[dns-operations] BGP Hijack of Amazon DNS

[Paul Wouters]

On Wed, 25 Apr 2018, Eduardo Duarte wrote:

> I have seen discussions about the problem that happen last Tuesday in several blogs and lists but none in this list.
> Some examples of the discussion are the 2 following (no special affiliation with none, just the last 2 post that I
> read)
> https://blogs.oracle.com/internetintelligence/bgp-hijack-of-amazon-dns-to-steal-crypto-currency
> https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/
> 
> So what does the persons on the list think? Is this the event that DNSSEC (and RPKI) need to start to be more
> mainstream?

While I'm the first to say dnssec would have helped, in this case that
is only true because of the nature of the attack.

I am still confused why this attack took over the DNS IP ranges via BGP
instead of just targetting the webserver IP range itself. If the
webserver IP range was hijacked, no DNS lying was required to get people
to end up on the rogue webserver. Perhaps the attackers thought they
could prolong their attack with DNS TTL's more then keep the hijacked
web IP address range under their BGP control?

Additionally, it would not have needed to change DNS to get an ACME
based certificate issued so DNSSEC would not have helped in that case.

That said, if TLSA records were used, and those were DNSSEC signed, then
the attacker would gain nothing even with such a rogue certificate. They
would have needed the DNSSEC private keys to sign new the TLSA records.

In short, DNSSEC protection for A/AAAA records is not very useful since
other attacks can take the IP. But pinning certificates with DNSSEC
using TLSA and draft-ietf-tls-dnssec-chain-extension would indeed have
made any BGP hijacking a failure to get users to connect to the site[*]

Paul
[*] unless this is enforced with soft-fail and users bypass the Red Alert.