42 research outputs found

    The use of maxLength in the RPKI

    This document recommends that operators avoid using the maxLength attribute when issuing Route Origin Authorizations (ROAs) in the Resource Public Key Infrastructure (RPKI). These recommendations complement those in [RFC7115]. https://datatracker.ietf.org/doc/draft-yossigi-rpkimaxlen/ First author draf

    Evaluation of the Deployment Status of RPKI and Route Filtering

    The Border Gateway Protocol (BGP) is an essential infrastructure element, often termed “the glue that keeps the Internet together”. Even in its current version 4, BGP misses essential security mechanisms that would allow to validate routing information distributed through BGP in terms of its authenticity and integrity. While mechanisms like BGPsec have been proposed many years ago, so far they have not found widespread adoption and many experts believe they never will due to their inherent complexity. To ensure a minimal level of protection, most Internet service providers (ISPs) rely on heuristic filtering of routing information advertised from neighboring autonomous systems (AS). One approach is called Path Origin Validation where an ISP tries to verify whether the AS advertising a certain IP prefix is actually the legitimate owner of this prefix

    The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

    The vulnerability of the Internet has been demonstrated by prominent IP prefix hijacking events. Major outages such as the China Telecom incident in 2010 stimulate speculations about malicious intentions behind such anomalies. Surprisingly, almost all discussions in the current literature assume that hijacking incidents are enabled by the lack of security mechanisms in the inter-domain routing protocol BGP. In this paper, we discuss an attacker model that accounts for the hijacking of network ownership information stored in Regional Internet Registry (RIR) databases. We show that such threats emerge from abandoned Internet resources (e.g., IP address blocks, AS numbers). When DNS names expire, attackers gain the opportunity to take resource ownership by re-registering domain names that are referenced by corresponding RIR database objects. We argue that this kind of attack is more attractive than conventional hijacking, since the attacker can act in full anonymity on behalf of a victim. Although corresponding incidents have been observed in the past, current detection techniques are not qualified to deal with these attacks. We show that they are feasible with very little effort, and analyze the risk potential of abandoned Internet resources for the European service region: our findings reveal that currently 73 /24 IP prefixes and 7 ASes are vulnerable to be stealthily abused. We discuss countermeasures and outline research directions towards preventive solutions. Comment: Final version for TMA 201

    Analysis of RPKI Deployment in Brazil (Análise da Implantação do RPKI no Brasil)

    Prefix hijacking is a problem we currently face on the internet that can lead to the DoS attack or steal information. There are several tools to protect against this type of attack, the RPKI being the most promising, where digital certificates are created to authorize an ASN to announce a certain prefix, and Brazil is adopting this solution. In this work we analyze the growth of the implementation of RPKI in this first year of adoption in Brazil. We also correlated information that shows that training to use this tool has significantly boosted the growth in the adoption of RPKI

    Why internet protocols need incentives

    Internet routers are a commons. While modest regulatory measures have generally been successful for Information Communication Technologies (ICT), this paper argues that the lack of regulation has hindered the technological evolution of the Internet in some areas. This issue is examined through five Internet problems, and the technological solutions adopted. The key contribution of this paper is the explanation of these issues and the identification of areas where misaligned incentives promote inadequate solutions or inaction. The paper reviews the available measures to encourage the adoption of globally beneficial Internet technologies

    BGP Hijacking Classification

    Recent reports show that BGP hijacking has increased substantially. BGP hijacking allows malicious ASes to obtain IP prefixes for spamming as well as intercepting or blackholing traffic. While systems to prevent hijacks are hard to deploy and require the cooperation of many other organizations, techniques to detect hijacks have been a popular area of study. In this paper, we classify detected hijack events in order to document BGP detectors output and understand the nature of reported events. We introduce four categories of BGP hijack: typos, prepending mistakes, origin changes, and forged AS paths. We leverage AS hegemony - a measure of dependency in AS relationship - to identify forged AS paths in a fast and efficient way. Besides, we utilize heuristic approaches to find common operators' mistakes such as typos and AS prepending mistakes. The proposed approach classifies our collected ground truth into four categories with 95.71% accuracy. We characterize publicly reported alarms (e.g. BGPMon) with our trained classifier and find 4%, 1%, and 2% of typos, prepend mistakes, and BGP hijacking with a forged AS path, respectively

    Securing Internet Applications from Routing Attacks

    Attacks on Internet routing are typically viewed through the lens of availability and confidentiality, assuming an adversary that either discards traffic or performs eavesdropping. Yet, a strategic adversary can use routing attacks to compromise the security of critical Internet applications like Tor, certificate authorities, and the bitcoin network. In this paper, we survey such application-specific routing attacks and argue that both application-layer and network-layer defenses are essential and urgently needed. While application-layer defenses are easier to deploy in the short term, we hope that our work serves to provide much needed momentum for the deployment of network-layer defenses