Key Takeaways
- Route servers filter using RPKI then IRR‑based prefix whitelists
- AS‑SET expansion drops origin‑ASN binding, creating a blind spot
- Study found 1,426 blind‑spot announcements across AMS‑IX and NAMEX
- Large AS‑SETs contain >100k ASNs, inflating filter lists
- Operators should add origin‑validation step to mitigate hijacks
Pulse Analysis
Internet exchange points rely on route servers to aggregate BGP updates from hundreds of members, applying RPKI checks first and then IRR‑derived prefix whitelists. While this two‑layer model blocks obvious bogus prefixes, the reliance on AS‑SET expansion means the filter only verifies that a prefix appears in a list, not that the announcing AS is authorized. Consequently, when a prefix is present in the whitelist but originates from an unrelated AS, the route server treats it as legitimate, opening a subtle hijack vector.
The authors examined real‑world route‑server data from AMS‑IX and NAMEX, identifying 1,426 announcements that slipped through the blind spot. These cases represented 0.3% of total updates but involved 1,343 unique prefixes and 513 origin ASes, many of which were part of customer‑provider relationships. Large, poorly maintained AS‑SETs—some listing over 100,000 ASNs—exacerbate the problem by inflating whitelist size and increasing the chance of unrelated prefixes being accepted. The study also found that 65.6% of valid routes were inadvertently filtered because the required prefix was missing from the AS‑SET‑derived list, highlighting collateral damage to legitimate traffic.
Mitigation requires a shift from pure prefix whitelisting to origin‑validation. Operators should ensure comprehensive ROA coverage for all prefixes, prune stale entries from AS‑SET objects, and augment route‑server logic to cross‑check the origin AS against IRR route objects. For IXPs, adopting a standardized filtering framework that enforces prefix‑to‑origin binding can close the blind spot and restore confidence in inter‑exchange routing. As the Internet’s backbone continues to scale, such refinements are essential to safeguard routing integrity across global networks.
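The gap between a prefix-only whitelist and the prefix-to-origin binding described above, as an added example (not code from the study or from any route-server implementation). The AS-SET names, route objects and announcements are constructed from documentation ASNs and prefixes, and matching is simplified to exact prefixes.

```python
from ipaddress import ip_network

# Constructed IRR data using documentation ASNs and prefixes (not from the study).
AS_SETS = {"AS-EXAMPLE": ["AS64496", "AS-CUSTOMERS"],
           "AS-CUSTOMERS": ["AS64497", "AS64498", "AS-EXAMPLE"]}  # loop on purpose
ROUTE_OBJECTS = [("192.0.2.0/24", "AS64496"),
                 ("198.51.100.0/24", "AS64497"),
                 ("203.0.113.0/24", "AS64498")]

def expand_as_set(name, seen=None):
    """Recursively expand an AS-SET to member ASNs, tolerating circular references."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in AS_SETS.get(name, []):
        if member in AS_SETS:
            asns |= expand_as_set(member, seen)
        else:
            asns.add(member)
    return asns

def build_filters(as_set):
    """Return (prefix-only whitelist, prefix-to-origin pairs) for one member's AS-SET."""
    asns = expand_as_set(as_set)
    pairs = {(ip_network(p), origin) for p, origin in ROUTE_OBJECTS if origin in asns}
    return {p for p, _ in pairs}, pairs

def blind_spot(as_set, announcements):
    """Announcements the prefix-only whitelist accepts but origin binding rejects."""
    prefixes, pairs = build_filters(as_set)
    hits = []
    for prefix, origin in announcements:
        net = ip_network(prefix)
        if net in prefixes and (net, origin) not in pairs:
            hits.append((prefix, origin))
    return hits

# Constructed announcements: (prefix, origin AS)
ANNOUNCEMENTS = [("192.0.2.0/24", "AS64496"),      # matches its route object
                 ("198.51.100.0/24", "AS64498"),   # listed prefix, wrong origin in set
                 ("203.0.113.0/24", "AS64511"),    # listed prefix, origin outside set
                 ("2001:db8::/32", "AS64496")]     # prefix not in the whitelist at all

if __name__ == "__main__":
    for prefix, origin in blind_spot("AS-EXAMPLE", ANNOUNCEMENTS):
        print(f"prefix-only filter accepts {prefix} from {origin}; no route object binds them")
```

Running the same comparison over a route server's accepted routes and the route objects behind each member's AS-SET gives a list of announcements to review before switching the filter to origin-bound matching.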
Exploring the blind spot of IXPs Route Servers
