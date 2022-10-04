Darmstadt (ots) - The National Research Center for Applied Cybersecurity ATHENE has found a way to break one of the basic mechanisms used to secure Internet traffic. The mechanism, called RPKI, is designed to prevent cybercriminals or state attackers from diverting traffic on the Internet. Such redirections are surprisingly common, for example for espionage or as a result of misconfigurations. The ATHENE team of Prof. Dr. Haya Shulman showed that attackers can completely bypass the security mechanism without the affected network operators being able to detect it. According to analyses by the ATHENE team, popular RPKI implementations worldwide were vulnerable in early 2021. The team informed the vendors and has now presented its findings to the international expert public.

Misdirecting portions of Internet traffic causes a stir, as happened in March of this year when Twitter traffic was partially diverted to Russia. Entire companies or countries can be cut off from the Internet, or Internet traffic can be intercepted and eavesdropped on. Technically, such attacks are usually based on prefix hijacks. They exploit a fundamental design problem of the Internet: the routing protocol BGP does not secure the determination of which IP address block belongs to which network, so any network can announce any address block. To prevent networks from announcing IP address blocks they do not legitimately hold, the Internet Engineering Task Force (IETF), the body that standardizes Internet protocols, specified the Resource Public Key Infrastructure (RPKI). RPKI uses digitally signed certificates and Route Origin Authorizations (ROAs) to attest that a specific IP address block may be announced by a specific network. According to measurements by the ATHENE team, almost 40% of all IP address blocks now have an RPKI certificate, and about 27% of all networks verify these certificates.

As the ATHENE team led by Prof. Dr. Haya Shulman discovered, RPKI also has a design flaw: if a network cannot find a certificate covering an IP address block, it assumes that none exists and classifies routes for that block as "NotFound". To keep traffic flowing, the network simply ignores RPKI for such address blocks, i.e., routing decisions fall back to unsecured BGP information, as before RPKI. This fallback is unavoidable in practice, because most address blocks still have no certificate at all. The ATHENE team showed experimentally that an attacker can deliberately create exactly this situation and thus disable RPKI protection without anyone noticing. In particular, the affected network, whose certificates are being ignored, does not notice either. The attack, which the ATHENE team calls "Stalloris", requires the attacker to control a so-called RPKI publication point, one of the servers from which validators fetch RPKI objects. That is not an obstacle for state attackers or organized cybercriminals.

According to the ATHENE team's investigations, at the beginning of 2021 all popular products that networks use to validate RPKI certificates (so-called relying party software) were vulnerable in this way. The team informed the vendors about the attack. It has now published its findings at two of the top venues in IT security, the scientific conference USENIX Security 2022 and the industry conference Black Hat USA 2022. The work was a collaboration between researchers from the ATHENE partner institutions Goethe University Frankfurt am Main, Fraunhofer SIT and Darmstadt University of Technology. A brief description can be found on the APNIC blog: https://ots.de/4fELHz

Contact:
Oliver Küch, mailto:oliver.kuech@sit.fraunhofer.de

Additional content: http://presseportal.de/pm/79510/5336311
OTS: Fraunhofer-Institut für Sichere Informationstechnologie SIT
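The RPKI fallback behaviour described in the press release above, as an added example that is not part of the release and not code from the ATHENE team or any RPKI validator: a Python model of route origin validation (the Valid / Invalid / NotFound outcomes of RFC 6811) together with a deliberately simplified relying party that abandons a validation run when a publication point stalls. All prefixes, AS numbers, publication-point names and timings are constructed, and the time-budget model of the relying party is an assumption used only to illustrate the downgrade from "Invalid" to "NotFound", not the mechanics of the Stalloris attack itself.

```python
"""
Route Origin Validation (ROV) and the RPKI "NotFound" fallback.

Added example: not code from the ATHENE team, the press release, or any
RPKI validator. Models the RFC 6811 outcomes Valid / Invalid / NotFound
and shows how a relying party that fails to collect a prefix's ROAs turns
a would-be "Invalid" hijack into "NotFound", which a router then accepts
on unsecured BGP information alone. All prefixes, ASNs, publication-point
names and timings are constructed; the relying-party model (a time budget
per validation run) is a simplification, not the real attack mechanics.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and its
    sub-prefixes down to max_length."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(announced: str, origin_as: int, roas) -> str:
    """RFC 6811 route origin validation.

    A ROA "covers" the route if the announced prefix lies inside the ROA
    prefix. Among covering ROAs, one "matches" if the origin AS is equal
    and the announced length does not exceed max_length.
    """
    route = ip_network(announced)
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == route.version
        and route.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "NotFound"      # no ROA says anything about this address space
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"           # someone holds a ROA here, but not for this origin


def router_accepts(state: str) -> bool:
    """Common deployment policy: drop Invalid, accept Valid and NotFound.
    NotFound has to be accepted because most address space has no ROA."""
    return state != "Invalid"


@dataclass(frozen=True)
class PublicationPoint:
    name: str
    roas: tuple
    fetch_seconds: float   # constructed: how long this point takes to answer


def relying_party_fetch(points, time_budget: float):
    """Simplified relying party (an assumption, not a real validator):
    fetch publication points in order until the run's time budget is
    exhausted. Points never reached contribute no ROAs, so their prefixes
    are validated as NotFound downstream."""
    cache, spent = [], 0.0
    for p in points:
        if spent + p.fetch_seconds > time_budget:
            break              # run aborted; remaining points are never fetched
        spent += p.fetch_seconds
        cache.extend(p.roas)
    return cache


def demo():
    """Same hijack announcement, before and after the attacker's point stalls."""
    victim = PublicationPoint("victim-pp", (ROA("192.0.2.0/24", 24, 64496),), 1.0)
    attacker_fast = PublicationPoint("attacker-pp", (), 1.0)
    attacker_stalling = PublicationPoint("attacker-pp", (), 600.0)   # stalls

    hijack = ("192.0.2.0/24", 64666)   # attacker AS announces the victim's prefix

    # Normal run: both points answer, the victim's ROA is in the cache.
    cache = relying_party_fetch([attacker_fast, victim], time_budget=60.0)
    before = rov_state(*hijack, cache)

    # Attack run: the attacker's point stalls, the budget is gone before
    # the victim's point is reached, and the victim's ROA silently vanishes.
    cache = relying_party_fetch([attacker_stalling, victim], time_budget=60.0)
    after = rov_state(*hijack, cache)
    return before, router_accepts(before), after, router_accepts(after)


if __name__ == "__main__":
    print(demo())   # ('Invalid', False, 'NotFound', True)
```

Running demo() returns ('Invalid', False, 'NotFound', True): with the victim's ROA in the cache the hijack is Invalid and dropped, while once the victim's publication point is never reached the identical announcement is merely NotFound and accepted. Nothing in the ROV result itself distinguishes "this prefix was never signed" from "the signature was there yesterday and is gone today", which is why the press release says neither the validating network nor the victim notices; the check a practitioner would add is to compare each validation run's ROA set against the previous one and alert when ROAs for known-signed prefixes disappear.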