The mechanism, called RPKI, is designed to prevent cybercriminals or government attackers from diverting traffic on the internet. Researchers have shown that they can bypass the security mechanism without the affected network operators being able to detect this. The team has now presented its findings to the international expert community.
These attacks are based on prefix hijacks, which exploit a fundamental design problem of the internet: determining which IP address belongs to which network is not secured. Almost 40% of all IP address blocks have an RPKI certificate, and about 27% of networks verify these certificates.
RPKI also has a design flaw, as the ATHENE team led by Prof. Dr. Haya Shulman discovered: if a network cannot find a certificate for an IP address block, it assumes that none exists. To allow traffic to flow on the internet, the network then simply ignores RPKI for such IP address blocks, so routing decisions for them continue to be based solely on unsecured information. The ATHENE team demonstrated experimentally that an attacker can create this situation and thus disable RPKI without anyone noticing. In particular, the affected network whose certificates are ignored will not be aware of it. The ATHENE team has named the attack Stalloris because it requires the attacker to control an RPKI publication point.
State attackers and organized cybercriminals are not hindered by this requirement.
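The fail-open behaviour described above, as an added example that is not code from the ATHENE team or from any RPKI validator: route origin validation in the style of RFC 6811, run once with the record for an address block present and once with it missing, plus a check an operator can run between validation runs. The prefix, AS numbers and function names are constructed for illustration, and the accept policy (drop only invalid routes) is an assumption.

```python
import ipaddress

# Constructed sample data (documentation prefix and AS numbers, not from the page).
# Each record: (prefix, max length, authorized origin AS).
FULL = [("192.0.2.0/24", 24, 64500)]
DEGRADED = []  # the same cache after the record could not be fetched

def validate(route_prefix, origin_as, records):
    """Route origin validation in the style of RFC 6811."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in records:
        net = ipaddress.ip_network(prefix)
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True  # some record speaks for this address space
        if route.prefixlen <= max_len and asn == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"

def accept(state):
    # Assumed policy: only 'invalid' is dropped, so 'not-found' routes pass.
    return state != "invalid"

def lost_records(previous, current):
    """Defender check: records validated in the last run but absent now."""
    return sorted(set(previous) - set(current))

def demo():
    hijack = ("192.0.2.0/24", 64511)  # announcement from an unauthorized AS
    before = validate(*hijack, FULL)
    after = validate(*hijack, DEGRADED)
    return before, accept(before), after, accept(after)

if __name__ == "__main__":
    print(demo())
    print(lost_records(FULL, DEGRADED))
```

Alerting on a non-empty `lost_records` result between runs gives the operator a signal that the validator itself does not raise when a record silently disappears.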
According to the ATHENE team’s investigations, all popular products used by networks to validate RPKI certificates were vulnerable in this way at the start of 2021. The team reported the attack to the manufacturers.
The team has now published its findings at two of the top IT security conferences, USENIX Security 2022 and Black Hat USA 2022. Researchers from ATHENE contributors Goethe University Frankfurt am Main, Fraunhofer SIT, and the Darmstadt University of Technology collaborated on the work.