We are a trusting bunch of people in the Internet world. When it comes to routing traffic between ISPs, the Internet is built on trust: when someone announces an IP range, we believe them ‘on their blue eyes’ that this range really belongs to them or their customer. But lately we see more and more criminals taking advantage of that trust. We at Fusix are done with that!
One of the latest of these “prefix hijacks” caused a lot of people to lose money, or in this case their cryptocurrency. In April of this year, MyEtherWallet users noticed something odd. Connecting to the service, they were faced with an unsigned SSL certificate. But as is often the case – because we are so trusting – users clicked through it and continued to the service, which was running inside a hijacked IP address range and rerouted to a Russian server. Their wallets were emptied; the culprits got away with at least 13,000 dollars in just under two hours.
Amazon’s Route 53 service
What happened? Criminals announced the IP addresses of the Amazon Route 53 service as if these IP addresses belonged to them, started to receive users’ requests, and rerouted some of them to collect logins and passwords. Then they used this data to empty people’s pockets. This could have been avoided if the Internet Service Providers on the Internet had been able to verify that the IP addresses did not in fact belong to the network that was announcing them, and had not routed the user requests to the malicious actor.
Internet routing works because ISP networks announce IP addresses for which they want to receive traffic. More and more we see announcements of IP addresses that are (unintentionally) wrong. With RPKI, you can validate the announcements by using an anchor that ties IP addresses to their valid origin ISP network. If the origin network is invalid, the route will not be accepted and traffic is not sent to it.
Among the first in the world to deploy RPKI Validation
So why is RPKI not deployed by all ISPs across the Internet? I think because we still believe that if an ISP can’t deliver traffic, it has bad service. Many are afraid that they will lose customers if they miss prefixes. At Fusix we would rather explain to a customer why some IP addresses are not reachable via our network than send the traffic of our customers to a malicious network that announces IP addresses for which it should not receive traffic. That is why, as one of the world’s first commercial ISPs, we have deployed RPKI, and make more informed decisions about whether or not to route user traffic. In the Fusix Networks backbone, “RPKI Invalid” origin networks are rejected.
Trust is a beautiful thing, but the Internet has turned into a place where trust isn’t enough anymore. We need to be vigilant and validate that the IP addresses are not hijacked, to make sure clients have that extra layer of protection and can keep doing business. RPKI helps us, and you. It brings peace of mind.