach it. When a program needs a host name translated into an IP address, it acts as a client of the DNS: it opens a connection to a domain name server and sends it the host name, and the server looks the name up and returns the host's IP address to the program. Since DNS is one of the core Internet services, the security of the whole Internet depends on whether the DNS itself is secure [1].

THE EXISTING METHODS TO COUNTER DNS HIJACKING
DNS hijacking, also called domain name hijacking, means gaining control of the resolution of a domain name by some means and altering the resolution result, so that clients are directed to a changed IP address instead of the original one, with the consequence that access fails or a bogus website is served [2]. There are many ways to carry out DNS hijacking: impersonating the registrant of a domain name to gain control of its resolution, or using techniques such as DDoS attacks, ARP spoofing and DNS cache poisoning to alter the domain name cache of a server.
Methods for countering domain name hijacking can be divided into detection with objectives (targeted detection) and countering without objectives (untargeted detection). Detection with objectives means that the important domain names are defined in advance and the mapping between each domain name and its IP address is stored in a cache; whenever one of these important domain names is accessed, the result is compared with the cache to determine whether hijacking has occurred [3].
The existing countermeasures can also be divided into precaution before hijacking and detection after hijacking. At present, we have not found any suitable method for detecting domain name hijacking without predefined objectives [4].

Precaution before hijacking
Attackers can gain control of resolution through techniques such as DDoS attacks, ARP spoofing and DNS cache poisoning. Precaution before hijacking aims to prevent these events by inspecting DNS request and response messages to spot the attack, so that the DNS server is not hijacked in the first place [5].
Take DNS cache poisoning as an example. DNS carries queries and responses over UDP and relies on a simple trust mechanism: a response is accepted if its source IP address and port and its query ID match those of the outstanding query, without any further check on the legitimacy of the packet. The first matching response is taken as the correct one and resolution continues with it, and every matching response that arrives later is discarded. An attacker can therefore impersonate the authoritative name server and send forged responses to the caching DNS server in an attempt to beat the genuine response. If a forged response reaches the caching server before the genuine response from the authoritative server, and matches the IP address, port and query ID of the original query, it poisons the cache and the DNS cache poisoning attack succeeds.
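The matching rule and the race it creates can be modelled in a few lines. The following Python is an added example, not code from this paper: the CachingResolver and Response classes, the addresses and the exhaustive query-ID flood are all constructed for illustration, and the attacker is assumed to know the authoritative server's address and to be able to spoof it as the UDP source.

```python
"""Model of the 'first matching response wins' rule and the poisoning race.
Added example; the classes, addresses and flood are constructed, not the
paper's code."""
import random
from dataclasses import dataclass

AUTH_NS_IP = "198.51.100.53"   # constructed authoritative server address
GENUINE_IP = "203.0.113.10"    # constructed genuine answer
ATTACKER_IP = "192.0.2.66"     # constructed answer the attacker wants cached
QNAME = "www.example.com"


@dataclass(frozen=True)
class Response:
    src_ip: str     # claimed sender; trivially spoofable over UDP
    dst_port: int   # must equal the source port the resolver used for the query
    txid: int       # must equal the 16-bit query ID
    qname: str
    answer: str


class CachingResolver:
    """Accepts the first response whose (src_ip, dst_port, txid) match the
    outstanding query, caches it, and drops every later response for it."""

    def __init__(self, rng, randomize_port=True):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = {}   # qname -> (ns_ip, src_port, txid)
        self.cache = {}     # qname -> answer

    def send_query(self, qname, ns_ip):
        txid = self.rng.randrange(0, 1 << 16)
        # Without source-port randomisation the port is predictable, so only
        # the 16-bit query ID stands between the attacker and the cache.
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[qname] = (ns_ip, port, txid)
        return port, txid

    def receive(self, resp):
        """Return True if the response was accepted and cached."""
        expected = self.pending.get(resp.qname)
        if expected is None:
            return False                      # no outstanding query: dropped
        if (resp.src_ip, resp.dst_port, resp.txid) != expected:
            return False                      # IP/port/ID mismatch: dropped
        self.cache[resp.qname] = resp.answer  # first match wins, no other check
        del self.pending[resp.qname]          # later responses are discarded
        return True


def flood(resolver, qname, port_guess=53):
    """Attacker sends one forged response per possible query ID, spoofing the
    authoritative server and guessing the port. True if the cache was poisoned."""
    for txid in range(1 << 16):
        forged = Response(AUTH_NS_IP, port_guess, txid, qname, ATTACKER_IP)
        if resolver.receive(forged):
            return True
    return False


def race(randomize_port, seed=7):
    """Forged flood arrives before the genuine answer. Returns what got cached."""
    resolver = CachingResolver(random.Random(seed), randomize_port)
    port, txid = resolver.send_query(QNAME, AUTH_NS_IP)
    flood(resolver, QNAME)
    resolver.receive(Response(AUTH_NS_IP, port, txid, QNAME, GENUINE_IP))
    return resolver.cache[QNAME]


def genuine_first(seed=7):
    """Genuine answer arrives first; a perfectly matching forgery comes later."""
    resolver = CachingResolver(random.Random(seed), randomize_port=False)
    port, txid = resolver.send_query(QNAME, AUTH_NS_IP)
    resolver.receive(Response(AUTH_NS_IP, port, txid, QNAME, GENUINE_IP))
    late_forgery_accepted = resolver.receive(
        Response(AUTH_NS_IP, port, txid, QNAME, ATTACKER_IP))
    return resolver.cache[QNAME], late_forgery_accepted
```

race(False) shows that with a fixed source port an exhaustive sweep of the 65536 query IDs always lands before the genuine answer; race(True) shows that randomising the source port makes the same flood miss, because the attacker now has to guess the port as well. genuine_first() shows the other half of the rule: once a matching response has been accepted, a later forgery with the very same fields is discarded.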
During the query process, cache poisoning can be prevented, and the DNS server protected from hijacking, by technical means that inspect the request and response messages.
To some extent these methods prevent domain name hijacking, but they cannot act once hijacking has already happened; they are limited to prevention [6].

Detection after hijacking
Existing detection of domain name hijacking mainly protects specific domain names: a set of "important domain names" is fixed in advance, and hijacking is then detected for those names only.
Once DNS hijacking occurs, the resolution of the affected domain name is controlled by the attacker, so the name resolves to an unknown server IP. Among the countermeasures, one method decides whether hijacking has happened by examining the IP addresses that the DNS server receives in responses [7].
The simplified detection process is as follows:
1) Preparation stage: after months of measurement, a limited whitelist of "important" recursive servers is built, with their RR records and IP addresses.
2) Measurement stage: the system issues a series of queries and records the matching responses; all raw DNS traffic is stored for the analysis stage.
3) Analysis stage: the system runs the queries through a series of analysis algorithms, checks the legitimacy of the raw DNS traffic saved in stage 2) and outputs the final result.
To a great extent this method can detect hijacking of the protected important domain names after it happens; however, if the target domain names are not known in advance, the method is useless.

THE REALIZATION OF DETECTION FOR DOMAIN NAME HIJACKING WITHOUT OBJECTIVES
Since existing methods cannot solve the problem of domain name hijacking without objectives, this paper proposes using the basic data of the DNS to build a data cache for domain name authentication. With this cache, hijacking of a domain name at a DNS caching server can be detected. The specific steps are as follows:
(1) Create the domain name authentication data. First, an authenticated set of basic DNS data is required, in which the mapping between each domain name and its IP has been verified to be free of hijacking. This DNS authentication data is used in the next step.
(2) On the basis of the data from step (1), build the mapping between domain names and IPs for the local domain names as the authentication data cache. To detect hijacking without objectives, the domain names in this cache should cover, as far as possible, the names that are commonly used and those likely to be used. When a new domain name is visited, a corresponding procedure must handle it.
(3) On the basis of the data from step (2), create a dynamic update mechanism to cope with the variability of domain name access. The cache from step (2) is updated dynamically, removing domain names that are temporarily unused, which yields an elimination mechanism for the cache.
(4) When a domain name is accessed, look it up in the cache from step (2). If it is not present, the domain name is placed in a pending memory zone and the authentication process is run for it. If it is present, check whether the mapping between the domain name and its IP has changed. If it has, the situation is treated as domain name hijacking: the detection system discovers it, raises an alert immediately, and waits for the user to handle it.
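Steps (1) to (4), together with the first-level/second-level map described later under "Initialization method of memory building", can be illustrated with a small detector. The Python below is added here as an example and is not the paper's implementation: the LRU eviction rule, the promote-after-two-hits rule, the cache capacities, the AUTH_DATA mapping and the OBSERVED resolution results are all constructed assumptions, and the paper's own elimination algorithm (its section 3.1.2) is not reproduced.

```python
"""Untargeted hijack detection over an authenticated domain -> IP cache.
Added example, not the paper's code; eviction/promotion rules and the sample
data are assumptions."""
from collections import OrderedDict


class TwoLevelCache:
    """Map split into a small first-level cache that is evicted often and a
    second-level cache for entries that survive it. Eviction is LRU here
    (our assumption); promotion happens after `promote_after` hits in L1."""

    def __init__(self, l1_capacity=4, l2_capacity=16, promote_after=2):
        self.l1 = OrderedDict()          # domain -> [ips, hit_count]
        self.l2 = OrderedDict()          # domain -> ips
        self.l1_capacity = l1_capacity
        self.l2_capacity = l2_capacity
        self.promote_after = promote_after
        self.evicted = []                # names removed by the elimination step

    def put(self, domain, ips):
        if domain in self.l2:
            self.l2[domain] = ips
            self.l2.move_to_end(domain)
            return
        if domain in self.l1:
            self.l1[domain][0] = ips
            self.l1.move_to_end(domain)
            return
        if len(self.l1) >= self.l1_capacity:
            old, _ = self.l1.popitem(last=False)   # eliminate least recently used
            self.evicted.append(old)
        self.l1[domain] = [ips, 0]

    def get(self, domain):
        if domain in self.l2:
            self.l2.move_to_end(domain)
            return self.l2[domain]
        if domain not in self.l1:
            return None
        entry = self.l1[domain]
        entry[1] += 1
        self.l1.move_to_end(domain)
        if entry[1] >= self.promote_after:         # survived L1: promote to L2
            del self.l1[domain]
            if len(self.l2) >= self.l2_capacity:
                old, _ = self.l2.popitem(last=False)
                self.evicted.append(old)
            self.l2[domain] = entry[0]
        return entry[0]


class HijackDetector:
    def __init__(self, auth_data, **cache_opts):
        self.cache = TwoLevelCache(**cache_opts)
        for domain, ips in auth_data.items():      # step (2): load authenticated data
            self.cache.put(domain, frozenset(ips))
        self.pending = {}                          # step (4): names awaiting authentication
        self.alerts = []

    def observe(self, domain, ip):
        """Step (4): classify one resolution result seen at the caching server."""
        known = self.cache.get(domain)
        if known is None:
            self.pending.setdefault(domain, set()).add(ip)
            return "pending"
        if ip in known:
            return "ok"
        self.alerts.append((domain, ip, sorted(known)))   # mapping changed: alert
        return "hijack"

    def confirm(self, domain, ips):
        """Called once the authentication process (3.1.1) clears a pending name."""
        self.pending.pop(domain, None)
        self.cache.put(domain, frozenset(ips))


AUTH_DATA = {  # constructed sample of authenticated domain -> IP mappings
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "mail.example.com": {"203.0.113.20"},
    "cdn.example.net": {"198.51.100.5"},
}

OBSERVED = [  # constructed resolution results seen at the caching server
    ("www.example.com", "203.0.113.10"),
    ("www.example.com", "203.0.113.11"),
    ("mail.example.com", "203.0.113.20"),
    ("www.example.com", "192.0.2.66"),      # answer changed: hijack
    ("shop.example.org", "198.51.100.9"),   # not in cache: pending
]


def run_detection(observations=OBSERVED):
    det = HijackDetector(AUTH_DATA, l1_capacity=4, l2_capacity=8, promote_after=2)
    verdicts = [det.observe(d, ip) for d, ip in observations]
    return verdicts, det.alerts, sorted(det.pending), det
```

On the sample, www.example.com is promoted to the second-level cache after its second hit, its third observation with an unknown address raises the alert, and shop.example.org lands in the pending zone until confirm() is called for it.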

Create an authentication data cache of domain name
First, to ensure the accuracy of the basic DNS data, all of it must be authenticated; the process is described in 3.1.1.
For real-time detection results, the mapping between domain names and IP addresses should be held in memory (so that lookups are fast and the mapping is accurate). However, by the end of 2012 the number of domain names worldwide had surpassed 250 million and continues to grow, so keeping every domain name in memory is resource-consuming and unnecessary. Analysing the basic DNS data on a DNS caching server shows that, although the number of domain names is very large, the set of names actually accessed is limited, and this small minority of names accounts for most of the access traffic. The analysis of domain name access is shown in Table 1.
MATEC Web of Conferences, 01058-p.2

From Table 1 we can see that the number of domain names is considerable, reaching into the millions, yet we do not encounter that many domain names in daily use: the number of distinct domain names for which the DNS server receives queries is only about 1% of the total. Hence we only need to build a basic domain name database with a replacement mechanism, in which domain names with a low probability of access are evicted and replace inactive ones, instead of storing all domain names.

Authentication process of DNS basic data
To store basic DNS data in memory, we must first confirm the validity of the domain name to IP address mappings in that data.
Starting from the DNS data collected from the DNS caching server, we test and verify the validity of the mapping between the domain names and IPs in the basic data, in preparation for building the system.
To confirm the validity of a domain name to IP mapping, we use a confirmation period of 7 days. For each IP server in the basic data, count the number of distinct client IPs that access it per day within the confirmation period (from 0:00 to 24:00; the same client IP accessing the same server counts only once per day), recorded as the daily independent IP count; and count the daily page views of that IP server within the confirmation period, recorded as PV.
Track and monitor the basic data during the confirmation period and compute these values for each IP server.
Let F be the confirmation threshold, P one day of the confirmation period, and IP1, PV1 and IP2, PV2 the daily independent IP and PV values; from these the two values F1 and F2 are calculated. If F1 > F and F2 > F, the access traffic of this IP server is regarded as normal within the confirmation period, so the mapping between this IP server and the domain name is considered correct for that period. The basic DNS data is analysed over one confirmation period. If the mapping between the IP server and the domain name is found to be correct within the confirmation period, the mapping between that IP and domain name is taken to be correct; otherwise the mapping is removed. All correct IP to domain name mappings are called DNS authentication data, and they proceed to the next step, memory creation.
Authority verification is then performed on the authenticated basic DNS data (DNS authentication data) by active probing: a probe request is sent to the authoritative server of the domain name, the response is examined, and the correctness of the authenticated DNS data is verified.
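The 7-day confirmation step above, as an added Python example (not the paper's code). The page does not give the formulas for F1 and F2, so this example assumes F1 is the minimum daily independent-IP count and F2 the minimum daily PV over the period, and requires the mapping to be seen on every day of the period; the access records are constructed. The active probe of the authoritative server is not modelled, since it needs the network.

```python
"""Confirmation-period check of domain -> IP mappings from access records.
Added example; F1/F2 definition and the sample records are assumptions."""
from collections import defaultdict

CONFIRMATION_DAYS = 7


def daily_stats(records):
    """records: iterable of (day, client_ip, server_ip, domain).
    Returns {(server_ip, domain): {day: (independent_ip, pv)}}, where a client
    accessing the same server counts once per day and every record counts as a PV."""
    uniq = defaultdict(lambda: defaultdict(set))
    pv = defaultdict(lambda: defaultdict(int))
    for day, client, server, domain in records:
        uniq[(server, domain)][day].add(client)
        pv[(server, domain)][day] += 1
    return {key: {day: (len(uniq[key][day]), pv[key][day]) for day in days}
            for key, days in pv.items()}


def confirm_mappings(records, threshold, period_days=CONFIRMATION_DAYS):
    """Keep a (domain, server) mapping only if it was seen on every day of the
    period and F1 > F and F2 > F, with F1 = min daily independent IPs and
    F2 = min daily PV (assumed aggregation; the paper does not give the formula).
    Returns (authentication_data, rejected)."""
    accepted, rejected = {}, []
    for (server, domain), per_day in daily_stats(records).items():
        if len(per_day) < period_days:             # not present the whole period
            rejected.append((domain, server))
            continue
        f1 = min(ind_ip for ind_ip, _ in per_day.values())
        f2 = min(page_views for _, page_views in per_day.values())
        if f1 > threshold and f2 > threshold:
            accepted.setdefault(domain, set()).add(server)
        else:
            rejected.append((domain, server))
    return accepted, rejected


# Constructed access records (day, client_ip, server_ip, domain):
#  - www.example.com -> 203.0.113.10: 5 clients x 2 requests per day, all 7 days
#  - www.example.com -> 192.0.2.66:   one client on two days only (a stray answer)
#  - mail.example.com -> 203.0.113.20: one client, one request per day, all 7 days
SAMPLE_LOG = (
    [(day, f"10.0.0.{c}", "203.0.113.10", "www.example.com")
     for day in range(1, 8) for c in range(1, 6) for _ in range(2)]
    + [(day, "10.0.9.1", "192.0.2.66", "www.example.com") for day in (3, 4)]
    + [(day, "10.0.0.7", "203.0.113.20", "mail.example.com") for day in range(1, 8)]
)


def build_authentication_data(threshold=3):
    return confirm_mappings(SAMPLE_LOG, threshold)
```

With a threshold of 3 the busy www.example.com mapping is accepted (5 independent IPs and 10 PV every day), the stray 192.0.2.66 answer is rejected because it was not seen across the whole period, and the mail.example.com mapping is rejected because its daily traffic never exceeds the threshold, which shows the trade-off of the threshold approach: low-traffic but legitimate mappings need either a lower F or the active authority probe to be accepted.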

Initialization method of memory building
Memory creation is carried out after the DNS data has been confirmed, using the DNS authentication data from 3.1.1. The memory is the basis of this system, and system queries run against the data in memory. The memory structure uses a map data structure. To make the best use of memory and maximise query speed, the map is divided into a first-level cache and a second-level cache. At initialisation, data enters the first-level cache, where the elimination algorithm runs frequently; data that has not been evicted from the first-level cache after some time is promoted to the second-level cache.
To begin with, all values and parameters of the map must be initialised. At this stage the user can set the parameters manually or choose the system's built-in defaults.
(1) Load the DNS authentication data from 3.1.1 into the first-level cache in sequence; (2) in the cache, apply the elimination algorithm from 3.1.2, which is triggered frequently in the first-level cache. When the capacity of the first-level cache runs low, the domain names that have not been evicted after

ICETA 2015

In this experiment, the hardware environment is an Intel(R) Xeon(R) 2.4 GHz CPU server with 24 GB of memory, running CentOS release 6.5. The experiment consists of a memory building stage and a simulation of domain name hijacking by modifying the domain name file. All parameters are the system defaults; the experiment logs are analysed and the results compared.
(1) Memory building of the system: the log analysis results are given in Table 2.
(2) Simulated query under domain name hijacking: the log analysis results are given in Table 3.
From Table 3, we can see that when DNS access is rare (fewer than 10,000 queries) the system detects domain name hijacking with 100% accuracy within seconds. For large volumes of DNS access data (counted in millions), a single server detects domain name hijacking with 99.99% accuracy within ten seconds. The system can therefore detect domain name hijacking efficiently after it happens.
We also found that the statistical results can change from run to run because of the dynamics of the elimination algorithm, and that they differ under different parameters. Taking experiment 2 as an example: if the parameters are set so that the elimination algorithm is still triggered even when there is enough memory, then over many runs under the same conditions the number of false positives in experiment 2 is not zero but several.

CONCLUSION
At present, most detection methods for domain name hijacking are based on behaviour before hijacking happens, such as DDoS attacks and DNS cache poisoning. Once a hijacking event has taken place, none of these methods can detect it dynamically. The approach introduced in this article, which detects DNS hijacking events through domain name caching, a dynamically built in-memory database and the mapping between domain names and IP addresses, makes up for that deficiency. Future work on the system is to improve the elimination algorithm so as to minimise false positives.

Table 1. Analysis of domain name access

Table 2. Memory building of the system

Table 3. Simulation experiment of domain name hijacking