Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed
Between 11am and 1pm UTC today, DNS traffic — the phone book of the internet, routing you to your favourite websites — was hijacked by an unknown actor.
The attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic destined for Amazon’s Route 53 DNS service. Amazon is the largest commercial cloud provider and counts major websites such as Twitter.com among its customers.
They re-routed DNS traffic in a man-in-the-middle attack, using a server at Equinix in Chicago.
From there, they served traffic for over two hours.
This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.
The first target
So far the only website known to have had its traffic redirected is MyEtherWallet.com, a cryptocurrency website. Its traffic was redirected to a server hosted in Russia, which served the website using a fake certificate — the attackers also stole the cryptocoins of customers. The attackers only gained a relatively small amount of currency from MyEtherWallet.com; however, their wallets in total already contained over £20m of currency. Whoever the attackers were, they are not poor.
The only target?
Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resources to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, given such levels of access. Additionally, the attackers failed to obtain a valid SSL certificate while man-in-the-middle attacking the traffic — a very easy process — which is what alerted people to the issue at scale.
What this highlights
The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security.
It also highlights how almost nobody noticed until the attack stopped. There is a blind spot.
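One way to close that blind spot is to watch the routing table for your DNS provider's address space. The following is an added example, not code from the original post or from Amazon: a minimal origin-hijack check that compares observed BGP announcements against a baseline of the expected origin AS and flags exact-prefix and more-specific announcements from anyone else. All prefixes, AS numbers and timestamps in it are constructed placeholders, not the incident's real values.

```python
# Added example, not from the original post: a minimal BGP origin-hijack check
# of the kind that would have surfaced a Route 53 prefix hijack as it began.
# It compares observed announcements (as seen on a route collector) against a
# baseline of the origin AS expected for the provider's prefixes. All prefixes
# and AS numbers here are constructed placeholders, not the incident's values.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str      # announced prefix, e.g. "203.0.113.0/24"
    origin_as: int   # last AS in the AS_PATH, i.e. the claimed originator
    seen_at: str     # collector timestamp (constructed)

# Baseline: prefixes the DNS provider legitimately announces and the origin AS
# they should come from (constructed values).
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/23"): 64500,
}

def classify(ann):
    """Return None if the announcement matches the baseline, else a reason."""
    net = ipaddress.ip_network(ann.prefix)
    for expected_net, expected_as in EXPECTED_ORIGIN.items():
        if net.version != expected_net.version:
            continue
        # Exact prefix from the wrong origin: a classic origin hijack.
        if net == expected_net and ann.origin_as != expected_as:
            return f"origin hijack: {ann.prefix} from AS{ann.origin_as}, expected AS{expected_as}"
        # A more-specific sub-prefix wins longest-prefix match, so it diverts
        # traffic even while the legitimate announcement is still present.
        if net != expected_net and net.subnet_of(expected_net):
            if ann.origin_as != expected_as:
                return f"more-specific hijack: {ann.prefix} inside {expected_net} from AS{ann.origin_as}"
            return f"unexpected more-specific: {ann.prefix} inside {expected_net} from AS{expected_as}"
    return None

def find_hijacks(announcements):
    """Scan a batch of announcements; return (announcement, reason) for flagged ones."""
    return [(a, r) for a in announcements if (r := classify(a))]

if __name__ == "__main__":
    # Constructed feed: one legitimate route, then a /25 carved out by a rogue AS.
    feed = [Announcement("203.0.113.0/24", 64500, "2018-04-24T10:55:00Z"),
            Announcement("203.0.113.0/25", 64511, "2018-04-24T11:02:00Z")]
    for ann, why in find_hijacks(feed):
        print(ann.seen_at, why)
```

In practice the announcement stream would come from a public route collector or your own BGP sessions, and a hit should page someone before the two hours are up.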
InfoSec, from the trenches of reality. Email firstname.lastname@example.org | Twitter: @gossithedog.