
Stalloris: RPKI Downgrade Attack

Conference:  Black Hat USA 2022

2022-08-10

Abstract

The recent hijack of a Twitter prefix by RTCOMM demonstrated the central role of RPKI in Internet routing security: RPKI filtering (Route Origin Validation, ROV) by major networks limited the propagation of the hijacked prefix.

We demonstrate the first downgrade attacks against RPKI, which allow remote adversaries to disable RPKI validation and thereby expose networks to prefix hijacks. In our attacks, a malicious RPKI publication point stalls the relying party implementations, disabling RPKI validation in the networks that depend on them. We show that all current RPKI relying party implementations are vulnerable to attacks by a malicious publication point. This translates to 20.4% of the IPv4 address space.

We provide recommendations for preventing our downgrade attacks. However, resolving the fundamental problem is not straightforward: if the relying parties prefer security over connectivity and insist on RPKI validation when ROAs cannot be retrieved, the victim AS may become disconnected from many more networks than just the one the adversary wishes to hijack. Our work shows that the publication points are a critical infrastructure for Internet connectivity and security. Our main recommendation is therefore that the publication points should be hosted on robust platforms guaranteeing a high degree of connectivity.
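The trade-off the abstract describes (a stalling publication point silently downgrading a fail-open relying party to "unknown" for every prefix under the affected CA, versus a fail-closed relying party rejecting all of those prefixes) is easier to see in a small model. The following is an added illustration, not code from the authors or from any relying party implementation. It assumes a toy transport (a local TCP server returning ROAs as JSON stands in for rsync/RRDP), a constructed set of CAs, ROAs and routes using documentation prefixes, and a simplified fail-closed policy that rejects unknown routes falling inside the resources of an unreachable CA; the validation outcomes themselves follow RFC 6811.

```python
"""Toy relying-party model of an RPKI downgrade via a stalling publication point.
Constructed illustration (not the authors' code, not a real RP). Publication
points are local TCP servers; the malicious one accepts and never sends a byte."""
import ipaddress
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ROA:
    prefix: str   # e.g. "192.0.2.0/24"
    max_len: int  # maxLength
    asn: int      # authorised origin AS


@dataclass
class PublicationPoint:
    name: str
    resources: list   # prefixes on the CA certificate (known from the parent, even if the PP is down)
    roas: list        # ROAs this repository serves
    stalls: bool = False


def route_origin_validation(prefix, origin_asn, roas):
    """RFC 6811 outcome: 'valid', 'invalid' (covered, no match) or 'unknown' (not covered)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= roa.max_len and roa.asn == origin_asn:
                return "valid"
    return "invalid" if covered else "unknown"


def start_pp_server(pp, stall_seconds=5.0):
    """Serve pp on 127.0.0.1 and return the port. A stalling PP holds the connection open silently."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def handle(conn):
        with conn:
            if pp.stalls:
                time.sleep(stall_seconds)   # never answer; the RP's timeout is its only defence
            else:
                conn.sendall(json.dumps([asdict(r) for r in pp.roas]).encode())

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def fetch_roas(port, timeout):
    """Download a PP's ROAs; raises socket.timeout when no data arrives within `timeout`."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return [ROA(**d) for d in json.loads(b"".join(chunks))]


def evaluate_routes(pps, ports, routes, timeout=0.3, fail_closed=False):
    """Fetch from every PP, then decide each (prefix, origin_asn) route.
    fail_closed=False: routes whose ROAs never arrived become 'unknown' (accepted: the downgrade).
    fail_closed=True : unknown routes inside an unreachable CA's resources are 'rejected' instead."""
    roas, unreachable = [], []
    for pp in pps:
        try:
            roas.extend(fetch_roas(ports[pp.name], timeout))
        except (socket.timeout, OSError):
            unreachable.append(pp)
    decisions = {}
    for prefix, asn in routes:
        state = route_origin_validation(prefix, asn, roas)
        if state == "unknown" and fail_closed:
            net = ipaddress.ip_network(prefix)
            if any(net.subnet_of(ipaddress.ip_network(r)) for pp in unreachable for r in pp.resources):
                state = "rejected"
        decisions[(prefix, asn)] = state
    return decisions


def run_scenario(victim_stalls, fail_closed):
    """Constructed scenario: one benign CA and one CA whose PP the attacker stalls."""
    pps = [
        PublicationPoint("benign-ca", ["203.0.113.0/24"], [ROA("203.0.113.0/24", 24, 64500)]),
        PublicationPoint("victim-ca", ["198.51.100.0/22"],
                         [ROA("198.51.100.0/24", 24, 64510), ROA("198.51.101.0/24", 24, 64511)],
                         stalls=victim_stalls),
    ]
    ports = {pp.name: start_pp_server(pp) for pp in pps}
    routes = [
        ("203.0.113.0/24", 64500),   # legitimate origin, ROA reachable
        ("203.0.113.0/24", 64666),   # hijack of a prefix whose ROA is reachable
        ("198.51.100.0/24", 64666),  # hijack of a prefix whose ROA is behind the stalled PP
        ("198.51.101.0/24", 64511),  # legitimate neighbour under the same stalled CA
    ]
    return evaluate_routes(pps, ports, routes, fail_closed=fail_closed)


if __name__ == "__main__":
    for stalls, closed in [(False, False), (True, False), (True, True)]:
        print(f"stalled={stalls} fail_closed={closed}:", run_scenario(stalls, closed))
```

With the victim's publication point stalled, the fail-open policy turns the hijack of 198.51.100.0/24 from "invalid" into "unknown" and lets it through, while the fail-closed policy stops that hijack but also drops the legitimate 198.51.101.0/24 route, which is exactly the collateral disconnection the abstract warns about. The per-fetch timeout is what keeps the relying party from hanging indefinitely; it does not by itself decide which of the two failure modes the operator gets.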
