[dns-operations] BGP Hijack of Amazon DNS

Jared Mauch jared at puck.nether.net
Fri Apr 27 16:59:47 UTC 2018

> On Apr 27, 2018, at 11:51 AM, Paul Ebersman <list-dns-operations at dragon.net> wrote:
> ebersman> A rather crucial point... If I'm going to cache poison, I'm
> ebersman> going to set really really large TTLs on the bad records.
> tale> Yes and no.
> tale> If I'm doing a well-informed spear phishing attack, I'm going to
> tale> put a really short TTL on address records, so any evidence will
> tale> quickly expire from the cache and likely be much harder or even
> tale> impossible to find elsewhere.
> Fair enough. Depends on the goal of the attack. Though it sounds like
> this wasn't all that well informed, as it required users to be oblivious
> to warnings. Which isn't *always* a given. ;)
> But there are certain attacks where having fake auth servers and cache
> poisoning makes it much more effective and DNSSEC is a good defense
> against cache poisoning.
> Point still is defense in depth isn't a waste of time.


I’m surprised they didn’t just use ACME to get a real certificate.

- Jared

More information about the dns-operations mailing list