There are a lot of people who don’t think of DNS as a target for a possible hack, so a lot of DNS entries aren’t really protected well. There are even more people who don’t even know what DNS is. But last week a major DNS hijack took place, and it was unnoticed for several hours.
What is DNS
When you browse the internet you use domain names to visit your favorite websites. However, the internet doesn’t know what domain goes to what server. The domain names are just human-readable addresses so we can use them every day and remember them. However, the internet works with IP addresses. This means that every domain name needs to be translated to a unique IP number. An example of this is Google.com; Everybody knows Google.com, but if you paste: 18.104.22.168 in your browser you also end up at Google.com. The DNS makes sure that Google.com points to 22.214.171.124.
So DNS servers match domain names to their associated IP addresses. When you type a domain name into your browser, your computer contacts your current DNS server and asks what IP address is associated with the domain name. Your computer then connects to the IP address and retrieves the right web page for you.
So what happened during the hack?
During the attack, the hijackers used the BGP protocol to reroute the traffic to Amazon’s Route 53 service. They rerouted the DNS using a man in the middle attack from a server hosted in Equinix in Chicago. From that moment on they were able to intercept all traffic going to the Amazon cloud service. While they could theoretically reroute a lot of websites the attack was only targetting a cryptocurrency website named MyEtherWallet.com. All the traffic to this website got rerouted to a server in Russia.
During this attack people who visited the website got on the Russian server and didn’t know they didn’t arrive on the real website. The Russian server was using a Fake SSL certificate making sure none of the people would notice the difference. During the hijack, the attackers stole the bitcoin transactions that were made during the time window of the hack, however, this was only a small amount of bitcoins. When we take a look a the wallet used to transfer the stolen money to we notice that it already had more then 20.000.000 euro’s in it. This means the attackers aren’t poor, and it’s strange they did such small attack since they had the funds to do something way bigger.
The attack is very strange. It’s not strange on what they did or how they did it, but the scale of the attack is strange. An attack as they did requires a lot of time, resources, and money. For this attacked they needed access to BGP routers from a lot of ISP and they needed enough CPU power to handle the major amount of DNS request that would come in. So when you have that level of control for two hours, why only attack a small website like MyEthernetWallet.com. Many big websites and organizations like banks use Amazon, the attack could have been much bigger, but they kept the DNS to all websites as it should be, and only targetted one site. Its unlikely they got any profit out of this attack.
Equinix provided the following public statement about the attack:
The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers. Equinix is in the primary business of providing space, power and a secure interconnected environment for our more than 9800 customers inside 200 data centers around the world. We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment. Our role is to provide the best environment possible for our customers to transform their business. Through our blog and other customer resources, we offer best practices and advice for our customers on a variety of topics related to their digital infrastructure deployment including security.
Amazon provided the following public statement:
This issue was caused by a problem with a third-party Internet provider. The issue has been resolved and the service is operating normally.
What to do now?
The security issues with the BGP protocol or with DNS are widely known for years. We saw attacks like this in the past also. This attack clearly shows how vulnerable the basis of the internet has become. However, DNS and BGP keep being left out with a lot of security measures. And this attack clearly shows that its time to change this.