
Public DNS in Taiwan the Latest Victim of BGP Hijack - pjf
https://blog.apnic.net/2019/05/30/public-dns-in-taiwan-the-latest-victim-of-bgp-hijack/
======
okket
Operators, where are your MANRS?

[https://www.manrs.org/](https://www.manrs.org/)

------
dominicl
Interesting that this is going to Brazil again. So someone should check if
there have been Let's Encrypt certificates created using DNS verification during
those 3 minutes, like in 2016:
[https://www.thesslstore.com/blog/ssl-certificates-used-in-ma...](https://www.thesslstore.com/blog/ssl-certificates-used-in-major-bank-hack/)

~~~
ggg2
Also interesting for the timing. Lots of political pressure from US and others
on Taiwan "independence" on internal policies happening these last weeks.

e.g.
[http://m.focustaiwan.tw/news/aipl/201905280016.aspx](http://m.focustaiwan.tw/news/aipl/201905280016.aspx)

~~~
komali2
Independence from whom? Taiwan writes its own laws; the only influence other
countries have on that process is via pressure. Nobody else can legislate for
them.

------
ggg2
Interesting how little info we have from companies that can do that.

[https://ipinfo.io/AS268869](https://ipinfo.io/AS268869)

One would think there would be a little more trust and transparency. But I
guess you only need to buy 1k IPs and you are in the same league.

------
rediguanayum
I have heard that RPKI helps prevent this type of BGP misdirection, i.e. signed
BGP routes. However, does anyone know about its deployment?

~~~
maltalex
[https://rpki-monitor.antd.nist.gov/](https://rpki-monitor.antd.nist.gov/)

------
hxegon
Does DNS over HTTPS do anything to mitigate this?

~~~
okket
No. Routing attacks divert traffic on the IP address level to another
destination. It does not matter if you protect the DNS so it resolves to the
correct IP address.

~~~
theWheez
If I understand this correctly, does this mean that this is not a weakness in
Quad101, but the internet infrastructure itself?

~~~
okket
Yes. On the routing level. The attacker literally announces 'This IP address
network is mine now' via BGP and gets the traffic. Most such incidents are not
real attacks though, but misconfigurations. And there are the MANRS
recommendations, which can prevent a lot of problems, including the one
described in the article.
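
Added example, not part of the thread and not code from any router or RPKI validator: a sketch in Python of RPKI route origin validation (RFC 6811), the check raised in the RPKI question above, applied to the kind of announcement okket describes. The ROAs and announcements are constructed from documentation prefixes and ASNs, and the names `ROA`, `validate` and `drop_invalid` are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: object      # ipaddress network the address holder authorised
    max_length: int     # longest prefix length the origin may announce
    asn: int            # the only AS allowed to originate it

def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample ROAs: documentation prefixes and ASNs, not real data.
ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("203.0.113.0/24", 25, 64497),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == route.version
                and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # no ROA covers it: RPKI says nothing
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific

def drop_invalid(announcements, roas=ROAS):
    """Common ROV policy: reject only 'invalid', keep 'not-found'."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) != "invalid"]

# Constructed announcements; AS64511 stands in for a network announcing
# address space it does not hold.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # same prefix, unauthorised origin
    ("192.0.2.0/25", 64496),      # right origin, longer than maxLength
    ("203.0.113.128/25", 64497),  # more-specific allowed by maxLength 25
    ("198.51.100.0/24", 64511),   # no covering ROA
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:18} AS{a}: {validate(p, a)}")
```

Origin validation checks only the origin AS and prefix length of an announcement, not the rest of the AS path, and a prefix with no ROA comes back as not-found rather than invalid.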

