[dns-operations] BGP Hijack of Amazon DNS
Jimmy Hess
mysidia at gmail.com
Fri Apr 27 12:06:29 UTC 2018
On Thu, Apr 26, 2018 at 1:30 PM, bert hubert <bert.hubert at powerdns.com> wrote:
>...
> Another important thing is that even a brief BGP hijack of DNS *persists*.
> A 5 minute takeover can poison people's caches for a day or more.
>
Yes; lack of DNSSEC implementation exacerbates risk by allowing the
effect of the attack to linger beyond the initial BGP hijacking -- the bogus DNS
answers can give a 48 hour to 1 week or 1 month TTL, and some
nameservers may honor the extended TTL and cache certain replies for weeks.
The implementation of TLS + DNSSEC + TLSA certificate pinning should do
a very large amount to dissuade attacks of that nature intended to intercept
traffic -- eliminating the motive for BGP hijacking, since the impact is
reduced closer to that of other temporarily-sustainable DoS attacks
such as spoofed UDP amplification floods, which have a comparable
outcome, require fewer resources to be sacrificed, and demand
lower sophistication, likely much cheaper for bad-doers to
implement than BGP hijacking.
--
-JH
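The cache-persistence point made in the thread, as an added example that is not part of the original posts: a toy resolver cache in Python shows why a 5 minute hijack that hands out a one-week TTL keeps being served long after routing is restored, and how a resolver-side maximum cache TTL (the `max_cache_ttl` knob here is a stand-in for the equivalent setting in real resolvers, not any product's actual option name) bounds that persistence. The name and address are constructed.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
WEEK = 7 * DAY
HIJACK_LEN = 300          # the 5 minute takeover mentioned in the thread
BOGUS_TTL = WEEK          # TTL the hijacked authority puts on the forged answer


@dataclass
class Answer:
    name: str
    rdata: str
    ttl: int          # TTL as sent by the (possibly hijacked) authority
    received_at: int  # epoch seconds when the resolver received it


class ResolverCache:
    """Minimal cache; max_cache_ttl models the resolver's TTL cap (assumed knob)."""

    def __init__(self, max_cache_ttl: int = WEEK):
        self.max_cache_ttl = max_cache_ttl
        self._store: dict[str, tuple[str, int]] = {}  # name -> (rdata, expires_at)

    def insert(self, a: Answer) -> int:
        """Store the answer with its TTL clamped to the cap; return the effective TTL."""
        ttl = min(a.ttl, self.max_cache_ttl)
        self._store[a.name] = (a.rdata, a.received_at + ttl)
        return ttl

    def lookup(self, name: str, now: int) -> Optional[str]:
        """Return cached rdata, or None once expired (which forces a fresh query)."""
        entry = self._store.get(name)
        if entry is None or now >= entry[1]:
            self._store.pop(name, None)
            return None
        return entry[0]


def poison_persistence(max_cache_ttl: int, bogus_ttl: int = BOGUS_TTL,
                       hijack_len: int = HIJACK_LEN) -> int:
    """Seconds the forged answer is still served after the hijack ends.

    The resolver learns the bogus record at t=0 during the hijack; the real
    authority is reachable again at t=hijack_len, but it is not asked anything
    until the cached record expires.
    """
    cache = ResolverCache(max_cache_ttl)
    bogus = Answer("example.test", "198.51.100.1", bogus_ttl, received_at=0)  # constructed
    return max(0, cache.insert(bogus) - hijack_len)


if __name__ == "__main__":
    print(poison_persistence(WEEK) // DAY, "days of poison with no cap")      # 6
    print(poison_persistence(DAY) // 3600, "hours of poison with a 1 day cap")  # 23
```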