[dns-operations] BGP Hijack of Amazon DNS

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 26 18:11:15 UTC 2018



> On Apr 26, 2018, at 11:45 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> 
> While I'm the first to say dnssec would have helped, in this case that
> is only true because of the nature of the attack.
> 
> I am still confused why this attack took over the DNS IP ranges via BGP
> instead of just targeting the webserver IP range itself. If the
> webserver IP range was hijacked, no DNS lying was required to get people
> to end up on the rogue webserver. Perhaps the attackers thought they
> could prolong their attack with DNS TTLs more than keep the hijacked
> web IP address range under their BGP control?

Perhaps the crypto-currency theft is a distraction, and the attack is
a dry run for more ambitious variants in the future.

> In short, DNSSEC protection for A/AAAA records is not very useful since
> other attacks can take the IP.

For just a single target, yes, integrity protection of the IP address
is not a strong defense, though poisoning lots of caches can certainly
amplify the breadth of the attack to reach end-users who are not directly
affected by the BGP route injection.

What's interesting to me here is that hijacking the routes to a DNS-hosting
provider for a large number of domains enables attacks that then compromise
many target domains that would be more difficult to compromise collectively
via BGP alone.

While integrity protection of IP information does not close all the attack
vectors, it is IMHO likely to nevertheless prove useful as one of many
defensive counter-measures.

[ My DANE survey database now has 6 million DNSSEC signed domains, up from
  5.2 million in March.  Some of that is more input domains to check, but
  there are also many domains that were recently signed. ]

-- 
	Viktor.
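The thread discusses BGP route injection against a DNS provider's prefixes but not the routing-side defence against it. The following is an added example, not code from the thread or its authors: a small RPKI route-origin validation (RFC 6811) classifier run over constructed ROAs and announcements, going beyond the thread to show what such a hijack looks like to a validating router and where ROV still falls short. All prefixes and ASNs are constructed placeholders, not Amazon's real allocations.

```python
"""Route-origin validation (RFC 6811) over constructed sample data.

Added example for the dns-operations thread; the prefixes and ASNs are
constructed placeholders and do not describe any real network.
"""
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # address space the ROA covers, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # AS authorised to originate that space


def validate_origin(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # nobody has published a ROA for this space
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin or too specific


def classify(announcements, roas):
    """Map each (prefix, origin ASN) announcement to its ROV state."""
    return {ann: validate_origin(ann[0], ann[1], roas) for ann in announcements}


# Constructed data: AS64500 is the placeholder DNS-hosting provider,
# AS64666 the placeholder hijacker. The ROA permits only the exact /24.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 64500)]
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate announcement
    ("203.0.113.0/24", 64666),   # hijack with the attacker's own origin
    ("203.0.113.0/25", 64500),   # more-specific than maxLength allows
    ("198.51.100.0/24", 64666),  # space with no ROA: ROV cannot judge it
]

if __name__ == "__main__":
    for ann, state in classify(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{ann[0]:<18} AS{ann[1]:<6} {state}")
```

The last case is the important caveat: without a ROA the announcement is merely "not-found", and an attacker who forges the legitimate origin ASN at the end of the AS path produces a "valid" result, so ROV complements rather than replaces DNSSEC on the name-resolution side.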