BGP Hijack of Amazon DNS to Steal Crypto Currency

April 25, 2018 Doug Madory

Yesterday morning we posted a tweet (below) that Amazon’s authoritative DNS service had been impacted by a routing (BGP) hijack. Little did we know this was part of an elaborate scheme to use the inherent security weaknesses of DNS and BGP to pilfer cryptocurrency, but that remarkable scenario appears to have taken place.

BGP hijack this morning affected Amazon DNS. eNet (AS10297) of Columbus, OH announced the following more-specifics of Amazon routes from 11:05 to 13:03 UTC today:
205.251.192.0/24
205.251.193.0/24
205.251.195.0/24
205.251.197.0/24
205.251.199.0/24

— InternetIntelligence (@InternetIntel) April 24, 2018

After posting the hijack tweet, I observed reports of a DNS hijack relating to the cryptocurrency website myetherwallet.com and thought the two things might be related:

Maybe related to this: https://t.co/6dOrmEuRAz

— Doug Madory (@DougMadory) April 24, 2018

Sure enough, it appears that eNet/XLHost (AS10297) suffered a breach enabling attackers to impersonate Amazon’s authoritative DNS service. These attackers used AS10297 to announce five routes used by Amazon’s DNS:

205.251.192.0/24 Amazon.com, Inc.
205.251.193.0/24 Amazon.com, Inc.
205.251.195.0/24 Amazon.com, Inc.
205.251.197.0/24 Amazon.com, Inc.
205.251.199.0/24 Amazon.com, Inc.

As depicted above, these BGP routes weren’t globally routed. In fact, only a little more than 15% of our BGP sources had them in their tables. However, the users of networks that accepted the hijacked routes (evidently including Google’s recursive DNS service) sent their DNS queries to an imposter DNS service embedded within AS10297. If these users attempted to visit myetherwallet.com, the imposter DNS service wouldn’t direct them to Amazon Web Services (which normally hosts the site), but to a set of Russian IP addresses, according to Cloudflare. Note that users did need to click through certificate failure alerts in their browsers, but that didn’t stop many users.

Within a couple of hours, MyEtherWallet had issued an announcement acknowledging that many of the users of their cryptocurrency service had been redirected to a fraudulent site (albeit incorrectly assigning blame to hijack of Google DNS instead of Amazon DNS):

Correction: the BGP hijack this morning was against AWS DNS not Google DNS. https://t.co/gp3VLbImpX

— InternetIntelligence (@InternetIntel) April 24, 2018

Conclusion

This attack abused the trust-based nature of BGP to subvert Amazon’s DNS. It then abused the trust-based nature of DNS to direct users to a malicious website in Russia primed and ready to take their cryptocurrency.

Despite proposed technical fixes to secure BGP and DNS, it would appear that we presently have no way to completely prevent this from happening again. However, an idea worth considering comes from Job Snijders of NTT, who proposes that major DNS authoritative services offer RPKI for origin validation of their routes. This would enable ASes and IXP route servers to drop invalid routes like the ones used to impersonate Amazon’s DNS yesterday.
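To show what that origin validation decision would look like, here is an added example (not code from this post or from any RPKI implementation) of the RFC 6811 route origin validation logic applied to the five hijacked more-specifics. The ROA is constructed for illustration: it assumes a single ROA for 205.251.192.0/21 with maxLength 21 and Amazon’s origin AS taken as AS16509 (that ASN is not stated in the post); the hijacker’s origin AS10297 and the /24 prefixes are the ones reported above.

```python
from ipaddress import ip_network

# Constructed ROA set: (prefix, maxLength, authorized origin AS).
# Assumes AS16509 is the legitimate Amazon origin (not stated in the post).
ROAS = [
    ("205.251.192.0/21", 21, 16509),
]

# The five more-specifics announced by AS10297 during the hijack.
HIJACK_ANNOUNCEMENTS = [
    ("205.251.192.0/24", 10297),
    ("205.251.193.0/24", 10297),
    ("205.251.195.0/24", 10297),
    ("205.251.197.0/24", 10297),
    ("205.251.199.0/24", 10297),
]


def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: Valid, Invalid or NotFound."""
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ip_network(roa_prefix)
        # A ROA "covers" a route when the route lies inside the ROA prefix,
        # regardless of maxLength or origin AS.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA "matches" only if the announced length is within
        # maxLength and the origin AS is the authorized one.
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "Valid"
    # Covered by at least one ROA but matched by none -> Invalid.
    return "Invalid" if covered else "NotFound"


def check_hijack(announcements=HIJACK_ANNOUNCEMENTS, roas=ROAS):
    """Return {prefix: validity state} for each announcement."""
    return {p: validate(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    for prefix, state in check_hijack().items():
        print(f"{prefix} origin AS10297 -> {state}")
```

Every hijacked /24 comes back Invalid, because the ROA covers them but AS10297 is not the authorized origin; note that with maxLength 21 even a /24 originated by AS16509 itself would be Invalid, so the ROA must permit any more-specifics the legitimate operator intends to announce.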

If attacks like these can be done with impunity and for profit, we can expect more to come.


About the Author

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest on submarine cables.
