Understanding HTTP & DNS Hijacking: Causes, Risks, and Practical Countermeasures

This article explains what HTTP and DNS hijacking are, illustrates real-world examples, analyzes root causes such as ad injection and malicious attacks, and presents concrete anti‑hijacking techniques like data legitimacy checks, timeliness verification, HttpDNS, and operator cache mitigation.

21CTO

What is HTTP hijacking, what is DNS hijacking?

HTTP hijacking monitors specific data in the communication channel between a user and the target service, and when certain conditions are met, inserts crafted network packets that cause the client to display promotional ads or unwanted content.

DNS hijacking, also known as domain hijacking, intercepts DNS resolution requests within a compromised network, returning fake IP addresses or no response, leading users to incorrect or non‑existent sites.

Example 1

An advertisement appears at the top of the Youku client page, even though it was not added by Youku.

Example 2

Traditional web pop‑up ads have migrated to mobile, showing intrusive or malicious content.

Example 3

A page from a car‑related app is replaced with a different page after hijacking.

Causes

1. Ad injection

Vendors push rogue ads into various applications to promote their products.

2. Small operators use caching to fake a fast network

Some operators employ cache techniques to save traffic costs, creating an illusion of a “fast” connection.

3. Malicious attacks

Competitors may launch attacks that inject illegal ads, cache data, or otherwise compromise apps.

How does hijacking happen?

Hijacking typically occurs when a client asks a DNS server for an IP address. Three factors contribute: vulnerabilities in ISP data centers that insiders or profit‑seeking entities exploit, manipulation of request data, and ISP‑level promotions that intercept and alter traffic, often prompting users to recharge data.

Consequences

1. App data cannot update

2. Illegal redirects, page data not displayed

3. Pop‑up ads affect visual experience

4. Embedded illegal content harms app image

Anti‑hijacking practice

1. Data legitimacy verification

Legitimacy checks assess whether data is complete and timely. A checksum is generated for each piece of content; mismatches indicate tampering.

2. Data timeliness verification

Clients verify the generation timestamp of data against an agreed schedule, using whitelist/blacklist matching to ensure only authorized pages and redirects are allowed.
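
The two checks above, together with the redirect allowlist, can be sketched as follows. This is an added example, not code from the original article: the key, the freshness window, the host names and all function names are assumptions. It uses a keyed HMAC‑SHA256 in place of a plain checksum, because anyone who modifies the body in transit can also recompute an unkeyed checksum.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Assumed values for illustration; none come from the article.
SHARED_KEY = b"constructed-demo-key"   # provisioned in the app, never sent on the wire
MAX_AGE_SECONDS = 300                  # agreed freshness window
ALLOWED_REDIRECT_HOSTS = {"api.example.com", "cdn.example.com"}


def sign_payload(body: bytes, generated_at: int, key: bytes = SHARED_KEY) -> str:
    """Server side: MAC over timestamp and body, so neither can be changed alone."""
    msg = str(generated_at).encode() + b"." + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_payload(body: bytes, generated_at: int, tag: str, now=None, key: bytes = SHARED_KEY):
    """Client side: return (ok, reason). Integrity is checked before freshness."""
    expected = sign_payload(body, generated_at, key)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "tampered"
    now = time.time() if now is None else now
    if abs(now - generated_at) > MAX_AGE_SECONDS:   # too old, or dated in the future
        return False, "stale"
    return True, "ok"


def redirect_allowed(url: str) -> bool:
    """Allow only HTTPS redirects whose exact host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


def demo():
    """Run the checks over constructed sample responses."""
    body = b'{"page":"home","items":[1,2,3]}'
    t0 = 1_700_000_000                                  # constructed timestamp
    tag = sign_payload(body, t0)
    return {
        "clean": verify_payload(body, t0, tag, now=t0 + 10),
        "injected": verify_payload(body + b"<!-- banner -->", t0, tag, now=t0 + 10),
        "cached_replay": verify_payload(body, t0, tag, now=t0 + 3600),
        "redirect_ok": redirect_allowed("https://cdn.example.com/a.js"),
        "redirect_lookalike": redirect_allowed("https://api.example.com.evil.invalid/"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A key shipped inside an app can be extracted from the binary, so a production design would more likely have the server sign with a private key and the client verify with the public key; the verification flow stays the same.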

Solutions

1. Domain hijacking

For DNS hijacking, employ HttpDNS to replace traditional DNS resolution, retrieving IP addresses via HTTP. For HTTP‑layer tampering, modify the link and use a reverse‑proxy mechanism to obtain correct data.

HttpDNS principle

HttpDNS bypasses compromised DNS by querying a dedicated HTTP‑based DNS service, returning one or more legitimate IPs. The client can test these IPs, select the fastest, and periodically re‑measure to maintain optimal performance.

2. Operator cache

Address operator caching by adding cache‑control parameters to request URLs, allowing proper cache invalidation.

3. Illegal redirects

Implement client‑side whitelist/blacklist policies to block unauthorized redirects.

4. Illegal content insertion

Detect and block embedded illegal content through content validation and monitoring.

More methods

1. Network selection

2. Hijack logging system

Clients collect hijack events, compress logs, and send them to a central server for analysis, enabling rapid detection of abnormal spikes.

Real‑time data detection

The chart shows hourly hijack counts, comparing today with yesterday to reveal spikes caused by ISP promotions or attacks.

Success rate comparison

The graph compares total hijacks with successful mitigations, guiding continuous improvement of anti‑hijacking strategies.
