Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed

Between 11am and 1pm UTC today, DNS traffic — the phone book of the internet, routing you to your favourite websites — was hijacked by an unknown actor.


The attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic destined for Amazon’s Route 53 DNS service. Amazon is the largest commercial cloud provider and counts major websites such as Twitter.com among its customers.

They re-routed DNS traffic using a man-in-the-middle attack via a server at Equinix in Chicago.

From there, they served traffic for over two hours.


This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.

The first target

So far the only known website to have had its traffic redirected is MyEtherWallet.com, a cryptocurrency website. This traffic was redirected to a server hosted in Russia, which served the website using a fake certificate — they also stole the cryptocoins of customers. The attackers only gained a relatively small amount of currency from MyEtherWallet.com — however their wallets in total already contained over £20m of currency. Whoever the attackers were, they are not poor.

Source: Oracle Threat Intelligence

The only target?

Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resources to deal with so much DNS traffic. It seems unlikely that MyEtherWallet.com was the only target, given that level of access. Additionally, the attackers failed to obtain a valid SSL certificate while man-in-the-middle attacking the traffic — a very easy process — which alerted people to the issue at scale.

What this highlights

The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security.

It also highlights how almost nobody noticed until the attack stopped. There is a blind spot.
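Closing that blind spot is a monitoring problem. What follows is an added example, not code from this post: a small Python monitor, run over constructed route announcements and resolver answers, that flags the two signals described above, a monitored prefix (or a more-specific of it) announced from an unexpected origin ASN, and a zone resolving to addresses outside its expected ranges. The prefixes and ASNs are documentation values, not Amazon’s.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values from the RFC 5737 / RFC 5398 documentation ranges,
# standing in for a DNS provider's real prefixes and origin ASN.
MONITORED_PREFIXES = {ipaddress.ip_network("203.0.113.0/24"): 64500}
EXPECTED_ANSWER_RANGES = {"example.com": [ipaddress.ip_network("198.51.100.0/24")]}


@dataclass(frozen=True)
class RouteUpdate:
    prefix: str      # announced prefix as seen at a route collector
    origin_asn: int  # last ASN in the AS path (the claimed originator)


def check_routes(updates):
    """Return (prefix, seen_asn, expected_asn) for every announcement that
    covers a monitored prefix, exactly or as a more-specific, from an ASN other
    than the expected origin. A more-specific wins longest-prefix matching, so
    it steals traffic even while the legitimate announcement is still present."""
    alerts = []
    for upd in updates:
        net = ipaddress.ip_network(upd.prefix)
        for monitored, expected in MONITORED_PREFIXES.items():
            if (net.version == monitored.version and net.subnet_of(monitored)
                    and upd.origin_asn != expected):
                alerts.append((upd.prefix, upd.origin_asn, expected))
    return alerts


def check_answers(observations):
    """Return (name, address) for every resolver answer outside the ranges the
    zone is expected to return. Feed it answers from several vantage points:
    a BGP hijack is regional, so only some resolvers see the poisoned answers."""
    alerts = []
    for name, addr in observations:
        allowed = EXPECTED_ANSWER_RANGES.get(name)
        if allowed and not any(ipaddress.ip_address(addr) in rng for rng in allowed):
            alerts.append((name, addr))
    return alerts


# Constructed sample feed: the legitimate /24, then a more-specific /25 from another ASN.
SAMPLE_ROUTES = [RouteUpdate("203.0.113.0/24", 64500), RouteUpdate("203.0.113.0/25", 64511)]
# Constructed resolver observations: one in range, one pointing somewhere else.
SAMPLE_ANSWERS = [("example.com", "198.51.100.10"), ("example.com", "192.0.2.77")]


def run_monitor():
    return {"bgp": check_routes(SAMPLE_ROUTES), "dns": check_answers(SAMPLE_ANSWERS)}


if __name__ == "__main__":
    for kind, hits in run_monitor().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

In practice the route feed comes from a looking glass or route collector and the answers from resolvers in different regions; the checks themselves do not change.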


By Kevin Beaumont

InfoSec, from the trenches of reality. Email kevin.beaumont@gmail.com | Twitter: @gossithedog

Source: https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f
