Abstract
Internet Exchange Points (IXPs) are critical components of today’s Internet, as they handle a substantial share of global traffic and enable efficient interconnection among networks. At the heart of their operation are Route Servers (RS), which simplify public peering by allowing Autonomous Systems (ASes) to establish a single BGP session with the RS. However, a key challenge of BGP is its trust-based route sharing, which introduces vulnerabilities that can be exploited to hijack or disrupt traffic. To mitigate such risks, IXPs implement filtering policies on RS primarily based on two mechanisms: Internet Routing Registries (IRRs) and the Resource Public Key Infrastructure (RPKI). Current RS filtering practices, however, reveal a blind spot: IRR-based filtering depends heavily on AS-SET objects, which are often outdated. Unlike RPKI, IRR validation does not bind a prefix to its legitimate owner AS, leaving room for hijacks or misconfigurations to be accepted and propagated. In this work, we analyze this vulnerability, showing how an attacker can exploit IRR-based filtering to perform prefix hijacking through IXPs. We analyzed the configuration of several IXPs in the EURO-IX community and found that most of them are affected by this vulnerability. To address it, we propose solutions that IXPs can adopt, alongside recommendations for both network operators and IXP operators to improve filtering practices. Finally, we validate our findings through an analysis of real-world data from the route server RIBs of two major European IXPs, demonstrating the practical impact of the problem.
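The blind spot described in the abstract, shown as an added example that is not taken from the talk or from any IXP's configuration. It assumes a simplified route-server model in which the origin AS and the prefix are each checked against lists expanded from the member's AS-SET; the AS-SET names, ASNs, prefixes and ROA are constructed, and the pair-bound filter is one possible stricter check, not necessarily the solution the authors propose.

```python
import ipaddress

# Constructed IRR data (documentation ASNs and prefixes, not real registrations).
AS_SETS = {"AS-MEMBER": {"AS64496", "AS-CUSTOMERS"},
           "AS-CUSTOMERS": {"AS64497", "AS64498"}}
ROUTE_OBJECTS = {("192.0.2.0/24", 64496), ("198.51.100.0/24", 64497),
                 ("203.0.113.0/24", 64498)}
# Constructed ROAs: (prefix, max length, authorised origin AS).
ROAS = [("198.51.100.0/24", 24, 64497)]

def expand_as_set(name, seen=None):
    """Recursively resolve an AS-SET into its member AS numbers (cycle-safe)."""
    seen = {name} if seen is None else seen
    asns = set()
    for member in AS_SETS.get(name, ()):
        if member in AS_SETS:
            if member not in seen:
                seen.add(member)
                asns |= expand_as_set(member, seen)
        elif member[2:].isdigit():
            asns.add(int(member[2:]))
    return asns

def irr_loose(prefix, origin, as_set):
    """Modelled blind spot: origin and prefix are checked independently."""
    asns = expand_as_set(as_set)
    prefixes = {p for p, o in ROUTE_OBJECTS if o in asns}
    return origin in asns and prefix in prefixes

def irr_bound(prefix, origin, as_set):
    """Stricter check: a route object must bind this prefix to this origin."""
    return origin in expand_as_set(as_set) and (prefix, origin) in ROUTE_OBJECTS

def rpki_rov(prefix, origin):
    """RFC 6811-style origin validation: valid, invalid or not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and origin == roa_asn:
                return "valid"
    return "invalid" if covered else "not-found"

def compare(prefix, origin, as_set="AS-MEMBER"):
    """Return the three verdicts for one announcement, for side-by-side review."""
    return (irr_loose(prefix, origin, as_set), irr_bound(prefix, origin, as_set),
            rpki_rov(prefix, origin))
```

Calling `compare("203.0.113.0/24", 64497)` shows the case that matters for operators: with no ROA covering the prefix, RPKI returns not-found and the loose IRR check is the only filter left, yet it accepts an origin that no route object binds to that prefix.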
Recording
Speaker
Stefano Servillo
Stefano Servillo is currently in the final year of his Ph.D. program in the Department of Information Engineering, Electronic and Telecommunications at the University of Rome “La Sapienza”, Italy. He collaborates with Namex, the Internet Exchange Point of Rome. His research interests primarily focus on routing security, the Border Gateway Protocol (BGP), and Internet Exchange Points (IXPs).