The Internet consists of networks called Autonomous Systems (ASes), which are connected via the Border Gateway Protocol (BGP). Routers in each AS send BGP announcements to exchange information about their reachability. Based on this information, BGP calculates the best routes to Internet destinations, over which data packets are delivered.

Since any AS can announce any prefix, malicious ASes can exploit this to claim prefixes they do not own and, as a result, hijack the traffic destined to those victim prefixes. Such hijacks are even more often caused by benign misconfigurations and errors. IP prefix hijacks allow adversaries to intercept, manipulate or blackhole communication.

To protect inter-domain routing against prefix hijacks, the IETF standardized the Resource Public Key Infrastructure (RPKI): ASes can sign the prefixes assigned to them, creating Route Origin Authorizations (ROAs), and store them in repositories at RPKI publication points. These ROAs indicate which ASes are authorized to originate a given prefix in BGP. To filter bogus BGP announcements, ASes should enforce Route Origin Validation (ROV), which uses the information in ROAs to make routing decisions in BGP. The ROAs are retrieved from the publication points using one of the relying party implementations. The relying party processes the ROAs and caches the results. The BGP routers retrieve the validated ROAs from the relying parties to perform ROV, checking the BGP announcements against the ROAs. If the information in the BGP announcement matches the ROA, the relying party validation results in a valid status. If the information in the BGP announcement does not match the ROA for that prefix, the result is invalid. When no ROA can be found for a prefix, the result of the RPKI validation is unknown.

On the risk of misbehaving publication points

In our recent research, we at the National Research Center for Applied Cybersecurity ATHENE, Fraunhofer SIT, Goethe-Universität Frankfurt, and Technische Universität Darmstadt considered the impact of malicious publication points on the resilience of RPKI. To understand the attack surface introduced by misbehaving or malicious publication points, we briefly list some of the components and protocols involved during the retrieval of the RPKI objects (primarily ROAs) by the relying parties.

The process starts when the refresh interval is reached, with a lookup query to find the publication point: the stub DNS resolver sends the query to the recursive DNS resolver, and so on, until the relying party receives the IP address of the publication point. The relying party establishes a TCP connection and retrieves the RPKI objects over rsync or RRDP (an HTTPS-based protocol) from the publication point. This process is repeated until all the publication points are traversed and all the objects are retrieved.

The multiple components involved offer a myriad of possibilities to attack the protocols and systems in different layers, from attacks against the DNS components, to HTTP-specific attacks in the application layer, and all the way to attacks against fragmentation in the network layer. The attacks can exploit the rate limiting or the server selection mechanism in DNS servers, increase the retrieval time by returning slow responses as in a Slowloris attack, or target the parsing by forging malformed RPKI objects. These are known attacks, whose outcomes range from Denial of Service to crashing the target victim system. To prevent these attacks, the systems should be patched to follow best security practices.

In our research, we explored the threat of stalling the relying party implementations and its impact on RPKI validation. The idea behind our attack is to develop a complex chain of delegations that causes the victim relying party to stall. To do that, the adversary sets up an RPKI publication point which delegates part of the resources to publication points of its children, which in turn delegate to their children, and so on, creating long delegation chains. When the relying parties traverse those delegations, they get stalled and cannot retrieve the ROAs. After the locally cached RPKI objects expire, the RPKI validation cannot be performed, resulting in status 'unknown' for prefixes with missing objects.
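The two mechanisms described above, the relying party's traversal of publication points and the ROV outcome (valid, invalid, unknown) that routers derive from the retrieved ROAs, can be tied together in a small simulation. The following is an added example, not code from the research group or from any relying party implementation: it models a constructed tree of publication points (one well-behaved child and one long delegation chain whose ROA sits at the far end), traverses it with a simulated time budget and a delegation depth limit (both limits are illustrative assumptions, not a description of how the real RP implementations bound their fetches), and then runs ROV in the style of RFC 6811 over whatever ROAs were retrieved. Prefix values, AS numbers and publication point names are all constructed. The result shows the page's final point concretely: a prefix whose ROA is behind the stalled chain evaluates to 'unknown', while the well-behaved publication point's prefix still validates.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ROA:
    prefix: str      # e.g. "192.0.2.0/24" (constructed value)
    max_length: int  # longest prefix length this ROA authorises
    asn: int         # origin AS authorised for the prefix


@dataclass
class PublicationPoint:
    name: str
    roas: list = field(default_factory=list)      # ROA objects served at this point
    children: list = field(default_factory=list)  # publication points this one delegates to
    fetch_seconds: float = 0.0                    # simulated time a fetch of this point takes


def fetch_objects(root, deadline_seconds, max_depth):
    """Simulated relying-party traversal with a total time budget and a depth limit.

    Returns (roas, unreachable, spent): the ROAs collected, the names of the
    publication points that were skipped (their subtrees are skipped too), and
    the simulated seconds consumed. Time is simulated, nothing sleeps.
    """
    roas, unreachable, spent = [], [], 0.0
    stack = [(root, 0)]
    while stack:
        pp, depth = stack.pop()
        if depth > max_depth or spent + pp.fetch_seconds > deadline_seconds:
            unreachable.append(pp.name)   # bounded traversal: give up on this point, keep going
            continue
        spent += pp.fetch_seconds
        roas.extend(pp.roas)
        for child in pp.children:
            stack.append((child, depth + 1))
    return roas, unreachable, spent


def route_origin_validation(announced_prefix, origin_asn, roas):
    """ROV in the style of RFC 6811: 'valid', 'invalid', or 'unknown' (no covering ROA)."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == ann.version and ann.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "unknown"          # no ROA found for this prefix
    for r in covering:
        if r.asn == origin_asn and ann.prefixlen <= r.max_length:
            return "valid"        # announcement matches a ROA
    return "invalid"              # covered, but wrong origin AS or too specific


def build_constructed_tree(chain_length):
    """Root that delegates to one well-behaved point and to a long chain of delegations."""
    good = PublicationPoint("good-pp", roas=[ROA("192.0.2.0/24", 24, 64496)])
    node = PublicationPoint("chain-leaf", roas=[ROA("198.51.100.0/24", 24, 64497)])
    for i in range(chain_length):   # chain-0 wraps the leaf, chain-(n-1) is nearest the root
        node = PublicationPoint(f"chain-{i}", children=[node], fetch_seconds=1.0)
    return PublicationPoint("root", children=[good, node])


def run_scenario(chain_length=50, deadline_seconds=30.0, max_depth=20):
    """Traverse the constructed tree under the given limits and validate a few announcements."""
    roas, unreachable, spent = fetch_objects(
        build_constructed_tree(chain_length), deadline_seconds, max_depth)
    return {
        "unreachable": unreachable,
        "spent": spent,
        "good prefix": route_origin_validation("192.0.2.0/24", 64496, roas),
        "chain prefix": route_origin_validation("198.51.100.0/24", 64497, roas),
        "hijack attempt": route_origin_validation("192.0.2.0/24", 64500, roas),
        "too specific": route_origin_validation("192.0.2.0/25", 64496, roas),
    }


if __name__ == "__main__":
    print("bounded  :", run_scenario())
    print("unbounded:", run_scenario(deadline_seconds=float("inf"), max_depth=10**6))
```

With the default limits the traversal stops 20 delegations into the chain, so `chain prefix` comes back `unknown` while the well-behaved point's prefix is still `valid`, the wrong-origin announcement is `invalid`, and the /25 is `invalid` because it exceeds the ROA's maxLength. Without limits the same traversal spends the whole 50 simulated seconds inside the chain before it returns anything, which is the stall the text describes; in a real relying party that delay, repeated every refresh interval, is what lets the cached objects expire.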