
BGP Hijack of Amazon DNS to Steal Crypto Currency

Yesterday morning we posted a tweet (below) that Amazon’s authoritative DNS service had been impacted by a routing (BGP) hijack. Little did we know this was part of an elaborate scheme to use the inherent security weaknesses of DNS and BGP to pilfer cryptocurrency, but that remarkable scenario appears to have taken place.

After posting the hijack tweet, I observed reports of a DNS hijack relating to the cryptocurrency website and thought the two things might be related:

Sure enough, it appears that eNet/XLHost (AS10297) suffered a breach enabling attackers to impersonate Amazon’s authoritative DNS service.  These attackers used AS10297 to announce five routes used by Amazon’s DNS:, Inc., Inc., Inc., Inc., Inc.

As depicted above, these BGP routes weren’t globally routed.  In fact, only a little more than 15% of our BGP sources had them in their tables.  However, the users of networks that accepted the hijacked routes (evidently including Google’s recursive DNS service) sent their DNS queries to an imposter DNS service embedded within AS10297.  If these users attempted to visit, the imposter DNS service wouldn’t direct them to Amazon Web Services (which normally hosts the site), but to a set of Russian IP addresses, according to CloudFlare. Note that users did need to click through cert failure alerts in their browsers, but that didn’t stop many users.
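The observation above, that only a little more than 15% of BGP vantage points carried the hijacked routes, is exactly the kind of signal a route-monitoring system is built to surface: for each prefix, tally which origin AS each collector peer sees and flag any origin the prefix owner is not known to announce, together with how much of the Internet accepted it. The following Python is an added illustration written for this article, not Dyn's monitoring code; the RIB snapshot is constructed (documentation prefix 192.0.2.0/24, private-range ASNs 64500 and above for the legitimate origin and transit, and AS10297 from the article as the unexpected origin), and the 17/3 split of peers is chosen to reproduce a 15% visibility figure.

```python
from collections import defaultdict

# Constructed assumption: the prefix owner is known to originate this prefix only from AS64500.
EXPECTED_ORIGINS = {"192.0.2.0/24": {64500}}


def make_sample_rib():
    """Constructed snapshot of what 20 route-collector peers hold for one prefix.

    Each entry is (peer_name, prefix, as_path). 17 peers carry the legitimate
    route (origin AS64500); 3 peers accepted a route originated by AS10297.
    """
    rib = []
    for i in range(17):
        rib.append((f"peer{i:02d}", "192.0.2.0/24", [64520 + i, 64510, 64500]))
    for i in range(17, 20):
        rib.append((f"peer{i:02d}", "192.0.2.0/24", [64520 + i, 10297]))
    return rib


def origin_visibility(rib):
    """Map prefix -> {origin_as: set of peers that see that origin}.

    The origin AS is the rightmost ASN in the AS path.
    """
    vis = defaultdict(lambda: defaultdict(set))
    for peer, prefix, path in rib:
        vis[prefix][path[-1]].add(peer)
    return vis


def flag_unexpected_origins(rib, expected):
    """Return one alert per (prefix, origin) pair whose origin is not expected.

    `fraction` is the share of peers that hold any route for the prefix and
    are carrying the unexpected origin, i.e. how far the bad route propagated.
    """
    alerts = []
    for prefix, by_origin in origin_visibility(rib).items():
        all_peers = set().union(*by_origin.values())
        for origin, peers in by_origin.items():
            if origin in expected.get(prefix, set()):
                continue
            alerts.append({
                "prefix": prefix,
                "origin_as": origin,
                "peers": len(peers),
                "fraction": len(peers) / len(all_peers),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_origins(make_sample_rib(), EXPECTED_ORIGINS):
        print(f"{alert['prefix']} originated by AS{alert['origin_as']} "
              f"at {alert['peers']} peers ({alert['fraction']:.0%} of visibility)")
```

Two points follow from the numbers. A route that reaches only a minority of vantage points still warrants an alert, because the users behind that minority (here, evidently including a large public resolver) are fully affected. And origin-based checks like this one, as well as RPKI origin validation, only see hijacks that change the origin ASN; an attacker who forges the AS path to end in the legitimate origin would need path-level comparison to detect.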

Within a couple of hours, MyEtherWallet had issued an announcement acknowledging that many of the users of their cryptocurrency service had been redirected to a fraudulent site (albeit incorrectly assigning blame to hijack of Google DNS instead of Amazon DNS):


This attack abused the trust-based nature of BGP to subvert Amazon’s DNS. It then abused the trust-based nature of DNS to direct users to a malicious website in Russia primed and ready to take their cryptocurrency.

Despite proposed technical fixes to secure BGP and DNS, it would appear that we presently have no way to completely prevent this from happening again. However, an idea worth considering comes from Job Snijders of NTT who proposes that major DNS authoritative services offer RPKI for origin validation of their routes. This would enable ASes and IXP route servers to drop invalid routes like the ones used to impersonate Amazon’s DNS yesterday.
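To make concrete what the RPKI proposal above would do at an AS border or an IXP route server, here is a small Route Origin Validation (ROV) implementation in Python following the three-state logic of RFC 6811: a route is "valid" if some ROA covering the prefix authorises its origin AS at that prefix length, "invalid" if ROAs cover the prefix but none match, and "notfound" if no ROA covers it. This is an added example written for this article, not code from Dyn, NTT or any RPKI validator; the ROAs and announcements are constructed from documentation prefixes, with private-range AS64500 standing in for the legitimate origin and AS10297 from the article as the hijacking origin.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: `origin_as` may originate `prefix` and any
    more-specific of it up to `max_length` bits."""
    prefix: str
    max_length: int
    origin_as: int


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def covering_roas(roas, prefix):
    """ROAs whose prefix covers `prefix` (same address family, announced
    network contained in the ROA network)."""
    net = _net(prefix)
    return [r for r in roas
            if _net(r.prefix).version == net.version and net.subnet_of(_net(r.prefix))]


def validate_origin(roas, prefix, origin_as):
    """RFC 6811 validation state for a route: 'valid', 'invalid' or 'notfound'."""
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    plen = _net(prefix).prefixlen
    for r in covering:
        if r.origin_as == origin_as and plen <= r.max_length:
            return "valid"
    return "invalid"


def filter_routes(roas, announcements, drop_invalid=True):
    """Policy proposed in the article: accept valid and notfound routes,
    drop invalid ones. Returns the accepted (prefix, origin_as, state) tuples."""
    accepted = []
    for prefix, origin in announcements:
        state = validate_origin(roas, prefix, origin)
        if state == "invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin, state))
    return accepted


# Constructed ROAs (assumed): AS64500 owns 192.0.2.0/23 and may announce /24s
# of it; 203.0.113.0/24 is authorised only at exactly /24.
SAMPLE_ROAS = [
    Roa("192.0.2.0/23", 24, 64500),
    Roa("203.0.113.0/24", 24, 64500),
]

# Constructed announcements (prefix, origin AS) as a border router might receive them.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # legitimate origin          -> valid
    ("192.0.2.0/24", 10297),      # same prefix, wrong origin  -> invalid (dropped)
    ("192.0.3.0/24", 64500),      # other half of the /23      -> valid
    ("203.0.113.0/25", 64500),    # right AS, too specific     -> invalid (dropped)
    ("198.51.100.0/24", 10297),   # no ROA covers it           -> notfound (kept)
]

if __name__ == "__main__":
    for prefix, origin, state in filter_routes(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"accept {prefix} from AS{origin}: {state}")
```

The "notfound" case is the caveat a practitioner should keep in mind: ROV only protects prefixes whose holders have actually published ROAs, which is why the proposal targets the authoritative DNS operators specifically, and it only takes effect on networks and route servers that enforce the drop. The max-length check also matters: a ROA that is looser than the prefixes actually announced leaves room for a more-specific announcement that still validates.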

If attacks like these can be done with impunity and for profit, we can expect more to come.


Doug Madory

Doug Madory is a Director of Internet Analysis at Oracle Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a focus on submarine cables.
