FORT project

Welcome to FORT Monitor

FORT Monitor is a tool that presents data on the status of routing security in Latin America and the Caribbean and its impact on Internet end users. It is an easy-to-use tool designed to provide information that can be used by technical staff, decision makers, activists and other regional actors.

Here, you will be able to see some of the most relevant results and explore the data to understand them in greater detail.

This website is under construction, so, as we collect information, more complete reports will become available. The tool only covers the territories in LACNIC's service region.

Getting Started

If you have no prior technical knowledge, we recommend that you read the following information before exploring the data available on FORT Monitor.

The global routing system allows transmitting and routing packets (information) over the Internet. Every time a user conducts a transaction or communicates over the Internet, the information that is sent and received is routed to its destination using routing information that specifies how to reach each group of IP addresses. Routers exchange this “routing information” using a protocol called BGP.

The global routing system is one of the pillars of the Internet as we know it today. A failure in this system affects the ability of users and organizations to interconnect. Depending on its extent, a failure may affect a group of networks (limited scope) or it may have a regional or global impact.

If technologies are not deployed to protect it, the global routing system is vulnerable to attacks. When a route hijack occurs, the packets circulating within the Internet can be intercepted and redirected to spoofed destinations or they can be inspected to spy on their contents. To date, the most effective solution to this problem is Resource Public Key Infrastructure (RPKI), which uses public key infrastructure to certify the legitimate holder of a group of IP addresses (IPv4 or IPv6). In turn, using objects known as Route Origination Authorizations (ROAs) signed by the same public key certificate system, IP address holders can define which organizations (autonomous systems) are authorized to publish those addresses on the Internet. This allows validating routing information and distinguishing between valid and invalid or fake announcements.

Understanding the data presented in FORT Monitor requires knowledge of three key concepts.

Autonomous System. An autonomous system (AS) is a network or a group of networks managed as a unit. The Internet is made up of multiple, connected autonomous systems. Each AS is identified by an autonomous system number (ASN).

BGP. The Border Gateway Protocol (BGP) is the protocol used by autonomous systems to communicate on the Internet. Each autonomous system announces to the others the group of IP networks (prefixes) to which it can provide connectivity. In turn, it learns from the other autonomous systems the group of prefixes it can reach. BGP is responsible for sharing this information among autonomous systems, and routers use this information to send traffic from one location to another.

RPKI. Resource Public Key Infrastructure (RPKI) is a specialized public key infrastructure that applies to Internet resources (IPv4, IPv6, ASN). It is a tool that allows Internet operators to verify that the routing information they receive and propagate originates in a reliable, authorized source. This is done through a validation process where the operator uses the corresponding cryptographic material to validate that the entity requesting the routing actually has the right to perform that action (to make that announcement). The RPKI solution is still in the process of being deployed; in other words, its use is not yet universal.

FORT Monitor looks at the exchanges between autonomous systems (BGP messages) collected throughout the network and classifies them according to their RPKI validity status. To do this, it regularly connects with two RPKI validators (FORT and Routinator) from which it obtains the validation algorithm's results.

The information exchanged between the autonomous systems (AS) is analyzed by the tool and accumulated daily. The observed announcements are grouped by distinct Prefix/Origin AS pair, this being the basic unit for FORT Monitor calculations. That is, if one of these Prefix/Origin AS pairs was observed in the period under study, it is counted as one regardless of the number of times it was seen or the number of days in which it appeared. For example, the RPKI deployment analysis considers the distinct Prefix/Origin AS pairs and their respective RPKI validity in a period of time. In the evolution graph, the information is grouped by day, while in the percentage graph, the information is grouped by month. It is important to note that, for this reason, the monthly deployment percentage may not correspond to the average of the daily percentages in the evolution graph.

RPKI Deployment

RPKI is a technology that protects the routing system against attacks. RPKI is in the process of being deployed, which means that its use is not yet universal. This chart shows the proportion of IPv4 and IPv6 prefixes protected by RPKI in LAC over the past month. In order for the routing system to be fully protected, coverage should be as close to 100% as possible. It should be noted that organizations/countries with lower coverage rates are more exposed to attacks such as route hijacking.

The degree of RPKI coverage is calculated as the ratio between distinct Prefix/Origin AS pairs corresponding to prefixes covered by ROAs and all routed prefixes. A prefix is covered by ROAs if it is possible to determine the validity of the announcements containing it via RPKI. The greater the coverage, the greater the level of protection for the routes announced by the region.

The information by country can be found by following the link.


Results of RPKI Validation in the Region

By using RPKI, the region’s operators can check whether an autonomous system is authorized to announce a specific range of prefixes. This ensures that Internet traffic reaches the right destination and that it does so safely.

Because the deployment of RPKI is not yet universal, the validation can have varied results. The prefixes that appear as “valid” are protected by RPKI and we can be sure that they can be trusted. Those that appear as “not found” are not yet protected by RPKI. “Invalid” is used for incorrect or malicious announcements.

This chart shows the status of prefixes that have their origin in Latin America and the Caribbean when RPKI validation is performed. As RPKI deployment progresses, the number of unprotected (not found) prefixes will decrease and the accuracy with which invalid prefixes are identified will increase.

This data can also be filtered by country and its evolution over time can be displayed.


Potential Route Hijacks

A route hijack is an attempt to redirect Internet traffic to spoofed (fake) destinations. Based on the total number of announcements in the region, grouped by unique Prefix/Origin AS pairs, this chart estimates the proportion of potential route hijacks (RPKI-Invalid Origin, RPKI-Invalid Length), the proportion of pairs that contain an anomaly and are therefore considered suspicious (IRR-Invalid), the proportion of pairs corresponding to prefix announcements for which the origin cannot be verified and are therefore unprotected (RPKI/IRR - not found), and the proportion of prefixes that have their origin in a reliable/authorized source (RPKI-Valid and IRR-Valid).

Under “Expand Information”, we can see how the victims and those responsible for potential route hijacks are distributed in the region, as well as the details of anomalous announcements and possible hijacks.

Route hijacks are estimated based on RPKI validation data. If an announcement is identified as invalid, it is considered a potential route hijack. There are two possible reasons for this: the origin autonomous system is not authorized to announce the route, or the announced prefix is too specific (the maximum length is exceeded). But what about the announcements that are not covered by RPKI? For these cases, we use information from the Internet Routing Registries (IRR) to validate whether the announcements are registered. If there is a record in the IRR that matches the announcement (same origin ASN and same prefix length), then it is labeled as IRR-valid. If there are records but these records contradict this information, then it is considered as IRR-invalid. If the prefix is not registered in an IRR, it is considered as IRR-not found. In such cases, potential route hijacks are not considered, but they are reported as anomalies.

Calculations are performed based on unique Prefix/Origin AS pairs.
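The classification and coverage calculation described above can be reproduced on a small data set. The following is an added example, not FORT Monitor's own code: the ROAs, IRR records and observations are constructed from documentation prefixes and reserved ASNs, and two details are assumptions: an announcement covered only by ROAs for the right AS with a shorter maximum length is labeled as a length error, and an IRR record counts as registered when its prefix contains the announced one.

```python
import ipaddress
from collections import Counter

# Constructed sample data: documentation prefixes and reserved ASNs.
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 24, 64501)]  # prefix, maxLength, ASN
IRR = [("203.0.113.0/24", 64502)]                                    # route object: prefix, origin
OBSERVED = [  # (day, prefix, origin AS); the repeated pair is intentional
    (1, "192.0.2.0/24", 64500), (2, "192.0.2.0/24", 64500),
    (1, "192.0.2.0/24", 64666),
    (1, "198.51.100.128/25", 64501),
    (2, "203.0.113.0/24", 64502), (3, "203.0.113.0/24", 64503),
    (2, "2001:db8::/32", 64504),
]

def covers(outer, inner):
    """True when `outer` contains `inner` (same IP version, equal or shorter length)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)

def classify(prefix, origin):
    """Label one Prefix/Origin AS pair: RPKI first, IRR only when no ROA covers it."""
    plen = ipaddress.ip_network(prefix).prefixlen
    covering = [(maxlen, asn) for p, maxlen, asn in ROAS if covers(p, prefix)]
    if covering:
        if any(asn == origin and plen <= maxlen for maxlen, asn in covering):
            return "RPKI-Valid"
        # Assumption: right AS but prefix more specific than maxLength -> length error.
        if any(asn == origin for _, asn in covering):
            return "RPKI-Invalid Length"
        return "RPKI-Invalid Origin"
    registered = [(p, asn) for p, asn in IRR if covers(p, prefix)]
    if not registered:
        return "Not Found"
    exact = any(asn == origin and ipaddress.ip_network(p).prefixlen == plen
                for p, asn in registered)
    return "IRR-Valid" if exact else "IRR-Invalid"

def summarize(observed):
    """Return (status per distinct pair, counts per status, RPKI coverage ratio)."""
    pairs = {(p, a) for _, p, a in observed}   # each pair counts once per period
    status = {pair: classify(*pair) for pair in pairs}
    counts = Counter(status.values())
    covered = sum(n for s, n in counts.items() if s.startswith("RPKI-"))
    return status, counts, covered / len(pairs)

if __name__ == "__main__":
    print(summarize(OBSERVED))
```

Running `summarize` on each day's observations separately and averaging the three ratios gives a different figure from the whole-period ratio, which is why the monthly percentage need not match the average of the daily ones.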


Critical Infrastructure Protection

Critical Infrastructure is made up of resources that are essential for the Internet to function properly. In this case, we consider as Critical Infrastructure all the name servers that resolve country code top level domains (ccTLDs) such as .uy, .br or .mx. A hijack at the critical infrastructure level can have a big impact. Here is the number of route hijacks that impacted critical infrastructure in the region in the last 3 months. In “Expand Information”, information is presented on the evolution of critical infrastructure coverage in the region and details of the hijacks that have occurred.


In the last 3 months, 13 hijacks on critical infrastructure have occurred.

Monthly Report

At the end of each month we prepare a summary with the most relevant data of the month. It is possible to subscribe to receive the monthly report in your email.


Technical Reports

For users with a more technical profile, we offer several reports containing more detailed information.


By prefix

A search by prefix yields a list of autonomous systems that announced the selected prefix and its RPKI validity status.


By autonomous system

The search by autonomous system creates a list of prefixes announced by the selected autonomous system and its RPKI validity status.
