Profile picture
Bill Woodcock @woodyatpch
, 7 tweets, 2 min read Read on Twitter
This morning's successful DNS attack against Amazon and MyEtherWallet highlighted a few of the specific vulnerabilities that @Quad9DNS and @PCHglobal protect against, so we just drew this diagram to explain some of the weak links in the chain, and how we address them.
The one thing that would have done the most to protect users from today's attack would have been DNSSEC validation. That wouldn't have prevented the attack, but it would have warned users that they were being man-in-the-middled, and ideally would have blocked the connection.
Quad9 uses DNSSEC validation, so if the MyEtherWallet domain were DNSSEC signed, we would have blocked the connection.
The BGP routing hijack against Amazon's IP addresses, which redirected recursive resolvers from Amazon's authoritative servers to the attacker's bogus servers depends upon the connection between recursive and authoritative servers being vulnerable.
Quad9 is the only recursive resolver which runs on the same platform as the world's largest authoritative server network, so all queries to domains for which PCH or anyone else on our platform is authoritative for, were completely protected against this form of attack.
That's not every domain, of course, and in particular, MyEtherWallet was using Amazon, which isn't on PCH's platform.
It's not possible to protect everyone from everything, but the combination of protections Quad9 and PCH offer would have fully protected both Quad9 users, and a company like MyEtherWallet, if they implemented best-practices like DNSSEC, or were on our authoritative platform.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Bill Woodcock
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!