[dns-operations] BGP Hijack of Amazon DNS

Jimmy Hess mysidia at gmail.com
Fri Apr 27 12:06:29 UTC 2018

On Thu, Apr 26, 2018 at 1:30 PM, bert hubert <bert.hubert at powerdns.com> wrote:
> Another important thing is that even a brief BGP hijack of DNS *persists*.
> A 5 minute takeover can poison people's caches for a day or more.

Yes;  lack of DNSSEC implementation exacerbates risk by allowing the
affect of attack to linger beyond the initial BGP hijacking -- the bogus DNS
answers can give a  48 hour to 1 week or  1 month TTL,  and some
nameservers may honor the extended TTL and cache certain replies for weeks.

The implementation of TLS + DNSSEC + TLSA certificate pinning should do
a very large amount to dissuade attacks of that nature intended to intercept
traffic --  eliminating the motive for BGP Hijacking,  since the impact is
reduced closer to that of other temporarily-sustainable DoS attacks
such as spoofed UDP amplification floods, which have comparable
outcome and require fewer resources be sacrificed and
lower sophistication /  likely much cheaper for bad-do'ers to
implement than BGP hijacking.


More information about the dns-operations mailing list