Yunhao Liu (Tsinghua University & Zhongguancun Laboratory), Jessie Hui Wang (Tsinghua University & Zhongguancun Laboratory), Yuedong Xu (Fudan University), Zongpeng Li (Tsinghua University), Yangyang Wang (Tsinghua University & Zhongguancun Laboratory), Jilong Wang (Tsinghua University & Zhongguancun Laboratory)

The effectiveness of the RPKI in preventing BGP prefix hijacking relies not only on the presence of valid ROAs but also on the successful retrieval of ROAs from publication points (PPs) by relying parties (RPs). Guaranteeing the integrity of data and uninterrupted connectivity during this retrieval process necessitates the proper implementation of security measures in the underlying infrastructure, textit{i.e.}, the DNS and routing infrastructures.

In this paper, we collect information on the specific DNS and routing infrastructures used during the information retrieval process and analyze the infrastructure threats to the reachability of RPKI PPs. Regarding the DNS infrastructure, we report that 31 PPs (48.4%) are susceptible to DNS spoofing attacks and pinpoint the reasons for the appearance of DNSSEC-unprotected zones, such as CNAME redirections to unprotected zones and NS delegations to third-party insecure DNS servers. Regarding the routing infrastructure for communicating with nameservers, our analysis shows that a significant 55 PPs (85.9%) have at least one ROA-unprotected nameserver on their resolution paths, and highlights that the absence of ROA registration for gTLD nameservers accounts for vulnerabilities in 44 of these 55 PPs. Regarding the routing infrastructure for RP-PP communications, we report that 5 PPs fail to register ROAs for the IP addresses of their PP servers. Simulations of routing hijack attacks show that, in the case of the most vulnerable PP, up to 65% to 83% of ASes may experience a loss of connectivity to the PP.

Furthermore, we investigate the deterministic and probabilistic dependencies among publication points and uncover a critical issue: some RIR-operated PPs rely on less secure lower-level PPs, which can significantly amplify the impact of vulnerabilities within insecure PPs, potentially leading to cascading failures.

View More Papers

A Unified Defense Framework Against Membership Inference in Federated...

Liwei Zhang (Beijing University of Posts and Telecommunications), Linghui Li (Beijing University of Posts and Telecommunications), Xiaotian Si (Beijing University of Posts and Telecommunications), Ziduo Guo (Beijing University of Posts and Telecommunications), Xingwu Wang (Beijing University of Posts and Telecommunications), Kaiguo Yuan (Beijing University of Posts and Telecommunications), Bingyu Li (School of Cyber Science and…

Read More

Enabling Research Extensions in Matter via Custom Clusters

Ravindra Mangar (Dartmouth College, Hanover), Jared Chandler (Dartmouth College, Hanover), Timothy J. Pierson (Dartmouth College, Hanover), David Kotz (Dartmouth College, Hanover)

Read More

HELIOS: Hierarchical Graph Abstraction for Structure-Aware LLM Decompilation

Yonatan Gizachew Achamyeleh (University of California, Irvine), Harsh Thomare (University of California, Irvine), Mohammad Abdullah Al Faruque (University of California, Irvine)

Read More