[dns-operations] BGP Hijack of Amazon DNS

Phillip Hallam-Baker phill at hallambaker.com
Sat Apr 28 15:00:22 UTC 2018


On Thu, Apr 26, 2018 at 11:45 AM, Paul Wouters <paul at cypherpunks.ca> wrote:

> On Wed, 25 Apr 2018, Eduardo Duarte wrote:
>
> I have seen discussions about the problem that happen last Tuesday in
>> several blogs and lists but none in this list.
>> Some examples of the discussion are the 2 following (no special
>> affiliation with none, just the last 2 post that I
>> read)
>> https://blogs.oracle.com/internetintelligence/bgp-hijack-of-
>> amazon-dns-to-steal-crypto-currency
>> https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/
>>
>> So what does the persons on the list think? Is this the event that DNSSEC
>> (and RPKI) need to start to be more
>> mainstream?
>>
>
> While I'm the first to say dnssec would have helped, in this case that
> is only true because of the nature of the attack.
>
> I am still confused why this attack took over the DNS IP ranges via BGP
> instead of just targetting the webserver IP range itself. If the
> webserver IP range was hijacked, no DNS lying was required to get people
> to end up on the rogue webserver. Perhaps the attackers thought they
> could prolong their attack with DNS TTL's more then keep the hijacked
> web IP address range under their BGP control?
>
>
​I have been thinking about that. The answer is probably that it is much
easier to replace the DNS server than the web sites it points to. The
attackers were trying to target their attack on the one site so as to limit
the fallout.

AWS may be doing anycast on their DNS which would mean it is in a different
address block and the appearance of an alternative route is less surprising
to operators. ​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180428/84e26a40/attachment.html>


More information about the dns-operations mailing list