Anatomy of a BGP Hijack on Amazon’s Route 53 DNS Service

Posted by on April 24th, 2018

How does one steal cryptocoins? By hacking DNS and BGP—the two cornerstone protocols governing the Internet.

With any cryptographic system, one way to compromise it is to be a man in the middle (MITM) while a transaction is taking place. Both ends of the transaction believe they are talking to the legitimate party at the other end, but in reality a malicious actor sits in the middle and alters the information passing through to their advantage. In the case of cryptocurrency, that information could be the recipient's wallet address (derived from their public key). So instead of your coins going to the intended party, they get diverted to another wallet, and once that transaction is confirmed in the blockchain, it is irreversible. There are no safeguards or central authorities that can override this. That's the reality of cryptocurrencies, but that's a topic for another day.

So how can a malicious actor become a man in the middle? By hijacking two of the cornerstone protocols governing the Internet: DNS and BGP. That is exactly what unfolded on the morning of April 24th, at around 5:00 am PST. The ultimate target in this case is believed to have been a popular crypto wallet app, MyEtherWallet, as reported by security researcher Kevin Beaumont. The collateral-damage victims of the attack were other customers of Amazon's Route 53 DNS service, such as Instagram (as seen in Figure 1 below) and CNN.

DNS errors on HTTP Server Test for Instagram
Figure 1: DNS errors impact availability to Instagram.

The goal of hijacking a DNS service is to alter the domain binding so that resolvers return a spoofed IP address: the address of the man-in-the-middle server. There are two usual ways of doing this: globally, by taking control of an authoritative server (or set of servers) for the domain and altering the binding there, or more regionally, by poisoning the cache entries of recursive resolvers (see a previous ThousandEyes blog post about DNS hijacks for more details). In this case the attacker did neither. Instead they attacked another weak point in the fabric of the Internet, BGP, and used it to redirect resolvers' queries for the real authoritative servers to a server they controlled.

The control plane of the Internet relies on implicit trust: a BGP speaker will generally accept whatever prefixes its neighbors announce. Explicit mechanisms have existed for a while, namely RPKI Route Origin Authorizations (ROAs), which record which AS may originate a prefix and at what maximum prefix length, and Route Origin Validation (ROV), which lets routers drop announcements that contradict a ROA, but neither has been adopted universally. What this means is that it's relatively easy to trick the Internet once you control an ISP's BGP announcements. The attackers in this case found their foothold in a small ISP in Columbus, OH: eNet, also known as XLHost. This ISP is connected to the Equinix fabric, peering at two densely connected exchange points in Ashburn, VA and Chicago, IL. This gave them a large number of adjacent ISPs, two of which accepted the bogus announcements and propagated them across the Internet. While Amazon continued to announce its covering prefix, a more specific prefix——was now visible across parts of the Internet. BGP forwarding uses longest-prefix match: the most specific route to a destination wins regardless of who originated it, so every network that accepted the more-specific route began sending traffic meant for Amazon's DNS servers into the XLHost network.

BGP Route Visualization with new prefixes announced by eNet
Figure 2: announced from eNet to Hurricane Electric and TDS Telecom.
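The two mechanisms at play in the announcement above, longest-prefix match and what RPKI origin validation would have done to it, as an added example (this is not ThousandEyes' code or any router vendor's). The prefixes and AS numbers are constructed from documentation ranges (RFC 5737 addresses, RFC 5398 AS numbers) and are not the ones involved in this incident.

```python
"""Why a more-specific announcement wins, and what Route Origin Validation changes.

Added example, not code from ThousandEyes or from any router vendor.
Prefixes and AS numbers are constructed from documentation ranges
(RFC 5737 addresses, RFC 5398 AS numbers); they are not the ones involved
in the April 2018 incident.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    origin_as: int      # last AS in the AS_PATH, i.e. who claims to originate it
    learned_from: str   # neighbor the route was received from


@dataclass(frozen=True)
class Roa:
    """RPKI ROA: origin_as may announce prefix at any length <= max_length."""
    prefix: IPv4Network
    max_length: int
    origin_as: int


def best_route(rib, dst):
    """Forwarding decision: the longest matching prefix wins (ties ignored here).

    Nothing in this step asks whether origin_as is entitled to the prefix,
    which is exactly the gap a more-specific hijack exploits.
    """
    ip = ipaddress.ip_address(dst)
    matches = [r for r in rib if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def rov_state(route, roas):
    """RFC 6811 origin validation outcome for one route: valid / invalid / not-found."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this space, so ROV cannot judge it
    for roa in covering:
        if route.origin_as == roa.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov(rib, roas):
    """What a network that enforces ROV installs: every 'invalid' route is dropped."""
    return [r for r in rib if rov_state(r, roas) != "invalid"]


# Constructed scenario: the legitimate operator (AS64496) announces a /23 and has
# published a ROA for it with maxLength 23. A hijacker (AS64511) reachable through
# an exchange-point peer announces a /24 carved out of that /23.
LEGIT_AS = 64496
HIJACK_AS = 64511
ROAS = [Roa(IPv4Network("192.0.2.0/23"), 23, LEGIT_AS)]
RIB = [
    Route(IPv4Network("192.0.2.0/23"), LEGIT_AS, "transit-A"),
    Route(IPv4Network("192.0.2.0/24"), HIJACK_AS, "ix-peer-B"),
]
DNS_SERVER = "192.0.2.10"  # an address inside the hijacked /24


def who_receives_traffic(rib, roas=None):
    """Origin AS that ends up receiving packets for DNS_SERVER, with or without ROV."""
    table = rib if roas is None else apply_rov(rib, roas)
    return best_route(table, DNS_SERVER).origin_as


if __name__ == "__main__":
    print("without ROV:", who_receives_traffic(RIB))        # 64511, the hijacker
    print("with ROV:   ", who_receives_traffic(RIB, ROAS))  # 64496, the legitimate origin
    for r in RIB:
        print(r.prefix, "from AS", r.origin_as, "->", rov_state(r, ROAS))
```

Two things worth noting from the run. ROV only helps on networks that actually enforce it; a network that merely computes the state and still installs the invalid route forwards to the hijacker just like one with no RPKI at all. And the ROA's maxLength matters: with maxLength 23 the /24 is invalid even if the hijacker forges the legitimate origin AS in the path, whereas a loose maxLength of 24 would have let that forged more-specific through as valid.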

Sitting in the XLHost data center was a fake DNS server that selectively answered queries for All other requests were silently discarded. Figure 3 shows a ThousandEyes Path Visualization in which some Cloud Agents were unable to reach the real Amazon Route 53 DNS servers, while several other Cloud Agents reached Route 53 and resolved domains just fine: which answer a resolver got depended entirely on whether its path to Route 53 followed the hijacked more-specific route. Note that a spoofed DNS answer on its own does not defeat TLS; the impostor web server still has to present a certificate the browser trusts for the target domain, so certificate warnings remain the user's last line of defense against this kind of redirection.

Network Path Visualization with packet loss and reachability issues
Figure 3: Path Visualization shows reachability issues.

Amazon Route 53 was able to detect and resolve the issue within a couple of hours and restore its DNS service well before any major cascading impact occurred. Some users of MyEtherWallet were not so lucky: reports indicate that over $150,000 in Ethereum was stolen as part of this attack.

BGP hijacks are difficult to prevent without universal deployment of RPKI: the operator of a prefix has to publish ROAs, and, just as importantly, the networks along the path have to enforce ROV and drop invalid announcements. With a ROA in place, a more-specific announcement from a foreign origin AS is classified invalid and dropped by every network that enforces ROV; keep the ROA's maximum length equal to what you actually announce, so that a more-specific is invalid even if the hijacker forges your origin AS. Short of that, hijacks can still be detected and resolved quickly using monitoring services like ThousandEyes. One of our past blog posts reviews some best practices for combating BGP leaks and hijacks. If you offer a digital service online, you can't just rely on your provider to maintain the integrity of your service. You need to monitor your service targets, both the prefixes you announce and the addresses your users reach, from a large enough set of vantage points, like ThousandEyes Cloud Agents, to detect when someone is attempting to hijack your service. Additionally, you need to monitor your DNS provider to ensure that its authoritative servers are reachable and responding with the correct bindings in all geographies, because, as this incident shows, a hijack that affects only some paths produces correct answers from some vantage points and spoofed or missing answers from others. Here are some tips on instrumenting DNS alerts to detect DNS hijack attempts.
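The detection logic the previous paragraph describes, and the partial-visibility pattern from the fake DNS server (correct answers from some vantage points, spoofed answers or silent drops from others), as an added example. This is not ThousandEyes' code and not how its Cloud Agents or alerts are implemented; the expected bindings, prefixes, AS numbers and all observations below are constructed from documentation ranges (RFC 5737 / RFC 5398, example.com).

```python
"""Detecting a DNS/BGP hijack from many vantage points.

Added example, not ThousandEyes' code and not how its Cloud Agents or alerts
are implemented. Expected bindings, prefixes, AS numbers and the observations
below are constructed (RFC 5737 / RFC 5398 documentation ranges, example.com).
"""
import ipaddress

# What "correct" looks like for the service being protected.
EXPECTED_ANSWERS = {
    "ns1.example.com.": {"198.51.100.10"},
    "www.example.com.": {"198.51.100.20", "198.51.100.21"},
}
# Prefix we announce -> AS numbers allowed to originate anything inside it.
MONITORED_PREFIXES = {"198.51.100.0/23": {64496}}

# Constructed DNS observations: (vantage point, qname, answer, or None on timeout).
DNS_OBS = [
    ("ams-1", "www.example.com.", "198.51.100.20"),
    ("sjc-1", "www.example.com.", "198.51.100.21"),
    ("chi-1", "www.example.com.", "203.0.113.7"),   # answered by the impostor
    ("ord-2", "www.example.com.", None),            # impostor silently dropped the query
    ("ord-2", "ns1.example.com.", "198.51.100.10"),
]

# Constructed BGP observations: (route collector, prefix, origin AS).
BGP_OBS = [
    ("collector-a", "198.51.100.0/23", 64496),
    ("collector-b", "198.51.100.0/23", 64496),
    ("collector-b", "198.51.100.0/24", 64511),      # more-specific from a foreign origin
    ("collector-c", "198.51.100.0/24", 64511),
]


def dns_alerts(observations, expected):
    """One alert per vantage point whose answer is missing or not on the allowlist."""
    alerts = []
    for agent, qname, rdata in observations:
        if rdata is None:
            alerts.append((agent, qname, "no-answer"))
        elif rdata not in expected.get(qname, set()):
            alerts.append((agent, qname, "unexpected-answer:" + rdata))
    return alerts


def bgp_alerts(observations, monitored):
    """Flag any route inside a monitored block that comes from an unauthorized
    origin AS, or that is more specific than what we announce ourselves."""
    nets = {ipaddress.ip_network(p): asns for p, asns in monitored.items()}
    alerts = []
    for collector, prefix, origin in observations:
        seen = ipaddress.ip_network(prefix)
        for ours, asns in nets.items():
            if not seen.subnet_of(ours):
                continue
            if origin not in asns:
                alerts.append((collector, prefix, "unexpected-origin:%d" % origin))
            elif seen.prefixlen > ours.prefixlen:
                alerts.append((collector, prefix, "unexpected-more-specific"))
    return alerts


def impacted_fraction(alerts, observations):
    """Share of vantage points reporting at least one problem. Gate paging on this
    so that one flaky agent does not fire the alert but a regional hijack does."""
    all_vps = {o[0] for o in observations}
    bad_vps = {a[0] for a in alerts}
    return len(bad_vps) / len(all_vps) if all_vps else 0.0


def assess(dns_obs=DNS_OBS, bgp_obs=BGP_OBS):
    """Correlate both signals: a route anomaly plus wrong or missing DNS answers
    means the hijacked prefix is actually serving traffic, not just being announced."""
    d = dns_alerts(dns_obs, EXPECTED_ANSWERS)
    b = bgp_alerts(bgp_obs, MONITORED_PREFIXES)
    return {
        "dns_alerts": d,
        "bgp_alerts": b,
        "dns_impacted": impacted_fraction(d, dns_obs),
        "bgp_impacted": impacted_fraction(b, bgp_obs),
        # Threshold of 25% is an arbitrary constructed value; tune to your agent count.
        "likely_hijack": bool(b) and impacted_fraction(d, dns_obs) >= 0.25,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, "=", value)
```

The point of comparing per vantage point rather than once from your own network is visible in the constructed data: two of four agents still get correct answers, so a single probe run from the "right" side of the Internet would have seen nothing wrong. Treating a silent drop as an alert, not just a wrong answer, matters for the same reason; the fake server in this incident discarded everything it was not interested in.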

Start monitoring your BGP prefixes and DNS infrastructure today with a 15 day free trial of ThousandEyes, or request a demo.