FORT project

Welcome to FORT Monitor

FORT Monitor is a tool that presents data on the status of routing security in Latin America and the Caribbean and its impact on Internet end users. It is an easy-to-use tool designed to provide information that can be used by technical staff, decision makers, activists and other regional actors.

Here, you will be able to see some of the most relevant results and explore the data to understand them in greater detail.

This website is under construction, so, as we collect information, more complete reports will become available. The tool only covers the territories in LACNIC's service region.

Getting Started

If you have no prior technical knowledge, we recommend that you read the following information before exploring the data available on FORT Monitor.

The global routing system allows transmitting and routing packets (information) over the Internet. Every time a user conducts a transaction or communicates over the Internet, the information that is sent and received is routed to its destination using routing information that specifies how to reach each group of IP addresses. Routers exchange this “routing information” using a protocol called BGP.

The global routing system is one of the pillars of the Internet as we know it today. A failure in this system affects the ability of users and organizations to interconnect. Depending on its extent, a failure may affect a group of networks (limited scope) or it may have a regional or global impact.

If technologies are not deployed to protect it, the global routing system is vulnerable to attacks. When a route hijack occurs, the packets circulating within the Internet can be intercepted and redirected to spoofed destinations or they can be inspected to spy on their contents. To date, the most effective solution to this problem is Resource Public Key Infrastructure (RPKI), which uses public key infrastructure to certify the legitimate holder of a group of IP addresses (IPv4 or IPv6). In turn, using objects known as Route Origination Authorizations (ROAs) signed by the same public key certificate system, IP address holders can define which organizations (autonomous systems) are authorized to publish those addresses on the Internet. This allows validating routing information and distinguishing between valid and invalid or fake announcements.

Understanding the data presented in FORT Monitor requires knowledge of three key concepts.

Autonomous System. An autonomous system (AS) is a network or a group of networks managed as a unit. The Internet is made up of multiple, connected autonomous systems. Each AS is identified by an autonomous system number (ASN).

BGP. The Border Gateway Protocol (BGP) is the protocol used by autonomous systems to communicate on the Internet. Each autonomous system announces to the others the group of IP networks (prefixes) to which it can provide connectivity. In turn, it learns from the other autonomous systems the group of prefixes it can reach. The BGP protocol is responsible for sharing this information among autonomous systems, and routers use this information to send traffic from one location to another.

RPKI. Resource Public Key Infrastructure (RPKI) is a specialized public key infrastructure that applies to Internet resources (IPv4, IPv6, ASN). It is a tool that allows Internet operators to verify that the routing information they receive and propagate originates in a reliable, authorized source. This is done through a validation process where the operator uses the corresponding cryptographic material to validate that the entity requesting the routing actually has the right to perform that action (to make that announcement). The RPKI solution is still in the process of being deployed; in other words, its use is not yet universal.

FORT Monitor looks at the exchanges between autonomous systems (BGP messages) collected throughout the network and classifies them according to their RPKI validity status. To do this, it regularly connects with two RPKI validators (FORT and Routinator) from which it obtains the validation algorithm's results.

Below you will find useful information about the data sources employed by FORT Monitor and how different statistics are calculated.

The information exchanged between autonomous systems (AS) is analyzed by the application and accumulated daily. Any announcements that are observed are grouped by Prefix/Origin AS, which is the basic unit for FORT Monitor calculations. In other words, if one of these Prefix/Origin AS pairs is observed during the period under study, it is counted as one unit regardless of the number of times it was seen or the number of days on which it appeared. For example, the RPKI deployment analysis considers the different Prefix/Origin AS pairs and their corresponding RPKI validity status during a period of time. In the case of the evolution graph, the information is grouped by day, while in the percentage graph the information is grouped by month. It is important to note that, for this reason, the monthly deployment percentage may not match the average daily evolution percentages.

BGP announcements. The source we use to obtain information about the prefixes announced on the Internet is the UPDATE messages of all the collectors available at BGPStream.

Countries. To match prefixes to countries within the LACNIC service region, we use the information available in LACNIC's delegated-extended file. For countries outside the region, we use the information available in GeoLite2 integrated in Elasticsearch.

RPKI Validation. To find out which announcements are valid based on RPKI, we fetch the validation results of two RPKI validator implementations, FORT validator and Routinator. Through RTRLib we integrate the validation data and incorporate this into our system.

IRR Validation. To validate Internet Routing Registry information, we use the data available in the RADB and RIPE databases.

Autonomous Systems. To incorporate more information about the ASs shown in the system, we integrate data for each AS obtained from ASRank. The names of the ASs shown in the lists are obtained from this source.

Critical Infrastructure. To determine which prefixes include root servers that are part of the region's critical infrastructure, we use the information available at Internic.

RPKI Deployment

RPKI is a technology that protects the routing system against attacks. RPKI is in the process of being deployed, which means that its use is not yet universal. This chart shows the proportion of IPv4 and IPv6 prefixes protected by RPKI in LAC over the past month. In order for the routing system to be fully protected, coverage should be as close to 100% as possible. It should be noted that organizations/countries with lower coverage rates are more exposed to attacks such as route hijacking.

The degree of RPKI coverage is calculated as the ratio between distinct Prefix/Origin AS pairs corresponding to prefixes covered by ROAs and all routed prefixes. A prefix is covered by ROAs if it is possible to determine the validity of the announcements containing it via RPKI. The greater the coverage, the greater the level of protection for the routes announced by the region.

The information by country can be found by following the link.


Results of RPKI Validation in the Region

By using RPKI, the region’s operators can check whether an autonomous system is authorized to announce a specific range of prefixes. This ensures that Internet traffic reaches the right destination and that it does so safely.

Because the deployment of RPKI is not yet universal, the validation can have varied results. The prefixes that appear as “valid” are protected by RPKI and we can be sure that they can be trusted. Those that appear as “not found” are not yet protected by RPKI. “Invalid” is used for incorrect or malicious announcements.

This chart shows the status of prefixes that have their origin in Latin America and the Caribbean when RPKI validation is performed. As RPKI deployment progresses, the number of unprotected (not found) prefixes will decrease and the accuracy with which invalid prefixes are identified will increase.

This data can also be filtered by country and its evolution over time can be displayed.


Potential Route Hijacks

A route hijack is an attempt to redirect Internet traffic to spoofed (fake) destinations. Based on the total number of announcements in the region, grouped by unique Prefix/Origin AS pairs, this chart estimates the proportion of potential route hijacks (RPKI-Invalid Origin, RPKI-Invalid Length), the proportion of pairs that contain an anomaly and are therefore considered suspicious (IRR-Invalid), the proportion of pairs corresponding to prefix announcements for which the origin cannot be verified and which are therefore unprotected (RPKI/IRR - not found), and the proportion of prefixes that have their origin in a reliable/authorized source (RPKI-Valid and IRR-Valid).

Under “Expand Information”, we can see how the victims and those responsible for potential route hijacks are distributed in the region, as well as the details of anomalous announcements and possible hijacks.

Route hijacks are estimated based on RPKI validation data. If an announcement is identified as invalid, it is considered a potential route hijack. There are two possible reasons for this: the origin autonomous system is not authorized to announce the route, or the announced prefix is too specific (the maximum length is exceeded). But what about the announcements that are not covered by RPKI? For these cases, we use information from the Internet Routing Registries (IRR) to validate whether the announcements are recorded. If there is a record in the IRR that matches the announcement (same origin ASN and same prefix length), then it is labeled as IRR-valid. If there are records but these records contradict this information, then it is considered as IRR-invalid. If the prefix is not registered in an IRR, it is considered as IRR-not found. In such cases, the announcements are not considered potential route hijacks, but they are reported as anomalies.

The unit used to perform the calculations is the Prefix/Origin AS pair.
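The classification and counting rules described above can be sketched as follows. This is an added example, not FORT Monitor's own code: the ROAs, IRR records and announcements are constructed sample data, the rule that an IRR record is relevant when its prefix covers the announcement is an assumption, and coverage is computed here over distinct Prefix/Origin AS pairs.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample data: documentation prefixes and private-use ASNs.
ROAS = [("192.0.2.0/24", 24, 64500),      # (prefix, maxLength, authorized ASN)
        ("203.0.113.0/24", 24, 64501)]
IRR = [("198.51.100.0/24", 64502)]        # (route object prefix, origin ASN)
SAMPLE = [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64500),  # same pair seen twice
          ("192.0.2.0/24", 64666), ("203.0.113.0/25", 64501),
          ("198.51.100.0/24", 64502), ("198.51.100.0/24", 64503),
          ("2001:db8::/32", 64504)]

def covers(outer, inner):
    """True when `inner` equals or is more specific than `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)

def classify(prefix, origin):
    """Label one Prefix/Origin AS pair: RPKI first, IRR only without a ROA."""
    net = ip_network(prefix)
    roas = [(ml, asn) for p, ml, asn in ROAS if covers(ip_network(p), net)]
    if roas:
        if any(asn == origin and net.prefixlen <= ml for ml, asn in roas):
            return "RPKI-Valid"
        if any(asn == origin for _, asn in roas):
            return "RPKI-Invalid Length"   # right origin, prefix too specific
        return "RPKI-Invalid Origin"       # no ROA authorizes this origin
    # Assumption: an IRR record is relevant when its prefix covers the announcement.
    recs = [(ip_network(p), asn) for p, asn in IRR if covers(ip_network(p), net)]
    if not recs:
        return "IRR-Not Found"
    if any(asn == origin and p.prefixlen == net.prefixlen for p, asn in recs):
        return "IRR-Valid"
    return "IRR-Invalid"

def summarize(announcements):
    """Count each distinct pair once and return (counts per label, RPKI coverage)."""
    pairs = set(announcements)
    counts = Counter(classify(prefix, origin) for prefix, origin in pairs)
    covered = sum(n for label, n in counts.items() if label.startswith("RPKI"))
    return counts, covered / len(pairs)

if __name__ == "__main__":
    counts, coverage = summarize(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label}: {n}")
    print(f"RPKI coverage: {coverage:.0%}")
```
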


Critical Infrastructure Protection

Critical Infrastructure comprises the resources that are essential for the Internet to function properly. In this case, Critical Infrastructure is considered to include all name servers that resolve country code top-level domains (ccTLDs) such as .uy, .br or .mx. Hijacks at the critical infrastructure level can have a huge impact. Here we present the number of route hijacks that affected critical infrastructure in the region over the last three months. “Expand Information” will show information on the evolution of critical infrastructure coverage in the region and details of the hijacks that have occurred.


Over the past three months there have been 8 critical infrastructure hijacks.

Monthly Report

At the end of each month we prepare a summary with the most relevant data of the month.


Technical Reports

For users with a more technical profile, we offer several reports containing more detailed information.


By prefix

A search by prefix yields a list of autonomous systems that announced the selected prefix and its RPKI validity status.



By autonomous system

The search by autonomous system creates a list of prefixes announced by the selected autonomous system and its RPKI validity status.
