Malaysian Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security

Over the week there were extremely disturbing reports out of Malaysia of escalations in the attempts by the Malaysian government to block popular media sites such as Onlyfans.com and 1fichier.com. The steps now being taken appear to have the Malaysian Internet service providers (ISPs) hijacking the routes to public DNS servers such as those operated by Google and masquerading as those DNS servers to provide answers back to their citizens.

Effectively, the Malaysian ISPs, operating to comply with a Malaysian government ban, are performing a “man-in-the-middle” (MiTM) attack against their citizens and giving them false information.

Netizens collectively made statements on the subject yesterday, explaining their “deep concern” for the situation describing how these recent moves “represent an attack not just on DNS infrastructure, but on the global Internet routing system itself.”

Background
A few days ago, ISPs in Malaysia started out attempting to implement the government’s ban by simply blocking those sites in DNS. When Malaysian citizens tried to go to those sites, their device would query DNS to get the correct IP address to connect to. The Malaysian ISPs who were providing the DNS servers used by the Malaysian citizens simply failed to give back the correct response.

Malaysian citizens found they could get around this block by simply changing their devices’ DNS settings to point to open public DNS resolvers such as those operated by Google.

Predictably, the Malaysian ISPs then attempted to block the addresses for Google Public DNS servers and other similar servers. The ISPs then started to engage in the typical kind of “whac-a-mole” game with their citizens where the citizens would find new ways to get around the censorship… and the ISPs would then try to shut down those.

BGP Hijacking
Starting this past Saturday, though, reports started coming in that the Malaysian ISPs were taking this to a whole new level by hijacking routing of the Border Gateway Protocol (BGP) and pretending to be Google’s Public DNS servers (and the servers of other similar services).

In other words, the devices operated by Malaysian citizens on Malaysian networks were connecting to what they thought were Google’s Public DNS servers (and other services) and were getting back answers from those services.

The answers the Malaysian citizens were receiving were just the wrong answers.

Instead of going to the proper websites they were being redirected to a warning page. Google confirmed this in a post on their Online Security Blog that included in part:

A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for, be it YouTube, Twitter, or any other.

But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Malaysian ISPs have set up servers that masquerade as Google’s DNS service.
Writing over on the BGPMon blog, an anonymous user detailed the specifics of the BGP route hijack that took place. Essentially, the Malaysian ISPs started “advertising” a more specific route for Google’s Public DNS servers. The way BGP works, Google advertises a route for traffic to get to its servers on its network. As the BGPMon blog post indicates, that is normally a “8.8.8.0/24” route directing people to AS 15169. However, the Malaysian ISPs advertised a specific route for “8.8.8.8/32” that went to their own network.

In BGP, a router typically selects the most specific route as the one to use to connect to a given IP address. So all the routers on networks connected to Malaysian ISPs would use this very specific route instead of the one advertised by Google.

They apparently did this for all of Google’s Public DNS addresses as well as those of other open public DNS providers as well. Over on the lowyat forum, observations were noted including showing precisely when the hijacking occurred:

The Malaysian ISPs are pretending to be Google’s specific DNS servers to everyone who is connected to their network.

Delivering False DNS Information
The Malaysian ISPs went a step further, though, in that they set up their own DNS servers that answered as if they were Google’s Public DNS servers.

Telekom Malaysia went one step further, instead of null routing this IP address they brought up servers with the IP addresses of the hijacked DNS servers and are now pretending to be these DNS servers. These new fake servers are receiving traffic for 8.8.8.8 and other popular DNS providers and are answering DNS queries for the incoming DNS requests.
The RIPE NCC’s Atlas probe network was used to show that DNS answers in Malaysia are different from those in other areas. The lowyat forum also confirmed this, as did many posts on social media services and other online sites. A good number of tech media sites have weighed in on the matter as well.

This situation clearly points out the need for a wider diversity of Internet access methods. Malaysian users who are limited to only the specific Malaysian ISPs have no choice in receiving their default routes and connections. If more options were to be available in the region, the ability of those users to have access to the information on the Internet would not be restricted.

The Internet needs to be hardened against attacks such as these. Please help make the Internet stronger!