Defense Discovered for Defending Against BGP Hijacking & Off-Path DNS Attacks

Published: 23/11/2024   Category: security



Certificate Authorities (CAs) are continually getting requests from threat actors who want certificates that they aren't entitled to so that their criminal schemes may be furthered.
Researchers from Princeton outlined last year how one specific kind of attack on the CA using Border Gateway Protocol can be performed. They found that such an attack would fool the Let's Encrypt, Comodo, Symantec, GoDaddy and GlobalSign CAs.
When a CA is asked to sign a certificate, the CA must establish that the client requesting the certificate is the legitimate owner of the domain name in question. The domain control validation (DCV) process is how it makes that call.
The usual DCV process may involve publishing a specific DNS resource record, uploading a specific tagged document to the server linked to the domain, or proving ownership of the domain's administrative email account.
The previous research showed that by rerouting the DCV messages, threat actors could fool the CA into granting a certificate that never should have been issued.
Cloudflare thinks it has a solution. They announced that, "We're excited to announce that Cloudflare provides CAs a free API to leverage our global network to perform DCV from multiple vantage points around the world. This API bolsters the DCV process against BGP hijacking and off-path DNS attacks."
They went on to say, "Given that Cloudflare runs 175+ datacenters around the world, we are in a unique position to perform DCV from multiple vantage points. Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes."
The multipath DCV checker consists of two services: DCV agents, which are responsible for performing DCV out of a specific datacenter, and a DCV orchestrator, which handles multipath DCV requests from CAs and dispatches them to a subset of DCV agents. Prateek Mittal, coauthor of the "Bamboozling Certificate Authorities with BGP" paper, wrote to Cloudflare that:
"Our analysis shows that domain validation from multiple vantage points significantly mitigates the impact of localized BGP attacks. We recommend that all certificate authorities adopt this approach to enhance web security."
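To make the orchestrator/agent split concrete, here is an added example (not Cloudflare's code) of the decision logic a multipath DCV orchestrator needs: every vantage point reports the DNS TXT value it observed, and issuance is allowed only when a quorum saw the expected token and no vantage point saw a conflicting value. Agent names, the token and the datacenter labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A DCV agent is modelled as a callable: given a domain, it returns the TXT
# value observed over that datacenter's own network path, or None on lookup
# failure. Hypothetical interface, constructed for this example.
Agent = Callable[[str], Optional[str]]


@dataclass
class DcvResult:
    validated: bool
    agreeing: List[str] = field(default_factory=list)    # saw expected token
    conflicting: List[str] = field(default_factory=list) # saw a different value
    failed: List[str] = field(default_factory=list)      # lookup failed/timed out


def orchestrate_dcv(domain: str, expected_token: str,
                    agents: Dict[str, Agent], min_agreeing: int) -> DcvResult:
    """Query every vantage point and aggregate. Lookup failures are tolerated
    (a datacenter may simply be unable to reach the nameserver), but any
    conflicting answer is treated as evidence of a rerouted path and fails
    validation outright, so a hijack of one route cannot force issuance."""
    result = DcvResult(validated=False)
    for name, agent in agents.items():
        observed = agent(domain)
        if observed is None:
            result.failed.append(name)
        elif observed == expected_token:
            result.agreeing.append(name)
        else:
            result.conflicting.append(name)
    result.validated = (len(result.agreeing) >= min_agreeing
                        and not result.conflicting)
    return result


def make_agent(answer: Optional[str]) -> Agent:
    """Constructed stand-in for a real agent: always reports `answer`."""
    return lambda domain: answer


def demo(hijacked: bool) -> DcvResult:
    token = "ca-challenge-3f9a1c"  # constructed challenge token
    sin_view = "attacker-value" if hijacked else token  # rerouted path view
    agents = {
        "ams": make_agent(token),
        "sfo": make_agent(token),
        "sin": make_agent(sin_view),
        "jnb": make_agent(None),  # lookup timed out from this datacenter
    }
    return orchestrate_dcv("example.com", token, agents, min_agreeing=2)
```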
Probably the best recommendation Cloudflare can give for this approach is that it dogfoods it: the DCV agents are already used for Cloudflare's own internal activities. Cloudflare has set up an address for DCV queries from those who may want to use it, and those interested are urged to email [email protected].
— Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
