
Understanding HTTP Hijacking and DNS Hijacking: Causes, Impacts, and Countermeasures

The article explains what HTTP and DNS hijacking are, illustrates real‑world examples, analyzes their causes and harms, and presents practical anti‑hijacking techniques such as data validation, HttpDNS, operator cache handling, and logging systems.

Art of Distributed System Architecture Design

What are HTTP hijacking and DNS hijacking?

HTTP hijacking monitors specific data in the communication channel between a user and the target service and, when certain conditions are met, injects crafted network packets so that the client interprets erroneous data, often displaying promotional ads or unwanted web pages.

DNS hijacking (also called domain hijacking) intercepts DNS resolution requests within a compromised network, analyzes the requested domain, and either returns a fake IP address or drops the request, causing users to reach counterfeit sites or experience no response.

Example 1

An advertisement appears at the top of the Youku client page, but it was not added by Youku.

Example 2

Traditional web browsing often triggers pop‑up ads; the same intrusive behavior has migrated to mobile internet, showing offensive content or malicious ad overlays.

Example 3

A page from a car‑home website was replaced with a different page after a hijacking incident.

Causes

1. Advertising injection code

Malicious vendors embed “rogue ads” into applications to promote their products.

2. Small operators saving traffic costs via caching

Some ISPs use aggressive caching techniques to create an illusion of fast network speed while reducing bandwidth usage.

3. Malicious attacks

Competitors or attackers inject illegal ads, cache data illegally, or perform other hijacking actions that harm the application.

How does hijacking happen?

Hijacking typically starts with a client request to a DNS server, which can be intercepted by compromised network equipment or malicious insiders. The request may be altered, or large operators may inject promotional data directly into the response, forcing users to see unwanted content or recharge data.

Consequences

1. Application data cannot be updated

2. Illegal redirection prevents proper page display

3. Pop‑up ads degrade visual experience

4. Embedded illegal content harms app reputation

Anti‑hijacking practice

1. Data legitimacy verification

Legitimacy checks determine whether data is complete and timely. A checksum or verification string is generated from the content; mismatches indicate tampering.

2. Data timeliness verification

Timeliness is ensured by embedding generation timestamps and having the client validate them. A whitelist/blacklist mechanism evaluates page content and redirect URLs for validity.
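The two checks above can be combined in one envelope. The sketch below is an added example, not code from the original article. A plain checksum can be recomputed by whoever alters the content, so it swaps in a keyed HMAC-SHA256; the key, the 300-second window and the envelope field names are assumptions.

```python
import hashlib
import hmac

# Assumption: a secret provisioned out of band. A key shipped inside a client
# binary can be extracted, so production designs often verify an asymmetric
# signature with an embedded public key instead.
KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300  # assumed freshness window


def _tag(ts: str, body: bytes, key: bytes) -> str:
    # The timestamp is covered by the MAC, so it cannot be refreshed in transit.
    return hmac.new(key, ts.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def seal(body: bytes, now: float, key: bytes = KEY) -> dict:
    """Server side: bind the body to its generation time."""
    ts = str(int(now))
    return {"ts": ts, "tag": _tag(ts, body, key), "body": body.decode()}


def verify(envelope: dict, now: float, key: bytes = KEY) -> str:
    """Client side: return 'ok', 'tampered' or 'stale'."""
    ts, tag, body = (envelope.get(k) for k in ("ts", "tag", "body"))
    if not all(isinstance(v, str) for v in (ts, tag, body)):
        return "tampered"
    try:
        generated = int(ts)
    except ValueError:
        return "tampered"
    expected = _tag(ts, body.encode(), key)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "tampered"  # injected or truncated content
    if abs(now - generated) > MAX_AGE_SECONDS:
        return "stale"     # authentic, but an old copy (e.g. served from a cache)
    return "ok"
```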

Solutions

1. Domain hijacking mitigation

If DNS hijacking is detected, the traditional DNS resolution path is replaced with HttpDNS, which queries a trusted server over HTTP to obtain the correct IP address set.

HttpDNS principle

Instead of using the standard DNS protocol, the client sends an HTTP request to an HttpDNS server, which returns the genuine IP(s). The client can then test the returned IPs for speed and reliability, ensuring the fastest and correct server is used.
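The client-side decision described above, as an added example that is not part of the original article: compare the system resolver's answer with the HttpDNS answer, then pick the fastest reachable trusted address. The JSON reply layout, the function names and the `probe` callable are hypothetical; the addresses are constructed documentation values.

```python
import ipaddress
import json

# Constructed reply; this JSON layout is hypothetical and real services differ.
SAMPLE_REPLY = '{"host": "api.example.com", "ips": ["203.0.113.10", "203.0.113.11"]}'


def parse_httpdns(reply, host):
    """Return the usable addresses an HttpDNS reply lists for `host`."""
    data = json.loads(reply)
    if not isinstance(data, dict) or data.get("host") != host:
        raise ValueError("reply does not describe the requested host")
    usable = []
    for raw in data.get("ips", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed entry
        # Addresses no public service lives at are a sign of a bogus answer.
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
            continue
        usable.append(str(ip))
    if not usable:
        raise ValueError("no usable address in reply")
    return usable


def resolve(host, local_ips, httpdns_reply, probe):
    """Choose the address to connect to.

    local_ips: what the system resolver returned for `host`.
    probe: callable(ip) -> latency in ms, or None if unreachable (assumed helper).
    """
    trusted = parse_httpdns(httpdns_reply, host)
    # No overlap is a signal, not proof: CDNs may answer differently per resolver.
    hijack_suspected = not set(local_ips) & set(trusted)
    reachable = sorted((ms, ip) for ms, ip in ((probe(i), i) for i in trusted)
                       if ms is not None)
    if not reachable:
        raise ConnectionError("no trusted address reachable")
    return {"ip": reachable[0][1], "hijack_suspected": hijack_suspected}
```

Because the reply itself travels over HTTP, it is exposed to the same in-path modification as any other response; fetching it over TLS or authenticating its body closes that gap.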

2. Operator cache handling

Cache mechanisms can be adjusted by adding cache‑control parameters to request URLs, allowing the client to bypass or invalidate malicious caches.

3. Illegal redirection

Implement client‑side whitelist/blacklist policies to block unauthorized redirects.
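A redirect allowlist is easy to get subtly wrong, so here is an added example (not from the original article) of a check that covers the common bypasses: look-alike hosts, userinfo tricks, scheme-relative targets and downgrades to plain HTTP. The allowlist entries and the function name are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for illustration.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}
ALLOWED_SUFFIXES = (".example.com",)  # leading dot prevents "evilexample.com"


def redirect_allowed(location: str, current_url: str) -> bool:
    """Decide whether the client may follow a redirect to `location`."""
    try:
        # Resolve relative and scheme-relative targets against the current page.
        target = urlsplit(urljoin(current_url, location))
        host = (target.hostname or "").rstrip(".").lower()
    except ValueError:
        return False  # unparseable target
    if target.scheme != "https":
        return False  # no downgrade to a channel that can be rewritten in transit
    if target.username or target.password:
        return False  # "https://example.com@other.host/" style confusion
    # Compare the parsed hostname, never a substring of the raw URL.
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)
```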

4. Illegal content insertion

Detect and filter embedded illegal content through content‑security scanning.

More methods

1. Network optimization

2. Hijack logging system

The system collects hijack events from the client, compresses logs to save bandwidth, and uploads them when a stable network (e.g., Wi‑Fi) is available.

Real‑time data detection

The chart shows the number of hijack incidents per interface request over a day, comparing today (blue) with yesterday (orange). Spikes may indicate ISP‑driven DNS manipulation or mass ad injection, which can be identified through log analysis.
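The today-versus-yesterday comparison can be automated over the collected logs. The following is an added example, not the article's system: it computes the hijack rate per hour and per ISP and flags buckets well above yesterday's baseline. The record layout, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed records: (day, hour, isp, requests, hijacks); layout is an assumption.
LOGS = [
    ("yesterday", 9, "isp-a", 1000, 10),
    ("yesterday", 9, "isp-b", 800, 8),
    ("yesterday", 20, "isp-a", 1200, 12),
    ("today", 9, "isp-a", 1000, 11),
    ("today", 9, "isp-b", 900, 90),
    ("today", 20, "isp-a", 1100, 13),
    ("today", 20, "isp-c", 20, 5),
]


def rates(logs, day):
    """Return {(hour, isp): (hijack_rate, requests)} for one day."""
    totals = defaultdict(lambda: [0, 0])
    for d, hour, isp, requests, hijacks in logs:
        if d == day:
            totals[(hour, isp)][0] += requests
            totals[(hour, isp)][1] += hijacks
    return {k: (h / r, r) for k, (r, h) in totals.items() if r}


def spikes(logs, factor=3.0, min_requests=100, floor=0.02):
    """Flag buckets whose rate is at least `factor` times yesterday's.

    `floor` keeps tiny baselines from triggering alerts; `min_requests`
    skips buckets too small to give a meaningful rate.
    """
    today, base = rates(logs, "today"), rates(logs, "yesterday")
    found = []
    for (hour, isp), (rate, requests) in sorted(today.items()):
        if requests < min_requests:
            continue
        baseline = base.get((hour, isp), (0.0, 0))[0]
        if rate >= max(floor, factor * baseline):
            found.append((hour, isp, round(rate, 3), round(baseline, 3)))
    return found
```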

Success rate comparison

The bar chart contrasts total hijack occurrences (white) with successful mitigations after applying anti‑hijack strategies (green). Continuous tuning of these strategies reduces the white area, indicating fewer unresolved hijacks.

Disclaimer: The content is sourced from public internet channels; the author remains neutral and provides it for reference and discussion only. Copyright belongs to the original author or institution. If any infringement occurs, please contact for removal.