Measuring the effectiveness of routing defenses through the lens of DROP
Permanent link to Research Commons version: https://hdl.handle.net/10289/15230
This work analyzes the properties of 712 prefixes that appeared in Spamhaus’ “Don’t Route Or Peer” (DROP) list over a nearly three-year period from June 2019 to March 2022. The 712 known abused prefixes are used as a lens to assess the current threat landscape and evaluate several of the leading routing defense mechanisms. A thorough characterization of these 712 prefixes is performed and it is found that a larger fraction of the hijacked prefixes were from Regional Internet Registries (RIRs) with restrictive policies regarding Resource Public Key Infrastructure (RPKI) eligibility. It is also found that attackers were predominately targeting address space that was unrouted and not RPKI-signed. The work reveals that attackers were subverting multiple defenses against malicious use of address space, including creating fraudulent Internet Routing Registry records for prefixes shortly before using them. Other attackers disguised their activities by announcing routes with origin Autonomous Systems (ASes) consistent with historic route announcements, and in one case, with the Autonomous System Number (ASN) in an RPKI Route Origin Authorization. Finally, the work quantifies the substantial and actively-exploited surface in unrouted space, which warrants reconsideration of RPKI eligibility and policies by both operators and RIRs.
The University of Waikato
- Masters Degree Theses