Cyber Incident Victim: Taiwan Network Information Center

Date: May 2019

Location: Taiwan

Summary

A BGP hijack incident impacted a Taiwanese public DNS resolver operated by the Taiwan Network Information Center, redirecting its traffic through an unauthorized Brazilian network entity for approximately three and a half minutes. The hijacker illegitimately advertised the Quad101 DNS service's IP prefix (101.101.101.0/24) via AS268869, creating risks of traffic interception or disruption despite the short duration. While the intent—malicious or accidental—remained unconfirmed, the event highlighted systemic vulnerabilities in global routing infrastructure where unauthorized route announcements could propagate unchecked.


Description

On 8 May 2019 at approximately 15:08 UTC, an autonomous system in Brazil (AS268869) began an unauthorized Border Gateway Protocol (BGP) advertisement of the IP prefix 101.101.101.0/24. This prefix belonged exclusively to the Quad101 Public DNS service of the Taiwan Network Information Center (TWNIC), a privacy-focused experimental DNS resolver operating at 101.101.101.101. The hijacked route remained active for approximately three and a half minutes, with the last illegitimate route announcement recorded at 15:12:15 UTC. TWNIC, the registry operator for Taiwan's country-code top-level domain, maintained this infrastructure and claimed it to be part of one of the world's fastest DNS systems. The incident was a classic BGP hijack, in which an external entity broadcast routing information for networks it did not legitimately control. Available reporting disclosed no technical details about detection mechanisms or TWNIC's internal response procedures. The event's brevity limited immediate observable damage, though the potential risks during such a redirection period remained significant.

The hijack exposed Quad101 DNS traffic to potential interception or manipulation by unauthorized parties during the rerouting window. While investigators had not determined whether the incident resulted from malicious intent or operational error, the episode highlighted systemic vulnerabilities in global routing infrastructure. No specific evidence emerged regarding actual data compromise, service disruption, or secondary attacks stemming from the incident. The broader response discussion centered on implementing Mutually Agreed Norms for Routing Security (MANRS) principles, which prescribe foundational safeguards like route filtering, anti-spoofing measures, and routing information validation. These community-developed norms aim to contain routing anomalies by preventing the propagation of illegitimate BGP announcements across interconnected networks. The absence of standardized routing security practices among autonomous systems globally enabled such incidents to recur despite existing technical countermeasures and industry awareness initiatives.
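One form of the routing information validation mentioned above is route origin validation as defined in RFC 6811, shown here against the hijacked prefix. This is an added example, not part of the original report: the ROA entry, the documentation ASNs AS64500 and AS64501 (AS64500 stands in for the prefix holder's origin AS, which the report does not name), and the function names are assumptions.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: prefix, longest allowed length, authorised origin."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


# Constructed ROA set. AS64500 is a documentation ASN used as a placeholder
# for the legitimate origin of 101.101.101.0/24 (not given in the report).
VRPS = [VRP(ipaddress.ip_network("101.101.101.0/24"), 24, 64500)]

# Constructed announcements as (prefix, origin ASN). The first reproduces the
# prefix/origin pair from the incident; the rest are illustrative.
ANNOUNCEMENTS = [
    ("101.101.101.0/24", 268869),   # unauthorised origin from the incident
    ("101.101.101.0/24", 64500),    # placeholder legitimate origin
    ("101.101.101.128/25", 64500),  # right origin, longer than max_length
    ("198.51.100.0/24", 64501),     # no covering ROA at all
]


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    # A VRP covers the route when the route lies inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    for v in covering:
        # Both the origin AS and the prefix length must match the VRP.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements, vrps=VRPS):
    """Import policy: drop every announcement whose state is 'invalid'."""
    return [a for a in announcements if validate_origin(*a, vrps) != "invalid"]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

A network applying this import policy would discard the AS268869 announcement rather than propagate it, which is the containment effect the norms aim for.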
