BGP Hijack of Amazon DNS to Steal Crypto Currency

Doug Madory
Director of Internet Analysis

Yesterday morning we posted a tweet (below) that Amazon’s authoritative DNS service had been impacted by a routing (BGP) hijack.  Little did we know this was part of an elaborate scheme to use the inherent security weaknesses of DNS and BGP to pilfer crypto currency, but that remarkable scenario appears to have taken place.

II Amazon hijack tweet

After posting the hijack tweet, I observed reports of a DNS hijack relating to the cryptocurrency website and thought the two things might be related:

Doug Madory reply tweet

Sure enough, it appears that eNet/XLHost (AS10297) suffered a breach enabling attackers to impersonate Amazon’s authoritative DNS service.  These attackers used AS10297 to announce five routes used by Amazon’s DNS:, Inc., Inc., Inc., Inc., Inc.

As depicted above, these BGP routes weren’t globally routed.  In fact, only a little more than 15% of our BGP sources had them in their tables.  However, the users of networks that accepted the hijacked routes (evidently including Google’s recursive DNS service) sent their DNS queries to an imposter DNS service embedded within AS10297.  If these users attempted to visit, the imposter DNS service wouldn’t direct them to Amazon Web Services (which normally hosts the site), but to a set of Russian IP addresses, according to CloudFlare. Note that users did need to click through cert failure alerts in their browsers, but that didn’t stop many users.

Within a couple of hours, MyEtherWallet had issued an announcement acknowledging that many of the users of their cryptocurrency service had been redirected to a fraudulent site (albeit incorrectly assigning blame to hijack of Google DNS instead of Amazon DNS):

II correction tweet


This attack abused the trust-based nature of BGP to subvert Amazon’s DNS.  It then abused the trust-based nature of DNS to direct users to a malicious website in Russia primed and ready to take their crypto currency.

Despite proposed technical fixes to secure BGP and DNS, it would appear that we presently have no way to completely prevent this from happening again. However, an idea worth considering comes from Job Snijders of NTT who proposes that major DNS authoritative services offer RPKI for origin validation of their routes. This would enable ASes and IXP route servers to drop invalid routes like the ones used to impersonate Amazon’s DNS yesterday.

If attacks like these can be done with impunity and for profit, we can expect more to come.




Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha