In this episode of Ahead of the Breach, Donika Mirdita, Security Researcher at Fraunhofer Institute for Secure Information Technology, details the technical discovery and exploitation of RPKI manifest file vulnerabilities in BGP routing infrastructure. Through precise manipulation of relay party processing patterns and repository query timing, her "Stellaris downgrade attack" exploits manifest files with 2-48 hour lifecycles to achieve undetected RPKI security downgrades. 

Using a sophisticated test environment with Krill publication points and FRR routing software, Donika validated that 47% of publication points are vulnerable to targeted rate limiting attacks that can stall processing for 6-8 hours, effectively enabling BGP prefix hijacking without triggering monitoring alerts.

Topics discussed:

• Technical analysis of how predictable relay party query patterns (default 10-minute intervals) enable precisely timed attacks against RPKI infrastructure.
• Methodology for constructing publication point subtrees with 50-100 nodes to achieve extended processing delays without triggering timeout mechanisms.
• Implementation details of targeted rate limiting using spoofed packets to prevent repository updates during critical processing windows.
• Development of isolated BGP/RPKI test environments using self-signed certificates and custom trust anchors to validate attacks without Internet connectivity.
• Impact analysis across different relay party implementations and their varying susceptibility to processing stalls.
• Architectural improvements for RPKI systems, including manifest lifecycle management and decoupled router data generation.
• Analysis of why seemingly aggressive manifest expiration times (2-48 hours) create an exploitable security tradeoff between data freshness and processing resilience.

Listen to more episodes: 

Apple 

Spotify 

YouTube

Website