The hottest topic among network admins these days is clearly Routing Security. Your ISP (and you?) use Routing Security to make the Internet a more secure place. Well, not the entire Internet, maybe, but at least your own routing table. Of course, RPKI Validation is one key element. The other? Less is more!
By now, it should not be news to a network administrator any more that it is possible to steal and use someone else’s IP address space. We have recently seen several hijacks of IP ranges that caused re-routing of IP traffic to a criminal network where personal information and cryptocurrency are being stolen. One of the contributing factors of these hijacks, in my opinion, is that a lot of ISPs feel that they always have to make sure that any IP address is reachable, no matter what, and that if they can’t deliver traffic, they provide a ‘bad service’. Many are afraid that they will lose customers if they do not deliver traffic to some IP prefixes.
In addition to trying to avoid RPKI, this is why a lot of ISPs will try to peer with as many other networks as possible and get as many routes in their table as possible – just set up peering with anyone anywhere, regardless of whether the announcement comes from a valid origin or actually provides better reachability. This is possible because a lot of Internet Exchanges offer cheap and massive connection capabilities to get as much traffic through their exchange as possible. The problem here, as is often the case with ‘free stuff’ on the Internet, is that in the end the ‘free’ peering can cost a lot more. Lower your costs by peering with a network that propagates BGP hijacks and you are in the front seat when it comes to becoming a victim of the next BGP hijack.
I feel it is time that we make the Internet safer again. At Fusix we are doing that not only through RPKI validation, but also by limiting the use of peering on Internet exchanges to only those networks that we know and trust. I’d rather explain to a customer why we have a slightly higher latency on a certain destination, than send the traffic of that customer to a malicious network that announces IP addresses for which it should not receive traffic, just because we happen to peer with them ‘for free’. We know that this way our connections are secured and stable, and we can troubleshoot them easily if required. Of course, we pay for the volume of traffic that we use, but at least we know that our transit provider implemented certain mechanisms for security and if we have questions about a security topic, we know we’ll get a reply. You do not have this when peering with everybody and their brother on a big Internet Exchange.
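The two elements described above, RPKI origin validation and accepting routes only from known peers, combined into one import check. This is an added example, not Fusix's configuration: the ROAs, prefixes and AS numbers are constructed from documentation ranges, and rejecting invalid routes while accepting not-found ones is an assumed policy.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [  # (prefix, max_length, origin_asn)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
]
# Hypothetical list of peer ASNs with which a security agreement exists.
TRUSTED_PEERS = {64500, 64501}


def rov_state(prefix, origin_asn, roas=ROAS):
    """Classify an announcement per RFC 6811: valid, invalid or not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if origin_asn == roa_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no ROA matched origin and length: invalid.
    return "invalid" if covered else "not-found"


def import_decision(peer_asn, prefix, as_path):
    """Return (accept, reason) for a route learned from peer_asn."""
    if peer_asn not in TRUSTED_PEERS:
        return False, "peer not on trusted list"
    state = rov_state(prefix, as_path[-1])  # origin AS is the last AS in the path
    if state == "invalid":
        return False, "RPKI invalid"
    return True, "RPKI " + state


if __name__ == "__main__":
    # Constructed announcements: (peer ASN, prefix, AS path).
    for peer, prefix, path in [
        (64500, "192.0.2.0/24", [64500, 64496]),    # correct origin
        (64501, "192.0.2.0/25", [64501, 64511]),    # more specific, wrong origin
        (64510, "198.51.100.0/24", [64510, 64497]), # valid origin, unknown peer
        (64500, "203.0.113.0/24", [64500, 64499]),  # no ROA covers this prefix
    ]:
        print(peer, prefix, import_decision(peer, prefix, path))
```
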
At Fusix, for all networks that we connect to, we have a set of agreements about security and quality of service (plus 24/7 contact details of the other network’s NOC). We are here to offer you secure connections and make the Internet a little safer once again!