Mailing List Archive

YouTube IP Hijacking
As you guys probably know Youtube's IPs are being hijacked. Trace:
~ $ host youtube.com
youtube.com has address 208.65.153.253
youtube.com has address 208.65.153.238
youtube.com has address 208.65.153.251
[Same /24]


701 3491 17557
64.74.137.253 (metric 1) from 66.151.144.148 (66.151.144.148)
Origin IGP, metric 100, localpref 100, valid, external
Community: 65010:300
Last update: Sun Feb 24 11:33:05 2008 [PST8PDT]
3491 17557
216.218.135.205 from 216.218.135.205 (216.218.252.164)
Origin IGP, metric 100, localpref 100, valid, external, best
Last update: Sun Feb 24 10:47:57 2008 [PST8PDT]

So, it seems that youtube's ip block has been hijacked by a more
specific prefix being advertised. This is a case of IP hijacking, not a
case of DNS poisoning, youtube engineers doing something stupid, etc.
For people that don't know, the router will try to get the most specific
prefix. This is by design, not by accident. This is a case of censorship
on the internet. Anyways, I hope this doesn't get into a political
situation, and someone stops this.

What action are you going to take? Are you going to filter
announcements from AS17557, or just filter that specific announcement?
Considering youtube is a fairly high-traffic website I think that other
operators are just going to start filtering that AS. This is a great
example of global politics getting in the way of honest corporatism.
This is also an example of how vulnerable the internet is, and how lax
providers are in their filtering policies. I don't know how large
Pakistani Telecom is, but I bet it's not large enough that PCCW should
be allowing it to advertise anything.
Re: YouTube IP Hijacking [ In reply to ]
Sargun Dhillon wrote:

> So, it seems that youtube's ip block has been hijacked by a more
> specific prefix being advertised. This is a case of IP hijacking, not
> case of DNS poisoning, youtube engineers doing something stupid, etc.
> For people that don't know. The router will try to get the most specific
> prefix. This is by design, not by accident.

You are making the assumption of malice when the more likely cause is
one of accident on the part of probably stressed NOC staff at 17557.

They probably have that /24 going to a gateway walled garden box which
replies with a site saying 'we have banned this', and that /24 route is
leaking outside of their AS via PCCW due to dodgy filters/communities.

Will
RE: YouTube IP Hijacking [ In reply to ]
Pakistan is deliberately blocking Youtube.

http://politics.slashdot.org/article.pl?sid=08/02/24/1628213

Maybe we should all block Pakistan.



> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> Behalf Of Will Hargrave
> Sent: Sunday, February 24, 2008 12:39 PM
> To: nanog@nanog.org
> Subject: Re: YouTube IP Hijacking
>
>
> Sargun Dhillon wrote:
>
> > So, it seems that youtube's ip block has been hijacked by a more
> > specific prefix being advertised. This is a case of IP
> hijacking, not
> > case of DNS poisoning, youtube engineers doing something
> stupid, etc.
> > For people that don't know. The router will try to get the most
> > specific prefix. This is by design, not by accident.
>
> You are making the assumption of malice when the more likely
> cause is one of accident on the part of probably stressed NOC
> staff at 17557.
>
> They probably have that /24 going to a gateway walled garden
> box which replies with a site saying 'we have banned this',
> and that /24 route is leaking outside of their AS via PCCW
> due to dodgy filters/communities.
>
> Will
>
Re: YouTube IP Hijacking [ In reply to ]
Sounds more like a typo on a filter over at AS17557
than anything else.

http://ca.news.yahoo.com/s/afp/080224/world/denmark_media_islam_pakistan_internet_youtube

-r


On Sun, Feb 24, 2008 at 12:27:29PM -0800, Sargun Dhillon wrote:
>
> As you guys probably know Youtube's IP's are being hijacked. Trace:
> ~ $ host youtube.com
> youtube.com has address 208.65.153.253
> youtube.com has address 208.65.153.238
> youtube.com has address 208.65.153.251
> [Same /24]
>
>
> 701 3491 17557
> 64.74.137.253 (metric 1) from 66.151.144.148 (66.151.144.148)
> Origin IGP, metric 100, localpref 100, valid, external
> Community: 65010:300
> Last update: Sun Feb 24 11:33:05 2008 [PST8PDT]
> 3491 17557
> 216.218.135.205 from 216.218.135.205 (216.218.252.164)
> Origin IGP, metric 100, localpref 100, valid, external, best
> Last update: Sun Feb 24 10:47:57 2008 [PST8PDT]
>
> So, it seems that youtube's ip block has been hijacked by a more
> specific prefix being advertised. This is a case of IP hijacking, not
> case of DNS poisoning, youtube engineers doing something stupid, etc.
> For people that don't know. The router will try to get the most specific
> prefix. This is by design, not by accident. This is a case of censorship
> on the internet. Anyways, I hope this doesn't get into a political
> situation, and someone stops this.
>
> What action are you going to take? Are you going to filter
> announcements from AS17557, or just filter that specific announcement?
> Considering youtube is a fairly high-traffic website I think that other
> operators are just going to start filtering that AS. This is a great
> example of global politics getting in the way of honest corporatism.
> This is also an example of how vulnerable the internet is, and how lax
> providers are in their filtering policies. I don't know how large
> Pakistani Telecom is, but it I bet its not large enough that PCCW should
> be allowing it to advertise anything.
Re: YouTube IP Hijacking [ In reply to ]
-- Will Hargrave <will@harg.net> wrote:

>Sargun Dhillon wrote:
>
>> So, it seems that youtube's ip block has been hijacked by a more
>> specific prefix being advertised. This is a case of IP hijacking, not
>> case of DNS poisoning, youtube engineers doing something stupid, etc.
>> For people that don't know. The router will try to get the most specific
>> prefix. This is by design, not by accident.
>
>You are making the assumption of malice when the more likely cause is
>one of accident on the part of probably stressed NOC staff at 17557.
>
>They probably have that /24 going to a gateway walled garden box which
>replies with a site saying 'we have banned this', and that /24 route is
>leaking outside of their AS via PCCW due to dodgy filters/communities.
>

I guess you guys missed the news that Pakistan has "blocked" YouTube
due to [mumble]:

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/02/24/wpak324.xml


AS Name
AS17557 PKTELECOM-AS-AP Pakistan Telecom

- ferg



--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: YouTube IP Hijacking [ In reply to ]
While they are deliberately blocking Youtube nationally, I suspect the
wider issue has no malice, and is a case of poorly constructed/
implemented outbound policies on their part, and poorly constructed/
implemented inbound policies on their upstream's part.

On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote:

>
> Pakistan is deliberately blocking Youtube.
>
> http://politics.slashdot.org/article.pl?sid=08/02/24/1628213
>
> Maybe we should all block Pakistan.
>
>
>

Neil Fenemor
FX Networks
RE: YouTube IP Hijacking [ In reply to ]
Looks like it just went back to normal:

cr1-sea-A>show ip bgp 208.65.153.253
BGP routing table entry for 208.65.153.0/24, version 41150187
Paths: (3 available, best #3)
Flag: 0x8E0
Advertised to update-groups:
1 3 4 6 13 14
16
3356 3549 36561, (Received from a RR-client)
208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126)
Origin IGP, metric 0, localpref 50, valid, internal
Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011
3549:4142 3549:30840 11404:1000 11404:1030
2914 3549 36561, (Received from a RR-client)
208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125)
Origin IGP, metric 0, localpref 49, valid, internal
Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010
3491 3549 36561
63.216.14.137 from 63.216.14.137 (63.216.14.9)
Origin IGP, localpref 51, valid, external, best
Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020
cr1-sea-A>



Probably worth noting that the performance at least from our perspective
(via PCCW) is abysmal. As a side note, I know PCCW allows unfiltered
route-announcement capability to a large number of their customers, our
feed appears to be that way (or they apply RADB filters instantly which
would be a bit impressive).



John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Tomas L. Byrnes
Sent: Sunday, February 24, 2008 12:50 PM
To: Will Hargrave; nanog@merit.edu
Subject: RE: YouTube IP Hijacking


Pakistan is deliberately blocking Youtube.

http://politics.slashdot.org/article.pl?sid=08/02/24/1628213

Maybe we should all block Pakistan.



RE: YouTube IP Hijacking [ In reply to ]
Clearly, they are incensed by youtube content, so what makes anyone
think that they would not be trying to engage in a case of Cyber-Jihad?

I hosted the site that was rated #1 on Google for the Jyllands Posten
(di2.nu) cartoons when it was a current issue, and I STILL get lots of
script kiddie DOS from the Islamic world.

I generally don't assume malice when mere incompetence will suffice, but
in the case of the Islamic world, they've proved themselves malicious
towards the non-Islamic world often, and violently, enough, that I don't
believe they deserve that presumption of innocence any more.

In either case, the correct COA is to filter all advertisements with AS
17557 in the path, until they fix the routes they are advertising, and
let us know how they plan on making sure this doesn't happen again.


> -----Original Message-----
> From: Neil Fenemor [mailto:neil.fenemor@fx.net.nz]
> Sent: Sunday, February 24, 2008 1:01 PM
> To: Tomas L. Byrnes
> Cc: Will Hargrave; nanog@merit.edu
> Subject: Re: YouTube IP Hijacking
>
> While they are deliberately blocking Youtube nationally, I
> suspect the wider issue has no malice, and is a case of
> poorly constructed/ implemented outbound policies on their
> part, and poorly constructed/ implemented inbound policies on
> their upstream's part.
>
> On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote:
>
> >
> > Pakistan is deliberately blocking Youtube.
> >
> > http://politics.slashdot.org/article.pl?sid=08/02/24/1628213
> >
> > Maybe we should all block Pakistan.
> >
> >
> >
>
> Neil Fenemor
> FX Networks
>
>
>
Re: YouTube IP Hijacking [ In reply to ]
Tomas L. Byrnes wrote:
> Clearly, they are incensed by youtube content, so what makes anyone
> think that they would not be trying to engage in a case of Cyber-Jihad?

Because this usually doesn't work very well, is very evident, and easily
fixed? Even on a sleepy Sunday, it took 3491 about two hours to
filter/turn down 17557 and remove the problem. I bet most of their peers
say that's too slow, however :-)

> I generally don't assume malice when mere incompetence will suffice, but
> in the case of the Islamic world, they've proved themselves malicious
> towards the non-Islamic world often, and violently, enough, that I don't
> believe they deserve that presumption of innocence any more.

I think your perspective is a little off.
Re: YouTube IP Hijacking [ In reply to ]
<Jake Blues mode>

I hate Cyber Jihads!

</Jake Blues mode>

----- Original Message -----
From: owner-nanog@merit.edu <owner-nanog@merit.edu>
To: Neil Fenemor <neil.fenemor@fx.net.nz>
Cc: Will Hargrave <will@harg.net>; nanog@merit.edu <nanog@merit.edu>
Sent: Sun Feb 24 16:06:50 2008
Subject: RE: YouTube IP Hijacking


Clearly, they are incensed by youtube content, so what makes anyone
think that they would not be trying to engage in a case of Cyber-Jihad?

I hosted the site that was rated #1 on Google for the Jyllands Posten
(di2.nu) cartoons when it was a current issue, and I STILL get lots of
script kiddie DOS from the Islamic world.

I generally don't assume malice when mere incompetence will suffice, but
in the case of the Islamic world, they've proved themselves malicious
towards the non-Islamic world often, and violently, enough, that I don't
believe they deserve that presumption of innocence any more.

In either case, the correct COA is to filter all advertisements with AS
17557 in the path, until they fix the routes they are advertising, and
let us know how they plan on making sure this doesn't happen again.


Re: YouTube IP Hijacking [ In reply to ]
On Sun, Feb 24, 2008 at 4:06 PM, Tomas L. Byrnes <tomb@byrneit.net> wrote:
>
> Clearly, they are incensed by youtube content, so what makes anyone
> think that they would not be trying to engage in a case of Cyber-Jihad?
>


Let's avoid speculation as to the why and reserve this thread for
global restoration activity.

-M<
RE: YouTube IP Hijacking [ In reply to ]
Which means that, by advertising routes more specific than the ones they
are poisoning, it may well be possible to restore universal connectivity
to YouTube.



> -----Original Message-----
> From: Michael Smith [mailto:msmith@internap.com]
> Sent: Sunday, February 24, 2008 1:23 PM
> To: neil.fenemor@fx.net.nz; Tomas L. Byrnes
> Cc: will@harg.net; nanog@merit.edu
> Subject: Re: YouTube IP Hijacking
>
> Exactly... They inadvertently made the details of their
> oppression more readily apparent...
>
>
> ----- Original Message -----
> From: owner-nanog@merit.edu <owner-nanog@merit.edu>
> To: Tomas L. Byrnes <tomb@byrneit.net>
> Cc: Will Hargrave <will@harg.net>; nanog@merit.edu <nanog@merit.edu>
> Sent: Sun Feb 24 16:00:35 2008
> Subject: Re: YouTube IP Hijacking
>
>
> While they are deliberately blocking Youtube nationally, I
> suspect the wider issue has no malice, and is a case of
> poorly constructed/ implemented outbound policies on their
> part, and poorly constructed/ implemented inbound policies on
> their upstream's part.
>
> On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote:
>
> >
> > Pakistan is deliberately blocking Youtube.
> >
> > http://politics.slashdot.org/article.pl?sid=08/02/24/1628213
> >
> > Maybe we should all block Pakistan.
> >
> >
> >
>
> Neil Fenemor
> FX Networks
>
>
>
Re: YouTube IP Hijacking [ In reply to ]
On Sun Feb 24, 2008 at 04:32:45PM -0500, Martin Hannigan wrote:
> Let's avoid speculation as to the why and reserve this thread for
> global restoration activity.

So, from the tit-bits I've picked up from IRC and first-hand knowledge,
it would appear that 17557 leaked an announcement of 208.65.153.0/24 to
3491 (PCCW/BTN). After several calls to PCCW NOC, including from Youtube
themselves, PCCW claimed to be shutting down the links to 17557. Initially
I saw the announcement change from "3491 17557" to "3491 17557 17557", so
I speculate that they shut down the primary link (or filtered the announcement
on that link), and the prefix was still coming in over a secondary link
(hence the prepend). After more prodding, that route vanished too.

Various mitigations were talked about and tried, including Youtube announcing
the /24 as 2*/25, but these announcements did not seem to make it out to the
world at large.

Currently Youtube are announcing the /24 themselves - I assume this will drop
at some time once it's safe.

It was noticed that all the youtube.com DNS servers were in the affected /24.
Youtube have subsequently added a DNS server in another prefix.

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd | * http://www.bogons.net/ * Email: info@bogons.net *
Re: YouTube IP Hijacking [ In reply to ]
On Sun Feb 24, 2008 at 01:49:00PM -0800, Tomas L. Byrnes wrote:
> Which means that, by advertising routes more specific than the ones they
> are poisoning, it may well be possible to restore universal connectivity
> to YouTube.

Well, if you can get them in there.... Youtube tried that, to restore service
to the rest of the world, and the announcements didn't propagate.

Simon
RE: YouTube IP Hijacking [ In reply to ]
I figured as much, but it was worth a try.

Which touches on the earlier discussion of the null routing of /32s
advertised by a special AS (as a means of black-holing DDOS traffic).

It seems to me that a more immediately germane matter regarding BGP
route propagation is prevention of hijacking of critical routes.

Perhaps certain ASes that are considered "high priority", like Google,
YouTube, Yahoo, MS (at least their update servers), can be trusted to
propagate routes that are not aggregated/filtered, so as to give them
control over their reachability and immunity to longer-prefix hijacking
(especially problematic with things like MS update sites).



> -----Original Message-----
> From: Simon Lockhart [mailto:simon@slimey.org]
> Sent: Sunday, February 24, 2008 2:07 PM
> To: Tomas L. Byrnes
> Cc: Michael Smith; neil.fenemor@fx.net.nz; will@harg.net;
> nanog@merit.edu
> Subject: Re: YouTube IP Hijacking
>
> On Sun Feb 24, 2008 at 01:49:00PM -0800, Tomas L. Byrnes wrote:
> > Which means that, by advertising routes more specific than the ones
> > they are poisoning, it may well be possible to restore universal
> > connectivity to YouTube.
>
> Well, if you can get them in there.... Youtube tried that, to
> restore service to the rest of the world, and the
> announcements didn't propagate.
>
> Simon
>
RE: YouTube IP Hijacking [ In reply to ]
Not if the hijackers have advertised a /24. Anything you advertise more
specific than /24 will be lost on many networks' filters.


-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Tomas L. Byrnes
Sent: Monday, 25 February 2008 8:49 AM
To: Michael Smith; neil.fenemor@fx.net.nz
Cc: will@harg.net; nanog@merit.edu
Subject: RE: YouTube IP Hijacking


Which means that, by advertising routes more specific than the ones they
are poisoning, it may well be possible to restore universal connectivity
to YouTube.



Re: YouTube IP Hijacking [ In reply to ]
I think it was NOT a typo. This was a test, much more important test for
this world than last american anti-satellite missile.

And if they do it again with more mind, site will become down for
weeks at least... More of that, if big national telecom operator did it
and have neighbors to filter them out - it can lead to global split of
the network.

Of course, it should be happened early or late with THIS design of the
Network.

Ravi Pina wrote:
> Sounds more like a typo on a filter over at AS17557
> than anything else.
>
> http://ca.news.yahoo.com/s/afp/080224/world/denmark_media_islam_pakistan_internet_youtube
>
> -r
>
>


--
WBR,
Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Re: YouTube IP Hijacking [ In reply to ]
> > Which means that, by advertising routes more specific than the ones they
> > are poisoning, it may well be possible to restore universal connectivity
> > to YouTube.
>
> Well, if you can get them in there.... Youtube tried that, to restore service
> to the rest of the world, and the announcements didn't propagate.

Some of us block prefixes longer than /24 at our borders (even if our
transit providers don't).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
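
Added example, not part of any message in this thread: a small Python model of the behaviour discussed in Simon Lockhart's summary and the replies about /24 filters. It shows why the leaked /24 captured the traffic, why the 2*/25 mitigation only helps where no length filter is applied, and why an equal-length /24 only wins once the leak is withdrawn. The covering /22 and all AS paths are assumptions made for illustration; route selection is reduced to longest prefix, then shortest AS path.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # rightmost AS is the origin


def route(prefix: str, *as_path: int) -> Route:
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def origin_for(dest: str, announcements: Sequence[Route],
               max_len: Optional[int] = 24) -> Optional[int]:
    """Return the origin AS a simplified router would forward `dest` to.

    max_len models a border filter that drops prefixes longer than /max_len
    (None accepts any length). Selection is longest-prefix match first, then
    shortest AS path; localpref, MED and other BGP tie-breakers are ignored.
    """
    addr = ipaddress.ip_address(dest)
    installed = [r for r in announcements
                 if max_len is None or r.prefix.prefixlen <= max_len]
    covering = [r for r in installed if addr in r.prefix]
    if not covering:
        return None
    best = min(covering, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))
    return best.as_path[-1]


# 208.65.153.0/24, AS17557, AS3491 and AS36561 are taken from the thread.
# The covering /22 and every AS path below are constructed for illustration.
AGGREGATE = route("208.65.152.0/22", 3549, 36561)   # assumed covering prefix
LEAK = route("208.65.153.0/24", 3491, 17557)        # the leaked more-specific
HALVES = [route("208.65.153.0/25", 3549, 36561),    # the 2*/25 mitigation
          route("208.65.153.128/25", 3549, 36561)]
SAME_LEN = route("208.65.153.0/24", 3491, 3549, 36561)  # owner's own /24
DEST = "208.65.153.253"  # one of the youtube.com addresses in the first post


def scenarios() -> dict:
    """Origin AS chosen for DEST in each stage of the incident."""
    with_halves = [AGGREGATE, LEAK, *HALVES]
    return {
        "before leak": origin_for(DEST, [AGGREGATE]),
        "leak present": origin_for(DEST, [AGGREGATE, LEAK]),
        "/25s, no length filter": origin_for(DEST, with_halves, max_len=None),
        "/25s, /24 border filter": origin_for(DEST, with_halves, max_len=24),
        "own /24 vs leak": origin_for(DEST, [AGGREGATE, LEAK, SAME_LEN]),
        "own /24, leak withdrawn": origin_for(DEST, [AGGREGATE, SAME_LEN]),
    }


if __name__ == "__main__":
    for name, origin in scenarios().items():
        print(f"{name:26} -> AS{origin}")
```
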
RE: YouTube IP Hijacking [ In reply to ]
-- "Tomas L. Byrnes" <tomb@byrneit.net> wrote:

>It seems to me that a more immediately germane matter regarding BGP
>route propagation is prevention of hijacking of critical routes.
>

The best you can _probably_ hope for is an opt-in mechanism in
which you are alerted that prefixes you have "registered" with the
aforementioned system are being originated by an ASN which is not
authorized to originate them.

A lot of smart folks have given some thought to this exact issue,
and perhaps one of the best examples of this is:

"PHAS: A Prefix Hijack Alert System"
Mohit Lad, Dan Massey, Dan Pei, Yiguo Wu, Beichuan Zhang, and
Lixia Zhang
Proceedings of 15th USENIX Security Symposium 2006
http://www.cs.ucla.edu/~mohit/cameraReady/ladSecurity06.pdf

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
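
Added example, not part of the message above and not the PHAS algorithm from the cited paper: a simplified Python sketch of the opt-in alerting idea, checking a feed of announcements against registered prefixes and their authorized origin ASNs. The registered /22, the update feed and the function names are assumptions constructed for illustration; the AS paths reuse those quoted in the thread.

```python
import ipaddress
from collections import defaultdict

# Prefixes an operator has registered, with the ASNs allowed to originate them.
# AS36561 is the origin shown in the thread after recovery; the /22 is assumed.
REGISTERED = {ipaddress.ip_network("208.65.152.0/22"): {36561}}

# Constructed update feed: (prefix, AS path as a router prints it).
UPDATES = [
    ("208.65.152.0/22", "3549 36561"),        # normal aggregate
    ("208.65.153.0/24", "3491 17557"),        # leaked more-specific
    ("208.65.153.0/24", "701 3491 17557"),    # same leak seen via another peer
    ("208.65.153.0/24", "3491 17557 17557"),  # prepended path seen during cleanup
    ("208.65.153.0/24", "3491 3549 36561"),   # owner announcing the /24 itself
    ("192.0.2.0/24", "64500 64501"),          # unrelated documentation prefix
]


def parse_path(text):
    """Turn '3491 17557' into [3491, 17557]."""
    return [int(tok) for tok in text.split()]


def origin_and_upstream(path):
    """Origin is the rightmost AS; skip prepends to find who it was learned from."""
    origin = path[-1]
    i = len(path) - 1
    while i >= 0 and path[i] == origin:
        i -= 1
    return origin, (path[i] if i >= 0 else None)


def classify(prefix, path, registered=REGISTERED):
    """Return an alert dict if `prefix` falls inside a registered block and
    is originated by an AS that is not authorized for it, else None."""
    net = ipaddress.ip_network(prefix)
    origin, upstream = origin_and_upstream(path)
    for owned, allowed in registered.items():
        if net.version != owned.version or not net.subnet_of(owned):
            continue
        if origin in allowed:
            return None
        kind = "origin-conflict" if net == owned else "more-specific"
        return {"kind": kind, "prefix": str(net), "covers": str(owned),
                "origin": origin, "upstream": upstream}
    return None


def alerts(updates, registered=REGISTERED):
    """Group alerts by (prefix, origin) and collect the upstream ASes that
    propagated the announcement, i.e. whose NOC to call first."""
    grouped = defaultdict(lambda: {"kind": None, "upstreams": set(), "seen": 0})
    for prefix, path_text in updates:
        hit = classify(prefix, parse_path(path_text), registered)
        if hit is None:
            continue
        entry = grouped[(hit["prefix"], hit["origin"])]
        entry["kind"] = hit["kind"]
        entry["seen"] += 1
        if hit["upstream"] is not None:
            entry["upstreams"].add(hit["upstream"])
    return dict(grouped)


if __name__ == "__main__":
    for (prefix, origin), info in alerts(UPDATES).items():
        ups = ", ".join(f"AS{a}" for a in sorted(info["upstreams"]))
        print(f"{info['kind']}: {prefix} originated by AS{origin} "
              f"via {ups} ({info['seen']} updates)")
```
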
Re: YouTube IP Hijacking [ In reply to ]
http://www.google.com/reader/m/view/?source=mobilepack&v=2.1.4&rlz=1H2GGLE_en&i=-3701578819353178822&c=CMOjuszq3ZEC&n=1



On 2/24/08, Max Tulyev <president@ukraine.su> wrote:
>
> I think it was NOT a typo. This was a test, much more important test for
> this world than last american anti-satellite missile.
>
> And if they do it again with more mind, site will become down for
> weeks at least... More of that, if big national telecom operator did it
> and have neighbors to filter them out - it can lead to global split of
> the network.
>
> Of course, it should be happened early or late with THIS design of the
> Network.
>
> Ravi Pina wrote:
> > Sounds more like a typo on a filter over at AS17557
> > than anything else.
> >
> >
> http://ca.news.yahoo.com/s/afp/080224/world/denmark_media_islam_pakistan_internet_youtube
> >
> > -r
> >
> >
> > On Sun, Feb 24, 2008 at 12:27:29PM -0800, Sargun Dhillon wrote:
> >> As you guys probably know Youtube's IP's are being hijacked. Trace:
> >> ~ $ host youtube.com
> >> youtube.com has address 208.65.153.253
> >> youtube.com has address 208.65.153.238
> >> youtube.com has address 208.65.153.251
> >> [Same /24]
> >>
> >>
> >> 701 3491 17557
> >> 64.74.137.253 (metric 1) from 66.151.144.148 (66.151.144.148)
> >> Origin IGP, metric 100, localpref 100, valid, external
> >> Community: 65010:300
> >> Last update: Sun Feb 24 11:33:05 2008 [PST8PDT]
> >> 3491 17557
> >> 216.218.135.205 from 216.218.135.205 (216.218.252.164)
> >> Origin IGP, metric 100, localpref 100, valid, external, best
> >> Last update: Sun Feb 24 10:47:57 2008 [PST8PDT]
> >>
> >> So, it seems that youtube's ip block has been hijacked by a more
> >> specific prefix being advertised. This is a case of IP hijacking, not
> >> case of DNS poisoning, youtube engineers doing something stupid, etc.
> >> For people that don't know. The router will try to get the most specific
> >> prefix. This is by design, not by accident. This is a case of censorship
> >> on the internet. Anyways, I hope this doesn't get into a political
> >> situation, and someone stops this.
> >>
> >> What action are you going to take? Are you going to filter
> >> announcements from AS17557, or just filter that specific announcement?
> >> Considering youtube is a fairly high-traffic website I think that other
> >> operators are just going to start filtering that AS. This is a great
> >> example of global politics getting in the way of honest corporatism.
> >> This is also an example of how vulnerable the internet is, and how lax
> >> providers are in their filtering policies. I don't know how large
> >> Pakistani Telecom is, but I bet it's not large enough that PCCW should
> >> be allowing it to advertise anything.
>
>
> --
> WBR,
> Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
>
Re: YouTube IP Hijacking [ In reply to ]
On Sun, Feb 24, 2008 at 10:41:26PM +0000, Paul Ferguson wrote:
> The best you can _probably_ hope for is an opt-in mechanism in
> which you are alerted that prefixes you have "registered" with the
> aforementioned system are being originated by an ASN which is not
> authorized to originate them.

http://www.ris.ripe.net/myasn.html


Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
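
The opt-in origin alerting described in the quoted text above, sketched as an added example that is not part of the original thread or of PHAS/MyASN: a prefix owner registers prefixes with their authorized origin ASNs, and each BGP announcement is checked against that table. The registered /22, the documentation ASN 64500 and the sample updates are constructed assumptions; 208.65.153.0/24 and the path `3491 17557` are the values from the trace in this thread.

```python
import ipaddress

# Constructed registration table: prefix -> ASNs allowed to originate it.
# The /22 and AS64500 (a documentation ASN) are assumptions for this example.
REGISTERED = {ipaddress.ip_network("208.65.152.0/22"): {64500}}

# Constructed sample announcements as (prefix, AS path) pairs.
UPDATES = [
    ("208.65.152.0/22", "701 64500"),    # owner's normal announcement
    ("208.65.153.0/24", "3491 17557"),   # more-specific from a foreign origin
    ("208.65.152.0/22", "3491 17557"),   # same prefix, foreign origin
    ("208.65.153.128/25", "701 64500"),  # owner's own more-specific (recovery)
    ("192.0.2.0/24", "3491 17557"),      # unrelated, unregistered prefix
]

def origin_of(as_path):
    """The origin AS is the right-most ASN in the path; None if the path is empty."""
    hops = as_path.split()
    return int(hops[-1]) if hops else None

def check(prefix, as_path, registered=REGISTERED):
    """Return an alert dict when a registered prefix, or any part of it,
    is originated by an ASN not authorized for it; otherwise None."""
    net = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    for reg, allowed in registered.items():
        if net.version != reg.version or origin in allowed:
            continue
        if net == reg:
            kind = "ORIGIN_MISMATCH"
        elif net.subnet_of(reg):
            # A longer prefix wins route selection, so this diverts traffic
            # even while the owner's covering route is still announced.
            kind = "MORE_SPECIFIC_HIJACK"
        else:
            continue  # announcement does not overlap this registration
        return {"kind": kind, "prefix": str(net), "registered": str(reg),
                "origin": origin, "as_path": as_path}
    return None

def scan(updates, registered=REGISTERED):
    """Check every (prefix, as_path) pair and return the alerts raised."""
    alerts = (check(p, path, registered) for p, path in updates)
    return [a for a in alerts if a is not None]

if __name__ == "__main__":
    for alert in scan(UPDATES):
        print(alert)
```

The owner's own /25 raises no alert, which matters because announcing more-specifics is also the recovery action discussed in this thread.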
Re: YouTube IP Hijacking [ In reply to ]
-- Daniel Roesen <dr@cluenet.de> wrote:

>On Sun, Feb 24, 2008 at 10:41:26PM +0000, Paul Ferguson wrote:
>> The best you can _probably_ hope for is an opt-in mechanism in
>> which you are alerted that prefixes you have "registered" with the
>> aforementioned system are being originated by an ASN which is not
>> authorized to originate them.
>
>http://www.ris.ripe.net/myasn.html

Nice. :-)

- ferg


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
RE: YouTube IP Hijacking [ In reply to ]
Tomas L. Byrnes wrote:

> Perhaps certain ASes that are considered "high priority", like Google,
> YouTube, Yahoo, MS (at least their update servers), can be trusted to
> propagate routes that are not aggregated/filtered, so as to give them
> control over their reachability and immunity to longer-prefix hijacking
> (especially problematic with things like MS update sites).

Not to stir up a huge debate here, but if I were a day trader, I could live
without YouTube for a day, but not e*trade or Ameritrade as it would be my
livelihood. If I were an eBay seller, why would I care about YouTube? You
get the idea. What makes Google, YouTube, Yahoo, MS, etc more important?

More importantly, why is PCCW not prefix filtering their downstreams?
Certainly AS17557 cannot be trusted without a filter.

Randy

> -----Original Message-----
> From: Simon Lockhart [mailto:simon@slimey.org]
> Sent: Sunday, February 24, 2008 2:07 PM
> To: Tomas L. Byrnes
> Cc: Michael Smith; neil.fenemor@fx.net.nz; will@harg.net;
> nanog@merit.edu
> Subject: Re: YouTube IP Hijacking
>
> On Sun Feb 24, 2008 at 01:49:00PM -0800, Tomas L. Byrnes wrote:
> > Which means that, by advertising routes more specific than the ones
> > they are poisoning, it may well be possible to restore universal
> > connectivity to YouTube.
>
> Well, if you can get them in there.... Youtube tried that, to
> restore service to the rest of the world, and the
> announcements didn't propagate.
>
> Simon
>
RE: YouTube IP Hijacking [ In reply to ]
Very nice.. is there an ARIN equal that anyone knows of OR can you use
the RIPE one for ARIN registered space?

Just curious.. thanks..

Paul


-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Paul Ferguson
Sent: Sunday, February 24, 2008 7:07 PM
To: dr@cluenet.de
Cc: nanog@merit.edu
Subject: Re: YouTube IP Hijacking


-- Daniel Roesen <dr@cluenet.de> wrote:

>On Sun, Feb 24, 2008 at 10:41:26PM +0000, Paul Ferguson wrote:
>> The best you can _probably_ hope for is an opt-in mechanism in
>> which you are alerted that prefixes you have "registered" with the
>> aforementioned system are being originated by an ASN which is not
>> authorized to originate them.
>
>http://www.ris.ripe.net/myasn.html

Nice. :-)

- ferg


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

RE: YouTube IP Hijacking [ In reply to ]
I'm sure we can all find a list of "critical infrastructure" ASes that
could be trusted to peer via the "high priority" AS. I'd say that the
criteria should be:

1: Hosted at a Tier 1 provider.

2: Within a jurisdiction where North American operators have a good
chance of having the law on their side in case of any network outage
caused by the entity.

3: Considered highly competent technically.

4: With state of the art security and operations.

OTOH: I would say that, until today, those who advocate not engaging in
any kind of ethnic or political profiling would have considered 17557,
as a national telco, a trusted route source.

> -----Original Message-----
> From: Randy Epstein [mailto:repstein@chello.at]
> Sent: Sunday, February 24, 2008 4:15 PM
> To: Tomas L. Byrnes; 'Simon Lockhart'
> Cc: 'Michael Smith'; neil.fenemor@fx.net.nz; will@harg.net;
> nanog@merit.edu
> Subject: RE: YouTube IP Hijacking
>
> Tomas L. Byrnes wrote:
>
> > Perhaps certain ASes that are considered "high priority", like Google,
> > YouTube, Yahoo, MS (at least their update servers), can be trusted to
> > propagate routes that are not aggregated/filtered, so as to give them
> > control over their reachability and immunity to longer-prefix
> > hijacking (especially problematic with things like MS update sites).
>
> Not to stir up a huge debate here, but if I were a day
> trader, I could live without YouTube for a day, but not
> e*trade or Ameritrade as it would be my livelihood. If I
> were an eBay seller, why would I care about YouTube? You get
> the idea. What makes Google, YouTube, Yahoo, MS, etc more
> important?
>
> More importantly, why is PCCW not prefix filtering their downstreams?
> Certainly AS17557 cannot be trusted without a filter.
>
> Randy
>
> > -----Original Message-----
> > From: Simon Lockhart [mailto:simon@slimey.org]
> > Sent: Sunday, February 24, 2008 2:07 PM
> > To: Tomas L. Byrnes
> > Cc: Michael Smith; neil.fenemor@fx.net.nz; will@harg.net;
> > nanog@merit.edu
> > Subject: Re: YouTube IP Hijacking
> >
> > On Sun Feb 24, 2008 at 01:49:00PM -0800, Tomas L. Byrnes wrote:
> > > Which means that, by advertising routes more specific than the ones
> > > they are poisoning, it may well be possible to restore universal
> > > connectivity to YouTube.
> >
> > Well, if you can get them in there.... Youtube tried that, to restore
> > service to the rest of the world, and the announcements didn't
> > propagate.
> >
> > Simon
> >
>
>
>
