Early this Sunday morning, Google’s public DNS server’s traffic was hijacked and redirected. The public DNS server 126.96.36.199 was hijacked for about 22 minutes affecting users in Venezuela and Brazil. During that time, all traffic utilizing that DNS server was redirected to the Latin America division of British Telecommunications service.
The hack was performed by exploiting a Border Gateway Protocol vulnerability. This protocol is used to exchange data between large service providers, and allowed the traffic to be directed through a router of the attacker’s choice. It also required that an important router at a major South American ISP be under the control of an attacker.
The redirect does not appear to have any specific goal. Perhaps this was just a test for a future attack, or simply a mistake made by a service provider. By redirecting all traffic, attackers can send users to sites which are designed for phishing. Thankfully this was not the case here.
The attack was reported by network security company BGPmon who mentioned that this is not the first time that Google’s public DNS server traffic has been hijacked. Last year a similar event occurred where the traffic was redirected to Romania.