While existing security advances can defend against some attacks, they do not help secure domain control verification against network-level adversaries like autonomous systems that can manipulate the Border Gateway Protocol. Such adversaries can launch BGP hijack and interception attacks to steal traffic or obtain bogus certificates by spoofing the domain verification process. The paper analyzes BGP attacks on domain verification, develops a taxonomy, demonstrates a highly effective AS path poisoning attack, launches all BGP attacks against its own domain to decrypt HTTPS traffic within seconds for experimental purposes only, and then proposes countermeasures against these attacks.
While these advances can defend against some attacks, none of them help to secure domain control verification against network-level adversaries, i.e., Autonomous System (AS), that can manipulate the Border Gateway Protocol (BGP). Such adversaries can launch active BGP hijack and interception attacks to steal traffic away from victims or CAs, and spoof the domain control verification process to obtain bogus certificates.

In this paper, we first analyze and compare BGP attacks on the domain verification process to develop a taxonomy and present a highly effective use of the “AS-path poisoning” attack originally performed in [39]. Next, we launch all the BGP attacks against our own domain and decrypt seemingly “secure” HTTPS traffic within seconds. To avoid harming real users, these attacks were done in an ethical manner on domains that resolve into our own IP prefix and were registered solely for the purpose of the experiments. We then quantify the vulnerability of domain verification to these attacks. Finally, we propose countermeasures against these attacks. Our main contributions are as follows: